Are cloud storage services a good strategy to protect against ransomware attacks?

Question

I have been reading a lot here about Ransomware attacks and I am wondering if my strategy for protecting myself is valid or not.

I have 10Gb of personal data and 90Gb of photos and videos. I have them in D:\ drive in two separate folders. Personal data folder is synced with Google Drive. Photos are synced with a similar tool (Hubic). This way every new photo I copy to D:\ drive is soon sent to Cloud Storage. If my hard drive dies or is stolen I still have my online copy.

But in case I suffer a Ransomware attack, I am thinking it might not be good as possibly the data would be deleted/encrypted also in Google Drive. So my question is:

• Is my method of syncing my data to online storage services (Google Drive, Dropbox, etc.) a good way to protect myself against Ransomware?

• Is there a better backup strategy for ensuring I can recover from Ransomware?

Note: There is a similar question here but it focuses on if the online storage vendor can be trusted or not. In my case I choose to trust them, so, given a successful Ransomware attack, would I have a backup to ignore Ransomware demands.

Answer 1

I'm not sure about Google Drive, but Dropbox provides a way to recover previous file versions, a feature that wouldn't be impacted by the ransomware, since it relies on a file copies on the Dropbox servers. So it'd certainly be a way of protecting your data.

However, recovering everything over your internet connection is a relatively slow process. Personally, I would use a NAS device, but wouldn't map it as a network drive (because those can - and will be influenced if a ransomware is activated on your computer). I would use it via FTP / SFTP, probably with a script that syncs the files on a regular basis. This way you have the files locally, which makes restoring from an attack less of a problem. It is probably cheaper too.

Also, if you prefer Dropbox-like experience, you might want to try ownCloud on your own device - it also keeps the previous versions of file, allowing you to roll back in case of file damage or corruption. Keep in mind that storing multiple old versions of a file takes space on your NAS's disk(s).

Answer 2

Simple, cheap and relatively scalable solution
(Although I'm aware it has nothing with online storage to do)

I have two USB drives that I rotate regularly (you can add a reminder in your calendar if you're afraid to do so). You can use one of the many synchronization tools to choose which folders should be copied, I use Allway Sync.

One of the drive is always offline. You could even move it to another location to make your data resilient to burglars visiting your home or fire or whatever.

You can encrypt the drive too if you don't want other people to tamper with your backup. I use VeraCrypt.

Notes

The more often you rotate your drives, the least data you will lose in case of ransomeware infection. But of course that's the downside of this solution, that you need to manually rotate your drives every now and then.
But it's a cheap, flexible and effective solution against many problems that could occur.

A simple solution

To me, it matters to keep the solution simple so that it cannot be misused. For example, the NAS solution will only work if no one ever mounts the drives. I can easily see how this could fail with unexperienced user that don't know exactly what they do.
Plan for that day when you sit and try to solve a problem. One solution is to mount the drives and you totally forgot about your backup scheme that you set up several months ago.

Answer 3

At the time of writing, Dropbox would be a good way to mitigate ransomware attacks because a 30 day version history of file changes is kept on their servers (even on the free tier).

This, depending on the volume of data, requires a fast internet connection for both upload and download for it to be effective.

However, (big caveat) it wouldn't take much for new ransomware to be engineered that grabs your session token from Dropbox.com, or that installs a keylogger in order to capture your cloud provider password and then proceeds to select the "Permanently Delete" option, rendering the files irrecoverable.

The same goes for any online storage options, whether mapped as a drive or not, as ransomware could easily be engineered to search out SMB shares on the local network and encrypt files there too. The only real option for online backup would be if you had a write only option where the network protocol will allow new files, changes and deletions only with full version control and no possible way to disable the version control or to permanently delete past copies.

This then leaves offline backups as the final option. These would have to be manually initiated to removable media, which would be best stored encrypted off-site for protection against non-malware threats (e.g. fire or theft).

Answer 4

What would you recommend as backup strategy to avoid Ransomware?

Read Only Storage

The simplest solution covers 90% of the average person's data preservation needs: store your old data in a read-only format. How much of your data is old tax information, resources from past schools/jobs, photos from vacations, or any other type of information that isn't going to change?

