A Heads Up


dik

Structural
Apr 13, 2001
25,675
This is not a structural issue. It's a warning to others. I don't need any 'off topic' comments.

A couple of days back, I was hit by a ransomware virus that encrypted all my files, including the three backup drives that were attached to the computer. Fortunately I can recover nearly all my work (for the last 30 years) because I replaced my HDD with a new 16TB drive and had a full backup. This was just by accident that the loss wasn't much worse.

Future backups will include disconnecting backup drives from the computer when not in use as well as using some form of cloud storage.

I'm still working through it and still have to recreate some of my work. It's the dumbest I've felt in years. Just a heads up... I'm pretty careful, but got 'hit'.

-----*****-----
So strange to see the singularity approaching while the entire planet is rapidly turning into a hellscape. -John Coates

-Dik
 

Really sorry to hear this. Create a second backup of your uninfected backup before you start using it so you have a clean one in case of reinfection.
 
dik we had this happen several years ago it is a massive pain, it may not lead anywhere but recommend reaching out to the FBI or equivalent in your region they used to have a division looking into the ransomware attacks.
 

That's the first thing I did... then copied the backup to the machine I'm working on. I have some critical 'unencrypted' files that were missed by the ransomware... they were in subdirectories on the desktop. I'm concerned about transferring these to my new setup, and may copy them to one of my laptops as a test. Fortunately I have 3 desktops (one an old one with Win 7 on it. It was assembled when M.2 drives first came out; I had to import the M.2 drives from Australia because they weren't available in NA) and none of them are connected to each other.

I'm 'scared' of introducing anything to my current machine.

I'm not even certain that reformatting the infected machine will 'clean' it... it should but I'm not 100% certain. I'm still rebuilding my project directories from my eMail. Some stuff will be lost.


-Dik
 
This kind of problem almost shut down a company I used to work for. So now I use Goodsync (also heard good things about Syncthing and a few other programs) to sync and backup. The backups are one way and staggered on two geographically separated servers (owned, not rented) with backups daily, weekly, monthly, bimonthly, annually, etc. I also use OneDrive as a secondary cloud backup, and physical hard drives which get unplugged for tertiary backup. This results in one file taking up at least 5x its normal storage. Will look into sequential type backups in the future, which only back up the changes on top of a base file instead of having a complete copy. It cost several thousand to get all this set up, but like dik said, cost wasn't an issue. The data is too important. Fortunately, I don't have to worry about legality of having old versions of files.

@dik The only thing potentially left over after formatting (assuming using a third party tool, not the infected OS) would be a BIOS/UEFI firmware rootkit on the motherboard. There's software to check for that; probably would go with Linux just to check it and then switch back to Windows for production.
 
Thanks... the BIOS was where I was going to start. The use of Linux was my son's approach... he's already checked the copies of 'good' files left on the encrypted machine.


-Dik
 
Thanks for the reminder, Dik - I'm sorry to hear you lost your files. Personally, I recommend a few things.

1) Download Macrium Reflect Free and periodically create images of your hard drive. If you ever lose your data, or if your hard drive breaks, you can load the Macrium image onto a new drive and move forward like nothing ever happened. It literally makes a bit-for-bit clone of your drive, thus making it very easy to restore.

Link:
2) Store your backup images on a drive that isn't connected to your computer. Like the cloud, or on an external SSD whose sole function is to store backup images. Personally, I like to keep a backup of my backup.

3) You can get 1 TB of cloud storage through for $5/month.

4) Update your antivirus software.
 
CrabbyT... from Macrium...



I think I have a copy of Macrium that came with one of my SSDs, or something... I don't recall which, but it's a matter of finding it...


-Dik
 
Hi Dik, how did the hackers get into your system? via email? downloaded attachment? browser?

I work on a network server that is backed up (daily) off site to a data warehouse. It's all managed by my IT guy. Not sure if this is enough protection.
 
dik said:
I think I have a copy of Macrium that came with one of my SSDs, or something... I don't recall which, but it's a matter of finding it...

It's actually free for commercial use and can be downloaded at
It's a beautiful tool. I use it whenever I upgrade a hard drive. Plug in the new drive, clone the existing drive, unplug the existing drive, hit the power button. Real easy.
 

Very likely something I downloaded. I tend to be a bit of an info junkie... I'm changing that a bunch...


-Dik
 
I'm just about through this. It could have been a lot worse, and I've learned a couple of valuable lessons, and had developed a couple of 'not so good' habits. It could have been a lot worse; I could have lost over 30 years of engineering records. It was just by luck that I didn't.


-Dik
 
From a project this morning... they could only get 11 of the 12 bolts in (4x3 matrix)...



First close call from encrypted data... so far, so good.


-Dik
 
I'm wondering if I should add a ransomware clause to my contracts.
 
Is there any value in encrypting the files on your drive (if that keeps them from the invaders)?
Is there any value in using BitLocker on the drive?
 
IFRs said:
Is there any value in encrypting the files on your drive (if that keeps them from the invaders)?
Is there any value in using BitLocker on the drive?

I imagine the hackers could care less about the actual data - encrypted or otherwise. They just want to keep dik from being able to access it.
 
IFRs said:
Is there any value in encrypting the files on your drive (if that keeps them from the invaders)?
Is there any value in using BitLocker on the drive?

Encrypting your data is more of a precaution for situations where you need to protect information. If the files are encrypted and your computer gets stolen, they won't be able to extract the data unless they have the password.

I don't believe that Bitlocker does anything to protect against ransomware. There are programs available that will backup your computer to the cloud so that you're not completely boned if your data gets ransomware'd or if your hard drive gets jacked.
 
For backup I use two separate NAS RAID drives, IDrive to the cloud, online project management file storage, GDrive and two separate 2TB M.2 USB drives.
IDrive and one NAS happen every night
The other NAS is quarterly.
One of the M.2 drives is daily, the other is weekly
We also use Sharepoint
The online project management file storage, GDrive are basically what I give to my customers (no live docs - mostly pdfs)

My guess is that if (when) I am infected, everything will be toast if the hacker waits a week to spring their little trap.
Perhaps the best I can do is to archive the second NAS drives for a year and then recycle them.

My business has cyber crime insurance, it is pretty cheap, comes with experts and covers up to a million in costs. But, I think it mostly is intended to cover my customers if they are infected by me or my files.
 

It might... it depends on the ransomware. I had 3 portable USB M.2 SSDs attached. It encrypted nearly all my data files. I assume searching for common file extension names for data. It left the 100+ SMath files on the desktop. If you encrypt the entire system, data and apps... I dunno. If it goes by extension and cannot recognise the extension, it may leave it alone. If it goes by something other than the extension, it may encrypt the encryption.

Some lessons have been learned... I've cut down on my browsing a lot (I'm still a bit of an info junkie, but a lot more careful). My backup consists of a 16TB mech drive and two M.2 SSDs, which are only attached for a short time daily when I make a backup. My temporary backup that holds all current work of the day is a 256GB USB thumb drive, which I copy everything to, when it's done (temporary). I use a full blown copy of Bitdefender anti-virus (Suggested by my one son).

Still to do is to install a copy of Macrium Reflect and put my whole system onto a backup mirror. The guys on the sister site 'Tek-tips' were quite helpful. I've also saved one of the encrypted HDs to send to my son. He's computer savvy and runs a website. I could have lost 30 years of files... I was very lucky... I only lost a few files, nothing significant, yet, and only by luck. I had switched backup HDD from a 10TB to a 16TB just a week earlier and the 10TB backup was nearly up to date.

The little Sandisk USB thumbdrive has a USB A and C end... the others are USB C.




-Dik
 
I'm not sure that encryption is the solution, since a halfway well-written malware should simply look for any files on the drive and encrypt them for ransom. Here are some ways to make the process harder:

> Air-gapping, if it's not connected to your computer, the malware can't get to it
One option is to have two backup drives that are backed up one at a time, which ensures that there will always be one drive that's not connected at any time
> Hiding your critical partitions that are not accessible in the normal file system
This one is hard, discipline-wise, but is easier to do than the preceding, since it could be scripted to turn off drive letters.
> Running your internet activities in a virtual machine with no access to the actual physical hardware
This is somewhat cumbersome, since it basically is like running two different computers on the same hardware
> Ensuring that your internet active account is a non-administrative account
If you don't do too many software installations, this might be manageable

Of course, each one is painfully annoying, and you should do as I say and not as I do ;-)

TTFN (ta ta for now)
I can do absolutely anything. I'm an expert!
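Added example, not from any post in this thread: a PowerShell script in the spirit of the "scripted to turn off drive letters" idea above and of the "everything will be toast if the hacker waits a week" worry earlier in the thread. It gives the backup volume a drive letter only while a backup runs, refuses to run if a canary file has changed since the last clean state, writes a dated copy instead of mirroring (so an already-encrypted source cannot overwrite the previous good copy), then removes the letter again. The volume label BACKUP, the folder C:\Work, the canary file and the hash placeholder are assumptions; it must run elevated, and removing a drive letter only hides the volume from letter-based enumeration, so it is a convenience on top of physically unplugging the drive, not a replacement for it.

```powershell
# Assumed values: edit for your own setup. Run from an elevated PowerShell.
$Source     = 'C:\Work'                 # folder to back up (assumed)
$Label      = 'BACKUP'                  # volume label of the backup drive (assumed)
$Letter     = 'X'                       # letter assigned only during the job
$CanaryFile = Join-Path $Source 'canary.txt'   # a small file that never changes (assumed)
$CanaryHash = 'PLACEHOLDER-SHA256-RECORDED-ON-A-CLEAN-SYSTEM'

# 1. Cheap sanity check: if the canary has been altered or encrypted, the source
#    may be compromised and copying it would only spread the damage. Ransomware
#    does not have to touch the canary (dik's SMath files were skipped), so this
#    is an early warning, not a guarantee.
$actual = (Get-FileHash -Path $CanaryFile -Algorithm SHA256).Hash
if ($actual -ne $CanaryHash) {
    Write-Error "Canary '$CanaryFile' does not match the recorded hash; backup aborted."
    exit 1
}

# 2. Locate the backup partition by volume label (it has no drive letter between
#    runs) and give it a letter only now.
$part = Get-Volume -FileSystemLabel $Label -ErrorAction Stop | Get-Partition
Add-PartitionAccessPath -DiskNumber $part.DiskNumber `
    -PartitionNumber $part.PartitionNumber -AccessPath "${Letter}:\"

try {
    # 3. Dated copy rather than robocopy /MIR: a mirror would faithfully replace
    #    yesterday's good files with today's encrypted ones.
    $dest = "${Letter}:\Work-$(Get-Date -Format 'yyyyMMdd-HHmm')"
    robocopy $Source $dest /E /R:1 /W:1 /XJ /NP /LOG+:"${Letter}:\backup.log" | Out-Null
    $rc = $LASTEXITCODE          # robocopy: 0-7 means copied/ok, 8 and above means failure
}
finally {
    # 4. Take the letter away again whether or not the copy succeeded.
    Remove-PartitionAccessPath -DiskNumber $part.DiskNumber `
        -PartitionNumber $part.PartitionNumber -AccessPath "${Letter}:\"
}

if ($rc -ge 8) { Write-Error "robocopy reported failure (exit code $rc)"; exit $rc }
Write-Output "Backup written to $dest and volume '$Label' detached."
```

Record $CanaryHash once with Get-FileHash on a machine you trust, and prune old dated folders by hand or on a separate schedule so the script itself never deletes anything on the backup volume.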
 
Plenty of other good forums and websites that give good advice on this issue.

Air gapping is pretty much the easier and best solution for home use. Backing up to "the cloud" probably is pretty up there too. Sure you are reliant on a third party but most of those third parties operate pretty robust systems.

I have a home RAID5 to which I backup daily. I have two airgapped copies done every other month.
 