Local backup protection -- Backup, Eject and, later, re-Scan

Xander

Just thinking about Cryptolocker and how things probably won't get easier from here on out. As I've been encouraging home users to be backing up to a local drive, I've started telling them to unplug it when not in use. Realistically, this will mean they will get forgotten and backups won't happen.

A few synapses fired and I thought of this from a script:
1. A 'scan for hardware' command gets sent, discovering the drive
2. Backup software runs
3. An 'eject' command is sent, logically disconnecting the external

Brainstorming, so I don't know that you can do this, but I don't see why you couldn't. NirSoft's NirCmd supports an eject command and I think you'd need to specify a letter for the drive as a precaution. I suspect there's probably a way (WMI?) to push a hardware re-detection.

Assuming all is possible, think this would work?
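
The three steps above as a PowerShell sketch; this is an added example, not part of the original post, and it swaps 'eject' for disabling the device node so that a script can bring the drive back later. The instance ID, drive letter, source folder and marker file name are placeholder assumptions, and it assumes Windows 10 or later (PnpDevice module), an elevated session, and a device that Windows allows to be disabled.

```powershell
#Requires -RunAsAdministrator
# Added example: attach -> back up -> detach cycle for an external backup drive.
# Every value in this block is an assumption; replace it for the real machine.
$InstanceId  = 'USB\VID_XXXX&PID_XXXX\SERIAL'   # placeholder; list real IDs with Get-PnpDevice
$DriveLetter = 'X'                              # assumed letter of the backup volume
$Source      = 'C:\Users\Example\Documents'     # assumed folder to back up
$TimeoutSec  = 60
$ErrorActionPreference = 'Stop'

# Stop early if the configured device is unknown to Windows.
$null = Get-PnpDevice -InstanceId $InstanceId

try {
    # Step 1: re-attach. Enabling the device node makes Windows enumerate the drive again.
    Enable-PnpDevice -InstanceId $InstanceId -Confirm:$false

    # Wait for the volume to mount, but give up after the timeout.
    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    while (-not (Test-Path "${DriveLetter}:\")) {
        if ((Get-Date) -gt $deadline) { throw "Volume ${DriveLetter}: did not appear" }
        Start-Sleep -Seconds 2
    }

    # Precaution: the letter alone proves nothing, so require a marker file
    # (hypothetical name) that was placed on the backup drive beforehand.
    if (-not (Test-Path "${DriveLetter}:\backup-target.id")) {
        throw "${DriveLetter}: is mounted but is not the backup drive"
    }

    # Step 2: back up into a dated folder so an earlier copy is never overwritten.
    $dest = "${DriveLetter}:\Backups\$(Get-Date -Format 'yyyy-MM-dd')"
    robocopy $Source $dest /E /R:1 /W:1 /NP | Out-Null
    if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }
}
finally {
    # Step 3: detach, even when the backup failed, so the drive is not left online.
    Disable-PnpDevice -InstanceId $InstanceId -Confirm:$false
}
```

Run it from a scheduled task with highest privileges. Between runs the volume has no drive letter and is not mounted, although code that already runs as administrator can re-enable the device.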
 
It's a good idea in theory.

The real danger, I think, is in the user backing up infected data over the good backup.

I guess not though, if you started with a good master backup and did incremental backups afterwards with a full backup every Nth backup.

I could see this starting to chew up disk space though. You'd need to set a clean up schedule...
 
Great idea, the re-scan I think would be the trouble. I know if you eject a drive but leave it physically attached then click re-scan in Device Manager it will not find the drive, so I'm curious as to the fix for that.
 
Intriguing. I'm playing with Devcon right now. Got one of my flash drives identified as "@USB\VID_0930&PID_6545\5B860E0002BE" but removal is failing and it's not in use in any way.
Any ideas what would cause it to fail?
 
If you have absolute trust in the cloud. I tend to think of it as a last chance and only for user data.

Local is cheaper and quicker, especially for those with slow upload. Def faster to get it back from local.

On the whole, I see crypto going more after specific data rather than something as huge as a backup. Too much overhead otherwise. Crypto can pop off little docx, etc without raising eyebrows by dragging down the system too much. How many times did we hear of Crypto victims that didn't have backups? If they did have backups, that's a fish that got away. It's simply a numbers game for them, with distribution becoming so cheap.
 
Better? Up for debate. Ideally - they'd have both local and offsite, IMO. Cloud isn't important if people can get a local backup stored offsite. One of the small businesses I look after has two backup drives and the office manager takes the backup drive home and swaps in the other so there's always one drive that's not onsite. Protects them in case of fire. (We're not in a hurricane/earthquake/etc prone area).
 
Cloud isn't important if people can get a local backup stored offsite.
Which home users rarely if ever do. Yes, cloud has its risks but it is better than nothing and easier to get going for this kind of user IMO. And if you pick a service that allows you to seed the first backup, that takes away the bandwidth issues for the most part. Most such files will not change much, pictures and so forth that simply need to be preserved.
 
If you have absolute trust in the cloud. I tend to think of it as a last chance and only for user data.

Local is cheaper and quicker, especially for those with slow upload. Def faster to get it back from local.

On the whole, I see crypto going more after specific data rather than something as huge as a backup. Too much overhead otherwise. Crypto can pop off little docx, etc without raising eyebrows by dragging down the system too much. How many times did we hear of Crypto victims that didn't have backups? If they did have backups, that's a fish that got away. It's simply a numbers game for them, with distribution becoming so cheap.

Problem is how soon will it be when the next version of Crypto just deletes the backups. If I was running such a scam that is what I would do.
 
Good point, Xander.

Now, not being much of a programmer/script kind of guy myself, a couple of things did pop into my head.

Hide the partition.

Remove the drive letter.

How difficult either would be, I have no idea.

Turn off write caching and find some way to power down the drive when it's not needed?
 
"Problem is how soon will it be when the next version of Crypto just deletes the backups."

Which of course might well hose the backup even if you tried to undelete.

I think Xander's approach cuts the chances for that, but cloud is a good (though expensive) last chance. This assumes they are as good at restoring as they are at accepting your payment.
 
Take a look at Rebit - it's a cloud/onsite hybrid solution. It backs up critical files to the cloud (with minor versioning - previous 3 versions), and it does a local file level backup, along with incremental system image backups, to an attached USB drive. The advantage is that you can restore the entire system drive in the event of a drive failure or virus infection. Also, the backup system is proprietary, so at this point Cryptolocker and similar ilk can't touch it. Affordable for home users, and they have a decent reseller program (ACRBO discount).
 
I've been looking at protecting backups from Cryptolocker but on a network share. See this thread http://www.technibble.com/forums/showthread.php?t=54356

In the case of local hdd or external usb backups could you run the backup as another user and set security permissions on the folder to only allow the special non-logged-in user?
This is what I have been experimenting with in the thread I linked to above.
 
This just showed up on my FB feed:
[Image: Tgn84oe.jpg]
 