Ransomware isn’t the only reason to implement a good backup strategy – for home users as well as for businesses – but it’s a pretty good one, and these days you can’t afford a backup strategy that doesn’t take ransomware’s evil little ways into account.
In an article for Graham Cluley’s blog, David Bisson offers some pretty good advice, in a form that practically anyone can understand.
A few times I’ve seen it suggested that encryption of valuable data before ransomware strikes will somehow protect it against ransomware. Today I came across the same assertion again on Spiceworks, apparently suggested to a Spiceworks subscriber by a lecturer. Not a lecturer in IT security, I hope…
I guess whether there’s any truth in the assertion depends on what you understand by encryption.
- If files can be modified they can be encrypted: ransomware doesn’t check to see if a file is encrypted and throw its hands up in despair if it is, it simply adds another layer of encryption.
- If the media on which the files reside can’t be accessed without a password then presumably the files themselves can’t be modified while the media are inaccessible.
- However, if the media are accessible and write-enabled because the files are in use, the chances are that ransomware will be able to encrypt the files, irrespective of whether they are already somehow encrypted by the legitimate owner or user of the aforementioned files.
Much the same considerations apply to backups, of course. If the backup media are accessible while the ransomware delivers its unpleasant payload, there’s a ‘good’ chance that the backed up files will also be encrypted.
This article – Mac OS X ransomware: How KeRanger is a shadow of malware to come – The design of KeRanger demonstrates how attackers plan to make it even harder for victims of ransomware not to pay up – includes an interesting if confusing/confused comment from Timothy Wallach of the FBI:
“The best prevention for ransomware is to have thorough backups that are off the network, as well as encrypting your own data. That way if the bad guys encrypt it with their ransomware you still have it…”
It would be interesting to know if that’s exactly what Wallach said, since I’d rather like to know what he meant by ‘encrypting your own data’.]
Bob Covello posted an interesting article on Graham Cluley’s site on The new economics of data protection in a world of ransomware. He cites the case of 7ev3n, a more-than-usually greedy instance of ransomware demanding a hefty 13 bitcoins for the key to your encrypted data. Which is very much in contrast, by the way, to the £350 apparently demanded by the attackers who caused Lincolnshire council to shut down their systems for a few days, though the BBC reported the ransom demand as being for a heart-stopping£1m. A subsequent report by the BBC not only cited the lower figure, but asserted that the council had announced that it would not pay the ransom. It’s by no means impossible that demands will continue to rise if and when ransomware gangs get more into the idea of extorting businesses rather than (or at any rate as well as) individuals who may simply not be able to afford such sums. Come to that, a business may be less able to write off its data than an individual who may simply decide that his or her data is not worth paying so much for.
The core message of Covello’s article is simple enough. Even the most expensive backup and cloning options he cites look much more attractive than paying an estimated $5,000 in the hope of having the 7ev3n gang restore your data.
I wouldn’t agree with Marcin Kleczynski that
Even using backup systems isn’t an effective countermeasure because ransomware would actively look for different types of backup systems and encrypt them, too.
Nevertheless, it is worth remembering that ransomware does look for external storage and encrypt what it finds there, if possible. So you need to bear in mind:
- While external storage is connected, data stored there may be as vulnerable as data on your internal drives. Storage that is only connected when you need it to be is obviously safer than an always-on network or cloud drive. And don’t discount the value of backups of backups. This paper by my colleague Aryeh Goretsky is several years old and so predates the current upsurge in ransomware, but it does address the backup basics very clearly, and they haven’t changed much: Options for backing up your computer
- If you do have to restore from backup, you need to be sure that the malware is no longer on your system. (Part of the value of cloning.)