Avatar of mkramer777
mkramer777Flag for United States of America asked on

Is a system image backup less susceptible to ransomeware?

I use AOMEI to backup a handful of computers (I use a system image)  I see that the backup file ends with .adl for the extension.  I have seen ransomware infiltrate a network and corrupt all .docx and .xlsx files so they cannot be opened. Would the same thing happen to an AOMEI .adl file or is that less susceptible to ransomware?



RansomwareNetworkingSecurity

Avatar of undefined
Last Comment
Philip Elder

8/22/2022 - Mon
Andrew Hancock (VMware vExpert PRO / EE Fellow/British Beekeeper)

Yes they would encrypt and also some delete all backups!
ASKER
mkramer777

so ransomware knows every extension of every kind of software and ecrypts them?  

You are a Veeam expert, do my Veeam backups get screwed up as well with ransomware. Anyway to prevent this if I get hacked other than having a cloud backup and a second NAS backup for VM's in another location?

ASKER CERTIFIED SOLUTION
Andrew Hancock (VMware vExpert PRO / EE Fellow/British Beekeeper)

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
See how we're fighting big data
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question
ASKER
mkramer777


OK.  So what are your recommendations for safeguarding against this?  I have all servers using Veeam for backups.  The backups go to a QNAP and then the Qnap goes to another office QNAP in another city.
What are your reccomendations?   

I started with Experts Exchange in 2004 and it's been a mainstay of my professional computing life since. It helped me launch a career as a programmer / Oracle data analyst
William Peck
Philip Elder

Since you already have Veeam, set up a Scale-Out Backup Repository (SOBR) that includes a Cloud Tier. I suggest BackBlaze B2 and set immutability to one of the buckets.

Put your first set of backups in that first bucket and save the number of weeks into it as is needed.

Then, have another job that backs up, or copies backups, into a non-immutable bucket for long term storage.

It's simple and cost effective.

Perps are gaining a foothold _inside_ the network, running a scope, and then executing a set of processes to delete backups, the backup server, and then go after the main data repositories.
Seth Simmons

I have all servers using Veeam for backups.

you can use a target with immutable storage like linux or a cloud provider that offers it

something air-gapped is the most effective as it is completely disconnected from everything
rotating backup with some sort of removable media that can be removed and thus inaccessible without physical access
ASKER
mkramer777

I have BACKBLAZE account connected to my QNAP. I have never been able to get a backup to complete.  The size is 2TB.  Our upload speed I'm assuming is not adequate.  Any idea on how to accomplish this other than getting faster bandwidth?


I also use a bit cumbersome backup strategy of swapping out external hard drives every week to backup the contents of the QNAP to the drive.  I take this offsite to my home each week.  Better than nothing I guess if other strategies fail.

Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
Lee W, MVP

The people attacking you with Ransomware don't want you to be able to recover!  If you could, why would you pay them?

These people who make the ransomware malware do their homework and so they know most backup formats.  If you leave the backup online (as opposed to disconnecting it from the network), they will either encrypt it or delete it.  It benefits them to do this.  They don't care about you and aren't going to make it easy for you to avoid paying!

Even if a particular strain of ransomware today doesn't hit your particular backup, there is NO GUARANTEE the next guy won't!  

You're not safe unless you make sure you have offline backups and/or cloud based backups.  It really is that simple.


ASKER
mkramer777

Why are cloud backup not susceptible to ransomware?

Lee W, MVP

They are not susceptible to ransomware infecting YOU.  If the could backup provider gets hit, they could be affected.  Cloud backups are not generally done over SMB connections.  Ransomware encrypts all files it can read normally over a network.  Cloud backups are not transmitted in the same manner your files in your office are.
This is the best money I have ever spent. I cannot not tell you how many times these folks have saved my bacon. I learn so much from the contributors.
rwheeler23
Lee W, MVP

It's also not unheard of for ransomware to lay dormant on your system for weeks or months so that ALL your backups are infected as well - restore them and they just re-encrypt everything.  This is one reason to ensure you keep older backups as well as newer ones (Grandfather, father, son style).
Andrew Hancock (VMware vExpert PRO / EE Fellow/British Beekeeper)

I have BACKBLAZE account connected to my QNAP. I have never been able to get a backup to complete.  The size is 2TB.  Our upload speed I'm assuming is not adequate.  Any idea on how to accomplish this other than getting faster bandwidth?


