Spyware, Viruses, & Security forum

General discussion

Can my backup hard drives be affected by ransomware?

Can my backup hard drives be affected by ransomware?

With all the hacking and malware abound, I was wondering whether am I protected enough? I do not mean Norton or McAfee or ZoneLab. I have all my programs and immediately needed data on my solid state drive (C drive). All my work (relating to web design, graphics and photography) are stored on the second internal hard drive and on two external HDs I can switch off. I've read recently that some ransomware has coding in them so even if one pays, the ransomware is capable of locking the folders/files/data on those secondary drives and can even destroy the data in them. Question: Are are secondary hard drive and external drives safe? If not, how can I make them safe from ransomware? Thank you for your help.

--Submitted by Judit K.
Discussion is locked
You are posting a reply to: Can my backup hard drives be affected by ransomware?
The posting of advertisements, profanity, or personal attacks is prohibited. Please refer to our CNET Forums policies for details. All submitted content is subject to our Terms of Use.
Track this discussion and email me when there are updates

If you're asking for technical help, please be sure to include all your system info, including operating system, model number, and any other specifics related to the problem. Also please exercise your best judgment when posting in the forums--revealing personal information such as your e-mail address, telephone number, and address is not recommended.

You are reporting the following post: Can my backup hard drives be affected by ransomware?
This post has been flagged and will be reviewed by our staff. Thank you for helping us maintain CNET's great community.
Sorry, there was a problem flagging this post. Please try again now or at a later time.
If you believe this post is offensive or violates the CNET Forums' Usage policies, you can report it below (this will not automatically remove the post). Once reported, our moderators will be notified and the post will be reviewed.
Collapse -
"Secondary hard drives"

In reply to: Can my backup hard drives be affected by ransomware?

YES! nothing is safe at the moment. Malware is getting more invasive as time goes by. Read Carol's recent reports in "spyware and security".
Dafydd.

Edit by mod.

Post was last edited on November 20, 2015 5:01 PM PST

Collapse -
What about prevention?...

In reply to: "Secondary hard drives"

Like that provided by bleeping computer that is meant to prevent Cryptowall by using the crypto-prevent tool. Bleeping computer has a whole page showing how all these malware work, and exactly how to mitigate and fight most of them. In some cases it even is possible to decrypt some of the variants to save your data.

Collapse -
Generally, YES!

In reply to: Can my backup hard drives be affected by ransomware?

If a hacker can get onto your computer, they can generally do whatever they want to whatever drives they want. They can even format them!

Many of the early ransomware encryptors only affected .DOC files. The infection was fairly simple and, if they wanted a ransom to be paid, they had to make sure that they didn't do anything to your system files or the system won't boot at all.

Today, these hackers are a bit more sophisticated. The question is, will they just do your system drive or will they go after other drives as well? The answer is: "It depends." If you use a good backup program, the files on the backup device will probably have a completely different extension. For example, I'm using an older version of Nero Back-It-Up and the files have .NBA extensions. That doesn't mean that the hackers won't encrypt them, but it may make it less likely that they will do that. If you are just copying your files to external drives, they will still make a good target. I'd suggest finding good professional backup software, in any case.

Some suggestions:
1) Use removable media. Any drive that is usually external can be disconnected from the system after the backup. Use multiple media alternating.

2) In addition to using good backup software, you should keep your computer protected by using anti-malware (endpoint protection) software

3) FTPing files that are not private or confidential in nature can be made to the cloud. Make sure you don't send up files that a hacker has already encrypted. Always keep a few backups (grand-father, father, son,..). Sync is not a good idea if the hacked files replaces your good ones on backup.

4) Make a monthly backup to removable media and take that copy off-site it case of a fire or other natural disaster.

5) Know your data! What data can you afford to lose? What data is irreplaceable? Do you feel "lucky"?

6) Do you have enough media to replace your entire system? Hard drives can crash and, if you don't have installation media.

Post was last edited on December 4, 2015 11:19 AM PST

Collapse -
Recovering from ransom ware infection

In reply to: Generally, YES!

1. If I have a c drive that gets infected with ransom ware, can I remove that c drive and connect it via cable to a USB port of a second computer with out infecting the second computer?

2. Can I then rescue the user section of personal data (pictures, documents, etc.) for rebuilding purposes?

3. Can I then reformat the c drive and reload os and data and therefore wipe out the infection?

Thanks!

Collapse -
NO

In reply to: Recovering from ransom ware infection

All information is encrypted and the C drive is infected - you may be able t get rid of the infection, but the new variants may be able get even and destroy the data. Because you don't have the key, you still won't be able to access the files. Occasionally one gets lucky and the key can be determined if the crooks were careless - I would not count on it!