A common, DVD-R stores nearly 5 GB for a few bucks. In addition to storing your information on Dropbox or an external USB, just throw last year's stuff on a disc on January 1 and Sharpie the year on the top. Continue to back up drives regularly in whatever way is convenient, but a physical "checkpoint" in a filing cabinet is never a bad thing.

For professionals in charge of large amount of business data, apparently, 1 TB optical storage is on the way, although frequent network backups are still necessary when even a few days worth of data (code development, business contracts, professional photography shoots) could be worth a lot of money.

Answer 5

It's kind of scary that only one answer here mentions the verification of the backups so I felt the urge to add this answer:

Whatever you chose as a backup strategy: Your backups are worth absolutely nothing if you don't have a working and well tested verification mechanism to check the integrity of the files.

It's just a matter of time until ransomware will attempt to decrypt files on the fly when you are trying to access them. After a certain amount of time the malware will then delete the local copy of the key(s) and will render many or most of your backups worthless. There are already attacks like this reported on databases of webservers.

Despite that: Personally I would never upload any sensitive data to any cloud service without encrypting it beforehand. (Yup that's kind of ironic) Remember: "cloud" is just a synonym for "another guys server".

Answer 6

No. Consumer grade cloud backup is not an effective solution. In fact no single solution will protect your data, you must mix it up a bit.

To give you a good answer I would have to know about your habits, usage patterns, and a lot of other details, but here is my best guess based on an average home/small business owner I'm usually working with.

So, to backup, or to be exact archiving.

It's a very complex question and you should decide how much you can afford to lose. Providing a 99,9% data security is a VERY expensive affair (think redundant geographically scattered storage with no single point of failure). Data can get lost in many more ways than you think, not just ransomware. For example DVD or BR-D will only last a few years, flash drive will be dead in around 7 years, typical hard drive is not usable after 5 years, format may get deprecated, interface may get deprecated, hard drives may make uncorrectable errors (and in fact they do), your backup may be killed by lightning strike, fire, flood, it may get stolen, you could lose your password if you encrypt (and you should)... Just imagine a nightmare scenario where you have NTBackup archive on a failing IDE hard drive - fun.

So a few solutions:

First of all, monitor your filesystem. Ransomware attack will create huge filesystem changes and you will know there is a problem right away.

OPTION 1 - go with M-Disc. 100GB of data is not that much, so you can make two copies of it on 100GB M-Disc BDXL. Put one in a drawer at home, put one in a bank safety deposit box and you are good. For a millennia, they say. Bear in mind you can still lose your data. It's a read only medium so using it on an infected computer is not a problem. Between archiving use a full size SD Card (say 128GB), flip it's switch to read only for everyday use and to read-write when you backup. Between archiving, use a DVD until you have enough for another M-Disc archive (pay attention to DVD longevity). I'm not affiliated with M-Disc in any way, but I do have a pretty good experience using it.

They also have Dropbox + M-Disc solution on their website, so you can use Dropbox for convenience, and get your archive shipped in.

OPTION 1.1 - Same as above, but using regular Blu-Ray disc. It' cheaper but much more risky. Make sure you re-burn your archive once a year.

OPTION 2 - setup a small (Linux) file server and mount it's storage for convenience, but make sure it is versioning it's backups to a storage not accessible from your client computers (NAS or Cloud or whatever). So if something goes wrong, mounted storage will get encrypted, but you can always go back as the server itself is not infected. Firewall it not to allow remote access as future more advanced ransomware may be able to exploit it by stealing credentials from an infected client. Make sure you always have more than one copy of your data, consider longevity of the media used, and replace hard disks on a first sign of trouble.

OPTION 3 - get a credible IT guy to set up a solution tailored to your needs so you get instant access to your data and (almost) bulletproof archive. I know people come here for DIY solutions, but data protection is a science, not something you can sum up in a single page and I'm 100% sure you can't see all the caveats to your solution.

Whatever you choose there is no "set it up and forget about it" solution, and who ever claims there is, is most likely incompetent.

Answer 7

Keep it simple.

