Jump to content
Sign in to follow this  
  • entries
    9
  • comments
    35
  • views
    1,341

Ransomware and Backups

I have received several questions regarding the recent news story about Hollywood Presbyterian Medical Center in L.A. whose computers were infected with "ransomware".   For those unaware of the news story, here is a link to it.
 
http://www.reuters.com/article/us-california-hospital-cyberattack-idUSKCN0VS05M

Ransomware is malware (malicious software) that infects a computer and encrypts all of the user's files making them unusable until they are decrypted with a unique key.   Once the files are encrypted, a ransom demand is made.   This type of malware has been around since 1989 but gained popularity around 2013 with the popularity of BitCoin, an untraceable way to make payment to the extortionist.

So the question becomes how do you protect yourself from this type of attack.   I have a client that was attacked this way in 2014 and several lessons were learned.

First, you should know that this type of attack is not isolated to just Windows computers.   All computers that connect to the Internet use data encryption to protect your activity.   Whether you are logging into your bank account or shopping online, your computer is using encryption to keep your data safe.  In this case the data encryption is not use to protect you but rather to make your own files inaccessible.
 
Second, both Malware and Anti-virus protections programs, while helpful, do not give you 100% protection.   In the case of my client, he was using both an Anti-virus program and a Malware scanner.   Part of the problem here is that encrypting files is a completely normal activity for a computer and unless some unique attribute can be found, this malware appears as normal activity.   Another part of the problem that is until someone is infected and the Anti-virus/Malware software companies have time to figure out a detection, everyone remains at risk.   There is always a window of opportunity to be infected regardless of what software programs you use for protection.

In the case of the hospital in this news story, they paid the ransom of $17,000 and got lucky that the extortionist actually sent them the decrytion key after making payment.   It is just as likely the extortionist would demand more money or simply disappear leaving the files encrypted.

The only real solution is your backups.   I am not one to preach at people, nor use fear to motivate people.   What I offer here is my own person experience with a client that suffered this same attack.   

My client, a mortgage broker in California, contacted me once he got the ransom demand of $300 and was unable to get to any of his files because they were encrypted.  His business came to a complete stop.  He was told the ransom demand would double every day he failed to pay.   Going to the backup seems like a simple solution but in this case it was not.   The problem is that the backup files were on an external hard drive that was connected to the computer at the time the infection took place.   All of the backup files were also encrypted, making them equally useless.   Both business files and years of family photos were lost.   A few things were recovered from a backup I had made personally when working on his computer the year before but that was little consolation.  

Important Lesson Learned - If you backup your files to a device, such as a flash drive or external hard drive, YOU MUST DISCONNECT THE BACKUP DEVICE when you are not making the backup.   Your backup is the only safe when it is disconnected and separated from the computer.

My personal advice to my clients regarding backups is this:

You need to have multiple backups, I recommend 3.

1.  Have one near the computer but disconnected unless actually making a backup. This is your convenient backup.   Used quickly and done often.   Understand that this backup is at risk of being stolen, damaged or destroyed in the event of a break-in,  or local disaster such as a fire.   It is also at risk when it is connected to the computer.

2.  Have one outside of the home/office.  This protects you against anything that might happen to the backup that is near the computer or damaged while in use.   It needs to be in a separate physical location such as with a trusted friend.  It should not be in the same building or location as the computer except when making a backup copy.

3.  Have one online using a service such as Dropbox or a cloud based storage.   This backup is your final line of defense.   A physical device in your possession is always superior but a copy online gives you the advantage of being accessible from any place.   A backup online provides protection if the physical backup devices get damaged or stolen.   Due to the generally slow Internet speeds in our area, it can be difficult to keep large files stored online and slow to retrieve them.

One last bit of advice regarding backups.   If you use a software program to do your backups, realize you will likely need that particular software program installed on another computer to recover your backup if your computer is lost or stolen.   I recommend not using a software program that creates a single backup file, rather one that copies all of the files individually so they can be read on any computer without installing the same backup software program to retrieve them.

This ransomware type malware is on the rise and often is it not talked about due to embarrassment.   Heed the advice and check to be sure your backups will save you should you suffer the same fate as my client or the hospital in this news story.

All my best - Dan Porter

  • Upvote 2


7 Comments


Recommended Comments

 Uh, question...when I right click on my external hard drive in Windows Explorer, there is not an option to eject.  I hate to just unplug it...is there a way to eject first?

Edited by Dottie Atwater

Share this comment


Link to comment

There is an icon in your task bar that looks like a computer tower with a green circle with a check-box.  Click on it, and whatever is connected will appear.  It will say "Eject...".  This is the same thing you use to eject a flash drive before removing it.  If the icon is not showing, click the small up-pointing triangle in the task bar (mine is on the right side).  This allows you to choose which icons you want to be visible.  But you will still need to unplug the hard drive.

  • Upvote 1

Share this comment


Link to comment

As Judy states, there should be an icon in notification area.   This is the area near the system clock in the lower right corner.  Often you may need to click the little up arrow to view all of the icons since only a few are shown next to the clock.

56c76d2942d95_notificationarea.jpg.f71bc

If you are unable to find the "safely remove hardware" icon, it could be that the computer is currently set to hide this icon.   Depending on your version of Windows, doing a right click on the up arrow will allow you to get to the settings that show/hide the icons in that notification area.

For Windows 7, do the right click and then click on Customize
For Windows 10, do the right click, select Properties and then select Customize

If all else fail, you have two options.   One is to log off the computer before removing the device.   The other is to be a geek and run the following command.   It will cause the message to pop up that lets you safely remove the device.  

Click the start button, then click Run and then type the following and press enter
rundll32.exe shell32.dll,Control_RunDLL hotplug.dll

Share this comment


Link to comment

The "safely remove hardware" icon wasn't in my task bar but I found it and put it there. But my external hard drive is grayed out.

I ran the command and it did not let me eject the external hard drive. Guess it's the log off option.

I did a Print-Screen but it's not very readable.

 

Share this comment


Link to comment

I have been using the three backup system for years but I had a big problem according to Twin-----I never unplugged my devices. I do now.

 

Thanks

Share this comment


Link to comment
Guest
Add a comment...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...