Collapse -
Agree

In reply to: NO

There are a few anti-malware sites that mainain lists of ransomware keys but I don't have the links at the tip of my fingers so you might have to search for them (sorry).

Collapse -
That's pretty much what I understand..

In reply to: Agree

I think if one started at bleepingcomputer(dot)com one could easily pickup the trail. I've seen some of the most extensive trials and tribulations on the subject over there. One can also get the CryptoPrevent download too. Thanks Hforman!

Collapse -
(NT) You're Welcome

In reply to: That's pretty much what I understand..

Collapse -
Answers

In reply to: Recovering from ransom ware infection

1. No - If ransomware encrypts your files, they will be encrypted no matter how you try to read the disk.
2. No - See #1 above - If your pictures, documents, etc. are, in fact, encrypted, you will have to find a key or some rescue method. This isn't about encrypting your system files or your computer might not boot and then there is no point paying a ransom. You have a backup for this stuff...correct?
3. It depends on if the computer is infected. Normally, ransomware doesn't infect anything; it just encrypts your files and then it is done. Of course, if it just changed your browser home page to point to their website, you can change that back without formatting. If this was a virus, it would be something else. Ransomware by using an anti-viral product that holds you for ransom is still difficult to clean but it can be done with patience and the use of safe mode. You'd use your a/v software to clean up. It can be difficult though.

Collapse -
Yes - No - Maybe

In reply to: Can my backup hard drives be affected by ransomware?

Ransomware can encrypt everything that is connected to a computer including external drives, pen drives and even cloud services. The important word here is "connected" ie through USB or Network. However | believe that what I do gives about the best protection possible.

I back up my system partition to a connected USB drive - this is permanently connected to allow for continuous back up and so I recognise that this back up would not be protected.

Depending on how much I have used my computer I also run a system and data back up to a large external drive about once a week - this drive is stored away from the computer and not connected to, computer or power other than during the back up process. Whenever I run this extra back up my computer is disconnected from the internet to avoid any risk of something infecting it, I also run a full virus scan before each of these updates. If my computer becomes infected by ransomware then I would simply wipe all of internal drives and my standard back up drive before rebuilding from the "safe" external back up.

For my purposes I have now increased the interval between extra back ups to once a month because since retirement I have decided I could afford to lose up to a months data but each users needs will differ.

My operating system including programmes are all on one SSD with data spread across two large drives. On the odd occasion when I have suspected any virus activity I wipe the SSD drive and restore it from the system image using the WinPE restore CD and in a couple of hours my system is back up and working with all software. I have found this takes far less time than trying to clear an infection.

Is all this 100% - well of course not but it is about as close as I feel I can get without looking at very expensive solutions

Collapse -
Can a malware affect an unmounted drive?

In reply to: Yes - No - Maybe

Can a malware affect an unmounted drive?
I'm using Acronis to back up my system, it allows me to run pre-backup command and post-backup command.
So what I´ve being thinking is to mount the drive only when the backup task is going to run, and then unmount immediately it after the backup finishes.

Collapse -
Given how nasty these apps can be.

In reply to: Can a malware affect an unmounted drive?

I would not trust it given the nasties out there.

Collapse -
Someone asked how.

In reply to: Given how nasty these apps can be.

Simple, call the OS to write a sector on the unmounted drive. You don't need it mounted to read and write sectors, just connected.

Collapse -
If It is Mountable

In reply to: Can a malware affect an unmounted drive?

As Bob said, you can never know these days. But think about this: if YOU can mount the drive maybe someone else can, plus a lot can happen while you are in the middle of your backup with the drives mounted. I would not be surprised if people are backing up files that have already been modified by malware or ransomware. It always is best to have many archives and not just ONE backup of the file. Grandfather, father, son,....

Collapse -
During the time it is mounted, it is vulnerable

In reply to: Can a malware affect an unmounted drive?

As Hforman said, during the backup, the malware will be attacking it. It will not be polite and wait for you to finish your backup.

Also, by that time, you're backing up encrypted files, anyway. Make sure you have multiple copies that go back for a couple of weeks, so that you can grab older copies if the current backups are already corrupt.

Collapse -
Thanks

In reply to: During the time it is mounted, it is vulnerable

Thanks for your answers. Good to know that any device attached to a PC or connected to the network will be vulnerable to the attack. So, Il'l keep a backup drive physically unplugged from the PC and be sure to check if the system has been infected before plugging any storage drive. Thanks again.

Collapse -
It's getting bad. Crytowall 3.0 is out. And

In reply to: Can my backup hard drives be affected by ransomware?

http://krebsonsecurity.com/tag/cryptowall/ for more but most of the time it's something we do to install the bad thing. That is, the MOST INTERESTING INFECTIONS I SEE TODAY are on client PCs that torrent. Second in line are those that download from any site.

