Skip to main content

Would a Crypto-Trojan also encrypt a tib file on external drive?

Thread needs solution
Beginner
Posts: 5
Comments: 11

There is a lot of rumor in the press about crypto trojan programs coming hidden in mail attachments which encrypt any data-file on the PC even on network attached cloud drives as reported this week.

What does that mean to my daily  USB-backup tib files on external HDDS wich are permanently connected to the PC?

How can I prevent fraude- encryption of backup files- except by switching the HDD.s off after backup- or disconnecting. which would be pretty unmanagable?

Any good advice?

0 Users found this helpful
Legend
Posts: 73
Comments: 16441

Reinhard, there will always be the possibility of trojan type programs being able to encrypt files held on any accessible drives attached to the infected computer system, including cloud drives such as Dropbox, OneDrive etc.

The key here is in protecting your system from becoming infected rather than trying to prevent that infection from spreading across the system.

There are a number of steps that can be taken to protect against infection, most of which are common sense and practice!

  1. Ensure that passwords used are not trivial or easily guessed or repetitively used across multiple applications / systems etc.
  2. Restrict use of Administrator level authority where it is not necessary.
  3. Keep all applications, programs and operating system fully updated with the latest available fixes.
  4. Never open unsolicited email attachments nor click on links in the same without being 100% certain of their veracity - if in doubt - DON'T!
  5. Keep security applications, Firewall, Antivirus, Antispyware etc updated daily.
  6. Employ tools such as CryptoPrevent, Malwarebytes Anti-Exploit to block access to protected folders such as C:\Users\[name]\AppData hierarchy folders.
  7. Keep backup copies of critical files in a secure place offline from the system they originate from.
  8. Use sandbox technologies (Sandboxie, Comodo Virtual Sandbox etc) when browsing to suspect web sites or running suspect applications to prevent the same from altering vital system data.
  9. ....

See: http://www.thewindowsclub.com/prevent-ransomware-windows and
https://nakedsecurity.sophos.com/2016/02/17/locky-ransomware-what-you-need-to-know/

Hope this is of help.  Steve

Forum Star
Posts: 60
Comments: 1413

Reinhard, a ransomware program does not need to encrypt your backup tib files.  All it really needs to do is corrupt the backups, and this would be very easy to do.

Steve Smith wrote:
    Ensure that passwords used are not trivial or easily guessed or repetitively used across multiple applications / systems etc.
    Restrict use of Administrator level authority where it is not necessary.

I would like to expand on these 2 comments...

Following are my recommendations:

Your computer should have two, or more user accounts, even if you are the only user.  Only one account should have Admin privileges.  This account should be used to run ATI, install software, update software, and other tasks that absolutely require admin privildges.  Absolutely no e-mail accounts allowed in this account.  Keep internet surfing to a minimum while in this account.

All other accounts should have regular user privileges.  Use these accounts for e-mail, surfing, daily computer use...etc.

When setting up your ATI backups, you should log into your admin account.  Navigate to your backup drive, using Windows explorer.  Create a top level folder for the backups.  Ideally, this folder would not be shared with any other accounts.  But as a minimum, the folder should be write protected.  So if any other account tries to access the folder, or write to the folder, or delete files in the folder, Windows will popup a window asking for Admin password.  To check out your new folder, log into a regular account, and try to access the folder, if you get a popup window asking for the admin password, then your folder is set up properly.

Once you have verified your folder is protected, you can then setup your backup tasks.

One other item I would add to Steve's list is...never disable User Account Control.

http://www.bleepingcomputer.com/news/security/cryptowall-4-0-released-with-new-features-such-as-encrypted-file-names/

Above is a link describing CryptoWall 4.0, which I believe is the nastiest one there is.

Hope this helps.

Regards,

FtrPilot

 

Beginner
Posts: 0
Comments: 1

Hi FTRPilot,

I have a question for you?

I recently got infected with a crypto trojan that not only encrypted my files, but erased my TIB files from the external usb backup drive.

I tried recuva to undelete the tib file, the file was there but only 0 bytes, useless.

Luckily I had another older backup on another drive and was able to restore.

Do you think that using a NAS (ie qnap) device would be better since you have to use user autentication with a password to access the network share?

This authentication is configured in the Acronis TI backup plan and the credentials are not saved in the windows credential manager.

Thank you.

Best regards

Forum Hero
Posts: 62
Comments: 7493

Certainly a better option, but not fool proof.  At least if you setup a NAS share with a unique usrname and password that is not the same as the Windows logon, the risk is reduced.  However, from my experience, once Acronis runs the task, the connection to the share remains open in Windows anyway and disconnects after some arbitrary amount of time (which I'm not sure that is set as).  The only truly safe method is to backup compoletely offline using the recovery media and put that on a storage medium that is only attached for the purpose of the offline backup and recoveries and completely outside of the host OS.  

Forum Star
Posts: 60
Comments: 1413

Taft, the short answer is yes a NAS offers additional security because of the additional login required.  You should NOT map the shared folders to a drive letter.  As you state...login credentials stored by ATI and not stored in Windows credentials. 

You should have multiple accounts on the NAS.  The NAS account that stores the backup should only have access to one shared folder.

Personally, I have multiple regular user accounts on my NAS, each with access to their own shared folder. The NAS only has one admin account, and I only access that account through the NAS operating system software...making sure none of the NAS logins are stored in Windows credentials.

I hope this helps, I am glad you had the old backup to recover from.  Thanks for sharing your unfortunate experience...I hope others can learn from it.

Regards,

FtrPilot