While cloud-sync solutions may provide protection against ransomware through file versioning, choosing individual solution requires research^{(1) (2)} and I think it's a task not worth the hassle. Depending on a cloud service their client-functionality is different and these companies create and support their solutions mainly as a synchronisation tool rather than for backup and versioning.

  ^{(1) Google Drive offers file versioning (30 days), but old versions count towards the space limit. Google does not seem to publish information what happens if you had a 100 GB plan and ~100 GB data that would change instantly. It could either stop syncing or sacrifice the old versions.}

  ^{(2) Dropbox offers unlimited versioning kept for 30 days in their paid-plans.}

I would suggest going with a full-fledged versioning backup solution which backs up to cloud (as well as your local network destination).

I use Arq which de-dupes files in a git-like fashion⁽³⁾ and AES-encrypts them before they leave the machine. Files stored in cloud or network do not morph after being backed up thus no ransomware would change their content (unless they would replace the executable, but that would be too targeted).

  ^{(3) This means that files backed up are split and treated as immutable chunks of data. In case source files change, new data is written with old remaining until garbage collection process removed it.}

Most important: it is a solution for data protection that can be tested (restore to the same machine, to another one) ahead of any disaster.

Such attitude also treats any cloud service as a mere storage space thus freeing user from having to consider subtle differences between services.

The only thing it does not offer is web access to files (because of encryption), so on has to perform a restore (and software installation in case all computers were lost), but you need to decide whether you want backup-and-protection or synchronisation-and-sharing.

Answer 8

I use a stack of external USB-3 hard drives, "A", "B", "C", etc that I rotate in sequence, and run an automatic nightly backup. (my computer runs 24/7 so at night it runs tasks like full backups, deep malware scans, and occasional defrags) In other words, the drive that gets written-to tonight is the oldest one in the sequence. I keep 3 of them offsite in a bank safe-deposit box which I refresh roughly once-a-week. Since I go to the bank, or the strip-mall the bank is in, regularly for other business this does not add much of a burden. (offsite storage protects against fire, theft and similar occurrences).

The only other work I have to do is, when I sit down at my computer to start my day, I have to remember to swap out the USB connector of last night's backup with the next one in the sequence, which is all habit now.

My next to-do task for this problem is to add some automatic verification that the files are readable and not encrypted. Right now I do that manually on a spot-check basis but that takes time and attention so I'd like to automate it.

Answer 9

The NAS Setup is my favorite choice, for second backup you could use an offline harddisk to make a backup once a month. The NAS is nice because you can take the disks offline whenever you want OR you can do what I try to do. Switch the disks around, once a year, clean disks on the NAS (also good for speed etc). Keep the old harddisks in a good place (and label them).

If they ever get thru your first layer of security, and they infect your NAS, you can just take out the disks.

Also I use default recovery systems that help me keep backups for when such things happen.

Answer 10

Crashplan, a paid cloud storage provider, has a dedicated article on how its online cloud storage solution can help you recover from some ransomware attacks.
Their services could be a suited alternative for your use-case where you need to backup a large amount of data for long-term storage (thanks @GuntramBlohm).

Excerpt:

CryptoLocker and CryptoWall are a form of malware that encrypts files on your computer and demands that you pay a ransom to decrypt these files. Instead of paying the criminals behind this attack, you can use CrashPlan to restore your files from a date and time prior to the infection. This article describes how to use CrashPlan to recover your files from a CryptoLocker or CryptoWall attack.

---

EDIT:
As noted in comments by @Ajedi32, clever ransomware could permanently delete files from your history, making your original files unrecoverable.
Many cloud storage providers don't delete your files immediately, but rather store them in a (time-limited) trash directory. That alone is not enough, as the trash directory can be typically emptied at any time.

Clever ransomware targeting ...

• Crashplan could change backup settings so that no deleted files are stored.
• Google Drive could permanently delete files from the trash.
• Dropbox could also permanently delete files from trash.

Answer 11

No solution involving "backup to cloud" code that runs SOLELY* on your "work" PC is safe.

*updated thanks to comments

Sooner or later the ransom-ware authors will start hijacking cloud-storage logins.