I also use a bit cumbersome backup strategy of swapping out external hard drives every week to backup the contents of the QNAP to the drive.  I take this offsite to my home each week.  Better than nothing I guess if other strategies fail.

is that 2TB for the total backup job, break up the jobs into smaller payloads, jobs, CBT increments will then be smaller if you have low bandwidth.
David Johnson, CD

do a local backup and then a backup copy to the cloud..

The one word that is important is immutability . this means that there are measures in place that do not allow the file(s) to be altered in any way by the user/administrators
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
serialband

You need an offline backup if you want to be secure.  A cloud backup is still online.  If they have access to your network access credentials, and can reach your cloud service, they can still encrypt a backup in the cloud.  The only backup they can't reach are the offline backups, because they're offline, not connected to anything.  

Any file can be encrypted.  It doesn't matter what extension or format a file is.  A file is a file is a file.  It's all data.  It's all the same to the encryption program.  Files are just opened under file handles.  You don't actually need an extension to identify its type.  It's just easier to identify with an extension.  Older Macs used to not use extensions and had a different way to identify the file type.  They eventually adopted the Microsoft way to have compatibility and reduce some complexity so Mac users can share files to Windows users.



David Favor

1) You asked, "Is a system image backup less susceptible to ransomeware?"

No.

If you backup encrypted files, makes no difference if you backup these files one by one or as a system image.

2) You asked, "so ransomware knows every extension of every kind of software and encrypts them?"

Ransomware has no consideration of file extension.

Ransomware, at least variants I've come across, first encrypt all non-system files, then system files, then rewrite the boot record, so you see the clock + the clock resumes every boot.

3) To expand @Andrews comment, "Yes they would encrypt and also some delete all backups!"

The Ransomware Rule is simple.

"Any file you can dir/ls, will be encrypted."

So if you're running backups, then depositing them on a locally accessible disk (dir/ls can see them), then they're gone... well... unless you pay, which I wouldn't recommend.

Many a Ransomware conversation I've had starts with the conversation...

"But I have backups... I make them every night... Just restore one..."

Problem is... a backup is only a backup if it's kept remote... so no command line dir/ls can show the filename...

4) Remember the only way to recover from Ransomware is to do a full backup restore, then avoid the behavior that lead to the Ransomware infestation... which is almost surely... clicking on an email attachment or rarely, installing a thumb drive on a machine...

Full data restore is the only cure for Ransomware.
ASKER
mkramer777

Almost seems like going back to a rotating set of usb drives connected to my QNAP that copies the contents every night and than taken off site is an option. Along with cloud.


Your help has saved me hundreds of hours of internet surfing.
fblack61
kenfcamp

Almost seems like going back to a rotating set of usb drives connected to my QNAP that copies the contents every night

You could but I don't see that as being necessary

We have customers setup backing up to QNap NAS storage

Unless the NAS is used for anything other than "Just storage" Ransomeware is generally only going to infect what it has access to from the source initially infected device/PC - (Network shares, mapped drives etc)

We've got backups on going to dedicated partitions
Network shares on the NAS are on their own dedicated partitions

When a server backups, the share is activated and mounted , and unmounted and deactivated upon completion leaving no access from the server to the share

Nightly backups are rsynced to off site servers
Philip Elder

We have a last mile up here (Edmonton, Alberta). Doing cloud for immutable backup storage is difficult for many of our clients because there is no bandwidth available for the upload.

So, we rotate their backups.

Creating security barriers helps too.

Veeam server is not on the production domain. It's firewall is hammered down. RDP inbound only from one IP or maybe two. DUO for 2FA to help keep it secure. Those are just a few of the steps to help keep the backups safe.
ASKER
mkramer777

When you say "we rotate backups" what are you talking about?  Tape? External hard drive?


Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
Philip Elder

Back in the day we had a server go blotto. Their backup setup was two HP DAT libraries and BackupExec. BUE failed us there. Plus, the person responsible for rotating the DAT magazines turned sheet white when we asked for them to go get them.

They hadn't been rotating them like they were supposed to.

So, we took over all backup management and rotation at client sites for a fee that also included a quarterly full bare-metal or hypervisor restore.

It also gets us into our client sites where we manage the backups. It almost always ends up with us being asked to help with things so augments the on-site billable/chargeable time.