
Can my backup hard drives be affected by ransomware?

Nov 20, 2015 4:46PM PST

With all the hacking and malware abound, I was wondering whether I am protected enough. I do not mean Norton or McAfee or ZoneLab. I have all my programs and immediately needed data on my solid state drive (C drive). All my work (relating to web design, graphics and photography) is stored on the second internal hard drive and on two external HDs I can switch off. I've read recently that some ransomware has coding in it so even if one pays, the ransomware is capable of locking the folders/files/data on those secondary drives and can even destroy the data in them. Question: Are my secondary hard drive and external drives safe? If not, how can I make them safe from ransomware? Thank you for your help.

--Submitted by Judit K.


Has Anyone Actually Paid the Ransom Fee?
Dec 4, 2015 6:53PM PST

Sadly while I was at my church office a few weeks ago an email arrived from the website company who hosts our website which I administer.
I got sloppy and didn't copy the address, paste into notepad to see the entire url, and clicked on the link.
BOOM.......it was ransomware which, before I could barely react, encrypted the entire hard drive INCLUDING backups, emails, everything with text.
We run a proprietary program which is the record keeping system for all our members which, somehow, escaped encryption (I had an 11 month old backup off site) but wouldn't have been the end of the world. Just curious it wasn't hacked as well.
I had recently updated that computer to WIN 10 and had an idea to check the windows.old folder but, sure as heck, THAT had been encrypted as well.
The ransom was $700 in bitcoin but that was NOT going to happen so I did a square one re-install of WIN 10 which included a thorough hdd format.
Has anyone actually PAID the ransom?
What assurance is there they wouldn't pull it off again?

Paid Ransoms
Mar 2, 2016 3:21PM PST

We recently had a ransomware episode in California where a medical facility had their entire bunch of systems encrypted. Unfortunately, this included critical systems where patients were undergoing surgery at the time (bad design?) Due to time constraints, they did pay the ransom and got their systems unlocked.
There is no insurance that they would not "pull it off again" (maybe if a warranty came with the unlock keys). There is an issue that, if the system could not be unlocked and word spread about this one specific instance, not too many will pay the ransom. As for getting the thing again.. well, if you got it the first time, I guess you can run the same program you ran the first time and get the infection a second time. Would the same keys work to unlock the system? Don't know.

Get a second computer for Internet use.
Dec 4, 2015 8:01PM PST

It sounds like you earn your living as a web designer. Buy an inexpensive Chromebook or laptop for everything you do on the Internet and disconnect the "work computer" from the Internet.
Problem solved, no internet access on the work computer, no "ransomware"!

MAYBE the ransomware only hijacked your browser!
Dec 4, 2015 8:54PM PST

Several months ago, my monitor flashed up a ransomware screen, and I panicked and unplugged the PC. Took me 2 days to reformat and rebuild the main hard drive.

The next time it happened, I ignored it: I tried another browser and everything seemed OK, so I went into my usual browser and reset the default home screen.

Ransomware was GONE! Hasn't happened since.

Using Mozilla Firefox as main browser and Avira Anti-virus.

might just be sitting there
Dec 4, 2015 9:48PM PST

though you may think you are clean, you really need to go to one of those websites that checks for malware and have them check a few logs for you to make sure you are clean. ransomware does not always immediately activate. sometimes it is just sitting there waiting. Also, who knows what else may have been uploaded to your computer that may currently be collecting info about you.

see the following and scroll down to mitigation.

https://en.wikipedia.org/wiki/Ransomware

a couple of sites that will check your logs for malware are - just post in their malware section.

http://www.techsupportforum.com/
http://www.bleepingcomputer.com/forums/

Another suggestion..
Dec 9, 2015 1:11PM PST

If this were truly a fake alert, you could get away with closing the browser and running CCleaner, properly configured to delete all temporary files and hopefully startup injections too. I've defeated many an attack of such malware that way. I run as a limited user, so unless there is a vulnerability in an application or the operating system they won't be able to take over the computer - however, if a limited user can encrypt his files, then chances are a truly dangerous cryptolocker malware could do it too. It never hurts to hit Ctrl-Alt-Del, and end all desktop processes with Task Manager, clean with CCleaner, and re-boot and pray. Disconnecting the Ethernet or booting to safe mode with no networking could help mitigate this, if the malware is not too sophisticated. CryptoPrevent at bleepingcomputer could prevent the whole mess in the first place.

As an alternative to safe mode, one could run a rescue disc like Kaspersky's Rescue Disc 10 and blow the malware out of the water before it can do more damage. You would have to reconnect the Ethernet so the rescue process could update - it is doubtful the malware could re-activate in this environment, so I assume it is safe to try. If things have already taken place, and your files have been encrypted; this won't help that at all. You would either have to follow the disaster recovery sections on this from bleepingcomputer(dot)com or wipe and reinstall the operating system and restore from backup - hopefully a backup that is not also infected.

Another Thing
Mar 2, 2016 3:23PM PST

It could just be a matter of the home page being changed.

Good point..
Mar 3, 2016 8:38PM PST

Always think of the simple solutions first. I tend to over complicate things and I have to push myself to the discipline of KISS - and I'm sure we all know what that acronym means!

Thank you for all the advice
Dec 4, 2015 11:32PM PST

Many thanks to all!

In summary:

1. Have a backup regime with frequency dependent upon nature and quantity of valuable data
2. Clean before backup
3. Disconnect from the internet while backup to removable storage
4. Disconnect backup drives other times

Multiple leyers of security and backup are needed
Dec 5, 2015 3:01AM PST

In addition to a standard anti-malware program, other precautions need to be taken. I've installed FoolishIt's Cryptoprevent Pro and Malwarebyte's Anti-Exploit Pro which run in background. For good measure, I also run Malwarebyte's Anti Malware periodically. My prime anti-malware program is Webroot SecureAnywhere. I also keep Windows and software up to date. A nice (free) program is File Hippo's app manager. Qualy's Browser Checker is also very good at keeping your browsers clean.

I run a two stage backup using Easeus Todo backup software. A free version is available, BTW. First I do a daily automatic backup to a second internal hard drive. Then, every two or three days, I run Bleeping Computer's ListCRIlock which searches for encrypted files. This takes only a second or two. After being assured that my computer is free of ransomware, I connect an external hard drive and copy over the backed up files. In addition, about once a quarter, I make a full backup to a portable drive and place it in a bank safe deposit box.

Should recovery to an infected or crashed drive ever be needed, I boot up from a recovery disk created by Easeus todo and select the level of backup that I want to use. The recovery process wipes the drive being recovered.
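The scan step in the post above (check for encrypted files before copying the daily backup over to the external drive) can be scripted. The following is an added example, not ListCRIlock and not code from anyone in this thread: it flags files whose magic bytes no longer match their extension, or whose bytes look random, and builds its own constructed sample folder so it runs offline. The file-type table, the entropy threshold and the minimum size are assumptions chosen for the demonstration.

```python
"""Pre-backup sweep for files that look encrypted (added example, not ListCRIlock).

Two cheap signals that a ransomware process has overwritten a file:
  1. the magic bytes at the start no longer match the file's extension, and
  2. the bytes have near-maximum Shannon entropy (they look random).
Plain text and source have low entropy; JPEG/PNG/ZIP are high-entropy by
nature but keep their magic bytes, so the table below is checked first.
"""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path
from typing import List, Optional, Tuple

# Assumed extension -> magic-byte table; extend it for the file types you keep.
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".pdf": (b"%PDF-",),
    ".zip": (b"PK\x03\x04",),
    ".docx": (b"PK\x03\x04",),
}
ENTROPY_THRESHOLD = 7.5   # bits per byte; random bytes sit near 8.0 (assumed cut-off)
MIN_SIZE = 256            # entropy of a tiny file says nothing, so skip it
SAMPLE_BYTES = 65536      # read only the head of large files


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the given buffer (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(path: Path) -> Optional[str]:
    """Return why the file looks encrypted, or None if it looks healthy."""
    with open(path, "rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    if len(head) < MIN_SIZE:
        return None
    ext = path.suffix.lower()
    if ext in MAGIC:
        if any(head.startswith(m) for m in MAGIC[ext]):
            return None                      # header intact; high entropy is normal here
        return f"magic bytes do not match {ext}"
    ent = shannon_entropy(head)
    if ent > ENTROPY_THRESHOLD:
        return f"entropy {ent:.2f} bits/byte looks random"
    return None


def scan_tree(root: Path) -> List[Tuple[str, str]]:
    """Walk `root` and return (relative path, reason) for every suspicious file."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            reason = classify(p)
            if reason:
                hits.append((str(p.relative_to(root)), reason))
    return sorted(hits)


def demo() -> List[Tuple[str, str]]:
    """Build a constructed sample tree and scan it; returns the flagged files."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0" + os.urandom(4096))  # healthy JPEG-like
        (root / "notes.txt").write_text("meeting notes for the site redesign\n" * 40)
        (root / "photo2.jpg").write_bytes(os.urandom(4096))           # JPEG header gone
        (root / "invoice.docx.locked").write_bytes(os.urandom(4096))  # renamed and scrambled
        return scan_tree(root)


if __name__ == "__main__":
    for rel, why in demo():
        print(f"SUSPICIOUS {rel}: {why}")
```

Point `scan_tree` at the folder you are about to copy to the external drive and refuse to plug the drive in if it reports anything. The check is a heuristic: an archive format missing from the table will be reported as random-looking, and a file that was encrypted but kept its first few bytes would slip through, so treat a clean result as one more signal, not proof.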

Appologies For The Title Typo :-(
Dec 5, 2015 3:26AM PST

I knew I shouldn't have posted this early in the morning and I do know how to spell 'layers'. Hopefully, CNET will someday add a post posting editing capability.

Apologies, that is.
Dec 5, 2015 3:30AM PST

I guess we've all become just too dependent on spell check which doesn't apply to titles here.

Allow me..
Dec 7, 2015 10:05AM PST

to confirm your name for the crypto-prevent utility; many people are put off by that developer name, but it is genuine and considered the industry standard for ransom-ware prevention. It can be found on bleepingcomputer(dot)com

Bad Service
Mar 2, 2016 12:46PM PST

Had a lot of trouble getting in touch with anyone at DropBox for Customer Support. My entire account was hacked and was unable to get my documents back, and no luck getting in touch with DropBox Support.

There are ways
Dec 5, 2015 5:11AM PST

The biggest problem with backing up everything is these days we could be talking several terabytes and backing up that much data is not only near impossible on a home system but expensive.
Even using a cloud service it would take weeks to upload that much data.
The first rule with these random blackmailers is that they use either suspicious and dubious web sites, illegal share sites, porn sites, Usenet or bogus emails to infect. Simply do not go to any of these places. Never ever open an email attachment unless you are 100% sure where it came from. If you suspect something, use your email client to check the properties of the email and trace its origin. Check the sender's name and then do a whois check. That can tell you a lot about the origin.

I am no genius and have had a ransom demand once. It only affected JPG files, which fortunately had an off line backup. Since then I have not had a virus, malware or any other problems.
Another trick is connecting external drives via a passworded network meaning if you need to access an external drive it will demand a password. At least then only the system drive needs to be backed up.
There are ways to stop these people in their tracks. Most require expert help to make your system virtually hack proof.
By the way I use Ashampoo anti virus from Ashampoo.com which has two engines, Emsisoft and anti malware leader Bitdefender, and it updates every hour.
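The header check the post above recommends (open the email's properties, find where it really came from, then whois that) can be done with Python's standard email module. What follows is an added example on a constructed message, not code from this thread: it reads the Received: chain back to the earliest hop and compares the visible From: domain with the Return-Path and Message-ID domains. Host names use example domains and the IP addresses are reserved documentation ranges; the whois lookup itself is left to the reader.

```python
"""Tracing where a suspicious email came from (added example, constructed message).

Each mail server that handles a message prepends its own Received: header,
so the topmost is the server nearest to you and the bottom one is the
earliest hop. The From: line is free text chosen by the sender; the
Return-Path and the earliest Received hop are harder to dress up, so a
mismatch between them is a useful warning sign before any link is clicked.
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from typing import Dict, List, Tuple

# Constructed sample: a "web host" notice whose envelope and first hop do
# not belong to the host it claims to be from. Addresses use reserved
# documentation ranges (192.0.2.0/24, 203.0.113.0/24) and example domains.
RAW_MESSAGE = """\
Return-Path: <billing@mail-updates.example.net>
Received: from mx1.example.org (mx1.example.org [192.0.2.10])
\tby inbox.example.org with ESMTP id 7f3a21; Thu, 3 Dec 2015 10:11:12 +0000
Received: from web-hosting-notice.example.net (unknown [203.0.113.77])
\tby mx1.example.org with ESMTP id 9c0b44; Thu, 3 Dec 2015 10:11:10 +0000
From: "Your Web Host Support" <support@yourhost.example.com>
To: admin@example.org
Subject: Action required: your hosting invoice
Message-ID: <20151203101110.4421@mail-updates.example.net>

Please open the attached invoice to avoid suspension.
"""

_FROM_HOST = re.compile(r"^from\s+(\S+)", re.IGNORECASE)
_BRACKET_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def domain_of(header_value: str) -> str:
    """Domain part of an RFC 5322 address, lower-cased ('' if absent)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def received_hops(msg: Message) -> List[Tuple[str, str]]:
    """(claimed host, bracketed IP) for each hop, oldest first."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        host = _FROM_HOST.search(value)
        ip = _BRACKET_IP.search(value)
        hops.append((host.group(1) if host else "?", ip.group(1) if ip else "?"))
    return hops


def origin_report(raw: str) -> Dict[str, object]:
    """Summarise the sender identities a reader should compare before trusting the mail."""
    msg = message_from_string(raw)
    hops = received_hops(msg)
    from_domain = domain_of(msg.get("From"))
    return_path_domain = domain_of(msg.get("Return-Path"))
    message_id_domain = (msg.get("Message-ID") or "").strip("<>").rpartition("@")[2].lower()
    return {
        "from_domain": from_domain,
        "return_path_domain": return_path_domain,
        "message_id_domain": message_id_domain,
        "envelope_mismatch": from_domain != return_path_domain,
        "origin_host": hops[0][0] if hops else "?",
        "origin_ip": hops[0][1] if hops else "?",   # the value you would feed to whois
        "hops": hops,
    }


if __name__ == "__main__":
    for key, value in origin_report(RAW_MESSAGE).items():
        print(f"{key:>20}: {value}")
```

Feed `origin_report` the raw source your mail client shows under "view original" or "properties". Only the Received: lines added by your own provider's servers are trustworthy; the sender's server can write whatever it likes into the earliest hop, so a consistent chain proves nothing, while an inconsistent one is a good reason to leave the attachment alone.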

I seem to remember ...
Dec 7, 2015 10:10AM PST

reading on Krebs on Security, that password protection didn't save some victims on NAS storage networks, or even cloud based storage (one exception was Carbonite). I suppose I could be wrong - I am getting "old timers" disease after all.

I Had a Boss
Dec 7, 2015 10:52AM PST

He asked his son at home to come up with a FREE anti-malware solution. The kid found one but it turned out to be the one that was ransom-based. That is, it claimed it found something but it refused to clean it or let you use the "dangerous" computer until you paid them money. Rebooting obviously didn't help. He brought the PCs in (they were provided by work) and I had a helluva time getting them into safe mode and being able to remove this a/v software. At least it didn't encrypt files. (It was ransom-ware but more on the side of "FakeAV".) The part that was interesting was that the major a/v software vendors declared this "fake" to be malware and the malware makers sued them, claiming that their product was legit software with a novel marketing method.

This is where
Dec 7, 2015 11:07AM PST

having a web-site reputation utility is helpful. Using Web of Trust or McAfee's SiteAdvisor can be of use to avoid bad connections. I prefer WOT because SiteAdvisor is the ONLY product that I can stand that McAfee makes - they will try to foist off all their other junk on you just for using the SiteAdvisor browser extension. WOT will also totally block a bad page if you attempt to visit it.

Using Comodo's DNS service that is given along with its Dragon browser or other free products will add another layer of defense.

Yes
Mar 2, 2016 3:30PM PST

I found Symantec's (even Norton's) reputation-based protection good; maybe too good. If you are a developer/tester you need to make sure that the files are all signed by the developer or the reputation service will delete the files on download. We had a meeting to discuss that with Symantec that didn't go very well.

Use Off Site backup too.
Dec 5, 2015 8:59AM PST

Yes, your secondary and externally connected hard drives can be locked out by ransomware, or even destroyed by malware.

The obvious solution is to periodically back up to an external hard drive or off site hard drive that you then DISCONNECT.

I use Acronis True Image to back up daily to a connected hard drive, but weekly to an external hard drive that then is disconnected and stored in a waterproof and fireproof safe. Use a backup program that allows you to make a bootable dvd and/or usb drive, so you can boot from and recover from uninfected sources.

Yup - but here's a tip that'll help..
Dec 5, 2015 10:40AM PST

Yup! Most people got it right.

Even removable media - because either the malware will attach itself when you insert the media, or you'll copy it when you copy your files.
The "good malware" cannot be seen by your system, so Norton's, etc. are useless. The only way to properly scan is with a bootable cd or dvd and a good detection program.

Best advice I can come up with is to not do incremental backups. Do complete backups each day and save to a file that has the date and time in the name, so that you do not overwrite. That way, if you accidentally backup files that are already corrupted, you haven't destroyed your last good backup.

incremental backups
Dec 5, 2015 3:54PM PST

Why do you recommend not doing incremental backups?

Crypto-locker
Dec 7, 2015 10:20AM PST

will lock all the backups whether they are incremental or not, so I'm not sure what he is talking about. However if he means use a different media each time and do a full backup, that makes sense, because only the last media disc, stick, cloud account that was used is ruined by locking it up with the ransomware. That can be a very difficult plan, but if you have a dozen or so DVD RW discs, and that will hold a full backup, that is an example of what he is talking about. Once you get hit by the ransomware, you can guess your last backup has the attack file on it. The smart malware writers lurk in the background long enough that incremental backups using the same media source will already be infected. The best cure is prevention by using CryptoPrevent found at bleepingcomputer(dot)com

Not Sure What is Meant
Mar 2, 2016 3:40PM PST

The issue with using backups is that the infection could have happened weeks before that. If you do a full backup and then only incrementals after that, you may wind up with only ONE backup of a critical file versus several over time.
The important thing is to make sure your backup plan makes sense to YOU and your data and yet remains cost-effective. We had one bit of malware (lookup: Michelangelo Virus) that doesn't "spring" until the birthday of Michelangelo which could be up to a year away (then it says Happy Birthday as it formats your HDD). I've seen worse. Since this was replicated by floppy disk, I don't know if you would see much of it today. The important thing is to realize how the malware got activated. If it is because you executed a file or clicked on a web link, then you should be able to go back to just before the link or file activation and, well, just don't click on it. So a lot depends on what specific malware you are dealing with.

With today's advanced persistent threats..
Mar 3, 2016 8:25PM PST

it can be almost impossible to root out all evil - but like you said, you just have to take account of what you are willing to risk, and how much to spend to protect your data. In my experience, I've had success simply restoring a very early image, and then isolating the back up files and computer from any network access for at least 24 hours; long enough to let the AV/AM solutions find the threat and expire the zero day odds, and scan the backup files. In every case, I was able to find the attack package sleeping in the backup files and remove it before restoring. I still consider that pot luck though. If you are a high value target, the recovery will be more than grueling, I'm sure.

Yes, but here's an idea
Dec 6, 2015 4:45PM PST

I use a low-cost service that automatically backs up all changed files to the cloud daily. The important thing is that it keeps up to 10 versions of the file. So if I change a file every day, there will be 10 different copies of the file in the cloud from the last 10 days.
So if malware scrambles my files and I don't notice the same day, there will now be scrambled copies in the cloud IN ADDITION to my original versions.
So I can go back to the previous version and restore.
The first thing I'll probably notice is that my cloud backup is taking forever.

Fortunately, I've never been a victim, but I think this simple, automatic approach will protect me.
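Two posts above describe the same defence from different angles: full backups saved under a name carrying the date and time so nothing is ever overwritten, and a service that keeps the last ten versions of every file so the clean copy from before the scrambling is still there. The script below is an added example (not from either poster and not the product they use) that does both on a local drive: each run copies the source tree into a new date-and-time-stamped folder, prunes only beyond a retention count, and can list every retained version of one file. The sample site and the fixed clock values are constructed for the demonstration.

```python
"""Dated full backups that never overwrite, with a retention count (added example).

Every run copies the whole source tree into a new folder whose name is the
run's date and time. A run therefore never replaces an older copy; only the
oldest copies beyond `keep` are pruned. If ransomware scrambles the source
and the next scheduled run faithfully copies the scrambled files, the
earlier intact copies are still on the backup disk to restore from.
"""
import shutil
import tempfile
import time
from pathlib import Path
from typing import List, Optional, Tuple

GOOD_CONTENT = b"<html>good copy of the site</html>"   # constructed sample file


def list_versions(dest_root: Path) -> List[Path]:
    """Backup folders under dest_root, oldest first (the stamp sorts lexically)."""
    return sorted(p for p in dest_root.glob("backup-*") if p.is_dir())


def prune_old(dest_root: Path, keep: int) -> List[Path]:
    """Delete the oldest backups beyond `keep`; returns what was removed."""
    versions = list_versions(dest_root)
    doomed = versions[:-keep] if keep > 0 else versions
    for old in doomed:
        shutil.rmtree(old)
    return doomed


def backup_once(source: Path, dest_root: Path, keep: int = 10,
                now: Optional[float] = None) -> Path:
    """Copy `source` into a new dated folder; `now` lets a caller fix the clock."""
    stamp = time.strftime("%Y%m%d-%H%M%S", time.gmtime(now))  # None -> current UTC time
    target = dest_root / f"backup-{stamp}"
    if target.exists():
        raise FileExistsError(f"{target} exists; a backup is never overwritten")
    shutil.copytree(source, target)
    prune_old(dest_root, keep)
    return target


def versions_of(dest_root: Path, relpath: str) -> List[Tuple[str, bytes]]:
    """(stamp, content) of one file across all retained backups, oldest first."""
    found = []
    for version in list_versions(dest_root):
        f = version / relpath
        if f.is_file():
            found.append((version.name[len("backup-"):], f.read_bytes()))
    return found


def demo() -> dict:
    """Constructed timeline: three clean days, then a scrambled source on day four."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "work"
        dst = Path(tmp) / "backups"
        src.mkdir()
        dst.mkdir()
        (src / "site.html").write_bytes(GOOD_CONTENT)
        day0 = 1449000000.0                      # constructed clock, early Dec 2015 (UTC)
        for day in range(3):
            backup_once(src, dst, keep=10, now=day0 + day * 86400)
        # Ransomware damage: the source is scrambled and the next run copies it as-is.
        (src / "site.html").write_bytes(b"\x8f\x13\xa0\x77\x2e\x44\x01\xcc")
        backup_once(src, dst, keep=10, now=day0 + 3 * 86400)
        history = versions_of(dst, "site.html")
        intact = [stamp for stamp, content in history if content == GOOD_CONTENT]
        removed = prune_old(dst, keep=2)         # tighten retention to show pruning
        return {
            "versions_before_prune": len(history),
            "intact_versions": len(intact),
            "latest_is_intact": history[-1][1] == GOOD_CONTENT,
            "versions_after_prune": len(list_versions(dst)),
            "removed": len(removed),
        }


if __name__ == "__main__":
    print(demo())
```

Schedule `backup_once` once a day against a drive you then unplug, and size `keep` so that the retained history is longer than the time you might take to notice damage: with ten daily copies, a scrambling that goes unnoticed for two weeks would already have pushed every clean copy out. Full copies cost more space than incrementals, which is the trade the "full backups each day" post is accepting.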

I notice...
Dec 7, 2015 11:28AM PST

elsewhere in this thread, someone said to do this with Dropbox. I've never used cloud based storage so can't comment - but it does seem very plausible this would work. In fact I think one of the victims wrote into a forum I frequent and said that was how they ended up recovering from a Cryptolocker attack.

Dropbox
Mar 2, 2016 3:43PM PST

Someone in this thread also mentioned they used dropbox and their files were "hacked". I wonder if you used a cloud drive and had a drive letter mapped to the cloud drive, if the cloud drive would get caught by the ransomware?

The way I understood it..
Mar 3, 2016 8:32PM PST

cryptolocker did find the cloud backup and compromise it. However, there was supposedly a way to restore a backup of the cloud files from the cloud server, and this worked --- supposedly. :/

Password protection
Dec 7, 2015 6:05AM PST

Can RansomWare infect an external USB drive if it is password protected?