-> All your work may be small enough to fit on a few memory sticks? I know my photo collection is on a 32GB drive which is updated and well, my backup plan is a multi layered system of USB HDDs, memory sticks, Dropbox and every few months set of DVDs for the photo collection. DVD media is cheap and will survive a major wipeout if that ever happened.
Collapse -
Remote access and anti-malware

In reply to: Can my backup hard drives be affected by ransomware?

The first thing to do is disable remote access to your computer. Open "Control Panel" , select "Administrative Tools", open "Services" and expand to full screen.

Select these entries in turn, and right click them; select "properties" and set to Disabled.

1) Remote Registry
2) Remote Packet Capture Protocol
3) Routing and Remote Access

Set "Remote Desktop Services" to Manual.
Return to control panel and select "System" . Select "Remote Settings", and uncheck the box "Allow Remote Assistance connections to this computer" .

Below that, in Remote Desktop, select "Don't allow connections to this computer" .

Now you need a good anti-malware program. Download and install" Malwarebytes Anti-Malware" , and also get their Anti-Exploit. It is worth getting the paid version.
I also recommend " Zemana AntiLogger", again, the paid version.
You mention Norton and McAfee; if you already have them, get rid of them. Both are resource hogs and neither are reliable. There are tools available to eliminate them completely from your system as they are persistent and notoriously difficult to uninstall.
Browser :- For 64 bit systems I would recommend "Cyberfox"

Hope that helps.

Post was last edited on December 4, 2015 1:13 PM PST

Collapse -
I never pay for anti-keyligging.

In reply to: Remote access and anti-malware

You can prevent screen capture and keylogging in an SSL session completely with IBM's end point security product that is free called Rapport. It is the only one I've tested that prevents all six points of the anti-keylogger test kit. AKLT.

KeyScrambler is sufficient and free as well See CNET reviews.

Collapse -
First protect yourself and then have a backup

In reply to: Can my backup hard drives be affected by ransomware?

First prevent any attack from happening. It might be a good idea to open emails in a virtual machine . Any file that I'm using immediately I store on a cloud service like Dropbox. I have never had a ransomware problem, but I imagine that you can restore to a previous file in Dropbox. All other files that I'm not working on get stored on a different hard drive which gets backed off to an offline hard drive once a week. Therefore if I get hit by ransomware, I will just wipe the hard drive and restore the operating system and then connect the offline drive. When you get hit with ransomware, do not connect an external drive. Wait until your system is clean. Don't pay these guys, it will only encourage them to continue.

Collapse -
Dropbox

In reply to: First protect yourself and then have a backup

"...but I imagine that you can restore to a previous file in Dropbox" Dropbox syncs folders and files on your pc with copies in the cloud. Infected files would be synced also. And if you use Dropbox on multiple pc's, I would thing they would all be vulnerable.

Collapse -
Is their service that good?

In reply to: Dropbox

I can't imagine trying to get Dropbox to restore from backup, but maybe the user can do it from their end? Plus, I wonder how you determine the infection date? The newer variants lurk in the files for a while before setting off and starting the attack. How far back is the infection resident, is my point I'm trying to make. It seems to me using cryptoprevent posted elsewhere here is part of the answer too.

Collapse -
History of the Infection

In reply to: Is their service that good?

What you say is important. With any backup scheme, you should always consider how far back in time you can go. It is NOT just about restoring the HDD after it gets wiped or destroyed. It may be for restoring files that you didn't know were deleted or messed-up in some way. As for Dropbox, I say this about ANY online service: Please read the Terms of Service and the Privacy Policy in case they want to use your data for their own reasons, such as, advertising.

Collapse -
Dropbox has versioning

In reply to: Dropbox

That's not quite correct. Yes Dropbox does sync live. However dropbox provides versioning so even if all your dropbox fiules get encrypted, you can restore them all to a previous version.

Not only that, dropbox will email you if a large number of files are deleted or changed in one go.

Collapse -
Backup plan

In reply to: Can my backup hard drives be affected by ransomware?

Hello there,

Firstly yes if ransomware gets active on your PC/Laptop all currently connected drives and the data on them are endangered!
So to prevent the loss of work data, precious memories and other important data, you have to follow a strict backup and disaster recovery plan.
But that is now something everyone can and will tell you his own opinions regarding this matter.
So here are some best practices you can adapt to your situation.
- create a backup time plan and an accordingly backup strategy
    examples:
    --- a weekly complete backup and 6 daily incremental backups
    --- a monthly complete backup and 3 weekly incremental backup
    --- something in between the aforementioned strategies, it really depends on your data and how valuable you see them
    --- just backup all datafiles / pictures on multiple drives / usbsticks /cloud  (this is probably             how you are currently back up your data and it is also fine, like I said it depends)
- keep an offline backup (one or more) outside your house, this also takes care of unforeseen disasters like fire, flooding and so on

How to prevent ransomware destroying your hard work:
First and foremost use an restricted user account it's easier for malware to infect your system when it has admin rights
keep your antivirus software / OS up to date
don't open unknown attachments - NEVER!
optionally keep yourself informed about security related questions like forums on cnet Wink  or sites like secunia, cve, cert but these get very technical and are not for the faint of heart.

