CryptoLocker has been in the news a lot recently. For those of you who haven’t heard of it, it is a ransomware Trojan that specifically targets computers running the Windows operating system. There are many variants or clones of this specific Trojan around today and, while not related to the original CryptoLocker, they all basically do the same thing. The name CryptoLocker is still used for the different variants, even though they are technically all ransomware.
These Trojans encrypt a certain set of the computer’s files (selected mostly by file type). They then demand a ransom (in bitcoins) in exchange for the decryption key. Even when you successfully remove the Trojan, the files remain encrypted. If you don’t have a CryptoLocker backup strategy, you risk losing all your files. Worse, there are reports of people paying the ransom to get their files back and still not receiving the decryption key.
There are even some variants that will also encrypt your backup files and leave you empty-handed in the end.
Dropbox, OneDrive, Google Drive and beyond
Some people claim that using cloud storage services such as Dropbox, OneDrive, Google Drive and others as a backup target will save their bacon. The problem, however, is that most of those files are synchronized (in both directions) the moment something changes. In the event that your files are being encrypted, the encrypted files get uploaded and you lose access to the cloud copies as well. Another issue is that attackers can now
A warning for the future: With the continued rise of the Internet of Things, big data and more connected networks, you will be seeing these types of attacks
How to avoid CryptoLocked backup files
Being in a situation where all of your important files AND backups are encrypted is not something you want to experience! In corporate IT environments, this should not usually be a problem, because CryptoLocker variants are mostly run by the user. As long as the user has no write access to the location of the backup files (NAS share, Veeam Backup & Replication repository), a Trojan running under that user’s security context is unable to encrypt the backup files. Yes, the users’ working folders will get encrypted, but you would then be able to roll back within minutes from the latest backup. Of course, as a best practice, you still want to make sure that administrators are not using their high-privilege accounts for daily work.
The bigger problem here is with smaller shops and end users at home. In most cases, both of these will have full rights on everything, which means that the Trojan can access files on their NAS, USB devices, file shares, home servers or anything else.
I could start a debate here by saying that even a home user should work with an account with fewer privileges to avoid giving CryptoLocker a free pass, but that isn’t likely to happen.
So what Cryptolocker backup strategy can you follow to prevent such Trojans from encrypting your Veeam Endpoint Backup FREE files?
1. Use a dedicated account to access the backup share
When you are using a share as the backup target, instead of connecting to it with your username and password, use your computer account. More information can be found here: http://helpcenter.veeam.com/endpoint/11/index.html?backup_job_share.html
Another option to keep CryptoLocker away from the backups is to set up a dedicated backup service account for each endpoint. Ideally, such an account should be created per machine that you’re planning to back up, with access only to that machine’s own backup location.
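As an added example (not from the article or from Veeam), this is how the separation described above can be enforced on the Windows machine that hosts the backup share: a per-machine backup service account, an NTFS ACL that leaves ordinary users no write access to the repository, and a share ACL restricted to that one account. The folder, share and account names are assumptions; the backup job is then pointed at the share with this account’s credentials as described in step 1.

```powershell
# Added example, not from the article or Veeam: lock a backup folder and share down so that
# only a per-machine backup service account (plus administrators) can write to it.
# Assumed names: folder C:\Backups\PC01, share PC01Backup, account svc-backup-pc01.
# Run once, elevated, on the machine that hosts the backup share.
$BackupRoot  = 'C:\Backups\PC01'
$ShareName   = 'PC01Backup'
$ServiceUser = 'svc-backup-pc01'

# 1. Dedicated local account that exists only to write this machine's backups.
$Password = Read-Host -AsSecureString -Prompt "Password for $ServiceUser"
if (-not (Get-LocalUser -Name $ServiceUser -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $ServiceUser -Password $Password -PasswordNeverExpires `
        -UserMayNotChangePassword -Description 'Backup repository writer' | Out-Null
}

# 2. Backup folder: stop inheriting the drive's ACL (on a default system drive that
#    gives Authenticated Users modify rights on new folders) and drop inherited ACEs.
New-Item -ItemType Directory -Path $BackupRoot -Force | Out-Null
$Acl = Get-Acl -Path $BackupRoot
$Acl.SetAccessRuleProtection($true, $false)   # protect DACL, do not copy inherited entries

# 3. Explicit grants only: SYSTEM and Administrators for maintenance and restores,
#    the service account Modify (write/rename/delete, but no permission changes).
$Inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$Grants  = @(
    @{ Identity = 'NT AUTHORITY\SYSTEM';            Rights = 'FullControl' },
    @{ Identity = 'BUILTIN\Administrators';         Rights = 'FullControl' },
    @{ Identity = "$env:COMPUTERNAME\$ServiceUser"; Rights = 'Modify' }
)
foreach ($g in $Grants) {
    $Rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $g.Identity, $g.Rights, $Inherit,
        [System.Security.AccessControl.PropagationFlags]::None, 'Allow')
    $Acl.AddAccessRule($Rule)
}
Set-Acl -Path $BackupRoot -AclObject $Acl

# 4. Share it. Naming an access list replaces the default "Everyone: Read" share ACL,
#    so ordinary users cannot even browse the repository over SMB.
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $BackupRoot -FullAccess "$env:COMPUTERNAME\$ServiceUser" | Out-Null
}

# 5. Check: no ACE on the folder may reference a broad group.
$Leak = (Get-Acl -Path $BackupRoot).Access |
    Where-Object { $_.IdentityReference -match 'BUILTIN\\Users|Authenticated Users|Everyone' }
if ($Leak) { Write-Warning "Broad ACEs remain on ${BackupRoot}:"; $Leak | Format-Table -AutoSize }
else       { Write-Output "$BackupRoot is writable only by $ServiceUser and administrators." }
```

A Trojan running as the logged-on user now gets "access denied" on both the share and the folder, while a backup job authenticating as the service account can still write and rotate its files.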
2. Rotate your backup storage
Instead of saving your backup files to only one removable device (such as a USB hard drive), purchase an additional removable device and use the two in a rotating scheme. This way, if your backup files get encrypted while one device is connected to your endpoint, you’ll still have another set of older backups on the other device. In any backup strategy, it is paramount that you have physical separation of backup files from the data source, and also that you have at least one read-only copy of the backups. Rotated drives are the easiest way to achieve these requirements, and Veeam Endpoint Backup FREE makes it super easy to use them.
3. Put backups offline — Remove the removable device
In order to avoid CryptoLocker infiltration on your backup target devices, don’t keep them plugged in continuously. There is no reason to keep the device attached all the time if you use Veeam Endpoint Backup FREE, which makes it easy to create a backup schedule that’s based on a backup storage attach event. Just select the When backup target is connected option, and a backup will automatically happen when you plug in your backup target. It’s that simple. It’s also extremely convenient for backing up tablets and netbooks, since nobody wants to carry these around with a USB drive always sticking out!
The 3-2-1 rule
Ideally, every user should live by the 3-2-1 rule for backups. The 1, meaning one copy of the backup stored off site, is especially important here. Even though it isn’t always that convenient for the end user to live by this rule, I still strongly recommend this practice. Your data will be much more secure if you simply make sure that you have at least one read-only backup copy stored on offline storage, such as removable media.
Ransomware attacks are on the rise lately. In many cases, it isn’t easy to recover from these types of attacks. Often, it is simply impossible to recover. One of my colleagues attended a CIO symposium last year and told me that an FBI cyber division representative speaking at the event listed three options if you get attacked by ransomware:
- Call the FBI and they will try to assist.
- Roll back to GOOD, CLEAN, VERIFIED BACKUPS.
- Pay the ransom!
And, he added that you would be surprised by the number and size of companies they have had to tell to pay the ransom.
So, while having a good backup solution ready is a great layer of defense, make sure that you take the necessary precautions discussed above to avoid the Trojan encrypting your backup files as well.
And, remember to test your backups!