Sadly, protection from ransomware is not totally possible


  1. Posts : 184
    Windows 11 Pro
       #1


    I was trying to see what might be a good way to protect oneself from ransomware. The reason that I started thinking about this is that my external backup disks are continuously connected to my PC. This would mean that a ransomware attack could infect those external disks as well as my internal disk.

    Unfortunately the discussion threads that I saw do not come up with anything definitive other than to have at least one backup offline. The most useful strategy that I read was in Idea for ransomware protection of network drives where the poster suggests the following steps.

    1) Disconnect from Internet
    2) Run scan for Ransomware -- if detected take remedial action otherwise continue
    3) Mount remote HDD's / Attached HDD's - target for your Backup
    4) Run the backup
    5) Detach / unmount the HDD's
    6) Re-connect to Internet etc.
    7) Optionally send notification - job finished.
    I wish I could develop a program to do all that automatically, on a schedule!


  2. Posts : 42,734
    Win 10 Pro (22H2) (2nd PC is 22H2)
       #2

    Hi, I think that was discussed a long time ago; I recall comments like
    - that's why I need a wife (or similar) - could be husband of course..
    - discussion of a robot arm...

    You could create an obscure program that rogue software would not run to control power to your backup source:
    USB Relay Controller | eBay

    but you'd want to be able to power it down safely, of course.


  3. Posts : 31,468
    10 Home x64 (22H2) (10 Pro on 2nd pc)
       #3

    In general, ransomware looks for all the drive letters in your system. If you don't map a letter to a network drive it can't find it. You can still back up files to it though, using a UNC path of the form...

    \\ComputerName\SharedFolder\Resource
    https://en.wikipedia.org/wiki/Path_(...ing_Convention


  4. Posts : 5,442
    Windows 11 Home
       #4

    Other possibility, if you are using a standard user account or have UAC set to full.

    1. Change your drive to read only and allow only admins to modify/write.
    2. Setup your auto-backup software to run as admin and that is it.

    Note: You should also disable WSH and restrict powershell, both can be used to elevate user rights.


  5. Posts : 668
    Win 10 pro
       #5

    I've also been thinking of a "simple" solution and this is what I'm doing:
    set up a hybrid system with both Windows and Linux, Windows backs up to a Linux Samba share,
    then Linux backs up to a non-shared folder, possibly invisible to the Windows network.
    Now if Windows gets infected the non-shared folder will still be safe.
    Never got a ransomware so I wonder if it will really work, could it?


  6. Posts : 720
    Win10 x64 Pro - 2 desktops, 2 laptops
       #6

    Bree said:
    In general, ransomware looks for all the drive letters in your system. If you don't map a letter to a network drive it can't find it. You can still back up files to it though, using a UNC path of the form...
    I read somewhere that some ransomware programs can access SMB-connected drives even if not mapped. I have no idea if that's true, but I found it frightening.

    One option that adds a small degree of safety is to take FTP backups to a server that does not have SMB running. And have the backup scripted so that the script fails if it tries to copy an already infected file. (That's probably an unnecessary step. If files were infected that would probably include the backup script.)


  7. Posts : 124
    Windows 10.0.15063 (Version 1703) Pro 64-bit
       #7

    TairikuOkami said:
    Other possibility, if you are using a standard user account or have UAC to set to full.

    1. Change your drive to read only and allow only admins to modify/write.
    2. Setup your auto-backup software to run as admin and that is it.

    Note: You should also disable WSH and restrict powershell, both can be used to elevate user rights.
    I think there is still a problem if the ransomware is executed under an Administrator account; there exist exploits to bypass UAC.

    This can potentially stop Standard accounts from compromising backups and the host.

    roy111 said:
    I've been also thinking of a "simple" solution and this is what i'm doing,
    set up a hybrid system with both win and linux, windows back up to a linux samba share
    then linux back up to a non shared folder, possibly invisible to the windows network.
    Now if windows get infected the non sahred folder will still be safe.
    Never got a ransomware so I wonder if it will really work, could it?
    I personally like this idea a lot! This is not too simple and requires a lot of user intervention, but it sounds like it can work.

    Correct me if I'm wrong, the Linux Samba share must also be online to transfer files over the network to the active Linux box.

    How would you accomplish this on a single box, if only one operating system can be online while the other is turned off? I think you meant two separate machines or a virtual machine, yes?

    Personally, for ransomware attacks.:

    I would use MBAM 3's Ransomware protection feature while reconfiguring its exploitation options to the maximum allowed, along with Windows Firewall (custom configuration) and EMET 5.5 at maximum compliance.

    Customized compiled VBScript calling Windows Script Host.

    BitLocker AES-256 encryption.

    Task Scheduler my C:\ransomware_protection.exe

    Typically, ransomware does not infect .exe nor %systemroot% because they want their ransoms and not a crippled system. So with the exception of a few ransomware attacks which may or may not be exempt from this prior assumption...

    I would write a WSH script with read and execution access, given the system hide and EFS encryption attributes, and compile it in a special third party software so it's more difficult to find the BitLocker pw. The script will detect the integrity of several dummy files scattered randomly across the system in typical user directories (Desktop, Videos, Pictures) and their contents, and then if the integrity or MD5 of these files (with read access only) has been altered, I would end the script and ransomware would not transfer. If ransomware strikes, the script would be encrypted and no transfers would take place.

    Else, the integrity has been maintained, I would allow it to transfer accordingly. For the transfer process to occur:

    The second barrier requires BitLocker drive encryption on backup drives. The script would navigate Windows and unlock the drive (yes with the BitLocker password encased in the script, which I would compile into an .exe) to allow the file transfer and lock the drive once it's completed.

    This sounds pretty complex and decent once it's set up.
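The canary-file check Hydrate describes above, together with step 2 of the routine quoted in the first post ("run a scan; continue only if clean"), as an added Python example. This is not code from this thread or from any poster: SHA-256 is used where the post says MD5, the canary names, folder layout and baseline location are hypothetical, and the whole run happens in a temporary directory so it executes offline. One deliberate difference from the post: rather than relying on the script itself getting encrypted, the gate fails closed explicitly whenever the baseline cannot be read.

```python
"""Canary-file integrity gate in front of a scheduled backup (added example,
not code from this thread). Canary names, folder layout and the baseline
location are hypothetical; SHA-256 is used where the post says MD5."""
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path

# Decoy documents dropped into ordinary user folders. Ransomware that walks
# Desktop/Pictures/Videos rewrites or renames them along with real files.
CANARY_NAMES = ("budget_2019.xlsx", "IMG_0042.jpg", "notes.txt")  # hypothetical


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 (stronger than the MD5 the post mentions)."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def plant_canaries(user_dirs, baseline_path: Path) -> dict:
    """Create random-content canaries and record their digests as the baseline."""
    baseline = {}
    for d in user_dirs:
        for name in CANARY_NAMES:
            p = Path(d) / name
            p.write_bytes(os.urandom(4096))  # random content: nothing to leak if stolen
            baseline[str(p)] = sha256_file(p)
    baseline_path.write_text(json.dumps(baseline, indent=1))
    return baseline


def check_canaries(baseline_path: Path) -> list:
    """Return [(path, reason)] for every canary that is missing or altered."""
    baseline = json.loads(baseline_path.read_text())  # raises if the baseline itself was encrypted
    tampered = []
    for path_str, digest in baseline.items():
        p = Path(path_str)
        if not p.exists():
            tampered.append((path_str, "missing"))   # deleted, or renamed with a ransom extension
        elif sha256_file(p) != digest:
            tampered.append((path_str, "modified"))  # contents rewritten in place
    return tampered


def backup_if_clean(baseline_path: Path, source: Path, dest: Path):
    """Copy source to dest only when every canary is intact. Fails closed."""
    try:
        tampered = check_canaries(baseline_path)
    except (OSError, ValueError) as exc:
        # Baseline unreadable or not JSON (for example, it was encrypted too):
        # treat as compromise and leave the backup target untouched.
        return False, [("<baseline>", "unreadable: " + type(exc).__name__)]
    if tampered:
        return False, tampered
    shutil.copytree(source, dest, dirs_exist_ok=True)
    return True, []


def demo() -> dict:
    """Constructed run in a temp tree: clean backup, simulated attack, blocked backup."""
    root = Path(tempfile.mkdtemp(prefix="canary_"))
    desktop, pictures = root / "Desktop", root / "Pictures"
    desktop.mkdir()
    pictures.mkdir()
    (desktop / "thesis.docx").write_text("real data")  # constructed sample document
    baseline = root / "baseline.json"
    plant_canaries([desktop, pictures], baseline)

    first_ok, _ = backup_if_clean(baseline, desktop, root / "backup")
    backed_up = (root / "backup" / "thesis.docx").read_text() == "real data"

    # Simulate ransomware: one canary rewritten, another renamed with an extension.
    (pictures / "IMG_0042.jpg").write_bytes(b"\x00" * 64)
    (desktop / "notes.txt").rename(desktop / "notes.txt.locked")
    second_ok, reasons = backup_if_clean(baseline, desktop, root / "backup")

    # Simulate the baseline file itself being encrypted.
    baseline.write_bytes(os.urandom(128))
    third_ok, _ = backup_if_clean(baseline, desktop, root / "backup")

    shutil.rmtree(root)
    return {
        "first_ok": first_ok,
        "backed_up": backed_up,
        "second_ok": second_ok,
        "second_reasons": sorted(reason for _, reason in reasons),
        "third_ok": third_ok,
    }


if __name__ == "__main__":
    print(demo())
```

Caveat a practitioner would want: canaries only trip after the malware has started rewriting files, so they can stop a backup job from overwriting good copies with encrypted ones, but they do nothing for files encrypted before the check ran. The baseline and the script should live somewhere the interactive user account cannot write, otherwise the malware can simply regenerate the baseline.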


  8. Posts : 668
    Win 10 pro
       #8

    Hydrate said:
    I personally like this idea a lot! This is not too simple and requires a lot of user intervention, but it sounds like it can work.

    Correct me if I'm wrong, the Linux Samba share must also be online to transfer files over the network to the active Linux box.

    How would you accomplish this on a single box, if only one operating system can be online while the other is turned off? I think you meant two separate machines or a virtual machine, yes?
    There is no intervention using the simplest solution with no personalized script,
    of course you need at least two machines:

    win save to linux samba with file history (automatic), linux save samba shared folder to a linux folder
    that could be a network SFTP or NFS folder or even an ext4 formatted external usb HD (automatic,
    i.e. with bacula or rsync/grsync).
    I think this makes sense if you have a relatively complex environment
    with both windows and linux pc; for a single PC the virtualization could be overkill and an external usb
    (detachable) should do.


  9. Posts : 124
    Windows 10.0.15063 (Version 1703) Pro 64-bit
       #9

    roy111 said:
    There is no intervention using the simplest solution with no personalized script,
    of course you need at least two machines:

    win save to linux samba with file history (automatic), linux save samba shared folder to a linux folder
    that could be a network SFTP or NFS folder or even an ext4 formatted external usb HD (automatic,
    i.e. with bacula or rsync/grsync).
    I think this makes sense if you have a relatively complex environment
    with both windows and linux pc; for a single PC the virtualization could be overkill and an external usb
    (detachable) should do.
    What about those without 2 systems at their disposal?

    I personally like the idea of adding Linux (without wine, lol) into the mix, and it would bar the ransomware from executing on the Unix based system. But what if the Windows box is affected by the ransomware and does not back up the latest, critical files? Is it a sustainable loss?


  10. Posts : 11,247
    Windows / Linux : Arch Linux
       #10

    Hydrate said:
    What about those without 2 systems at their disposal?

    I personally like the idea of adding Linux (without wine, lol) into the mix, and it would bar the ransomware from executing on the Unix based system. But what if the Windows box is affected by the ransomware and does not back up the latest, critical files? Is it a sustainable loss?
    Hi there

    For those without 2 machines: you can actually have the Linux machine as a VM, and it can still back up HDDs from the host!

    Run the backup FROM the Linux server (obviously with Internet disconnected) and AFTER checking the Windows box that there's no malware on it.

    From linux you'll need something like RSYNC or GRSYNC (graphical / GUI version of RSYNC) which is great for backing up DATA. RSYNC is standard on Linux distros, GRSYNC is available on most Linux distros including CENTOS which is what I use.
    Use the GUI version (GRSYNC) to test your parameters and when it works manually you can then use the command line version (RSYNC) for your batch backup job(s).

    GRSYNC example :

    [image: grsync.png]

    For the (Windows) OS use something from the Linux box like CLONEZILLA which will image the OS (Windows HDD).

    It depends on how many systems you need to backup.
    If it's only 1 or 2 client machines then a stand alone backup on each client using macrium is fine -- but if you need an automated process you'll essentially have to use Linux. I'm not sure how complex job scheduling can be done in Windows --hopefully people better qualified than me could answer this question -- however it's relatively easy on Linux if the server can access your Windows drives.

    Simply use the Crontab to schedule your jobs and ensure the client (Windows) machines are available to the server.

    You will need to install SAMBA on the Linux machine though.



    Cheers
    jimbo
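What the Linux side of roy111's and jimbo's setup does, rewritten as an added Python example that is not the thread's own rsync or crontab commands. The backup host pulls from the Samba share into a repository the Windows client cannot reach, each run landing in a new dated snapshot with unchanged files hard-linked to the previous snapshot, the way rsync -a --link-dest=<previous> does. The point it shows: a run after the client has been encrypted produces a snapshot full of ransom-renamed files, while earlier good snapshots are untouched and a retention policy decides how many survive. Paths, snapshot names and the .locked extension are constructed for the demo.

```python
"""Pull-style snapshot backup with hard-link deduplication (added example,
not the thread's own rsync invocation). Mimics `rsync -a --link-dest=<prev>`
run from the backup host. All paths and names below are hypothetical."""
import filecmp
import os
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def latest_snapshot(repo: Path):
    """Newest snapshot directory in repo, or None (names sort chronologically)."""
    snaps = sorted(p for p in repo.iterdir() if p.is_dir())
    return snaps[-1] if snaps else None


def snapshot(source: Path, repo: Path, stamp=None) -> Path:
    """Copy every file under source into repo/<stamp>/.

    Files byte-identical to the previous snapshot are hard-linked rather than
    copied, so each snapshot is a full tree but only changed data costs space.
    Earlier snapshots are never written to.
    """
    repo.mkdir(parents=True, exist_ok=True)
    previous = latest_snapshot(repo)
    stamp = stamp or datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    target = repo / stamp
    if target.exists():
        raise FileExistsError(f"snapshot {target} already exists")
    for src_file in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = src_file.relative_to(source)
        dst = target / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        prev = previous / rel if previous else None
        if prev is not None and prev.is_file() and filecmp.cmp(src_file, prev, shallow=False):
            os.link(prev, dst)           # unchanged: share the inode with the last snapshot
        else:
            shutil.copy2(src_file, dst)  # new or changed: fresh copy, old snapshot untouched
    return target


def prune(repo: Path, keep: int) -> list:
    """Remove the oldest snapshots so that `keep` remain; returns removed names.

    Hard links mean deleting an old snapshot never damages data still
    referenced by a newer one.
    """
    if keep < 1:
        raise ValueError("keep at least one snapshot")
    snaps = sorted(p for p in repo.iterdir() if p.is_dir())
    removed = []
    for old in snaps[:max(0, len(snaps) - keep)]:
        shutil.rmtree(old)
        removed.append(old.name)
    return removed


def demo() -> dict:
    """Constructed scenario: two good runs, then a run after the client is encrypted."""
    root = Path(tempfile.mkdtemp(prefix="snap_"))
    share, repo = root / "share", root / "repo"   # share: what Windows writes to; repo: not exported
    share.mkdir()
    (share / "a.txt").write_text("version 1")
    (share / "b.txt").write_text("bravo")
    s1 = snapshot(share, repo, "20240101T000000Z")
    (share / "a.txt").write_text("version 2")
    s2 = snapshot(share, repo, "20240102T000000Z")

    # Simulate ransomware on the client: every file rewritten and renamed.
    for f in list(share.iterdir()):
        f.write_bytes(os.urandom(32))
        f.rename(f.with_name(f.name + ".locked"))
    s3 = snapshot(share, repo, "20240103T000000Z")

    result = {
        "b_shared_inode": (s1 / "b.txt").stat().st_ino == (s2 / "b.txt").stat().st_ino,
        "a_v1_intact": (s1 / "a.txt").read_text() == "version 1",
        "a_v2_intact": (s2 / "a.txt").read_text() == "version 2",
        "s3_names": sorted(p.name for p in s3.iterdir()),
        "pruned": prune(repo, keep=2),
        "b_after_prune": (s2 / "b.txt").read_text(),
    }
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    print(demo())
```

Two design points matter more than the copying itself. The Windows account may only have write access to the share, never to the repository, and the job runs on the backup host (cron, as jimbo says) rather than being pushed from the client. And the retention count must exceed the number of runs that can happen before anyone notices the client is encrypted; keep=2 here is only for the demo.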


 

Windows 10 Forums