My solution is to share the users folders so that a 2nd highly secure Linux box somewhere (local or cloud) can read the users files and back them up to whatever the appropriate destination(s) is/are, local rw media, local read-only media or cloud. Assuming the Linux box stays secure, the malware cannot attack the backups directly.

You WILL need to keep enough historical full backups to cover the maximum time period between when ransom-ware STARTS encrypting your files and when you NOTICE it's happening. This might be considerably longer than a few days.

Ransom-ware authors face a trade-off between acting slowly to effect as much of the backups as possible and acting quickly to avoid detection and being stopped from further encryption of files.

Photo archives are likely a juicy target here as they are likely stored for a long time and not looked at and are often of high sentimental value. Slowly encrypting just someones photo collection (original and backup) MIGHT result in higher ransom payout than just trying to quickly attack an entire PC.

Answer 12

Let's summarize how ransomware works:

Ransomware will encrypt everything it finds. This includes:

• All local drives
• External media connected to your computer at the time of attack
• Mounted network shares with write access

This provides you with the following possible precautions

• Cloud storage without a locally installed client (not feasible for large quantities of files)
• Cloud storage with local client, but you're always logged out unless a backup is due (easy to forget)
• Offline drives, which you connect only when a backup is due
• Read-only media such as DVD and Blueray (Good for archiving)
• Network path where your user account does not have access to. Then, run the backup task from a different account that actually has access. The backup method must store multiple versions however. Otherwise the intact backups might simply be overwritten with the encrypted/corrupted versions in case the user does not notice the encryption early enough.

Personally I chose the last option for me because I still have fully automated backups. In the case that my computer would be compromised by ransomware, it would not be able to encrypt the network share due to the lacking permissions. Pair that with occasional offline backups and you should be fine.

Unfortunately, if we take all possible exploits into account, the single valid solution is using read-only media. A root-exploit, key-logger or similar renders most other methods useless. Because of the extra effort, these would probably only be used in attacks targeted at individuals (local office, restaurant etc.).

Answer 13

The other answers address your first concerns very well. As on alternatives to keep files safe from ransomware while still not depending on third party solutions (i.e. cloud hosting):

Get another PC (one with a big storage unit) running a safer OS in your local network, and install a version control software (e.g. Subversion) server.

Commit your files into a working copy, and keep it synched through the version control client.

Subversion would be fine for that, since there won't be many conflicts from concurrent submits. You can script the synch commands to run on a schedule.

Answer 14

Any cloud storage service with versioning enabled will protect you from ransomware. The versioning option is key here, as you may need to recover a previous version if the malware changed your files in the cloud service.

AWS S3 has versioning as an option, but it is not enabled by default. DropBox does have versioning enabled by default. Google Drive for non-Google files (Google Docs, etc.) requires you to manually enable the "keep forever" option to do this.

There is however a relatively simple non-cloud mitigation for this threat.

1. Set up a NAS or Linux file server for storing data, then add an external backup drive(s) to it.
2. Let your computers use storage directly from the NAS/server, or backup local storage to it.
3. Have a backup utility run directly on the NAS/server and set it to back up to the external drive.
4. Ensure the external drive is not accessible from anywhere besides the NAS/server itself - via file permissions on Linux, or via a configuration option in the NAS GUI.

This secondary backup will be inaccessible to ransomware on your computer. If you were to be infected, you would clean the malware (duh) and then restore that secondary backup to your NAS/server.

Most NAS units have a builtin backup feature for external drives. If you're running a Linux server, rsnapshot will do the job for you. You can set it up in cron to run as often as you like - guaranteeing that you will not lose more than the data produced in that amount of time.

CrashPlan could also be used for local backup if you need dedupe/compression. (Though that will only run once a day unless you subscribe)

Though this takes some setup work, it can run mostly maintenance free until you fill your storage.

Answer 15

I made my backup drives bootable with a small linux system doing an automatic rsnapshot and shutdown after that was successful. Since my data doesn't change that much, I can keep a high number of snapshots.

Oh, if you're really paranoid, you can measure the time the rsnapshot normally takes and if it all of a sudden takes a lot longer, that's a good indication that something's wrong on your system...