SecureCopy and Ransomware question

Hello everyone,

I have a question regarding this ransomware malware going around. Let me tell you briefly about the setup.

We have two identical file servers running Windows 2012 Storage Server. The first one, let's call it FS1, is the primary file server which the users connect to via AD scripts. On the second one, FS2, I run two software programs, both of them for backup purposes: BackupExec 14 and Dell's SecureCopy. How it works:
1. The BackupExec agent is installed on FS1 and all files (around 4 million) are backed up to disk on FS2.
2. Two main folders called USERS and GROUPS are synced from FS1 to FS2 at night using SecureCopy. All file flags (permissions, last access date, etc.) are preserved.

In case of complete failure of FS1, we simply edit the AD scripts to point to the FS2 USERS and GROUPS shares. Although there will be some work lost since the last SecureCopy sync, that will give us time to restore or reinstall or fix FS1.

Now what's going to happen if ransomware gets on the FS1 USERS and GROUPS shares, despite the fact that we think we beefed up both servers with the latest and greatest anti-malware tools? Most likely they will get encrypted and MIGHT affect (contaminate) the files on FS2 during either the BackupExec process or the SecureCopy sync. We want to prevent this and stop the infection at the source, which is FS1.
We noticed that SecureCopy has a Special Handling option called "Allow copy of encrypted files as unencrypted if encryption fails" (see attached picture). So what the pop-up is saying is that SecureCopy attempts to encrypt a file on the target (FS2) using EFS when it copies a file which is encrypted on the source.

So we assume that a file is encrypted with ransomware. If this Special Handling option is not enabled, then SecureCopy:

1. Attempts to encrypt the file at the target (FS2) when it is encrypted at the source.
2. The file on the source FS1 is already encrypted by something other than EFS, so the encryption attempt at the target FS2 (EFS) will fail because the file encrypted by ransomware cannot be modified.
3. The pop-up says "If SecureCopy is unable to encrypt the file on the target the copy will fail, unless this option is selected".
4. Following 1-3 above, I think that the copy process will fail, and that is exactly what we want: not to spread the infection.

Not sure if someone has come across this scenario, but I would like your opinion regarding this logic (could be totally wrong...).

Cheers
Asked by: Bibecu
rindi commented:
That option would make no difference to ransomware-encrypted files. The only good way to defend against this is to have more than one good backup, and always make sure that the backup disks are removed after the backup is finished. Also make sure the users only have standard rights, and not admin rights, on their PCs, and educate them so that they use the internet and email with care. Although a good AV product is a good precaution, it is by no means fail-safe. User education is by far the best precaution.
0
McKnife commented:
I don't think this will work, but try it. Encrypt a file somehow, for example with 7zip, and see what happens. I guess it will only work with EFS.
0
David Johnson, CD, MVP (Owner) commented:
There is a huge difference between an EFS-encrypted file and ransomware encryption, and SecureCopy will not know the difference between a normal file and one that has been encrypted via ransomware. All one can do is remove the ransomware and then restore from a previous backup.
0
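The distinction drawn in the replies above, as an added example that is not part of the thread or any poster's code: the EFS state a copy tool can read is a file-system attribute, while ransomware changes only the file's bytes. The function names, the magic-byte table and the 7.5 bits/byte threshold are assumptions chosen for illustration, and the sample files are constructed.

```python
import hashlib
import math
import os
import stat
import tempfile
from collections import Counter

# Well-known leading bytes for a few document types (illustrative subset).
MAGIC = {".pdf": b"%PDF", ".docx": b"PK\x03\x04", ".png": b"\x89PNG", ".jpg": b"\xff\xd8\xff"}

def shannon_entropy(data):
    """Bits per byte; near 8.0 for encrypted or compressed data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def inspect_file(path, sample=65536):
    """Compare the EFS attribute a copy tool sees with what the content shows."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)  # present on Windows only
    with open(path, "rb") as fh:
        head = fh.read(sample)
    magic = MAGIC.get(os.path.splitext(path)[1].lower())
    info = {"efs_flag": bool(attrs & stat.FILE_ATTRIBUTE_ENCRYPTED),
            "entropy": shannon_entropy(head),
            "magic_ok": None if magic is None else head.startswith(magic)}
    # Flag only when the expected header is gone AND the bytes look random
    # (assumed threshold; compressed formats are high-entropy but keep their header).
    info["suspicious"] = info["magic_ok"] is False and info["entropy"] > 7.5
    return info

def demo():
    """Constructed samples: a plain PDF-like file and a stand-in for its ciphertext."""
    clean = b"%PDF-1.4\n" + b"Quarterly report text. " * 2000
    # SHA-256 counter output stands in for ransomware ciphertext (constructed).
    scrambled = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(2048))
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, data in (("clean.pdf", clean), ("scrambled.pdf", scrambled)):
            path = os.path.join(d, name)
            with open(path, "wb") as fh:
                fh.write(data)
            results[name] = inspect_file(path)
    return results

if __name__ == "__main__":
    for name, info in demo().items():
        print(name, info)
```

Both files report `efs_flag` as false, so a setting keyed on EFS state treats them identically; only the content check separates them.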

Thomas Zucker-Scharff (Solution Guide) commented:
See my articles on ransomware for a complete treatment. But in essence, you need to heed the advice of previous experts: back up!
http://www.experts-exchange.com/articles/20879/Ransomware-is-rampant-don't-be-caught-out.html

http://www.experts-exchange.com/articles/18086/Ransomware-Prevention-is-the-only-solution.html
0
Bibecu (Author) commented:
Thank you all for taking the time to respond and share your thoughts/experience. As suggested by McKnife, I will try to encrypt a file with a 3rd-party tool and see what happens when it is moved to FS2 via SecureCopy.

Cheers
0
McKnife commented:
Yes, do that, it will be quickly done.
Bibecu, allow this side note to the other experts:
The points were shared - this is OK. But there's one who got much more than the others: while others got 125 x grade multiplier A (4) = 500, he (Thomas) got 1000.

Simply by mentioning your own article, you get 500 bonus points. Say, do you consider this fair pointing? I am against the pointing system altogether, but if EE wants to keep it, then they should do it right; you should not get bonus points just for mentioning your article. What do you all think?

Tzuckerscharf, nothing against you/your article, it's just the pointing system.
0
Thomas Zucker-Scharff (Solution Guide) commented:
@McKnife

I understand your concerns and agree with your assessment. I have said previously, and will gladly repeat, that my primary reason for writing articles is to be able to refer to them in answers. I don't really care about the points. I try to write fairly informative articles that can be used to solve various problems.

EE has more than a point system problem. I have been advocating for a better article writing system. Currently the only way to collaborate on an article is to post in a group and ask for suggestions or to send emails to specific members. Neither option is a solution. The first ransomware article I referred to above had input from other users, but they had to be attributed in the article instead of getting joint authorship.

The points system needs an overhaul (even after the one they gave it), and the article system needs help as well. Not to mention the article writing tool is a dinosaur from the last century (you have to keep a copy of every article in both Word and PDF format before publishing because the tool invariably loses your article). This site should be using WordPress with PressForward and some other plugins; it would make everything so much easier.
0