
Windows 10 stores its backups in a protected folder, e.g. E:\System Volume Information, and only the SYSTEM account has full access to it. Does this make it safe from ransomware that encrypts files? Even when running 'As administrator' I cannot seem to access that folder, so it looks pretty safe, right?

And what about the Windows 10 File History feature, is that safe?

Just a note: @SilverlightFox is right, backups are not stored in the System Volume Information folder, as I thought they were, but rather in a folder having the same name as the computer, e.g. E:\MYCOMPUTER where E can be any drive. By default, this folder is accessible by the SYSTEM user and the Administrators group.

Berend
    One problem that can occur is the usable backups being overwritten by encrypted documents of the same name. I don't know the details of how windows 10 stores versions or overwrites previous backups, but if it simply stores 1 version and that version is the most recent version, then if it gets overwritten by ransomware-encrypted files, then it will not be of any use to you. – Owen Aug 02 '16 at 15:39
  • I assume you also rely on Windows Defender for protection? – mootmoot Aug 02 '16 at 16:52
    A lot of ransomware [just deletes the System Restore points](https://www.google.com/search?q=ransomware+delete+shadow+copies), since that's easier than encrypting them. – benrg Aug 02 '16 at 18:19
  • Bear in mind also that you are likely just logged into the "unelevated administrator account". Windows 10 has multiple types of administrator accounts in effect. – John McNamara Aug 02 '16 at 20:22
  • Once any kind of malware runs on a Windows PC the only 100% safe course of action is to assume ALL files on non-WORM media it had access to are compromised. – John McNamara Aug 02 '16 at 20:25
  • Also: try to avoid being logged in to services like Dropbox/Google drive all the time; enable them only when you need them and then log off. Because otherwise the ransomware will encrypt those files. In the best case you can revert all the changes, but it's a pain in the ass to do manually especially if you have many of them, in the worst case the ransomware is aware of dropbox/google drive and will also delete the histories of those files. – Bakuriu Aug 02 '16 at 20:42
  • @benrg: one of many reasons why System Restore/Windows Backup on an online drive attached to the system isn't exactly a bulletproof way of "backing up" your files :) – Tobia Tesan Aug 03 '16 at 16:05

8 Answers


If the ransomware gains administrator access to your computer then it can damage any backups that the Windows machine may have created on that computer.

If the ransomware only acquires non-administrator access (i.e. you use a non-admin account for web-browsing) then those backups will be safe.

The best thing is to back up to a removable storage device. (surely Windows has an option for this) Keep this device in a safe place, separated from your computer. Not only will your backups be protected from viruses this way, you will still have your backups in the event of physical theft, or hardware failure.

You can also back your files up to a separate server, as long as that server has been properly configured (and well secured) so that the ransomware-damaged backups do not overwrite the originals.

700 Software
    If the remote drive is left on all the time it is vulnerable to being mounted at any time as well. Unplug the backup device when not in use performing the backup! – Mark S. Aug 02 '16 at 18:15
    @MarkS.: I would think the ideal would be backup to an NFS drive on a server that then makes its own backups. If the server isn't compromised, and is set up to require that configuration tasks be performed locally (or using credentials which have never existed on the client machine in any form), nothing the client could do should be able to jeopardize earlier backups. – supercat Aug 02 '16 at 18:26
    `The best thing is to back up to a removable storage device. (surely Windows has an option for this)` Indeed it does... Windows Backup lets you specify a backup location or locations, one of which can, and should be, a removable device or network location that you take offline when it's not being used as a backup target. Weekly fulls to a removable backup device, for example. Not that any but a tiny fraction of people actually do so, of course, but that's a different matter. – HopelessN00b Aug 03 '16 at 02:07
    Not all editions of all Windows versions allow backup on network locations. Some restrict it to pro or enterprise. But there are lots of 3rd party backup solutions. – Philipp Aug 03 '16 at 14:45
    What if the ransomware remains there and tries to get admin access (by for example waiting for you to download a file which legitimately needs admin privileges, silently replacing that file with the ransomware, and waiting for you to give it privileges? or just spamming the UAC dialog over and over again until you click yes - I bet most home users would fall for this). – André Borie Aug 04 '16 at 13:53

The System Volume Information folder only contains files backed up by System Restore. That is, it won't protect your personal files should they get overwritten by malware, it will only protect Windows system files.

Additionally, although you cannot by default get access to this folder, if you were to take ownership of the folder as administrator (or with admin privs), nothing stops you from then accessing it.

File History is only as safe as the external drive it backs up to. i.e. don't choose an internal drive for your backup destination, as that would be just as vulnerable to ransomware and malware.

SilverlightFox
    ...and of course an external drive is only different at all from an internal drive if it's not plugged in all the time. If it's connected and on when the ransomware strikes, it will be encrypted with everything else. – HopelessN00b Aug 03 '16 at 02:09
  • It might be worth noting that Windows system files are rarely encrypted by ransomware. If the system stops working entirely the user won't see the ransom message, so the creators of ransomware are less likely to get any money. – Shaamaan Aug 03 '16 at 11:36

You still have a physical drive with real data on it, even though an administrator may not be able to access it. Even if you prevent any access to it within Windows 10, ransomware or malware could use administrative access to install bootkits or worse.

Or, picture a scenario in which you have a normal usb drive plugged into your computer. An attacker could wipe the drive within Windows 10, flash a linux livecd iso with instructions to reconnect to his server, then restart. If a flash drive is first in the boot order, the computer will run whatever code the attacker wants, giving him access to all physical drives and the data on them.

Obviously this is a contrived/ludicrous example, but the overwhelming point to make here is that if an attacker can gain administrative access to the operating system, there isn't that much you can do to stop them from getting at hardware Windows 10 needs to access. Like Silverlight Fox pointed out, a simple permissions change can accomplish the same thing.

Verbal Kint

Generally speaking, most ransomware tries to encrypt both the main drive, as well as any attached drives (USB, network shares, etc). My bet is if it could find your backup files, they would be encrypted as well (I had someone get an early version of Cryptolocker, and it encrypted all the network shares). Backups (with a defined backup policy) saved us from paying out.

This is why either an offline backup (i.e. external HDD not permanently attached) or a cloud backup is so important. Something that cannot be immediately accessed should your computer be compromised.

I should note that Windows (all versions going back to XP) uses its own proprietary incremental backup system. It builds a backup file and then increments the data with each subsequent backup. This is more than sufficient to keep your data safe (provided you have an offline drive).

Machavity

No backup location Windows can directly access whenever it wants is safe from malware, period. Only pull-based backups or offline backups would not be reachable. On top of that, to prevent overwriting backups with infected or encrypted files, if a ton of files change at once, the backup system should alert you. A delta backup of say more than 30% of all your files during a backup run is hardly normal.

John Keates
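As an added illustration, not code from any answer on this page, here is the "alert on an abnormal delta" rule from the answer above, which also addresses Owen's comment on the question about a single-version backup being overwritten by encrypted copies: the guard compares the previous backup manifest with the current file set and refuses to replace the old generation when more than 30% of the known files changed or disappeared. The sample files are constructed for the example.

```python
"""Backup-run guard for the >30% changed-files heuristic (added example, not
from the original page). Manifests are dicts of relative path -> SHA-256 hex."""
import hashlib

# Threshold quoted in the answer: a delta of more than 30% of all files in one run
CHANGE_RATIO_ALERT = 0.30


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def snapshot(files: dict) -> dict:
    """Build a manifest (path -> content hash) from {path: bytes}."""
    return {path: digest(content) for path, content in files.items()}


def changed_paths(previous: dict, current: dict) -> list:
    """Paths in the previous manifest whose content changed or which are gone.
    A file that ransomware renamed (e.g. to *.locked) shows up here as missing."""
    return sorted(p for p, h in previous.items() if current.get(p) != h)


def change_ratio(previous: dict, current: dict) -> float:
    """Fraction of previously backed-up files that changed or vanished."""
    if not previous:            # first run: nothing to compare against
        return 0.0
    return len(changed_paths(previous, current)) / len(previous)


def plan_backup_run(previous: dict, current: dict, threshold=CHANGE_RATIO_ALERT):
    """Return (proceed, ratio, changed). proceed=False means: keep the old backup
    generation untouched and raise an alert instead of overwriting it."""
    ratio = change_ratio(previous, current)
    return (ratio <= threshold, ratio, changed_paths(previous, current))


# Constructed sample data: ten documents, then two kinds of "next day"
BASELINE_FILES = {f"docs/report{i}.docx": f"report {i} body".encode() for i in range(10)}
# Normal day: one document edited by the user (10% delta, under the threshold)
NORMAL_DAY = {**BASELINE_FILES, "docs/report3.docx": b"report 3 body, edited"}
# Bad day: every document rewritten and renamed, as a crypto-ransomware run would do
BAD_DAY = {p + ".locked": b"ciphertext:" + c for p, c in BASELINE_FILES.items()}

if __name__ == "__main__":
    base = snapshot(BASELINE_FILES)
    for label, day in (("normal day", NORMAL_DAY), ("bad day", BAD_DAY)):
        ok, ratio, changed = plan_backup_run(base, snapshot(day))
        print(f"{label}: {ratio:.0%} changed -> {'proceed' if ok else 'ALERT, keep old generation'}")
```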

No, it's not safe from ransomware. First of all, ransomware is a generic term for a variety of malware / virus / spyware. So, to say something is safe from all ransomware is never going to be accurate. You would need to specify the version or variant of ransomware. As the Windows 10 backup becomes more prevalent, the current versions of ransomware may evolve to be able to access those backup points more readily.

Second, any 'on demand' type backup program that backs up files when they are 'changed' would be more susceptible to ransomware than any other type of backup. That is, if the ransomware changes the file, the backup would perceive it as having changed and then back it up, thus corrupting the backup.

  • Hi Robert. Welcome to Information Security SE. Though your answer is valid, you don't necessarily address OP's specific question, which is if sysrestore backups are only accessible to `SYSTEM`, and hence impervious to malware/ransomware. – Jedi Aug 03 '16 at 02:14

Privilege escalation is always a risk, so if you want to keep your backups completely safe then put them on a removable storage device and disconnect the removable storage device when not in use.

Micheal Johnson

And don't forget to disconnect your external drive once you've completed a backup to it. If it is still attached should your computer be attacked by ransomware, it will be just as vulnerable as your internal drives!

Noj