Windows 10: Sadly, protection from ransomware is not totally possible

  1.    21 Jun 2017 #1

    Sadly, protection from ransomware is not totally possible


    I was trying to see what might be a good way to protect oneself from ransomware. The reason that I started thinking about this is that my external backup disks are continuously connected to my PC. This would mean that a ransomware attack could infect those external disks as well as my internal disk.

    Unfortunately the discussion threads that I saw do not come up with anything definitive other than to have at least one backup offline. The most useful strategy that I read was in Idea for ransomware protection of network drives where the poster suggests the following steps.

    1) Disconnect from Internet
    2) Run scan for Ransomware -- if detected take remedial action otherwise continue
    3) Mount remote HDD's / Attached HDD's - target for your Backup
    4) Run the backup
    5) Detach / unmount the HDD's
    6) Re-connect to Internet etc.
    7) Optionally send notification - job finished.
    I wish I could develop a program to do all that automatically, on a schedule!

  2.    21 Jun 2017 #2

    Hi, I think that was discussed a long time ago; I recall comments like
    - that's why I need a wife (or similar) - could be husband of course..
    - discussion of a robot arm...

    You could create an obscure program that rogue software would not run to control power to your backup source:
    USB Relay Controller | eBay

    but you'd want to be able to power it down safely, of course.

  3. Bree
    Posts : 8,566
    10 Home x64 (1803) (10 Pro on 2nd pc)
       21 Jun 2017 #3

    In general, ransomware looks for all the drive letters in your system. If you don't map a letter to a network drive it can't find it. You can still back up files to it though, using a UNC path of the form...

    \\ComputerName\SharedFolder\Resource
    https://en.wikipedia.org/wiki/Path_(...ing_Convention

  4. TairikuOkami
    Posts : 3,328
    10.5 Home 1803 x64
       21 Jun 2017 #4

    Other possibility, if you are using a standard user account or have UAC set to full.

    1. Change your drive to read only and allow only admins to modify/write.
    2. Set up your auto-backup software to run as admin and that is it.

    Note: You should also disable WSH and restrict powershell, both can be used to elevate user rights.


  5. Posts : 384
    Ubuntu 18.04, win 10 pro
       22 Jun 2017 #5

    I've been also thinking of a "simple" solution and this is what I'm doing:
    set up a hybrid system with both Windows and Linux, Windows backs up to a Linux Samba share,
    then Linux backs up to a non-shared folder, possibly invisible to the Windows network.
    Now if Windows gets infected the non-shared folder will still be safe.
    Never got a ransomware so I wonder if it will really work, could it?


  6. Posts : 477
    Win10 x64 Pro -2 desktops, 1 laptop
       23 Jun 2017 #6

    Bree said:
    In general, ransomware looks for all the drive letters in your system. If you don't map a letter to a network drive it can't find it. You can still back up files to it though, using a UNC path of the form...
    I read somewhere that some ransomware programs can assess SMB-connected drives even if not mapped. I have no idea if that's true, but I found it frightening.

    One option that adds a small degree of safety is to take FTP backups to a server that does not have SMB running. And have the backup scripted so that the script fails if it tries to copy an already infected file. (That's probably an unnecessary step. If files were infected that would probably include the backup script.)

  7. Hydrate
    Posts : 124
    Windows 10.0.15063 (Version 1703) Pro 64-bit
       23 Jun 2017 #7

    TairikuOkami said:
    Other possibility, if you are using a standard user account or have UAC set to full.

    1. Change your drive to read only and allow only admins to modify/write.
    2. Set up your auto-backup software to run as admin and that is it.

    Note: You should also disable WSH and restrict powershell, both can be used to elevate user rights.
    I think there still exists the problem if the ransomware is executed under an Administrator account; there exist exploits to bypass UAC.

    This can potentially stop Standard accounts from compromising backups and the host.

    roy111 said:
    I've been also thinking of a "simple" solution and this is what I'm doing:
    set up a hybrid system with both Windows and Linux, Windows backs up to a Linux Samba share,
    then Linux backs up to a non-shared folder, possibly invisible to the Windows network.
    Now if Windows gets infected the non-shared folder will still be safe.
    Never got a ransomware so I wonder if it will really work, could it?
    I personally like this idea a lot! This is not too simple and requires a lot of user intervention, but it sounds like it can work.

    Correct me if I'm wrong, the Linux Samba Share must also be online to transfer files over the network to the active Linux box.

    How would you accomplish this on a single box, if only one operating system can be online while the other is turned off? I think you meant two separate machines or a virtual machine, yes?

    Personally, for ransomware attacks:

    I would use MBAM 3's Ransomware protection feature while reconfiguring its exploitation options for maximum allowed, along with Windows Firewall (custom configuration) and EMET 5.5 maximum compliance.

    Customized compiled VBScript calling Windows Script Host.

    BitLocker AES-256 encryption.

    Task Scheduler my C:\ransomware_protection.exe

    Typically, ransomware does not infect .exe nor %systemroot% because they want their ransoms and not a crippled system. So with the exception of a few ransomware attacks which may or may not be exempt from this prior assumption...

    I would write a WSH script with read and execution access, given the system hide and EFS encryption attributes and compiled in a special third party software so it's more difficult to find the BitLocker pw. The script will check the integrity of several dummy files scattered randomly across the system in typical user directories (Desktop, Videos, Pictures) and their contents, and then if the integrity or MD5 of these files (with read access only) has been altered, I would end the script and ransomware would not transfer. If ransomware strikes, the script would be encrypted and no transfers would take place.

    Else, the integrity has been maintained, I would allow it to transfer accordingly. For the transfer process to occur:

    The second barrier requires BitLocker drive encryption on backup drives. The script would navigate Windows and unlock the drive (yes with the BitLocker password encased in the script, which I would compile into an .exe) to allow the file transfer and lock the drive once it's completed.

    This sounds pretty complex and decent once it's set up.
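The dummy-file integrity gate Hydrate describes, and the hands-off scheduled run the first post wishes for, as an added Python example that is not code from this thread: the copy to the backup target runs only while every canary file still hashes to its recorded baseline. The canary paths, the sample folders and the use of SHA-256 in place of MD5 are assumptions made for the example; the BitLocker unlock step is left out.

```python
import json
import hashlib
import shutil
import tempfile
from pathlib import Path

# Hypothetical canary locations (relative to the user profile), constructed for this example.
CANARY_NAMES = ["Desktop/notes_2017.txt", "Pictures/holiday.jpg", "Videos/clip.mp4"]

def digest_of(path):
    # SHA-256 rather than the MD5 the post mentions; canaries are small, so read them whole.
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def record_baseline(home, baseline_file):
    """Hash each canary under `home` and store the digests as the trusted baseline."""
    baseline = {name: digest_of(Path(home) / name) for name in CANARY_NAMES}
    Path(baseline_file).write_text(json.dumps(baseline))
    return baseline

def canaries_intact(home, baseline_file):
    """Return (ok, changed): ok is False if any canary is missing, renamed or has a new digest."""
    baseline = json.loads(Path(baseline_file).read_text())
    changed = [name for name, digest in baseline.items()
               if not (Path(home) / name).is_file() or digest_of(Path(home) / name) != digest]
    return (not changed, changed)

def gated_backup(home, baseline_file, source_dir, backup_dir):
    """Copy source_dir into backup_dir only while every canary still matches its baseline."""
    ok, changed = canaries_intact(home, baseline_file)
    if not ok:  # encryption likely in progress: leave the backup target untouched
        return {"backed_up": False, "changed": changed}
    shutil.copytree(source_dir, backup_dir, dirs_exist_ok=True)
    return {"backed_up": True, "changed": []}

def demo():
    """Constructed sample: a fake profile with canaries, one backup before and one after tampering."""
    root = Path(tempfile.mkdtemp())
    home, src, dst, base = root / "home", root / "docs", root / "backup", root / "canary.json"
    for name in CANARY_NAMES:
        (home / name).parent.mkdir(parents=True, exist_ok=True)
        (home / name).write_bytes(b"canary " + name.encode())
    src.mkdir()
    (src / "report.txt").write_text("important")
    record_baseline(home, base)
    first = gated_backup(home, base, src, dst)
    (home / CANARY_NAMES[0]).write_bytes(b"ciphertext")  # simulate a canary being overwritten
    second = gated_backup(home, base, src, dst)
    return first, second
```

A scheduled task can call `gated_backup` on the real profile; keep the baseline file itself somewhere the backup run can read but an ordinary user account cannot write, or the check can be defeated along with the canaries.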


  8. Posts : 384
    Ubuntu 18.04, win 10 pro
       24 Jun 2017 #8

    Hydrate said:
    I personally like this idea a lot! This is not too simple and requires a lot of user intervention, but it sounds like it can work.

    Correct me if I'm wrong, the Linux Samba Share must also be online to transfer files over the network to the active Linux box.

    How would you accomplish this on a single box, if only one operating system can be online while the other is turned off? I think you meant two separate machines or a virtual machine, yes?
    There is no intervention using the simplest solution with no personalized script,
    of course you need at least two machines:

    win save to linux samba with file history (automatic), linux save samba shared folder to a linux folder
    that could be a network SFTP or NFS folder or even an ext4 formatted external usb HD (automatic,
    i.e. with bacula or rsync/grsync).
    I think this makes sense if you have a relatively complex environment
    with both windows and linux pc; for a single PC the virtualization could be overkill and an external usb
    (detachable) should do.

  9. Hydrate
    Posts : 124
    Windows 10.0.15063 (Version 1703) Pro 64-bit
       24 Jun 2017 #9

    roy111 said:
    There is no intervention using the simplest solution with no personalized script,
    of course you need at least two machines:

    win save to linux samba with file history (automatic), linux save samba shared folder to a linux folder
    that could be a network SFTP or NFS folder or even an ext4 formatted external usb HD (automatic,
    i.e. with bacula or rsync/grsync).
    I think this makes sense if you have a relatively complex environment
    with both windows and linux pc; for a single PC the virtualization could be overkill and an external usb
    (detachable) should do.
    What about those without 2 systems at their disposal?

    I personally like the idea of adding Linux (without wine, lol) into the mix, and it would bar the ransomware from executing on the Unix based system. But what if the Windows box is affected by the ransomware and does not back up the latest, critical files? Is it a sustainable loss?

  10.    24 Jun 2017 #10

    Hydrate said:
    What about those without 2 systems at their disposal?

    I personally like the idea of adding Linux (without wine, lol) into the mix, and it would bar the ransomware from executing on the Unix based system. But what if the Windows box is affected by the ransomware and does not back up the latest, critical files? Is it a sustainable loss?
    Hi there

    For those without 2 machines: You can actually have the Linux machine as a VM -- it can still back up HDD's from the Host!

    Run the backup FROM the Linux server (obviously with Internet disconnected) and AFTER checking the Windows box that there's no malware on it.

    From linux you'll need something like RSYNC or GRSYNC (graphical / GUI version of RSYNC) which is great for backing up DATA. RSYNC is standard on Linux distros, GRSYNC is available on most Linux distros including CENTOS which is what I use.
    Use the GUI version (GRSYNC) to test your parameters and when it works manually you can then use the command line version (RSYNC) for your batch backup job(s).

    GRSYNC example :


    For the (Windows) OS use something from the Linux box like CLONEZILLA which will image the OS (Windows HDD).

    It depends on how many systems you need to backup.
    If it's only 1 or 2 client machines then a stand-alone backup on each client using Macrium is fine -- but if you need an automated process you'll essentially have to use Linux. I'm not sure how complex job scheduling can be done in Windows -- hopefully people better qualified than me could answer this question -- however it's relatively easy on Linux if the server can access your Windows drives.

    Simply use the Crontab to schedule your jobs and ensure the client (Windows) machines are available to the server.

    You will need to install SAMBA on the Linux machine though.

    Cheers
    jimbo