You can use a 'virtual' OS / sandbox to access your mails and confirm their harmlessness
you can use for example sandboxie to prevent mails that start programs messing up with your system or for a more complete system encapsulation use your OS inside VirtualBox, VMWare etc. nothing that happens inside should affect your real system.

Disaster recovery:
You secured your system but somehow malware/ransomware did its job
First don't panic!
If you registered the emerging risk early on you can check the Internet for solutions / kill the program before it completes its evil work
if your drive got encrypted and the system is beyond usability, wipe clean the disks and restore your last backups / reinstall your OS and copy back the files
depending on your backup strategy you lose a day's work but that is still better then complete loss of all files and paying the blackmailer

Please take all advice with a grain of salt as 100% security can and will never be achieved, it's just on us to strike a compromise between comfort ans security

I hope I could help you 
So long
RJ

Collapse -
Well done

In reply to: Backup plan

Excellent post. I wish image backups were made more accessible to basic users rather than file based backups which are extremely susceptible to these attacks now that the playing field has changed so much in the past 2 years.

Collapse -
I use a cloud backup service

In reply to: Can my backup hard drives be affected by ransomware?

In a nutshell, if you can see the drive in the left pane of Windows Explorer, then it's vulnerable to ransomware. So, that includes secondary internal drives, external USB hard drives, external ESATA drives, thumbdrives, network drives, and even FTP sites that you used Explorer to log in to. Also, even if you just plug in an external drive for a few minutes, to back up to, the ransomware can see this and might immediately start scanning it for files to encrypt.

I've spelled out my backup strategy in the past. The short version is:

I have a NAS that I back up to locally, for speed. This drive *is* vulnerable to ransomware.

Therefore, I also have a subscription with a cloud backup service. There are a few that are well-regarded, such as Backblaze and Carbonite. I chose Crashplan, because I edit amateur sports videos, which are bulky. Crashplan was the most economical for that kind of bulk.

Dropbox, and I think most of the other cloud drive services keep multiple versions of files stored there. So, you could get at a version of the file from prior to the ransomware encryption. But, those services tend to not be economical for full backups.

Drake Christensen

Collapse -
Can my backup hard drives be affected by ransomware?

In reply to: Can my backup hard drives be affected by ransomware?

YES !!! Of course they can, if they are plugged into your USB port. Once you are finished with your external drive, unplug it. I keep all the information and files I would not want hijacked on an external drive. I scan it sometimes too, even for that short time that I have it plugged in with Hitman, MalwareBytes, and or Norton, nothing is safe !!!

Collapse -
Mac OS Update wiped out back up via wireless. Have no idea

In reply to: Can my backup hard drives be affected by ransomware?

Updated OS on Mac Pro laptop... Left my wireless back up completely blank. Have no idea how this happened. 2 years ago.

Collapse -
Yes. But there are exceptions

In reply to: Can my backup hard drives be affected by ransomware?

The key way to avoid ransom ware destruction of data, I have found, is to have image backups created incrementally across a network. Using a NAS such as a synology or a QNAP and software like veeam(virtual machines)or shadow protect (physical) you can create daily reverse incremental backups that you can granularly restore from.
But you must maintain these resources without having any computers directly mapped to them using it as a drive. Ransomware, depending on the Strain will attack everything it has direct permissible access to from the infected machine. This does not, with current strains, affect network resources not connected as a mapped drive or cloud file storage(Dropbox, box, one drive etc.)
That being said having a image type of backup especially when utilizing cloud file storage is a must since most of the restore functions rely on file name to track changes. In the case of Dropbox being infected by cryptowall, which encrypts file names, you have no reference for what files are now encrypted with out a side by side comparison pre infection. This I highly recommend image based daily backups of computers with full access to the cloud storage to maintain continuity in the event of any infection.

Popular Forums

icon
Computer Newbies 10,686 discussions
icon
Computer Help 54,365 discussions
icon
Laptops 21,181 discussions
icon
Networking & Wireless 16,313 discussions
icon
Phones 17,137 discussions
icon
Security 31,287 discussions
icon
TVs & Home Theaters 22,101 discussions
icon
Windows 7 8,164 discussions
icon
Windows 10 2,657 discussions

SMART HOME

This one tip will help you sleep better tonight

A few seconds are all you need to get a better night's rest.