mkramer777 (United States of America) asked:
Is a system image backup less susceptible to ransomware?

I use AOMEI to back up a handful of computers (I use a system image). I see that the backup file ends with .adl for the extension. I have seen ransomware infiltrate a network and corrupt all .docx and .xlsx files so they cannot be opened. Would the same thing happen to an AOMEI .adl file, or is that less susceptible to ransomware?



Andrew Hancock (VMware vExpert PRO / EE Fellow / British Beekeeper), United Kingdom:

Yes they would encrypt and also some delete all backups!
mkramer777 (asker):

So ransomware knows every extension of every kind of software and encrypts them?

You are a Veeam expert; do my Veeam backups get screwed up as well with ransomware? Any way to prevent this if I get hacked, other than having a cloud backup and a second NAS backup for VMs in another location?

ASKER CERTIFIED SOLUTION
Andrew Hancock (VMware vExpert PRO / EE Fellow / British Beekeeper), United Kingdom


OK. So what are your recommendations for safeguarding against this? I have all servers using Veeam for backups. The backups go to a QNAP, and then the QNAP goes to another office QNAP in another city.
What are your recommendations?

Since you already have Veeam, set up a Scale-Out Backup Repository (SOBR) that includes a Cloud Tier. I suggest Backblaze B2, and set immutability on one of the buckets.

Put your first set of backups in that first bucket and save the number of weeks into it as is needed.

Then, have another job that backs up, or copies backups, into a non-immutable bucket for long term storage.

It's simple and cost effective.

Perps are gaining a foothold _inside_ the network, running a scope, and then executing a set of processes to delete backups, the backup server, and then go after the main data repositories.
I have all servers using Veeam for backups.

You can use a target with immutable storage, like Linux or a cloud provider that offers it.

Something air-gapped is the most effective, as it is completely disconnected from everything.
Rotating backups on some sort of removable media that can be removed, and is thus inaccessible without physical access.
I have a Backblaze account connected to my QNAP. I have never been able to get a backup to complete. The size is 2TB. Our upload speed, I'm assuming, is not adequate. Any idea on how to accomplish this other than getting faster bandwidth?


I also use a somewhat cumbersome backup strategy of swapping out external hard drives every week to back up the contents of the QNAP to the drive. I take this offsite to my home each week. Better than nothing, I guess, if other strategies fail.

The people attacking you with Ransomware don't want you to be able to recover!  If you could, why would you pay them?

These people who make the ransomware malware do their homework and so they know most backup formats.  If you leave the backup online (as opposed to disconnecting it from the network), they will either encrypt it or delete it.  It benefits them to do this.  They don't care about you and aren't going to make it easy for you to avoid paying!

Even if a particular strain of ransomware today doesn't hit your particular backup, there is NO GUARANTEE the next guy won't!  

You're not safe unless you make sure you have offline backups and/or cloud based backups.  It really is that simple.


Why are cloud backups not susceptible to ransomware?

They are not susceptible to ransomware infecting YOU. If the cloud backup provider gets hit, they could be affected. Cloud backups are not generally done over SMB connections. Ransomware encrypts all files it can read normally over a network. Cloud backups are not transmitted in the same manner your files in your office are.
It's also not unheard of for ransomware to lay dormant on your system for weeks or months so that ALL your backups are infected as well - restore them and they just re-encrypt everything.  This is one reason to ensure you keep older backups as well as newer ones (Grandfather, father, son style).

Is that 2TB for the total backup job? Break up the jobs into smaller payloads/jobs; CBT increments will then be smaller if you have low bandwidth.
Do a local backup and then a backup copy to the cloud.

The one word that is important is immutability. This means that there are measures in place that do not allow the file(s) to be altered in any way by the user/administrators.
You need an offline backup if you want to be secure.  A cloud backup is still online.  If they have access to your network access credentials, and can reach your cloud service, they can still encrypt a backup in the cloud.  The only backup they can't reach are the offline backups, because they're offline, not connected to anything.  

Any file can be encrypted.  It doesn't matter what extension or format a file is.  A file is a file is a file.  It's all data.  It's all the same to the encryption program.  Files are just opened under file handles.  You don't actually need an extension to identify its type.  It's just easier to identify with an extension.  Older Macs used to not use extensions and had a different way to identify the file type.  They eventually adopted the Microsoft way to have compatibility and reduce some complexity so Mac users can share files to Windows users.



1) You asked, "Is a system image backup less susceptible to ransomeware?"

No.

If you back up encrypted files, it makes no difference whether you back them up one by one or as a system image.

2) You asked, "so ransomware knows every extension of every kind of software and encrypts them?"

Ransomware has no consideration of file extension.

Ransomware, at least variants I've come across, first encrypt all non-system files, then system files, then rewrite the boot record, so you see the clock + the clock resumes every boot.

3) To expand @Andrew's comment, "Yes they would encrypt and also some delete all backups!"

The Ransomware Rule is simple.

"Any file you can dir/ls, will be encrypted."

So if you're running backups, then depositing them on a locally accessible disk (dir/ls can see them), then they're gone... well... unless you pay, which I wouldn't recommend.

Many a Ransomware conversation I've had starts with the conversation...

"But I have backups... I make them every night... Just restore one..."

Problem is... a backup is only a backup if it's kept remote... so no command line dir/ls can show the filename...

4) Remember the only way to recover from Ransomware is to do a full backup restore, then avoid the behavior that led to the Ransomware infestation... which is almost surely... clicking on an email attachment or, rarely, plugging a thumb drive into a machine...

Full data restore is the only cure for Ransomware.
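The "dir/ls rule" above can be turned into a check. The following is an added example, not code posted in the thread: a POSIX shell script that lists every backup-format file the current account can enumerate and flags the ones it can also write to. The extension list (.adl for AOMEI as in the question, .vbk/.vib/.vbm for Veeam) and the parsing of Linux `mount` output are my assumptions; adjust them for your products.

```shell
#!/bin/sh
# Added example, not code from the thread: list the backup files that THIS
# account can enumerate, and flag the ones it can also write to. Anything that
# shows up as "W" can be encrypted or deleted by ransomware running under the
# same account on this host; anything listed at all fails the dir/ls rule.
# Assumptions: the extensions cover AOMEI (.adl, as in the question) and Veeam
# (.vbk/.vib/.vbm); network_mounts parses Linux `mount` output.

PATTERNS="adl vbk vib vbm"

# network_mounts: mount points of SMB/NFS shares currently attached to this host.
network_mounts() {
    mount 2>/dev/null | awk '$2 == "on" && $4 == "type" && $5 ~ /^(cifs|smb3|nfs|nfs4)$/ { print $3 }'
}

# exposed_backups ROOT...: for every backup-format file under the roots, print
# "W <path>" if the current account can write it, otherwise "R <path>".
exposed_backups() {
    for root in "$@"; do
        [ -d "$root" ] || continue
        for ext in $PATTERNS; do
            find "$root" -type f -iname "*.$ext" 2>/dev/null
        done
    done | while IFS= read -r f; do
        if [ -w "$f" ]; then
            printf 'W %s\n' "$f"
        else
            printf 'R %s\n' "$f"
        fi
    done
}

# count_exposed ROOT...: how many backup files are visible at all.
count_exposed() {
    exposed_backups "$@" | awk 'END { print NR }'
}

# count_writable ROOT...: how many of them the current account could modify.
count_writable() {
    exposed_backups "$@" | awk '/^W / { n++ } END { print n + 0 }'
}

# Usage: ./exposed_backups.sh [ROOT...]  (defaults to every attached share).
main() {
    if [ $# -eq 0 ]; then
        # word splitting on the mount-point list is intended here
        set -- $(network_mounts)
    fi
    if [ $# -eq 0 ]; then
        echo "no roots given and no network shares mounted"
        return 0
    fi
    exposed_backups "$@"
    echo "visible: $(count_exposed "$@")  writable: $(count_writable "$@")"
}

if [ "${0##*/}" = "exposed_backups.sh" ]; then
    main "$@"
fi
```

Run it as the accounts that actually touch the data (the backup service account and an ordinary domain user), not only as root: a share that every user can write to is exposed on day one, and anything the script lists from an everyday workstation is a copy that will not survive the scenario described in this thread.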
Almost seems like going back to a rotating set of USB drives connected to my QNAP that copies the contents every night and is then taken off site is an option. Along with cloud.


Almost seems like going back to a rotating set of usb drives connected to my QNAP that copies the contents every night

You could but I don't see that as being necessary

We have customers set up backing up to QNAP NAS storage.

Unless the NAS is used for anything other than "just storage", ransomware is generally only going to infect what it has access to from the initially infected source device/PC (network shares, mapped drives, etc.).

We've got backups going to dedicated partitions.
Network shares on the NAS are on their own dedicated partitions.

When a server backs up, the share is activated and mounted, and unmounted and deactivated upon completion, leaving no access from the server to the share.

Nightly backups are rsynced to off site servers
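The mount-for-the-job-then-unmount pattern described in the post above, written out as an added example (my code, not the poster's setup): a POSIX shell wrapper that attaches a CIFS share, copies into a dated folder, and detaches again, with a trap so the share is released even when the copy fails. The share name, mount point, source path and credentials file are hypothetical placeholders, and DRY_RUN=1 prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example, not code from the thread: attach the backup share only for the
# duration of the job and detach it afterwards, so that between jobs no process
# on this server can enumerate the backups. SHARE, MOUNT, SRC and CREDS are
# hypothetical placeholders; set DRY_RUN=1 to print the commands instead of
# running them.
set -u

SHARE="${SHARE:-//qnap.example.internal/backups}"   # assumed CIFS share on the NAS
MOUNT="${MOUNT:-/mnt/backup-window}"
SRC="${SRC:-/srv/data}"
CREDS="${CREDS:-/root/.backup-share.cred}"           # username/password, mode 0600

# run CMD...: execute the command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# detach: unmount the share; harmless if it is already gone.
detach() {
    run umount "$MOUNT" 2>/dev/null || true
}

# backup_window: mount, copy into a dated folder, unmount. The trap makes sure
# the share is detached even if rsync fails or the job is interrupted.
backup_window() {
    trap 'detach' EXIT INT TERM
    run mkdir -p "$MOUNT"
    run mount -t cifs "$SHARE" "$MOUNT" -o "credentials=$CREDS,vers=3.0"
    # One folder per night, never overwritten by the next run: an older clean
    # copy survives an infection that is only noticed later.
    run rsync -a "$SRC/" "$MOUNT/$(uname -n)/$(date +%Y-%m-%d)/"
    trap - EXIT INT TERM
    detach
}

if [ "${0##*/}" = "backup_window.sh" ]; then
    backup_window
fi
```

The caveat a practitioner should keep in mind: unmounting defeats malware that only walks existing drives and mounts, but anything running as root on this server can read the credentials file and mount the share itself. Give the job its own account on the NAS with the least rights that still let it write, and treat this as one layer on top of the offline or immutable copies discussed earlier in the thread, not a replacement for them.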
We have a last-mile problem up here (Edmonton, Alberta). Doing cloud for immutable backup storage is difficult for many of our clients because there is no bandwidth available for the upload.

So, we rotate their backups.

Creating security barriers helps too.

The Veeam server is not on the production domain. Its firewall is hammered down. RDP inbound only from one IP, or maybe two. Duo for 2FA to help keep it secure. Those are just a few of the steps to help keep the backups safe.
When you say "we rotate backups", what are you talking about? Tape? External hard drive?


Back in the day we had a server go blotto. Their backup setup was two HP DAT libraries and BackupExec. BUE failed us there. Plus, the person responsible for rotating the DAT magazines turned sheet white when we asked for them to go get them.

They hadn't been rotating them like they were supposed to.

So, we took over all backup management and rotation at client sites for a fee that also included a quarterly full bare-metal or hypervisor restore.

It also gets us into our client sites where we manage the backups. It almost always ends up with us being asked to help with things so augments the on-site billable/chargeable time.