Cyber Defences

RANSOMWARE

There is no defence against the malware known as ransomware. There are now many attempts at defence, but ANYTHING attached to the internet is vulnerable.

UPDATE: it may be a defence against phishing to activate your firewall’s “family” protection which can block access to “bad” web sites. It’s unlikely to be foolproof, but very much better than nothing.

UPDATE 2: It has become more common to defeat attacks with good backup and restore processes; so now the crooks say “ok, so you survived that, well done. If you do not pay us x,000,000 we will publish all your data on the dark web”. That means exposure to identity theft and much else. So this is a “heads up” to take great care about what unencrypted personal, or indeed business, data is available to steal. Note I said “unencrypted”; explore keeping your data, or at least some of it, encrypted – it’s called “encryption at rest” I believe.

Search Here: https://duckduckgo.com/?q=encryption+at+rest&t=brave&ia=web

Therein lies the key

Forgive the intended pun: ransomware works by demanding payment for a decryption “key”, and we are looking for the “key” to defending against these attacks.

There is only one defence that cannot be attacked, which is:

OFFLINE COPIES / BACKUPS.

OFFLINE means disconnected from the internet and, when not actually in use, not attached to a computer at all. Think of the ancient “floppy disk” and, more corporately, offline “tape backups”.

Crucial to all discussions about “offline backups/copies” is how long, how many days back in time, these go. For example, a single daily backup will fail because it is overwritten by the ransomed data. My last update said this malware is typically resident for several days, two or three, while it carries out its work before declaring itself and demanding the ransom – which demand is usually very polite. Apparently this malware can be in place for months before it activates/attacks, so watch out what you restore. Restore data, not programs.

I do like the idea of ransomware detection software that works by placing “honeypot” files (i.e. files attractive to the malware), which it then monitors for encryption so as to provide early warning. It is however an ongoing battle, so offline is the current established defence. The problem, of course, is that one does lose data, even if “only” a few days’ worth.
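To show how the honeypot idea above works in practice, here is an added example (not code from the original post or from any product it mentions). It plants canary files with known contents, then reports any canary whose contents changed or which has gone missing (renamed with a new extension); the file names and contents are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path

# Canary file names and contents are constructed for this example. Real canaries
# would use names that look valuable and sort early so malware reaches them first.
CANARIES = {
    "0000_accounts_2019.xlsx": b"canary-accounts-" * 64,
    "0000_passwords.docx": b"canary-passwords-" * 64,
}


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def plant_canaries(folder: Path) -> dict:
    """Write the canaries and return {name: expected digest} for later checks."""
    folder.mkdir(parents=True, exist_ok=True)
    expected = {}
    for name, content in CANARIES.items():
        (folder / name).write_bytes(content)
        expected[name] = digest(content)
    return expected


def check_canaries(folder: Path, expected: dict) -> list:
    """Return (name, reason) alerts; an empty list means every canary is intact.
    A changed digest means the content was rewritten (e.g. encrypted in place);
    a missing file usually means it was renamed with a new extension."""
    alerts = []
    for name, want in expected.items():
        path = folder / name
        if not path.exists():
            alerts.append((name, "missing or renamed"))
        elif digest(path.read_bytes()) != want:
            alerts.append((name, "content changed"))
    return alerts


def demo() -> dict:
    """Plant canaries, simulate the two kinds of damage, and return the alerts."""
    folder = Path(tempfile.mkdtemp()) / "Documents"
    expected = plant_canaries(folder)
    before = check_canaries(folder, expected)            # clean run: no alerts
    (folder / "0000_accounts_2019.xlsx").write_bytes(b"\x17\x99junk")     # rewritten
    (folder / "0000_passwords.docx").rename(folder / "0000_passwords.docx.locked")
    return {"before": before, "after": dict(check_canaries(folder, expected))}
```

Run `check_canaries` on a schedule (every few minutes) and treat any alert as the signal to disconnect the machine and stop rotating backup media until the cause is understood.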

Large businesses have dedicated departments to engage in active defences, so I am speaking only in the context of small businesses that do not have any, or much of a, budget for cyber defence. Indeed there are some small businesses that could drop their computers, lose everything on them, and suffer no real loss. We have to consider our position and make choices accordingly.

LAN

Defences

Offline Defence list

CAVEAT

I think it is safe to say nothing in my ideas is free. However, the costs are generally one-off, such as buying, say, 14 SD cards; where they are annual, as with cloud storage services like Sync and Dropbox, the service is also useful in other regards.

Hard disk drives

HDDs vary from one to 12 or more terabytes. Note that disks designated “archive” are designed to be written to as archives, so they are sometimes cheaper, but they are not suited to desktop or NAS type daily use. Remember these are OFFline, which means disconnected and sitting on a safe shelf somewhere (off-site being ideal, but that is another defence story).

SD Cards

250GB. Like HDDs, these are increasing in size. Unless one’s drives are small, their use requires careful selection of one’s critical data.

Dropbox 3TB et al

Dropbox 3 terabytes. Sync.com, Google Drive, Apple iCloud Drive, Tresorit and others. SOME, and by no means all, offer data recovery from a point back in time. Take great care over how far back in time this goes; different “memberships” have different “rewind” periods.

S3 Immutable Storage

https://en.wikipedia.org/wiki/Amazon_S3

https://en.wikipedia.org/wiki/Immutable_object

IMMUTABLE is the critical word here. It means the data can be written (saved) only once and cannot be overwritten. Changes are saved as “incremental” later additions. This means the earlier saved data cannot be overwritten by ransomware encryption. This assumes the account itself cannot be deleted or disabled by the ransomware.
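To make the “written once, later changes are additions” idea concrete, here is an added toy write-once store (my own illustration, not Amazon S3, Backblaze or Arq code). Every save creates a new version file and there is deliberately no overwrite or delete, so a clean version survives when a sync client later pushes the encrypted copy; the file contents are constructed for the demo.

```python
import os
import tempfile
from pathlib import Path


class WormStore:
    """Toy write-once, read-many store built for this example. Each save lands in
    a new version file; there is no overwrite and no delete method at all, so an
    earlier version survives whatever is saved after it."""

    def __init__(self, root: Path):
        self.root = Path(root)
        self.root.mkdir(parents=True, exist_ok=True)

    def versions(self, name: str) -> list:
        folder = self.root / name
        return sorted(p.name for p in folder.iterdir()) if folder.exists() else []

    def put(self, name: str, data: bytes) -> str:
        """Append a new version of `name` and return its id; older versions are untouched."""
        folder = self.root / name
        folder.mkdir(exist_ok=True)
        version = f"v{len(self.versions(name)):06d}"
        # O_EXCL: creation fails instead of truncating if the path already exists,
        # so even a race or a bug cannot turn this save into an overwrite.
        fd = os.open(folder / version, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o444)
        with os.fdopen(fd, "wb") as f:
            f.write(data)
        return version

    def get(self, name: str, version: str) -> bytes:
        return (self.root / name / version).read_bytes()


def demo() -> dict:
    """Save a clean file, then a 'ransomed' copy of it, and show both versions exist."""
    store = WormStore(Path(tempfile.mkdtemp()) / "worm")
    clean = b"customer ledger 2023: constructed sample data"
    ransomed = bytes(b ^ 0x5A for b in clean)     # stand-in for the encrypted file
    v_clean = store.put("ledger.csv", clean)
    v_bad = store.put("ledger.csv", ransomed)     # e.g. a sync client pushing the damage
    return {
        "versions": store.versions("ledger.csv"),
        "clean_intact": store.get("ledger.csv", v_clean) == clean,
        "latest_is_ransomed": store.get("ledger.csv", v_bad) == ransomed,
    }
```

The point the author makes about the account still applies: a real service must also lock retention (no early deletion, even by the account owner) and protect the credentials that could disable the bucket.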

Tape backups

These can be expensive, but offer large data storage which is kept offline.

Related links and searches

In the searches below, make sure to scroll down past the adverts, which can fill a whole screen.

dropbox.com

Backblaze.com

SD Cards search

Big HDDs

Immutable cloud storage

S3 Storage

Backup software to immutable storage

Arq

CASE STUDY – mostly about data sizes and storage sizes.

Describing a real life scenario.

This user has a LAN consisting of several computers, mobile devices and NAS drives.

While I call these “backups” (which they are), they are simple copies of files, not stored using any dedicated backup software. This means they can be tested directly by checking that the files are not corrupted. Untested backups that turn out to be corrupted in some way are the cause of many a failed disaster recovery. TEST YOUR BACKUPS.
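One way to do the testing the author insists on, as an added example (not the author’s own tooling): hash every file in the live folder and in the plain-copy backup, then list what is missing from the copy, what differs (corruption on one side or the other) and what exists only on the copy. The folder names and file contents are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):   # 1 MiB at a time
            h.update(chunk)
    return h.hexdigest()


def manifest(root: Path) -> dict:
    """Map each file's path (relative to root, POSIX style) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_backup(source: Path, backup: Path) -> dict:
    """Compare a plain-copy backup against the live data it was copied from."""
    src, bak = manifest(source), manifest(backup)
    return {
        "missing": sorted(set(src) - set(bak)),                   # never copied, or lost
        "corrupt": sorted(k for k in src.keys() & bak.keys() if src[k] != bak[k]),
        "extra": sorted(set(bak) - set(src)),                     # only on the backup
    }


def demo() -> dict:
    """Build a tiny live folder and a flawed copy of it, then verify the copy."""
    base = Path(tempfile.mkdtemp())
    src, bak = base / "live", base / "sdcard"
    for d in (src / "accounts", bak / "accounts"):
        d.mkdir(parents=True)
    (src / "accounts" / "ledger.csv").write_text("2023-01,100\n")
    (bak / "accounts" / "ledger.csv").write_text("2023-01,100\n")      # good copy
    (src / "accounts" / "notes.txt").write_text("call supplier\n")
    (bak / "accounts" / "notes.txt").write_text("call supp\x00\x00\n")  # bit rot
    (src / "todo.txt").write_text("renew domain\n")                      # never copied
    (bak / "old_invoice.pdf").write_bytes(b"%PDF-1.4 constructed")      # stale extra
    return verify_backup(src, bak)
```

Keep the live manifest from the day the copy was made alongside the card; then a mismatch months later tells you which side changed, rather than only that they differ.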

Video and photos take the most space = TERABYTES

A massive volume, terabytes, of videos and photographs. These by their nature are fixed and do not change, so after organising them in suitable fashion they can be saved to one, preferably more, hard disks and stored both off-site and locally, in suitable packaging, bearing in mind that the shelf life of an unused hard disk is up to ten years. He uses a disk cataloguing app to keep track of what is stored where, including all the other backups we mention. This is really like the way we used floppy disks 40 years ago, but those stored only 360k (kilobytes).

Next come old files, archives and the like = GIGABYTES

Even if over a terabyte, I still view this as gigabyte territory. Over a decade or two these can occupy significant amounts of space, and they belong on the same type of unchanging storage as the videos and photos above, but kept separate because there is some probability of their being needed, not least for earlier versions of the same work files; data corruption is by far the most usual reason for needing to refer to backups.

Live data – several gigabytes “only” 250gb SD Cards

This is where the SD cards come into play. These are the tiny things we see in mobile phones (NOT Apple) and cameras. Current sizes reach 250 gigabytes at the time of writing and are increasing. So our case study has 14 250GB SD cards and copies to one every day or two, so not necessarily every day at all. This is because a ransomware attack takes, say, two or three days, so even taking a copy every day would require going back at least three days to find clean data, bearing in mind we have cloud storage as our first line of defence in any case.

Whole system backups to 6tb HDDs

He has six 6TB hard disks and “standard” backup software operating with hourly incremental backups. Every few days he switches to the next disk. They are in a “caddy”, so they can be inserted and removed at will by hand.

Whole data cloud backups such as dropbox

This means the likes of Dropbox and Sync, but in their business forms, so not a mere 5 gigabytes. Subscriptions will also be required to ensure sufficient “rewind” history to offer comfort. 30 days can be standard, but I prefer 180 days or a year. Our case study has all data synchronised to Dropbox with a 180-day rewind facility.

Whole system backups to S3 Immutable storage.

And finally, recently implemented: Arq backups to Backblaze S3-compatible immutable storage. These “whole system” backups differ from the backups to hard disks above in that they have very long lists of excluded file types and folders. They do not include the archives of photos and videos.

CASE STUDY NOTES

Beware reliance on duplicated backups

I once had both fail with physical hard disk failure. However, these were in daily use. One lesson I took from that was to consider using different manufacturers’ disks, though granted I don’t currently do that. I do still find disks in use fail with monotonous regularity, when my only remaining backup would be the original data. These days the likes of Dropbox, GDrive and Sync et al offer a defence against this, as ordinary backup copies, but these vary a lot as regards the ability to “rewind in time”. Apple appears to offer none at all. None of this considers GDPR.

SD Cards 250gb comment

I have seen bigger ones, up to two terabytes, but have no information about their reliability. If this live data is much bigger, then small hard drives, and indeed SSDs, are relatively cheap; it’s just that they take more space. I see on a quick search 2.5″ HDDs of one TB costing around £35. That competes well with SD cards. However, SD cards can be carried about in a person’s wallet (thus off-site). That said, I used to keep one backup copy in my car door pocket, so how “off site” it was depended on where I was in the car. That was back in the 1980s, long before modern day problems. I had a fire safe with backups in it and it was stolen by a burglar (screw it down!). You just never know, so multiple types are a must.

Cost types

Physical storage costs a one-off £x per unit and no more. This covers the first four of the backup types listed above. Budget may affect how many of each, but over time suitable numbers should be attainable.

The last two require online subscriptions and licence payments for the software. Of these two, the synchronising cloud storage has many other daily useful advantages, whereas the S3 storage is purely a ransomware defence cost.

Online backups also

Carbonite, Mozy, CrashPlan and Backblaze are a few online backup services.

Veeam_Ransomware_Retrospective.indd

Successful backups are the last line of defense for cyberattacks and can be the deciding factor to prevent considerable downtime, data loss and paying a costly ransom.

and from VEEAM to quote:

Mitigating ransomware attacks

End-user education (20%), bolstering backup storage resiliency (19%) and securing internet access (16%) are the top choices of ransomware mitigation globally. Similar results are seen from a geo perspective where NA, LATAM and EMEA/MEA are more apt to invest in detection, while NA was more likely to use additional network monitoring for mitigation.
To better mitigate ransomware vulnerabilities, customers are now focused on bolstering backup storage resiliency, through immutability, investing in end-user education and securing internet access.

MY OPINION

See above where it says “immutability”. It has seemed to me for some time that, aside from totally offline (that means disconnected, sitting on a shelf), this is the ONLY type of backup defence that can be viewed as likely to be effective. It looks like the expression “backup resiliency” (which means nothing at all unless defined) is used to mean “immutability”. Ok, adding in expressions like “education” and “securing access”: these are not in my view backup methods; they are defences, for sure, but they are not part of backups. So my whole paragraph here reduces to this: the only online defence capable of being effective is immutability, and nothing else. That means copying your data to a W O R M drive. And no one can have rights to that drive, because if someone physically steals it all is for nought. So it needs to be off site and in the cloud so no one actually knows where it is. In reality this leaves small businesses etc. with Amazon S3 type storage as the only current provider I am aware of. Backblaze offers compatible resources.

All of that said, I think what surprises me is how little common knowledge there is of immutable storage.

W O R M stands for Write Once Read Many; so once written it can be read but never deleted or written again. That means “immutable”. I plan to have another look at Veeam, but I THINK they are not aimed at small businesses.