December 15, 2016

I didn't want to title this thread ransomware protection, because I am interested in what can be done to recover after the event. True, the actions are taken before the event, but they do not stop the event. Yeah, I am talking backups. Specifically, offline backups, as online backups are likely to be impacted. This eWeek article indicates a large majority pay the ransom. This will continue to fund more events.

First, let me cover the basics.

[u][b]You need a backup[/b][/u]

Sounds simple enough, but let's not ask for a show of hands of who has a less than 10 day old backup of everything. And don't forget this backup needs to be offline, meaning it has to be rather complicated to restore from. Some will jump in and say this easy to use software does the trick, and they might be correct, but anything with mapped drives or mounts, etc., will not survive.

Ransomware is successful, and it is evolving. This extremely elegant plugin blocks ransomware from getting too far into data stored on the array. Since this reacts to damage done, cleanup is necessary. It is the cleanup (and being prepared to do the cleanup) that I am looking for input on.

Here is a scenario: from time to time I click on stuff, my friend clicks on stuff, email attachments, links to interesting photos. You know, things none of us would ever do. The result: a call for help, tears, promises, etc. From the recent article, this also includes making payment to criminals. I'd rather not do that. I'd rather have the backup, which is also useful in the event of fire, or drink spill, or drop. But most backups leave a lot of work to be done. First the OS needs to be installed and in many cases the applications, then the restore software, then the data can be restored. This other article talks about system image backups, but keeps mentioning the image is stored on a local filesystem (mounted external/NAS drive, etc.). These will be targeted by ransomware.

Acronis has a cloud option, but it is their cloud, which means monthly charges (like $249/month for 5TB, yikes). Know of any system image backup to standard S3? Acronis kind of promised this in version 12, but it is missing.
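The post above describes a plugin that "reacts to damage done" on the array. One common way to build that kind of reaction is bait files: plant files no legitimate process should ever touch, and pull the share offline the moment one is modified, renamed or deleted. The following is an added example, not part of the original post and not the plugin's code; that the plugin works this way is an assumption, as are the file names and the `stop_share` callback.

```python
"""Bait-file ("canary") detection for a file share.
Added example, not the plugin's code; the bait-file approach is an assumption
about how "react to damage done" detection is built, not taken from the thread."""
import hashlib
import tempfile
from pathlib import Path
from typing import Callable, Dict, List, Tuple

# Names chosen to sort first so an alphabetical encryption sweep hits them early.
CANARY_NAMES = ["!000_canary.docx", "!000_canary.jpg", "!000_canary.xlsx"]
CANARY_PAYLOAD = b"canary file: never edit, rename or delete\n"


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def plant_canaries(share: Path) -> Dict[str, str]:
    """Write the bait files and return the expected name -> SHA-256 map."""
    expected = {}
    for name in CANARY_NAMES:
        (share / name).write_bytes(CANARY_PAYLOAD)
        expected[name] = digest(CANARY_PAYLOAD)
    return expected


def check_canaries(share: Path, expected: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (name, reason) for every canary that is missing, renamed or modified."""
    alerts = []
    present = {p.name for p in share.iterdir()}
    for name, want in expected.items():
        path = share / name
        if not path.exists():
            # Many families rename victims in place, e.g. report.docx -> report.docx.locked
            renamed = sorted(n for n in present if n.startswith(name))
            reason = f"renamed to {renamed[0]}" if renamed else "deleted"
            alerts.append((name, reason))
        elif digest(path.read_bytes()) != want:
            alerts.append((name, "content changed"))
    return alerts


def respond(alerts: List[Tuple[str, str]], stop_share: Callable[[], None]) -> bool:
    """Pull the share offline on the first alert; cleanup from backups comes afterwards."""
    if alerts:
        stop_share()  # hypothetical hook, e.g. disable the SMB export
        return True
    return False


def demo() -> dict:
    """Constructed scenario: a clean check, then a simulated encryption sweep."""
    share = Path(tempfile.mkdtemp())
    expected = plant_canaries(share)
    clean = check_canaries(share, expected)
    # Simulate ransomware: overwrite one bait file, rename another, delete the third.
    (share / "!000_canary.docx").write_bytes(b"\x00\x11\x22ciphertext")
    (share / "!000_canary.jpg").rename(share / "!000_canary.jpg.locked")
    (share / "!000_canary.xlsx").unlink()
    hit = check_canaries(share, expected)
    stopped = []
    tripped = respond(hit, lambda: stopped.append("smb"))
    return {"clean": clean, "alerts": sorted(hit), "tripped": tripped, "stopped": stopped}
```

Because detection only fires after the first files are damaged, the canaries cut the blast radius but never remove the need for the backups and cleanup the post is asking about.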
December 15, 2016

The most effective strategy I have found in combating ransomware is a combination of the 3-2-1 backup rule and defence in depth. So far it has worked to protect my customers, but I am always wary that something will get through because, as you say, ransomware is evolving.

In a corporate environment, most of my customers use VMware; to back up their virtual machines I use Veeam, which does full image backups. These backups are stored online, on a separate server under a unique account not used anywhere else, and there are no shares to this server. Virtual machines are also replicated to a different host.

All email is filtered through a cloud service that scans and blocks offending and suspicious attachments or those that fall under predefined rules (e.g. .js, .docm, .wsf, etc.). Further, all my customers' firewalls scan attachments and sandbox them before releasing them, antivirus is installed everywhere, and users are informed and educated on how to handle suspicious emails as much as possible. Finally, CryptoPrevent is installed at the workstation level to hinder crypto malware infections. Nothing is foolproof; you do what you can and stay as informed about new and emerging threats as much as you can.

As for an environment running unRAID, don't have open shares, and have backups of everything on a separate disk or server under a different account not shared out on the network. In terms of recovery, restore from image-based backups is the quickest, but don't forget to test your backups regularly.
December 15, 2016

Backup versioning should be a major concern, IMO. Time to recognition of the ransomware event is variable: you can't be sure that you will recognize the event and begin mitigation before your next backup kicks off. If you only have a single backup version you could overwrite your backup with ransomed files. Even with a strong 3-2-1 strategy you could overwrite your most current backup and be forced to restore older offsite files.

I'm still working on my own strategy for this. I haven't settled on a solution I'm comfortable with since my old Cobian backup days. I think a solution with CrashPlan probably solves for this, but I'd like a more open solution if I can find one.
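The versioning concern in the post above (a scheduled backup that runs after the infection and overwrites the only clean copy) is addressed by append-only snapshots: every run writes a new dated directory and files unchanged since the last run are hard-linked instead of copied, which is the rsync `--link-dest` / rsnapshot idea. The following is an added example that is not part of the original post and is not Cobian, CrashPlan or Veeam code; the snapshot layout, the size-plus-mtime "unchanged" test and the constructed scenario in `demo()` are this example's own choices.

```python
"""Append-only, versioned snapshots with hard links for unchanged files.
Added example, not the code of any product named in the thread."""
import os
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import List, Optional


def unchanged(src: Path, prev: Path) -> bool:
    """rsync-style quick check: same size and same mtime (ns). An encrypted
    replacement changes at least one of these; use a checksum if you distrust mtime."""
    if not prev.is_file():
        return False
    a, b = src.stat(), prev.stat()
    return a.st_size == b.st_size and a.st_mtime_ns == b.st_mtime_ns


def take_snapshot(source: Path, dest_root: Path, label: Optional[str] = None) -> Path:
    """Copy `source` into dest_root/<label>; link unchanged files from the newest snapshot."""
    dest_root.mkdir(parents=True, exist_ok=True)
    existing = sorted(p for p in dest_root.iterdir() if p.is_dir())
    previous = existing[-1] if existing else None
    target = dest_root / (label or datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ"))
    if target.exists():
        raise FileExistsError(f"{target} exists; snapshots are never overwritten")
    for dirpath, _, filenames in os.walk(source):
        rel = Path(dirpath).relative_to(source)
        (target / rel).mkdir(parents=True, exist_ok=True)
        for name in filenames:
            src, dst = Path(dirpath) / name, target / rel / name
            prev = previous / rel / name if previous else None
            if prev is not None and unchanged(src, prev):
                os.link(prev, dst)       # same inode as the older snapshot: no extra space
            else:
                shutil.copy2(src, dst)   # changed or new: fresh copy, old version stays put
    return target


def prune(dest_root: Path, keep: int) -> List[Path]:
    """Drop the oldest snapshots beyond `keep`; hard-linked data survives while any
    remaining snapshot references it. `keep` must exceed your detection window."""
    snapshots = sorted(p for p in dest_root.iterdir() if p.is_dir())
    excess = snapshots[: max(0, len(snapshots) - keep)]
    for snap in excess:
        shutil.rmtree(snap)
    return excess


def demo() -> dict:
    """Constructed scenario: clean snapshot, files get encrypted, the next run fires anyway."""
    root = Path(tempfile.mkdtemp())
    src, dst = root / "share", root / "backups"
    src.mkdir()
    (src / "report.docx").write_bytes(b"quarterly numbers")
    (src / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0 jpeg bytes")
    s1 = take_snapshot(src, dst, "20161215T0100Z")
    # Ransomware hits before anyone notices; the scheduled backup still runs.
    (src / "report.docx").write_bytes(b"ENCRYPTED:" + b"\x7f" * 40)
    s2 = take_snapshot(src, dst, "20161215T0200Z")
    clean_copy = (s1 / "report.docx").read_bytes()     # older snapshot is untouched
    latest_copy = (s2 / "report.docx").read_bytes()    # newest snapshot holds the ciphertext
    linked = os.stat(s1 / "photo.jpg").st_ino == os.stat(s2 / "photo.jpg").st_ino
    removed = prune(dst, keep=1)                         # retention smaller than the detection window loses s1
    return {
        "clean_copy": clean_copy,
        "latest_copy": latest_copy,
        "photo_hardlinked": linked,
        "pruned": [p.name for p in removed],
        "photo_after_prune": (s2 / "photo.jpg").read_bytes(),
    }
```

The backup destination still has to live where the infected workstation cannot write (a separate account and no open share, as the earlier reply recommends); versioning protects against the scheduler, not against the malware reaching the snapshot tree directly.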
December 15, 2016

I have several things in play to help recognize ransomware infections, but you are right, there is always going to be some period of time between the initial infection and its being recognized and contained. In some cases virtual machines are replicated every half hour or every hour; this mitigates excessive data loss, but yes, there will be some.