Protecting Myself Against Ransomware
December 15, 2021 2:49 PM

I've been reading about how even companies who use backups can still be devastated by ransomware attacks, since the backups themselves may contain infected files (and other reasons). I'm wondering if this holds true at the user level too.

My wife's district was the victim of a ransomware attack and beyond the difficulty of going at least two weeks with the network out of service, they're being told they may lose ALL their saved data (i.e. lesson plans, worksheets, presentations, etc.).

I'm pretty good at backing up most of my stuff in both Dropbox and Google Drive, but I'm wondering if that essentially insulates me from the risk of losing everything, or is there a chance that my files (mostly PDFs, Word, and Excel - no .exe files) would somehow be infected and re-infect the network once it's back. Is it even possible that work files I back up to my home machine could somehow corrupt my personal files as well?

For as much as I know about all this, it seems the answer is no to both of those questions, but I'm hoping for a more definitive answer from someone who knows more than me.
posted by robverb to Computers & Internet (7 answers total) 8 users marked this as a favorite
 
This is part of what I do for a living these days. Backups are always the answer to this question, so you're on the right track, but here's a little nuance to go with that.

The most useful thing you can do is use a versioned backup system - something like Backblaze, which I'd strongly recommend - which lets you say "restore from a week ago, before this happened". The other advantage of this is it just happens automatically - you don't have to drag your files there, the system does it for you. The big reason these are generally superior to just dragging files to something like Google Drive/Dropbox is that (a) they are "write only", meaning that the files can't be deleted/changed under you, and (b) if bad files _are_ backed up, you can get the version from before that happened - usually 90 days of retention is common.

If you're on Mac, Time Machine is also this.

Before that, I used a system called duplicati, which actually did that with gdrive/Dropbox; however, the issue with that can be that because those systems aren't "write only", the ransomware can encrypt the files on your Dropbox, especially if it's exposed as a Windows drive - in that case, I had it go to a Dropbox folder that was NOT otherwise on my computer, which would work well. The advantage of this, of course, is you don't have to buy another service.

All of that said, if you don't keep the Dropbox/gdrive where your backups are mounted on your PC, you're generally reasonably safe. But I would caution you against trusting "I just drag the files there", because in my experience when the rubber hits the road, something is _always_ missed in those cases.
posted by jaymzjulian at 5:10 PM on December 15, 2021 [5 favorites]


So, the way a ransomware attack works is like this:

1. Attacker gains access to a computer (variety of methods from e-mail phishing to code execution vulnerabilities in software that is running on the computer)
2. Attacker uses their ability to execute commands on the computer to encrypt some or all of the files on the computer. That means the 1s and 0s that all your files are made of get scrambled up, so if you tried to open them, they’d look like random garbage. However, it’s not really random, because with the right digital “key” they can unscramble the files, but it’s impossible* without it.
3. The attacker contacts the computer owner and offers to send them the key in exchange for $$$.

So, the reason backups can be vulnerable to this is that if the user doesn’t notice the problem between when the attacker does it and when their next scheduled backup happens, the backup files can be overwritten with the garbage scrambled data, meaning you really need that key.

A properly managed backup will protect against this, by warning before replacing a large amount of data, for example.

So, to your question - If your work computers are hit with a ransomware attack, could backing up the encrypted files infect your home computer, or reinfect the computer after the attack is over?

Short answer is no. The encrypted files don’t have any capabilities, they’re just scrambled. However, whatever method the attacker used to gain access to the computers in the first place needs to be discovered and patched. So, if there is malicious code involved, that’s a concern, but it wouldn’t typically be in your encrypted word documents or pdfs. Merely syncing encrypted files to the cloud or your home computer or back shouldn’t have any negative side effects.

I wouldn’t worry about contagion from a ransomware attack. However, it’s worth thinking about how to protect your backup in that situation. For example, does your backup keep at least one older version of each file? Dropbox does for a short period of time (unless you pay extra). I don’t know about Google Drive. Note that Dropbox is in a gray zone where it’s not exactly “backup” software, but it has more functionality than just cloud syncing. Dedicated backup services/software will provide more finely tuned and robust methods of keeping your data safe against things like ransomware attacks.
posted by Salvor Hardin at 5:14 PM on December 15, 2021 [1 favorite]
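Two points in the answers above lend themselves to a worked example: jaymzjulian's "write only" versioned store from which you can restore a version older than the attack, and Salvor Hardin's "warn before replacing a large amount of data". The following is an added illustration, not code from this thread or from any product named in it (Backblaze, Time Machine and Dropbox all do their own thing). It assumes a hypothetical `VersionedStore` that never deletes old versions, an entropy threshold of 7.0 bits/byte and a change-ratio threshold of 50% (both constructed values, and the entropy heuristic would also flag legitimately compressed files such as zips or images), and a `scramble()` helper that stands in for ransomware output with deterministic high-entropy bytes. The sample "lesson plan" files are constructed inline.

```python
"""Versioned backup store with a mass-change guard (constructed example)."""
import hashlib
import math
from collections import Counter, defaultdict

ENTROPY_THRESHOLD = 7.0        # bits/byte; encrypted output sits close to 8.0 (assumed value)
CHANGE_RATIO_THRESHOLD = 0.5   # hold the run if more than half of known files changed (assumed)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: ~8.0 for encrypted data, far lower for documents."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


class VersionedStore:
    """Append-only history: path -> list of (timestamp, content). Nothing is ever deleted."""

    def __init__(self):
        self.history = defaultdict(list)

    def latest(self) -> dict:
        """Newest committed content per path."""
        return {p: v[-1][1] for p, v in self.history.items()}

    def assess(self, files: dict) -> dict:
        """Compare a proposed backup run against the last committed versions."""
        current = self.latest()
        changed = [p for p, data in files.items() if current.get(p) != data]
        suspicious = [p for p in changed if shannon_entropy(files[p]) > ENTROPY_THRESHOLD]
        missing = [p for p in current if p not in files]   # files that vanished since last run
        ratio = len(changed) / len(current) if current else 0.0
        return {
            "changed": changed, "suspicious": suspicious, "missing": missing, "ratio": ratio,
            # Warn only when a large share of data changed AND the new content looks encrypted.
            "warn": bool(current) and ratio > CHANGE_RATIO_THRESHOLD and len(suspicious) > 0,
        }

    def backup(self, files: dict, ts: int, force: bool = False) -> dict:
        """Commit a run as new versions unless the guard trips; old versions are kept."""
        report = self.assess(files)
        if report["warn"] and not force:
            report["committed"] = False      # leave the store untouched, ask a human
            return report
        for p, data in files.items():
            if not self.history[p] or self.history[p][-1][1] != data:
                self.history[p].append((ts, data))
        report["committed"] = True
        return report

    def restore_as_of(self, ts: int) -> dict:
        """Files as they were at time ts: newest version with timestamp <= ts."""
        out = {}
        for p, versions in self.history.items():
            older = [data for t, data in versions if t <= ts]
            if older:
                out[p] = older[-1]
        return out


def scramble(data: bytes, key: bytes = b"constructed-key") -> bytes:
    """Stand-in for ransomware output: deterministic high-entropy bytes of the same length."""
    out, counter = bytearray(), 0
    while len(out) < len(data):
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:len(data)])


# Constructed sample documents: low-entropy text, like lesson plans and worksheets.
SAMPLE_FILES = {
    f"lessons/week{i}.txt": (f"Week {i} lesson plan: " + "reading, writing, arithmetic. " * 40).encode()
    for i in range(1, 11)
}
EDITED_FILES = dict(SAMPLE_FILES, **{
    "lessons/week3.txt": SAMPLE_FILES["lessons/week3.txt"] + b"Homework added.\n"
})


def demo():
    """Three backup runs: clean baseline, one ordinary edit, then a mass encryption."""
    store = VersionedStore()
    day1 = store.backup(SAMPLE_FILES, ts=1)                       # baseline, nothing to compare
    day2 = store.backup(EDITED_FILES, ts=2)                       # one file legitimately changed
    day3 = store.backup({p: scramble(d) for p, d in EDITED_FILES.items()}, ts=3)  # held back
    recovered = store.restore_as_of(2)                            # "restore from before this happened"
    return day1, day2, day3, recovered


if __name__ == "__main__":
    for label, report in zip(("day1", "day2", "day3"), demo()[:3]):
        print(label, "committed" if report["committed"] else "HELD", f"ratio={report['ratio']:.2f}")
```

The `missing` list is reported but does not trip the guard on its own, since users delete files for ordinary reasons; a run that combines mass deletion with mass high-entropy replacement is what the threshold pair is meant to catch.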


Yes, it holds true at the user level too.

Backups do not always help. Using the current Log4j issue as an example, there is credible evidence to suggest that this was being scanned for back at the start of December. Even if you went to remediate this on the first day that the general public was aware of it, there's some chance that you could have been exploited prior to that point, and if you didn't have backups and a willingness to restore to a November restore point, you could easily have been breached.

Infection vectors can be unusual or even astonishing -- this is what's happened with Log4j, in fact -- so there is no particular reason to think that there won't be future file-based attacks that are stealthy, with a long window before discovery. PDFs, Word, and Excel have all been infection vectors in the past, and are expected to be in the future again.

Making proper off-line backups of your important data is a critical bit of protection against ransomware and infection. As someone who does IT stuff professionally, I take all important personal and business documents and data, which are already stored on a ZFS based storage system with an extensive 10 years' worth of snapshots (highly resistant to ransomware/infections), and archive them on a yearly basis to DVD-ROM, stored offsite in a safe deposit box. This is the checkpoint of last resort, and makes it very difficult to truly lose anything important. The ZFS system is rsync'ed to another ZFS system elsewhere, with its own snapshot policy. This makes it really robust, and it becomes much easier to identify when changes have been introduced, and to roll them back.

Google Drive and Dropbox are not going to be particularly secure, and due to the way that they are commonly used, will tend to be vulnerable to various kinds of attacks.

For the average person, consider picking up some USB hard drives that are large enough to hold all your important stuff. Perhaps every three months, take everything you have that's important, and copy it all onto one USB drive. Put it in a box, tape it up, and hold onto it for a year or two. Keep rotating through four or six drives, so that you can always go back a year or more to recover data. It is much harder for ransomware to affect content stored offline in this manner.
posted by jgreco at 5:17 PM on December 15, 2021 [5 favorites]


there is no particular reason to think that there won't be future file-based attacks that are stealthy

My company got its first ransomware attack back in 2018 but we didn't notice until last month, because the ransomware was automated and only managed to touch a tiny corner of our data that nobody had looked at since 2018 (almost certainly this was some type of automated ransomware). We restored from backups and everything was fine, because our backup process does not delete anything and this ransomware attack worked by renaming files to filename.abcdef (except abcdef was a more random string) and deleting the originals. Presumably this is so the person being attacked will notice and pay the ransom (whereas if the file is replaced, you may not notice for quite a long time if ever).

If the ransomware had been stealthier we might never have noticed. I think there may be an argument that too much stealth is bad, in the sense that the longer you stick around to collect on ransomware the more opportunities you have to get caught (modulo your exposure to risk; certainly many RaaS gangs have little fear of being caught by law enforcement). Increased stealth probably also serves to trade off the predictability of the income stream for longevity (assuming the ransomware vulnerability is patched, if people discover their files are compromised much later there's still a drip of money coming off the old spigot). It's an interesting question, and I don't know the answer to any degree of certainty, but I think there might be some very good reasons why more stealth might be quite undesirable.
posted by axiom at 8:50 PM on December 15, 2021 [2 favorites]


So, the way a ransomware attack works is like this:

1. Attacker gains access to a computer (variety of methods from e-mail phishing to code execution vulnerabilities in software that is running on the computer)
2. Attacker uses their ability to execute commands on the computer to encrypt some or all of the files on the computer. That means the 1s and 0s that all your files are made of get scrambled up, so if you tried to open them, they’d look like random garbage. However, it’s not really random, because with the right digital “key” they can unscramble the files, but it’s impossible* without it.
3. The attacker contacts the computer owner and offers to send them the key in exchange for $$$.


The nastiest ransomware has a couple of additional steps. As well as encrypting files on the computer it's running on, it searches all that computer's local network connections for file servers that the computer has write access to, and starts encrypting files on those too; and it also searches the local network for other running computers that contain vulnerabilities it can exploit to install and run itself on those as well.

That first step is what leaves always-online backup setups vulnerable to ransomware, because the ransomware will happily encrypt the backup files as well, thereby making them impossible to restore from. If the backup strategy is just a naive always-on always-duplicate-everything thing designed to guard against local hardware disasters and not much else, this can be enormously damaging. But honestly, that particular backup strategy is a clear sign of administrative incompetence.

To stop it from happening, you can keep most of your backups offline (i.e. disconnected from the computer they're backing up) most of the time, connecting them only when what's on them is of no further use and it's time to replace it with a newer backup. If you're using that strategy you'd want a rotating set of offline backup media as jgreco advised above.

Having a backup system designed to maintain multiple point-in-time snapshots of every backed-up file will also work. But just as in the multiple offline media strategy, you need to be able to restore versions of things that existed before the ransomware attack, and it might be quite some time before you notice a ransomware attack.

There's really no point in ransomware propagating itself into an online backup set, though of course that might well happen by accident if you're using something that makes automatic backups as soon as it sees new files appear on your computers. The only benefit for the ransomware in doing so would be the hope that somebody might restore the ransomware itself onto their computer in the process of recovering backups made before it struck; but if you have access to backup sets made before the ransomware even arrived, you also have access to backups it would never have had an opportunity to write itself out to in the first place.

The reason that ransomware can devastate even organizations that do keep regular, well-maintained, well-tested backups is that restoring from backups is always going to be somewhat disruptive. And there will, in general, always be some delay between a new version of a file existing on a computer and that same version propagating to a backup set. For example, if an organization was relying on backups made nightly, ransomware could potentially cost that organization an entire day's work and for most orgs that will come out to be a lot of work.

If the ransomware has been quietly beavering away for weeks before being discovered, the backup sets are also going to contain a mixture of original and ransomware-encrypted files and create a mess that will require time and effort to sort out.

But if your wife's district is being warned that they might lose everything, I daresay that whoever was in charge of setting up their backup strategy has not done a very good job. It's 2021. Ransomware is not a new idea any more, and any backup strategy not robust enough to deal with it is simply not fit for purpose.
posted by flabdablet at 1:50 AM on December 16, 2021 [2 favorites]
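flabdablet's point that a long-running attack leaves the backup sets holding "a mixture of original and ransomware-encrypted files" is worth seeing concretely, because a single "restore everything as of date X" loses the edits users legitimately made after the attack quietly began. The following is an added illustration, not code from this thread or from any backup product. It assumes a versioned history laid out as path -> list of (timestamp, content) (a constructed shape, not any tool's format), an entropy threshold of 7.0 bits/byte as the "looks encrypted" heuristic (an assumption that would also flag legitimately compressed files), and a `CIPHERTEXT` stand-in in which every byte value appears equally often. The sample history is constructed inline.

```python
"""Restore-time reconciliation of a backup history that mixes clean and encrypted versions
(constructed example)."""
import math
from collections import Counter

ENTROPY_THRESHOLD = 7.0   # bits/byte; encrypted content is close to 8.0 (assumed value)


def looks_encrypted(data: bytes) -> bool:
    """Heuristic: near-uniform byte distribution. Assumes the originals are documents,
    not archives or media, which are also high-entropy and would be flagged."""
    if not data:
        return False
    n = len(data)
    entropy = -sum(c / n * math.log2(c / n) for c in Counter(data).values())
    return entropy > ENTROPY_THRESHOLD


def reconcile(history: dict) -> dict:
    """Resolve each path independently to its newest version that does not look encrypted.

    Returns the restored (timestamp, content) per path, the paths with no clean version
    at all, and how many encrypted versions were discarded per path for the report."""
    restored, unrecoverable, discarded = {}, [], {}
    for path, versions in history.items():
        clean = [(t, d) for t, d in versions if not looks_encrypted(d)]
        discarded[path] = len(versions) - len(clean)
        if clean:
            restored[path] = clean[-1]
        else:
            unrecoverable.append(path)
    return {"restored": restored, "unrecoverable": unrecoverable, "discarded": discarded}


def cutoff_restore(history: dict, ts: int) -> dict:
    """The naive alternative for comparison: newest version with timestamp <= ts, per path."""
    out = {}
    for path, versions in history.items():
        older = [(t, d) for t, d in versions if t <= ts]
        if older:
            out[path] = older[-1]
    return out


# Constructed ciphertext stand-in: all 256 byte values equally frequent, so entropy is exactly 8.0.
CIPHERTEXT = bytes(range(256)) * 4

# Constructed history. The attack started around ts=5 and encrypted files at different times,
# while staff kept working on some documents in between.
HISTORY = {
    "worksheets/fractions.docx": [(1, b"Fractions worksheet v1 ..."), (5, CIPHERTEXT)],
    "plans/term2.docx": [(1, b"Term 2 plan ..."),
                         (7, b"Term 2 plan, revised after half-term ..."),   # legitimate edit
                         (9, CIPHERTEXT)],
    "slides/volcanoes.pptx": [(2, b"Volcano slides ..."), (12, CIPHERTEXT)],
    "notes/new-unit.txt": [(8, CIPHERTEXT)],   # created during the attack; never backed up clean
}


def demo():
    """Per-file reconciliation versus a blanket cut-off at ts=4 (just before the attack)."""
    return reconcile(HISTORY), cutoff_restore(HISTORY, 4)


if __name__ == "__main__":
    report, naive = demo()
    for path, (ts, _) in report["restored"].items():
        print(f"{path}: restored version from ts={ts} (naive cut-off: ts={naive.get(path, (None,))[0]})")
    print("no clean version:", report["unrecoverable"])
```

The cut-off restore hands back the term 2 plan from before the half-term revision, while per-file reconciliation keeps the revision; neither can recover the note that only ever existed encrypted, which is exactly the file the thread's offline or snapshot strategies are meant to catch earlier rather than later.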


You've received many excellent answers. The overall "disaster recovery" contingency plan should account for such an eventuality, and as we've seen all over the place, most smaller government IT offices don't take cybersecurity seriously, or lack the resources to do so. And many users simply don't take cybersecurity seriously. They surf the web unprotected using a work computer, or download pirated stuff at work because they lack the bandwidth at home, or some crap like that. Or they accidentally open spam with a malware link. You get the idea.

There is also sometimes very little incentive for the rank and file to follow cybersecurity policy. It's inconvenient, and there is no penalty since responsibility is hard to track. And if work is lost, it's just "job security" (with a hefty dose of sarcasm). Some simply don't care about the fancy-schmancy computer stuff, leaving it all to IT, not seeing they have a part in the overall cybersecurity. As the cliché goes, you are only as strong as your weakest link.

We are not quite yet at the stage where the storage system can recognize ransomware attacks because the original files got changed or deleted, and because the storage we have is finite, one of the easiest ways to cull files is to dump the old backups, and if ransomware wasn't detected in time... But as others have explained, a proper combination of online AND offline backup strategy as well as periodic scans of the network for malware or ransomware should be standard practice, rather than leaving it until the "OMG, what do I do now" moment.

Also keep in mind that your wife's IT may have been exaggerating a little to drive the point home: this is SERIOUS jeopardy to data integrity.

Can it happen to you personally? Possibly. But if you take proper precautions then chances are minuscule, esp. if you also have a proper backup plan in place so disaster recovery will be relatively painless.
posted by kschang at 7:47 AM on December 16, 2021 [1 favorite]


Response by poster: Thanks to all of you for your responses. I'm usually pretty happy with what I get on this site, but this has been the most thorough and comprehensive set of answers yet.
posted by robverb at 8:13 AM on December 18, 2021

