  1.    21 Jun 2017 #1
    Join Date : Jun 2017
    Posts : 9
    Windows 10 Pro

    Sadly, protection from ransomware is not totally possible


    I was trying to see what might be a good way to protect oneself from ransomware. The reason that I started thinking about this is that my external backup disks are continuously connected to my PC. This would mean that a ransomware attack could infect those external disks as well as my internal disk.

    Unfortunately the discussion threads that I saw do not come up with anything definitive other than to have at least one backup offline. The most useful strategy that I read was in Idea for ransomware protection of network drives where the poster suggests the following steps.

    1) Disconnect from Internet
    2) Run scan for Ransomware -- if detected take remedial action otherwise continue
    3) Mount remote HDD's / Attached HDD's - target for your Backup
    4) Run the backup
    5) Detach / unmount the HDD's
    6) Re-connect to Internet etc.
    7) Optionally send notification - job finished.
    I wish I could develop a program to do all that automatically, on a schedule!
  2.    21 Jun 2017 #2
    Join Date : Jan 2015
    UK, Midlands
    Posts : 10,992
    Win 10 Pro (1703)

    Hi, I think that was discussed a long time ago; I recall comments like
    - that's why I need a wife (or similar) - could be husband of course..
    - discussion of a robot arm...

    You could create an obscure program that rogue software would not run to control power to your backup source:
    USB Relay Controller | eBay

    but you'd want to be able to power it down safely, of course.
  3.    21 Jun 2017 #3
    Join Date : Aug 2016
    S/E England
    Posts : 4,506
    10 Home x64 (1709) (10 Pro on 2nd pc)

    In general, ransomware looks for all the drive letters in your system. If you don't map a letter to a network drive it can't find it. You can still back up files to it though, using a UNC path of the form...

    \\ComputerName\SharedFolder\Resource
    https://en.wikipedia.org/wiki/Path_(...ing_Convention
  4.    21 Jun 2017 #4
    Join Date : Oct 2014
    Trnava
    Posts : 2,863
    Windows 10.4 Home 1709 x64

    Other possibility, if you are using a standard user account or have UAC set to full.

    1. Change your drive to read only and allow only admins to modify/write.
    2. Set up your auto-backup software to run as admin and that is it.

    Note: You should also disable WSH and restrict powershell, both can be used to elevate user rights.
  5.    22 Jun 2017 #5
    Join Date : Apr 2017
    Posts : 161
    OS

    I've been also thinking of a "simple" solution and this is what I'm doing,
    set up a hybrid system with both win and linux, windows back up to a linux samba share
    then linux back up to a non shared folder, possibly invisible to the windows network.
    Now if windows gets infected the non shared folder will still be safe.
    Never got a ransomware so I wonder if it will really work, could it?
  6.    23 Jun 2017 #6
    Join Date : Jul 2015
    Pacific Northwest, USA
    Posts : 381
    Win10 x64 Pro -2 desktops, 1 laptop

    Originally posted by Bree:
    In general, ransomware looks for all the drive letters in your system. If you don't map a letter to a network drive it can't find it. You can still back up files to it though, using a UNC path of the form...

    I read somewhere that some ransomware programs can access SMB-connected drives even if not mapped. I have no idea if that's true, but I found it frightening.

    One option that adds a small degree of safety is to take FTP backups to a server that does not have SMB running. And have the backup scripted so that the script fails if it tries to copy an already infected file. (That's probably an unnecessary step. If files were infected that would probably include the backup script.)
  7.    23 Jun 2017 #7
    Join Date : Jun 2017
    Posts : 124
    Windows 10.0.15063 (Version 1703) Pro 64-bit

    Originally posted by TairikuOkami:
    Other possibility, if you are using a standard user account or have UAC set to full.

    1. Change your drive to read only and allow only admins to modify/write.
    2. Set up your auto-backup software to run as admin and that is it.

    Note: You should also disable WSH and restrict powershell, both can be used to elevate user rights.

    I think there still exists the problem if the ransomware is executed under an Administrator account; there exist exploits to bypass UAC.

    This can potentially stop Standard accounts from compromising backups and the host.

    Originally posted by roy111:
    I've been also thinking of a "simple" solution and this is what I'm doing,
    set up a hybrid system with both win and linux, windows back up to a linux samba share
    then linux back up to a non shared folder, possibly invisible to the windows network.
    Now if windows gets infected the non shared folder will still be safe.
    Never got a ransomware so I wonder if it will really work, could it?

    I personally like this idea a lot! This is not too simple and requires a lot of user intervention, but it sounds like it can work.

    Correct me if I'm wrong, the Linux Samba Share must also be online to transfer files over the network to the active Linux box.

    How would you accomplish this on a single box, if only one operating system can be online while the other is turned off? I think you meant two separate machines or a virtual machine, yes?

    Personally, for ransomware attacks:

    I would use MBAM 3's Ransomware protection feature while reconfiguring its exploitation options for maximum allowed, along with Windows Firewall (custom configuration) and EMET 5.5 maximum compliance.

    Customized compiled VBScript calling Windows Script Host.

    BitLocker AES-256 encryption.

    Task Scheduler my C:\ransomware_protection.exe

    Typically, ransomware does not infect .exe nor %systemroot% because they want their ransoms and not a crippled system. So with the exception of a few ransomware attacks which may or may not be exempt from this prior assumption...

    I would write a WSH script with read and execution access, given the system hide and EFS encryption attributes and compile in a special third party software so it's more difficult to find the BitLocker pw. The script will detect for the integrity of several dummy files scattered randomly across the system in typical user directories (Desktop, Videos, Pictures) and its contents, and then if the integrity or MD5 of these files (with read access only) has its MD5 altered, I would end the script and ransomware would not transfer. If ransomware strikes, the script would be encrypted and no transfers would take place.

    Else, the integrity has been maintained, I would allow it to transfer accordingly. For the transfer process to occur:

    The second barrier requires BitLocker drive encryption on backup drives. The script would navigate Windows and unlock the drive (yes with the BitLocker password encased in the script, which I would compile into an .exe) to allow the file transfer and lock the drive once it's completed.

    This sounds pretty complex and decent once it's set up.
  8.    24 Jun 2017 #8
    Join Date : Apr 2017
    Posts : 161
    OS

    Originally posted by Hydrate:
    I personally like this idea a lot! This is not too simple and requires a lot of user intervention, but it sounds like it can work.

    Correct me if I'm wrong, the Linux Samba Share must also be online to transfer files over the network to the active Linux box.

    How would you accomplish this on a single box, if only one operating system can be online while the other is turned off? I think you meant two separate machines or a virtual machine, yes?

    There is no intervention using the simplest solution with no personalized script,
    of course you need at least two machines:

    win save to linux samba with file history (automatic), linux save samba shared folder to a linux folder
    that could be a network SFTP or NFS folder or even an ext4 formatted external usb HD (automatic,
    i.e. with bacula or rsync/grsync).
    I think this makes sense if you have a relatively complex environment
    with both windows and linux pc; for a single PC the virtualization could be overkill and an external usb
    (detachable) should do.
  9.    24 Jun 2017 #9
    Join Date : Jun 2017
    Posts : 124
    Windows 10.0.15063 (Version 1703) Pro 64-bit

    Originally posted by roy111:
    There is no intervention using the simplest solution with no personalized script,
    of course you need at least two machines:

    win save to linux samba with file history (automatic), linux save samba shared folder to a linux folder
    that could be a network SFTP or NFS folder or even an ext4 formatted external usb HD (automatic,
    i.e. with bacula or rsync/grsync).
    I think this makes sense if you have a relatively complex environment
    with both windows and linux pc; for a single PC the virtualization could be overkill and an external usb
    (detachable) should do.
    What about those without 2 systems at their disposal?

    I personally like the idea of adding Linux (without wine, lol) into the mix, and it would bar the ransomware from executing on the Unix based system. But what if the Windows box is affected by the ransomware and does not back up the latest, critical files? Is it a sustainable loss?
  10.    24 Jun 2017 #10

    Originally posted by Hydrate:
    What about those without 2 systems at their disposal?

    I personally like the idea of adding Linux (without wine, lol) into the mix, and it would bar the ransomware from executing on the Unix based system. But what if the Windows box is affected by the ransomware and does not back up the latest, critical files? Is it a sustainable loss?

    Hi there

    For those without 2 machines: You can actually have the Linux machine as a VM -- it can still back up HDDs from the Host!!!

    Run the backup FROM the Linux server (obviously with Internet disconnected) and AFTER checking Windows box that there's no malware on it.

    From linux you'll need something like RSYNC or GRSYNC (graphical / GUI version of RSYNC) which is great for backing up DATA. RSYNC is standard on Linux distros, GRSYNC is available on most Linux distros including CENTOS which is what I use.
    Use the GUI version (GRSYNC) to test your parameters and when it works manually you can then use the command line version (RSYNC) for your batch backup job(s).

    GRSYNC example :

    [Screenshot: grsync.png]

    For the (Windows) OS use something from the Linux box like CLONEZILLA which will image the OS (Windows HDD).

    It depends on how many systems you need to backup.
    If it's only 1 or 2 client machines then a stand alone backup on each client using macrium is fine -- but if you need an automated process you'll essentially have to use Linux. I'm not sure how complex job scheduling can be done in Windows --hopefully people better qualified than me could answer this question -- however it's relatively easy on Linux if the server can access your Windows drives.

    Simply use the Crontab to schedule your jobs and ensure the client (Windows) machines are available to the server.

    You will need to install SAMBA on the Linux machine though.



    Cheers
    jimbo
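
The Linux-side pull backup discussed in posts #5, #8 and #10, combined with the dummy-file integrity check from post #7, as an added example that is not code from any poster in this thread. It uses SHA-256 via `sha256sum` in place of the MD5 mentioned in post #7, keeps dated snapshots so a bad run cannot overwrite earlier versions, and assumes the canary files sit at fixed relative paths under the share; every path and function name is a hypothetical placeholder.

```shell
#!/bin/sh
# Added example: canary-gated pull backup for the Linux box (cron-friendly).
# Every path here is a hypothetical placeholder.
SRC="${SRC:-/mnt/winshare}"                         # Samba share Windows writes to
DEST="${DEST:-/srv/backup/private}"                 # folder NOT exported over SMB
MANIFEST="${MANIFEST:-/etc/backup/canaries.sha256}" # absolute path, kept off the share

# make_manifest ROOT FILE... : print SHA-256 lines for canary files under ROOT
make_manifest() {
    root=$1; shift
    ( cd "$root" && sha256sum "$@" )
}

# canaries_intact ROOT MANIFEST : 0 only if every canary exists and still matches
canaries_intact() {
    [ -s "$2" ] || return 2      # missing or empty manifest: fail closed
    ( cd "$1" && sha256sum -c "$2" ) >/dev/null 2>&1
}

# run_backup : copy SRC into a new dated snapshot, but only if canaries check out
run_backup() {
    if ! canaries_intact "$SRC" "$MANIFEST"; then
        echo "canary check failed under $SRC: backup skipped" >&2
        return 1
    fi
    snap="$DEST/$(date +%Y-%m-%dT%H%M%S)"
    mkdir -p "$DEST" || return 3
    # --link-dest hard-links unchanged files to the previous snapshot, so each
    # run is a full tree and earlier versions are never overwritten.
    rsync -a --link-dest="$DEST/latest" "$SRC/" "$snap/" || return 3
    ln -sfn "$snap" "$DEST/latest"
}

# Only act when invoked as "script.sh run", e.g. from a crontab entry.
if [ "${1:-}" = "run" ]; then
    run_backup
fi
```

A changed or missing canary only shows that something touched those files; ransomware that skips them passes the check, which is why the snapshots are kept rather than mirrored in place.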