
From my understanding, most ransomware works in the background until it has finished encrypting all of its chosen files.

I assume that while the ransomware works in the background, if I plug in my external USB hard drive to make a daily (or weekly) backup, the ransomware would also target my external hard drive, rendering my backup useless.

What is a good backup strategy to counter ransomware?

Rinel
  • There is no specific good backup strategy specifically **to counter ransomware**, there are only good backup strategies in general, and there are [many questions about those on the site](http://security.stackexchange.com/search?q=is%3Aq+backup+strategy). If those seem not good enough, please ask a more detailed question. –  Jun 02 '16 at 14:11
  • Backup services are cheap. Just pay them and don't worry – Neil Smithline Jun 02 '16 at 14:56
  • @JanDoggen Ransomware has a rather unique threat model compared to other potential sources of data loss. For instance, online backups are often ineffective against ransomware, whereas they can be very effective against other threats like hard drive failure, natural disasters, theft, etc. That said, I'm sure I've seen this question asked somewhere before... – Ajedi32 Jun 02 '16 at 16:02
  • Related: http://security.stackexchange.com/q/120808/29865 – Ajedi32 Jun 02 '16 at 16:03
  • make backups read-only, backup often, and keep backups offline. – dandavis Jun 02 '16 at 18:46

3 Answers

Have multiple backups with at least one offsite. The time scale will depend on your usage. For example, many businesses will use daily offsite backups. For personal use, weekly or monthly may be sufficient. You will minimize your risk this way.

I doubt the ransomware will wait long to see if it can infect your monthly backups, because the longer it is on the system, the more likely it will be discovered/removed.

Stephen Spencer

Don't back up a live system, and don't connect your backup media to a live system (at least, not as a writeable filesystem).

There are plenty of backup solutions that can run from bootable media. Doing this, you can boot to the backup software and the ransomware, if present, will not be running, and thus cannot destroy your backup. If you never connect your backup media except when you are running the backup software, you should be safe from whatever manages to install itself in your OS.

Of course there are lab examples of firmware/BIOS malware, but I haven't heard of ransomware using it (yet).

Ben
  • what is wrong with backing up a live system and what is wrong with connecting your backup read only to a live system? – emory Jun 04 '16 at 00:53
  • If you can back up the system without giving write access to that system (some network-based backup software can do that by pulling data from the system), then go for it. But if you're talking about personal backups of one computer you'd most likely need to connect your backup storage as a writeable filesystem, which risks the ransomware killing your backup. Mounting it read-only could probably be fine, but it would be easy to make a mistake, so personally I would just use the backup disk with the backup software only. – Ben Jun 04 '16 at 02:20
  • If a new backup is taken when the ransomware is almost done encrypting the files, doesn't this have the obvious risk of backing up files that the ransomware has already encrypted? Especially if the backup is taken with the ransomware not running... – user Jun 04 '16 at 13:07
  • @MichaelKjörling It is obvious - to me at least - that we need multiple backups over time. We can not predict when the ransomware will encrypt the files so we must regularly backup our files **and keep old backups**. Then if and when the bad thing happens, we can restore the last good backup copy. But it is probable that we will end up backing up some ransomware encrypted files. – emory Jun 04 '16 at 14:22
  • @MichaelKjörling as emory points out, like any backup strategy, you'll want to keep some number of old backup images. But I actually think you're more likely to get encrypted files in the backup if you do a live backup, just because it could start encryption while you're in the middle of it. I doubt there is any greater chance of starting the backup halfway through encryption one way or the other. – Ben Jun 04 '16 at 14:49
  • The difference is -- and this said with the caveat that I have never suffered from ransomware, nor do I plan to -- that any reasonable ransomware wants to stay undetected for as long as possible, and certainly until it has finished encrypting all your files. Thus it makes sense that it would allow access to the unencrypted content of any encrypted files while the encryption process is running, and re-encrypt any re-saved files immediately. That is relatively easy to do with a file system driver on most OSes. When the infected OS is not running, the ransomware isn't there to do the decryption. – user Jun 04 '16 at 14:54

The best strategy is to secure your computer and network so that you don't get attacked in the first place. However, barring that, it would largely depend on the type of backup you would like to perform.

If you are doing a backup of files (mostly text files) you could look into setting up a version control system which would allow you to do remote backups to a server in a way that incremental changes are stored. This means that even if your computer is infected and the backup you do in one revision is encrypted ... the version before that would be unaffected.

If you are doing a full image of your hard drive, version control would not work so well ... and it might be a better idea to invest in a tape backup system with one tape for each day of a week or a month, depending on how far back you want the backups to go.

CaffeineAddiction
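The point emory and Ben make in the comments on the second answer (keep old generations, because the newest one may already contain encrypted files) and CaffeineAddiction's point about "the version before that would be unaffected" are the same retention idea. The script below is an added example written for this page by the editor, not code from any of the answers. It keeps every backup as a separate dated generation (never overwriting an existing one), prunes only the oldest generations, and compares each new generation with the previous one: when more than a threshold percentage of files changed, it returns a warning status, because a backup in which nearly every file differs from yesterday's is what a snapshot taken after the encryption finished looks like. It assumes POSIX sh with coreutils (`cp`, `find`, `cmp`, `ls`, `sort`); the paths, date stamps and threshold are placeholders.

```shell
#!/bin/sh
# Generational backup with retention and a mass-change check.
# Editor's example for illustration; assumes POSIX sh plus coreutils.
set -u

# snapshot SRC ROOT STAMP: copy SRC to ROOT/STAMP as a new generation.
# An existing generation is never overwritten; the copy is staged as
# STAMP.partial and renamed only when complete, so a crash leaves no
# half-written generation that looks finished.
snapshot() {
    src=$1; root=$2; stamp=$3
    dest="$root/$stamp"
    if [ -e "$dest" ]; then
        echo "refusing to overwrite existing generation $dest" >&2
        return 1
    fi
    mkdir -p "$root"
    cp -Rp "$src" "$dest.partial" && mv "$dest.partial" "$dest"
}

# latest_generation ROOT: print the newest completed generation name
# (stamps such as 2016-06-04 sort correctly as text); empty if none.
latest_generation() {
    ls -1 "$1" 2>/dev/null | grep -v '\.partial$' | sort | tail -n 1
}

# changed_ratio OLD NEW: print the integer percentage of files in NEW
# whose content differs from OLD or which do not exist in OLD.
changed_ratio() {
    old=$1; new=$2
    (cd "$new" && find . -type f) | {
        total=0; changed=0
        while IFS= read -r rel; do
            total=$((total + 1))
            if [ ! -f "$old/$rel" ] || ! cmp -s "$old/$rel" "$new/$rel"; then
                changed=$((changed + 1))
            fi
        done
        if [ "$total" -eq 0 ]; then echo 0; else echo $((changed * 100 / total)); fi
    }
}

# backup SRC ROOT STAMP [THRESHOLD]: take a new generation, then compare it
# with the previous one. Returns 0 when clean, 1 when the snapshot failed,
# 2 when more than THRESHOLD percent of files changed (generation is kept,
# but the operator should check it before any old generation is pruned).
backup() {
    src=$1; root=$2; stamp=$3; threshold=${4:-50}
    prev=$(latest_generation "$root")
    snapshot "$src" "$root" "$stamp" || return 1
    [ -z "$prev" ] && return 0
    ratio=$(changed_ratio "$root/$prev" "$root/$stamp")
    if [ "$ratio" -gt "$threshold" ]; then
        echo "WARNING: $ratio% of files changed since $prev; verify before pruning" >&2
        return 2
    fi
    return 0
}

# prune ROOT KEEP: delete the oldest generations so that at most KEEP remain.
prune() {
    root=$1; keep=$2
    count=$(ls -1 "$root" | grep -v '\.partial$' | wc -l | tr -d ' ')
    excess=$((count - keep))
    [ "$excess" -le 0 ] && return 0
    ls -1 "$root" | grep -v '\.partial$' | sort | head -n "$excess" |
    while IFS= read -r g; do
        rm -rf "$root/$g"
    done
}

# Example invocation (placeholder paths): prune only after a clean run.
# backup /home/alice /mnt/backup/generations "$(date +%F)" 50 \
#     && prune /mnt/backup/generations 30
```

The retention and the check are deliberately separate: `prune` is only run when `backup` returned 0, so a flagged generation never causes the last good one to be discarded, and the flagged copy stays on disk for inspection. The threshold is a rough heuristic (a large legitimate reorganisation trips it too), which is fine for a step whose only effect is to stop automatic pruning and ask for a human look.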