Thursday, July 13, 2017

Defend Your Backups Against Ransomware

My people have no tradition of proofreading.  —Ken White

Bob Brown

One of the newer (and nastier) tricks of The Bad Guys™ is a class of software known as ransomware.  It scrambles all the useful files on every disk it can find, including network and cloud drives, then puts up a message asking you to pay for the key that will unscramble your data.  You pay in Bitcoin, which is anonymous.  The amount is often a couple hundred bucks, which is enough to sting even if you manage your money well.  Finally, these people are thieves; there's no guarantee that you'll get a decryption key for your $$$.

So, how do we defend against such extortion?

Back Up Your Computer!

The first defense against all kinds of computer trouble is a good backup process.  "Good" means it's automated, so you won't forget to do it regularly.  Good also means you've tested that you can restore files from the backup media.

Backups are a subject for their own Bitmonger article, so for now let me just say that if you're not backing up your computer, you're waving in the wind.

Protecting the Backups

One of the nasty things about ransomware is that it encrypts all the drives it can find.  If you carefully back up to a USB drive, as I do, and you leave the drive attached to your computer, the backup drive is exposed to the ransomware along with everything else.

Before I retired, I kept a USB backup drive in my office and another at home.  I made backups of my laptop at both locations on a regular schedule, so there was always an "off site" backup not connected to my laptop, and so protected from ransomware.   Now that I'm retired, I can't do that.  I still use two backup drives.  After all, one could fail.  However, they're both at home.  (The lack of an off-site backup means I'm exposed to risk of fire or theft, too.)

To keep my (and your) backup drives safe from ransomware, they need to be physically disconnected from the computer except when a backup operation is scheduled, and they should never both be connected at the same time.  You can accomplish that by unplugging the USB cable.  If your drive has a power switch, just turning the drive off works, too.  In my case, both options are somewhat fiddly operations in hard-to-reach places.

I'd really like to have an A-0-B switch for USB that connects drive A, drive B, or neither to the computer, and that will not allow both drives to be online at the same time.  I couldn't find one, but I did find a hub with push buttons that will allow one to connect or disconnect any of four devices with the push of a button.  I have to push two buttons to swap drives – connect A and disconnect B, or vice versa – but I've put the hub in a convenient location so I can swap drives with minimal fooling around.

If you're looking for a similar device, be sure you get one that's USB 3.0 compatible.  Otherwise, you will probably sacrifice speed, and speed is important when making backups.

I've found several USB A-B switches, but they're all designed to share one peripheral between two computers, and not the other way around.

"Safely Remove" USB Drives

In earlier times, Windows did "lazy writes" by default.  That is, Windows waited until the CPU was briefly idle to actually write data to the disk.  In that case, just disconnecting such a disk could result in a corrupt file system because there may have been incomplete disk writes.  For current versions of Windows, "quick removal," which does not cache writes, is the default.  The details, including how to check the setting on your own computer, are in a PC World article.

So, if you use Windows, you can just push the button to disconnect a drive without having to fiddle with safely removing it.

Even so, there is value in logically removing your backup drive as soon as a backup is complete.  Although it's possible to detect and reconnect a drive that's attached but offline, I know of no ransomware that does that... yet.  Also, taking the drive offline immediately can prevent certain "Oops!" accidents.  If you run your backups manually, you can just push the button, but running backups manually is poor practice because we skip doing it.

If your backup is run from a batch file, or has a way to call a batch file when the backup ends, there is free software that will take the drive offline for you.  Two such programs are RemoveDrive and USBDiskEjector.  Consider using one of these, and if you do use one of them, consider making a donation to the author.
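Here is one way to put the whole routine from this section into a single script, as an added example that is not part of the original post or of either program mentioned above: find which of the two rotated backup drives is attached (by volume label), refuse to run if both are online at once, mirror a folder onto the drive with robocopy, and then eject the drive the way Explorer's "Eject" entry does, using the Shell.Application COM object. The volume labels, the folder being backed up, and the choice of robocopy are assumptions for the example.

```powershell
# Added example, not the blog's or any vendor's code. Assumed values are marked.
$BackupLabels = @('BACKUP-A', 'BACKUP-B')      # assumed labels of the two rotated USB drives
$Source       = "$env:USERPROFILE\Documents"   # assumed folder to back up

# Collect attached volumes whose label is one of the backup drives and that have a drive letter.
$attached = @(Get-Volume | Where-Object {
    $BackupLabels -contains $_.FileSystemLabel -and "$($_.DriveLetter)" -match '^[A-Z]$'
})

if ($attached.Count -eq 0) {
    Write-Error "No backup drive is attached. Connect exactly one of: $($BackupLabels -join ', ')"
    exit 1
}
if ($attached.Count -gt 1) {
    # Both drives online at the same time defeats the point of rotating them.
    Write-Error "More than one backup drive is attached ($($attached.FileSystemLabel -join ', ')). Disconnect all but one."
    exit 1
}

$drive  = $attached[0]
$letter = "$($drive.DriveLetter):"
$dest   = "$letter\Backup"
$log    = "$letter\backup.log"

# Mirror the source folder onto the drive. /MIR also removes files at the destination that no
# longer exist at the source; /R:1 /W:1 keeps retries short so a locked file cannot stall an
# unattended run; /NP suppresses per-file progress so the log stays readable.
robocopy $Source $dest /MIR /R:1 /W:1 /NP "/LOG+:$log"

# robocopy exit codes below 8 mean success (files copied, extras removed, or nothing to do);
# 8 and above mean at least one file failed to copy.
if ($LASTEXITCODE -ge 8) {
    Write-Error "robocopy reported failures (exit code $LASTEXITCODE); leaving $letter attached for inspection."
    exit $LASTEXITCODE
}

# Eject the drive as soon as the backup finishes. Namespace(17) is the "This PC" / Drives folder,
# and InvokeVerb('Eject') is the same action as the Eject entry in Explorer's context menu.
$shell = New-Object -ComObject Shell.Application
$shell.Namespace(17).ParseName($letter).InvokeVerb('Eject')
Write-Host "Backup to $($drive.FileSystemLabel) finished; $letter has been ejected."
```

Schedule the script with Task Scheduler rather than running it by hand, for the reason the post gives: a manual backup is the one that gets skipped. Because it exits before copying anything when both drives are attached, it also enforces the "never both online" rule instead of relying on memory. If you prefer RemoveDrive or USBDiskEjector for the eject step, replace the two Shell.Application lines with a call to that program; their command-line options are not described here, so check the program's own documentation.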

About Backing Up to the "Cloud"

There is no cloud.  There's only a bunch of computers you don't own run by a bunch of people you don't know.   It's more complicated than that, of course, and the various cloud services run some pretty slick software.  Down at the bottom, though, you are trusting someone else with your data.  Anything you store "in the cloud" should be encrypted, and you should never store the only copy of something "in the cloud."  (For a cautionary tale, read the sad story of MegaUpload.)

One of the things that makes cloud storage so convenient is that you can often treat a "cloud drive" like any other disk drive.  Sadly, that means ransomware can likely find and scramble your cloud backups just like everything else.  The lesson is that you should not depend on "cloud drives" to defend against ransomware.

Some vendors of cloud backup services have taken steps to protect against ransomware, but the ordinary "cloud drive" does not offer such protection. 



Copyright © 2017 by Bob Brown

Creative Commons License
Defend Your Backups Against Ransomware by Bob Brown is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.