Ransomware [was Re: Backups [was Re: Is tape dead?]]

Jerome H. Fine jhfinedp3k at compsys.to
Wed Sep 16 20:41:38 CDT 2015


>Mouse wrote:

>>There is a ransomware variant that encrypts the files but silently decrypts $
>
>This depends on the backup-taking accessing the files in a way that
>doesn't trip the decryption.
>
>It also depends on nobody test-restoring from the backups, or at least
>not sanity-checking the results if they do.
>
>It also depends on being able to infect the OS and sit there for months
>without anyone noticing.
>
>
>>As to how one can become infected, see http://www.theregister.co.uk/2015/08/$
>
>This depends on the user - perhaps by proxy in the form of something
>the user runs - executing content offered by the malvertising-serving
>server.
>
>Thus, defense in depth:
>
>(1) Don't run things that execute live content without explicit,
>specific approval by the user.  Educate users as to the few cases when
>giving such approval is sane.
>
>(2) Avoid common OSes and ISAs, so that most malware (ransomware or
>otherwise) can't run even if it gets through to the machine.
>
>(3) Test-restore from your backups periodically.
>
>Of course, most people will say they "can't" do one or more of those,
>actually meaning they're not willing to pay the prices involved.  Such
>people need to realize that they will pay one price or the other, and
>they'll just have to decide which prices they prefer.  Personally, I do
>about two and a quarter of the above: (1), 3/4 of (2), and 1/2 of (3).
>
The system which I use to develop programs and produce code
is used only to download e-mail and news groups.  This seems to
have isolated the system to some extent.

As for (3), I don't understand how a test-restore would help.
I don't know if this is relevant, but I shut down my system
every night and boot the C: drive again in the morning.

After booting from DOS using a floppy disk, my backup
consists of using Ghost to make an image copy (compressed)
of all the files on the C: drive to the D: drive which is used
ONLY for that purpose.  Even if the files have been encrypted,
I don't understand how a restore would detect that the files
are being encrypted / decrypted on the fly if a boot every
morning does not notice a problem.

As it happens, once or twice a year when I do need to access
the internet, I first do a backup of my C: drive, access the Internet
to make copies of the files that I want - PDP-11 stuff for RT-11,
obviously.  Then just in case, I do a restore from the backup to
my C: drive.  How would that be any different from just booting
the same C: drive each morning?

Jerome Fine
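
The exchange above turns on one point: a backup taken below the OS (a DOS-booted Ghost image) captures whatever bytes are on the disk, and if a resident ransomware is decrypting on every read, those bytes are ciphertext. Booting the same infected OS after a restore decrypts them again and everything looks normal, which is why a restore-and-boot notices nothing. A test-restore only helps when the restored bytes are checked from a clean environment against something recorded while the files were known-good. The following simulation is an added example written for this page; it is not code from the thread, Ghost, or the malware discussed. It assumes a toy repeating-key XOR as a stand-in for the real cipher, an in-memory "disk" and "OS" in place of a PC, and two constructed sample files.

```python
# Added example (not from the thread): simulates a ransomware that keeps
# ciphertext at rest but decrypts on the fly, a raw-disk backup taken
# beneath it, and an offline test-restore check that catches the damage.
import hashlib
import string

KEY = b"\x5a\xa5\x3c\xc3"  # constructed toy key; stands in for a real cipher


def xor_bytes(data: bytes, key: bytes = KEY) -> bytes:
    """Toy symmetric cipher: XOR with a repeating key (an involution)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


class Disk:
    """Raw block store: what a DOS-booted imager sees, with no OS in the path."""
    def __init__(self):
        self.blocks = {}
    def raw_read(self, name: str) -> bytes:
        return self.blocks[name]
    def raw_write(self, name: str, data: bytes) -> None:
        self.blocks[name] = data


class CleanOS:
    """Normal file API: bytes on disk are exactly what programs wrote."""
    def __init__(self, disk: Disk):
        self.disk = disk
    def read(self, name: str) -> bytes:
        return self.disk.raw_read(name)
    def write(self, name: str, data: bytes) -> None:
        self.disk.raw_write(name, data)


class InfectedOS(CleanOS):
    """Same API with the malware resident: ciphertext at rest, every read
    transparently decrypted, so applications never see anything wrong."""
    def read(self, name: str) -> bytes:
        return xor_bytes(self.disk.raw_read(name))
    def write(self, name: str, data: bytes) -> None:
        self.disk.raw_write(name, xor_bytes(data))
    def infect(self) -> None:
        # Initial pass: encrypt everything already on the disk in place.
        for name, data in list(self.disk.blocks.items()):
            self.disk.raw_write(name, xor_bytes(data))


def make_manifest(os_: CleanOS, names) -> dict:
    """Record SHA-256 per file while the system is known-good."""
    return {n: hashlib.sha256(os_.read(n)).hexdigest() for n in names}


def ghost_image(disk: Disk) -> dict:
    """Image the raw blocks, as a floppy-booted imager would."""
    return dict(disk.blocks)


def restore(disk: Disk, image: dict) -> None:
    disk.blocks = dict(image)


def looks_like_text(data: bytes) -> bool:
    """Cheap sanity check for files that should be plain ASCII text."""
    printable = set(string.printable.encode())
    return all(b in printable for b in data)


def verify_offline(disk: Disk, manifest: dict) -> dict:
    """Test-restore check from a clean boot: compare raw restored bytes to
    the recorded hashes and to a format sanity check, bypassing any OS."""
    report = {}
    for name, digest in manifest.items():
        raw = disk.raw_read(name)
        report[name] = {
            "hash_ok": hashlib.sha256(raw).hexdigest() == digest,
            "readable": looks_like_text(raw),
        }
    return report


def run_scenario() -> dict:
    # Constructed sample files standing in for the contents of C:.
    files = {
        "AUTOEXEC.BAT": b"@ECHO OFF\r\nPATH C:\\DOS\r\n",
        "NOTES.TXT": b"RT-11 source notes, PDP-11 build tree.\r\n",
    }
    disk = Disk()
    clean = CleanOS(disk)
    for name, data in files.items():
        clean.write(name, data)
    manifest = make_manifest(clean, files)  # taken while known-good
    clean_check = verify_offline(disk, manifest)

    infected = InfectedOS(disk)
    infected.infect()  # silent phase: disk holds ciphertext from here on
    daily_boot_sees_plaintext = all(infected.read(n) == files[n] for n in files)

    image = ghost_image(disk)  # raw image captures the ciphertext
    image_holds_plaintext = all(image[n] == files[n] for n in files)

    restore(disk, image)
    # Restoring and booting the same infected OS: still decrypts on read.
    restored_boot_sees_plaintext = all(infected.read(n) == files[n] for n in files)

    offline = verify_offline(disk, manifest)  # clean boot, no malware in path
    return {
        "clean_offline_ok": all(r["hash_ok"] and r["readable"] for r in clean_check.values()),
        "daily_boot_sees_plaintext": daily_boot_sees_plaintext,
        "image_holds_plaintext": image_holds_plaintext,
        "restored_boot_sees_plaintext": restored_boot_sees_plaintext,
        "offline_hash_ok": all(r["hash_ok"] for r in offline.values()),
        "offline_readable": all(r["readable"] for r in offline.values()),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The two booleans that matter are `restored_boot_sees_plaintext` (true: the restored C: drive booted under the resident malware looks identical to every other morning) and `offline_hash_ok` (false: the same restored bytes, read without the malware in the path and compared to hashes recorded when the files were known-good, do not match). The hash manifest has to be stored somewhere the malware cannot rewrite on the fly, such as on the backup medium itself or on paper, or it is no better than the files it protects.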


More information about the cctalk mailing list