Protecting against ransomware

silverback
5StarLounger
Posts: 772
Joined: 29 Jan 2010, 13:30

Protecting against ransomware

Post by silverback »

There's been a lot in the papers about ransomware recently. One article said it was vital that archives of personal files were taken so they could be restored in the event of an attack. I have, of course, always archived my files but was taken aback the other day when another article said that the latest ransomware was encrypting the master file table, which of course means that restoring personal files is useless.
What do I need to be doing to secure myself against ransomware? Do I need to take a complete copy of the hard disc and, if so, what software is required?
I'm still using Windows XP :love: so any software will have to run on that.

Many thanks
Silverback

Argus
GoldLounger
Posts: 3081
Joined: 24 Jan 2010, 19:07

Re: Protecting against ransomware

Post by Argus »

I'd assume that any kind of traditional backups of system disk and user data would work as long as they are stored offline, i.e. external backup media, external disks.

AOMEI Backupper is one of the programs that (also) supports Microsoft Windows XP. Macrium Reflect is another.

(Using Windows XP on computers connected to the Internet isn't recommended, even if they, for one reason or another, didn't get caught by one of the latest ransomware.)
Byelingual    When you speak two languages but start losing vocabulary in both of them.

viking33
PlatinumLounger
Posts: 5685
Joined: 24 Jan 2010, 19:16
Location: Cape Cod, Massachusetts,USA

Re: Protecting against ransomware

Post by viking33 »

silverback wrote: There's been a lot in the papers about ransomware recently. One article said it was vital that archives of personal files were taken so they could be restored in the event of an attack. I have, of course, always archived my files but was taken aback the other day when another article said that the latest ransomware was encrypting the master file table, which of course means that restoring personal files is useless.
What do I need to be doing to secure myself against ransomware? Do I need to take a complete copy of the hard disc and, if so, what software is required?
I'm still using Windows XP :love: so any software will have to run on that.

Many thanks
Silverback
I think the best way is to take a full image of your drives, using Acronis True Image or Shadow Protect or another. Keep the program itself on another media.
BOB
:massachusetts: :usa:
______________________________________

If I agreed with you we'd both be wrong.

stuck
Panoramic Lounger
Posts: 8160
Joined: 25 Jan 2010, 09:09
Location: retirement

Re: Protecting against ransomware

Post by stuck »

silverback wrote:...encrypting the master file table, which of course means that restoring personal files is useless...
How so? Surely if you did get caught and all you had was a (good/clean/safe) copy of your personal files then you could get back to where you were before the ransomware as follows:
1) nuke the HDD with DBAN, which would give you a completely clean slate
2) repartition & format the HDD
3) reinstall the OS
4) apply all the OS updates
5) restore your personal files

Ken

StuartR
Administrator
Posts: 12601
Joined: 16 Jan 2010, 15:49
Location: London, Europe

Re: Protecting against ransomware

Post by StuartR »

You missed a few steps Ken.

6) Reinstall all applications
7) Configure the operating system and applications the way you need them
StuartR


stuck
Panoramic Lounger
Posts: 8160
Joined: 25 Jan 2010, 09:09
Location: retirement

Re: Protecting against ransomware

Post by stuck »

StuartR wrote:You missed a few steps Ken...
Fair :cop: Gov' :grin:

Also, it would be tedious to have to resort to this procedure, especially compared to the already recommended method of restoring from a (clean) disk image. The only thing it has going for it is that it would get you out of a hole if all you had was a backup of your data files.

Ken

StuartR
Administrator
Posts: 12601
Joined: 16 Jan 2010, 15:49
Location: London, Europe

Re: Protecting against ransomware

Post by StuartR »

stuck wrote: Also, it would be tedious to have to resort to this procedure, especially compared to the already recommended method of restoring from a (clean) disk image. The only thing it has going for it is that it would get you out of a hole if all you had was a backup of your data files.
True
StuartR


ChrisGreaves
PlutoniumLounger
Posts: 15587
Joined: 24 Jan 2010, 23:23
Location: brings.slot.perky

Re: Protecting against ransomware

Post by ChrisGreaves »

Argus wrote:I'd assume that any kind of traditional backups of system disk and user data would work as long as they are stored offline, i.e. external backup media, external disks.
... although if I were nefarious, I'd encrypt the backups and then wait, say, two weeks before encrypting the main drive and asking for money.

I would imagine (although I'm sure that SUN Microsystems has a report on this) that 95% of the people who make regular backups do so on a weekly basis or more frequently than that.
(signed) "Nice Guy" of Toronto
There's nothing heavier than an empty water bottle

Argus
GoldLounger
Posts: 3081
Joined: 24 Jan 2010, 19:07

Re: Protecting against ransomware

Post by Argus »

Yabbut :grin: I don't think ransomware is the biggest potential problem on a PC running an OS that sees no security updates. When it strikes, yes, but there is lots of other malware out there.

I check my backups every now and then; it's not foolproof though, since "every now and then" is quite random (perhaps an advantage in this case). I guess the biggest uncertainty is probably getting the backup boot media to run without problems, malware or no malware.
Byelingual    When you speak two languages but start losing vocabulary in both of them.

stuck
Panoramic Lounger
Posts: 8160
Joined: 25 Jan 2010, 09:09
Location: retirement

Re: Protecting against ransomware

Post by stuck »

ChrisGreaves wrote:
Argus wrote:...stored offline, i.e. external backup media, external disks.
... although if I were nefarious...
How would you do that if the backups are off-line? Presumably by having your malware sit there, silently, waiting for the backups to be connected and then pounce? Meanwhile, the security conscious user that has their back-ups safe off-line is running a real-time malware checker, which finds and kills your malware...

Ken

ChrisGreaves
PlutoniumLounger
Posts: 15587
Joined: 24 Jan 2010, 23:23
Location: brings.slot.perky

Re: Protecting against ransomware

Post by ChrisGreaves »

stuck wrote:
ChrisGreaves wrote:
Argus wrote:...stored offline, i.e. external backup media, external disks.
... although if I were nefarious...
How would you do that if the backups are off-line? Presumably by having your malware sit there, silently, waiting for the backups to be connected and then pounce? Meanwhile, the security conscious user that has their back-ups safe off-line is running a real-time malware checker, which finds and kills your malware... Ken
Hi Ken.
I was thinking that I would make this a two-step process.

(1) Encrypt the backup drives, and decrypt them temporarily while the backups are being run.
If the user does not use/test the backups, they will not know that they are encrypted.
I suspect that the ransomware encryption is, or could be, a matter of scrambling a few essential pointers.
It would not be like the business of TrueCrypt encrypting an entire drive on-the-fly; it could be quite fast.

(2) After a two-week delay, encrypt the main drive and demand money.
The user builds a clean system, grabs the backup drives and discovers - TaDa! - that they too have been encrypted Lo! these past two weeks.

As for the user with a real-time malware checker, I suspect that ransomware preys on those who have no, or have ineffective malware checkers. A bit of a numbers game ...

Cheers
Chris
There's nothing heavier than an empty water bottle

StuartR
Administrator
Posts: 12601
Joined: 16 Jan 2010, 15:49
Location: London, Europe

Re: Protecting against ransomware

Post by StuartR »

One technique being used by malware right now is to encrypt your hard drive VERY slowly. A few files a day, over a period of weeks or even months. This can defeat even the best backup schedule.
StuartR


stuck
Panoramic Lounger
Posts: 8160
Joined: 25 Jan 2010, 09:09
Location: retirement

Re: Protecting against ransomware

Post by stuck »

ChrisGreaves wrote:...I suspect that ransomware preys on those who have no, or have ineffective malware checkers...
Aka 'ordinary' users, the vast majority who are NOT likely to have any sort of back-up regime, let alone an off-line one. So why go to all the effort of trying to ensnare the minority who have back-ups? Numbers game again.

Ken

ChrisGreaves
PlutoniumLounger
Posts: 15587
Joined: 24 Jan 2010, 23:23
Location: brings.slot.perky

Re: Protecting against ransomware

Post by ChrisGreaves »

StuartR wrote:One technique being used by malware right now is to encrypt your hard drive VERY slowly. A few files a day, over a period of weeks or even months. This can defeat even the best backup schedule.
Stuart:
Ooooh! I like the idea. I suppose that “very slowly” expressed as “a few files per day” is a more detailed technique than my “all the files then wait two weeks”. That is, both techniques depend on a time interval. It’s the granularity that could make the difference.
I say “could” because I can conceive that I may find that my Christmas letter of 2016 was corrupted and get to pull the Emergency Cord before my client files were corrupted. That is, the fine-grained daily approach may not snag the really important files after all.
Sun Microsystems surveyed file usage some 10? 15? years ago and found (I’m paraphrasing) that 95% of files were not accessed after seven days. I attended a presentation that described a three-tier system (online files, backed up to disk, backed up to tape) that exploited Sun’s study of file usage.
Cheers
Chris
There's nothing heavier than an empty water bottle

silverback
5StarLounger
Posts: 772
Joined: 29 Jan 2010, 13:30

Re: Protecting against ransomware

Post by silverback »

Gah! The problem with joining a forum with so many knowledgeable people is that answers tend to become discussions by proxy. I came to post thanks to Argus and Viking and found there's an enormous geek discussion going on. Right! Back to the simple people.
Argus and Viking : Many thanks. I have purchased a USB connected external disc (disk?) and downloaded AOMEI Backupper. I am now backing up images and system archives plus differential archives. Amazing what you can learn when people point you in the right direction.
Stuck : Thanks for your original posting but it's not a lot of use to people like me who do not have the OS discs; my computer (DELL) came with OS installed and no means of reinstalling.
As for the rest of you - in case they didn't know, you seem to be giving some very subversive ideas to these :censored: who start the ransomware blights. Can't you discuss these ideas in private? :sad:

Thanks to all who've contributed
Silverback
Tell me and I forget. Teach me and I remember. Involve me and I learn.
Benjamin Franklin

HansV
Administrator
Posts: 78402
Joined: 16 Jan 2010, 00:14
Status: Microsoft MVP
Location: Wageningen, The Netherlands

Re: Protecting against ransomware

Post by HansV »

silverback wrote:As for the rest of you - in case they didn't know, you seem to be giving some very subversive ideas to these :censored: who start the ransomware blights. Can't you discuss these ideas in private?
Do you really think the 'bad guys' won't have thought of tricks like that? Sadly, there are many really intelligent people in the malware business...
Best wishes,
Hans

ChrisGreaves
PlutoniumLounger
Posts: 15587
Joined: 24 Jan 2010, 23:23
Location: brings.slot.perky

Re: Protecting against ransomware

Post by ChrisGreaves »

HansV wrote:Do you really think the 'bad guys' won't have thought of tricks like that? Sadly, there are many really intelligent people in the malware business...
Now now, Hans. Don't get your back up ..... :flee: :evilgrin:
There's nothing heavier than an empty water bottle

StuartR
Administrator
Posts: 12601
Joined: 16 Jan 2010, 15:49
Location: London, Europe

Re: Protecting against ransomware

Post by StuartR »

Sadly, I learned my "tricks" from analysis of real incidents that have hurt real organizations.
StuartR


Argus
GoldLounger
Posts: 3081
Joined: 24 Jan 2010, 19:07

Re: Protecting against ransomware

Post by Argus »

silverback wrote: Gah! The problem with joining a forum with so many knowledgeable people is that answers tend to become discussions by proxy. I came to post thanks to Argus and Viking and found there's an enormous geek discussion going on. Right! Back to the simple people.
Before your comment I was just going to mention that, seen in so many forums; when the OP's away you can see all kinds of discussions. :grin:
silverback wrote: Argus and Viking : Many thanks. I have purchased a USB connected external disc (disk?) and downloaded AOMEI Backupper. I am now backing up images and system archives plus differential archives. Amazing what you can learn when people point you in the right direction.
I think there are several good backup programs; Bob mentioned some renowned ones; some are freeware with some limitations. I used the free version of Macrium Reflect several years ago, but switched to AOMEI Backupper when I built a new PC some years ago; mainly because of features at the time (incremental and differential backups etc.). They have now added more features.

As for the idea to slowly encrypt the hard drive; with backups stretching 2-3 years back it could be possible to restore quite a large percentage. :compute:
Byelingual    When you speak two languages but start losing vocabulary in both of them.

StuartR
Administrator
Posts: 12601
Joined: 16 Jan 2010, 15:49
Location: London, Europe

Re: Protecting against ransomware

Post by StuartR »

The biggest problem with the gradual encryption is the effort needed to work out which files were encrypted when
StuartR
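
Added example (not part of the thread, and not any poster's code): one way to work out which files were encrypted when, the problem raised in the last post for the slow-encryption scenario discussed above. It assumes each backup generation can be restored or mounted as a folder; the function names, the 7.5 bits-per-byte threshold and the sample files are assumptions made for this illustration.

```python
import hashlib, math, tempfile
from collections import Counter
from pathlib import Path

def entropy(data):
    """Shannon entropy in bits per byte; encrypted data sits close to 8."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def manifest(root):
    """Map each file's relative path to (SHA-256 hex digest, entropy)."""
    out = {}
    for p in Path(root).rglob("*"):
        if p.is_file():
            data = p.read_bytes()
            out[p.relative_to(root).as_posix()] = (hashlib.sha256(data).hexdigest(), entropy(data))
    return out

def last_clean(snapshots, threshold=7.5):
    """snapshots: [(label, folder)], oldest first. Returns
    {path: (last clean label, first suspect label)} for files whose content
    changed AND whose entropy jumped from below to above the threshold."""
    seen, suspect = {}, {}
    for label, root in snapshots:
        for path, (digest, ent) in manifest(root).items():
            old = seen.get(path)
            if old and digest != old[1] and old[2] < threshold <= ent:
                suspect.setdefault(path, (old[0], label))  # keep first sighting
            else:
                seen[path] = (label, digest, ent)  # newest known-good state
    return suspect

def demo():
    """Constructed sample data: three weekly snapshots in a temp folder."""
    plain = {"letter.txt": b"Dear all, merry Christmas 2016.\n" * 50,
             "clients.txt": b"Client A owes 100; client B owes 250.\n" * 50}
    # Deterministic high-entropy bytes standing in for an encrypted file.
    noise = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
    weeks = [("week1", set()), ("week2", {"letter.txt"}), ("week3", set(plain))]
    base, snaps = Path(tempfile.mkdtemp()), []
    for label, encrypted in weeks:
        root = base / label
        root.mkdir()
        for name, data in plain.items():
            (root / name).write_bytes(noise if name in encrypted else data)
        snaps.append((label, root))
    return last_clean(snaps)

if __name__ == "__main__":
    print(demo())
```

Files that are already compressed (zip, jpg) are high-entropy to begin with, so the entropy jump will not flag them; for those, compare digests against a known-good manifest kept offline.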