Member_2_7970390

asked on

Backup strategy against ransomware and what to do when infected

We had a user whose laptop was infected with ransomware, and that led me to look into a solution for it and into our backup system.
Fortunately, he was not connected to the company network, so the files were only locked on his laptop.
Free ransomware removal tools from TrendMicro and someone else did not work.

1. What is the best removal tool?

I am looking into Sophos. They have Enterprise Malware Removal Tool that can take care of Ransomware. We use their anti-virus software, so theirs caught my eye.

2. What is the best backup strategy?

I had an IT admin friend, and his system got infected. He spent $30K to get his files back from the servers, and what was interesting was that the ransomware did not manifest itself right away. It was like 2 or 3 days later.
Right now, my servers are backed up fully every night to a USB drive. I have only 3 servers. No incremental or differential. I'd like to know how people back up a couple of terabytes of data these days. Tape systems were used in the past, and each day, manually or automatically, different tapes were used. Do people do this even in 2018? I only used it 10 years ago.

https://www.amazon.com/EX4100-Expert-Network-Attached-Storage/dp/B00TB8XN2E
These can have multiple full backups, but are they totally offline from each other each time? I hear that ransomware can go into other resources on the same LAN. Then I need a backup system that can back up multiple generations (like daily), and they need to be completely offline. If ransomware can infect the backup drives either via USB or LAN, then that is a problem.

Of course, one way is to have 5 separate USB drives for Monday through Friday, and cycle it each week. Is there a better way?
masnrock

Well, the key is that your backup strategy includes backups that are not connected to any system or network at some point. If a backup drive is online and the infected system can access them, then you're going to have those potentially infected/encrypted as well.

The best tool against ransomware is prevention, which includes a mixture of spam filtering, tool improvement (AV and malware), user education, and minimizing areas open to exploitation.
Member_2_7970390

ASKER

Hi, masnrock,
Thank you for your comment. The whole purpose of asking professionals like you this question is to find out the best way to have offline backups. Also, what are the prevention tools that you use or recommend? I'd like to have actual names of software and equipment.
Yes, prevention is the biggest key, but not all users are careful. Things happen.
Anti-malware tools cannot detect and block every possible ransomware that is developed and revised every day.

Could you give me more specific options for a solution?
If tape devices are not used in the terabyte era (that is good to know, thanks!), then NAS is the only option, apart from daily separate external drives.

1. Can ransomware reach out to other servers on the same network, and lock up their files?
2. (4 to 8)-bay Network Attached Storage like the one I linked to - is each bay totally manageable separately (online / offline), and therefore unreachable by ransomware?
Anything that is reachable with a fully qualified path name (FQPN) can be corrupted.  So, if server1 can see \\server2\MyFolders and MyFolders gives write permissions to the process executing the ransomware, then yes, your other server is vulnerable.  And, if you are using DFSR, it will also happily duplicate corrupted files.
 
Your NAS drive will show up as a mapped drive and therefore, is corruptible, if online, unless writes are restricted to certain accounts which are not busy executing the ransomware.
> Can ransomware reach out to other servers on the same network, and lock up their files?

This depends entirely on who gets infected, what their access rights are, and how the malware works.  Bottom line: MAYBE.

Are you backing up your VMs?
Thank you guys for all the tips. Here are my overall thoughts at this moment. Of course, prevention side is just as important.

1) Having 5 external disks may be the best method, because it would work like a tape and the 4 other disks are completely offline. It may take a day or two, or more, for the ransomware to manifest itself (locking up the files on the server).
2) No one really mentioned a NAS storage with multiple bays where each bay can be separately configured to be online or offline. So I can assume they don't exist...
3) Tape backups are expensive in the terabyte era, therefore not suitable for smaller companies.
4) Ransomware spreads only within the limits of the infected user's access rights. Properly granting write access is a big key.

Here is my question, with 4) in mind: How can I make a "backup user" and limit all other users' access to the backup file?
Let's say you buy a 16TB NAS backup system, and each day 3TB is backed up, so you have different versions of backups. Then...
- Create a "backup user" in AD and assign him the access rights to the backed-up folders.
- Configure the backup software and schedule the backups.

Do I need to buy a backup software? Can I do this with built-in Windows server (2012R2) backup service?

> Fred Marshall
That is very interesting. Do I write a script? Does it need to be PowerShell, and then have Task Scheduler run it? I need to look into it.


Now on the prevention side -
> Wayne Herbert
1. Never heard of Layer 7 protection - I have a SonicWall FW without the protection subscription. Would it work in a similar way if I bought the subscription? Would it filter emails as well? Or are they two separate things?
2. OnlyMyEmail - Can this be an option if you don't even have an in-house email server? We use a hosted service, so I can't customize the settings.

Lastly, is there a recommended email server provider that has a very good filtering system?

Thank you!
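One way to implement the "backup user" setup asked about above on Windows Server 2012 R2 with the built-in Windows Server Backup (wbadmin) and Task Scheduler, as an added example that is not part of this thread or any answer in it. The domain, the svc-backup account, the \\NAS01\Backups share and the script location are assumed placeholders; it also mirrors the five-disk rotation with one target folder per weekday, because wbadmin keeps only the most recent backup per network target folder.

```powershell
# Added example, not from this thread. One script, two modes:
#   .\Backup-Setup.ps1             one-time setup: lock down the share, register the task
#   .\Backup-Setup.ps1 -RunBackup  what Task Scheduler runs nightly as the backup account
# Assumed placeholders: domain CONTOSO, account svc-backup, NAS share \\NAS01\Backups.
param([switch]$RunBackup)

$BackupUser = 'CONTOSO\svc-backup'
$BackupRoot = '\\NAS01\Backups'

if ($RunBackup) {
    # One target folder per weekday mirrors the five-disk rotation: wbadmin keeps only
    # the most recent backup per network target, so five folders give five versions.
    $target = Join-Path $BackupRoot ((Get-Date).DayOfWeek.ToString())
    New-Item -ItemType Directory -Path $target -Force | Out-Null
    & wbadmin start backup "-backupTarget:$target" -include:C:,D: -vssFull -quiet
    exit $LASTEXITCODE
}

# 1. Only the backup account and Administrators may write to the backup root.
#    With no ACE for ordinary users, ransomware running as an infected user gets
#    "access denied" even though the share is online. (Requires a NAS that honours
#    NTFS ACLs over SMB; confirm with Get-Acl after running this.)
$acl = Get-Acl -Path $BackupRoot
$acl.SetAccessRuleProtection($true, $false)        # stop inheritance, drop inherited ACEs
foreach ($rule in $acl.Access) { [void]$acl.RemoveAccessRule($rule) }
$full    = [System.Security.AccessControl.FileSystemRights]::FullControl
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit'
$none    = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
foreach ($id in @($BackupUser, 'BUILTIN\Administrators')) {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $id, $full, $inherit, $none, $allow)))
}
Set-Acl -Path $BackupRoot -AclObject $acl

# 2. Nightly task that runs this script with -RunBackup under the backup account.
#    Deny that account interactive logon via Group Policy so its credentials are
#    never in use on a workstation that could get infected.
$cred    = Get-Credential -UserName $BackupUser -Message 'Password for the backup account'
$action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$PSCommandPath`" -RunBackup"
$trigger = New-ScheduledTaskTrigger -Daily -At '23:00'
Register-ScheduledTask -TaskName 'NightlyFullBackup' -Action $action -Trigger $trigger `
    -User $BackupUser -Password $cred.GetNetworkCredential().Password -RunLevel Highest
```

Run the setup mode once as a domain administrator; the online NAS is then writable only by the backup account, and the five weekday folders are the offline-style generations the thread discusses, though a share that is always online is still no substitute for the disks that are physically disconnected.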
I am of the opinion that the vast majority of email service providers that include spam services are crap.  I have turned off Office 365 protection and use OnlyMyEmail.
I cannot speak for OnlyMyEmail, but I do agree that O365 has *horrible* spam filtering. Even from discussions I've seen with Microsoft, a lot still gets missed. The intelligence end is definitely lacking. AppRiver probably has one of the better host-provided spam filters I've seen, and even that one I felt could still use tuning.
Provided due advice