Ransomware: mount/enable destination USB Disk as Pre-command and unmount/disable as Post-command?
With ransomware getting more sophisticated and (reportedly) even starting to attack backups on connected USB drives, it has been recommended (Windows Secrets newsletter, March 7, 2016) that users should "keep your backups offline most of the time". Ideally, one should unplug a USB backup HDD when a backup has been completed, then plug back in just before the next backup.
I run six backups overnight (three backups duplicated to two separate external HDDs). It is not practical for me to remember to disconnect the HDDs in the morning and reconnect them the following evening. Even if they were only connected overnight, that is still a fairly sizable window for ransomware to be able to get at them.
So my question is: can we make use of the Pre- and Post-commands, in some way to "mount" an external HDD immediately prior to a backup, then "unmount" (or "dismount"?) it when the backup completes?
The only thing I have found so far in my research that comes remotely close is the Windows DEVCON set of commands. This is part of the Windows Driver Kit (WDK) which has to be downloaded. Looking at the commands available, it appears that the "DISABLE" and "ENABLE" commands might do the job, although it is suggested that one of these may require a reboot when used - depending on the circumstances. In any case, it seems (so far) that DEVCON may be a bit beyond my capabilities and perhaps a bit overkill (if suitable here at all).
I am not even sure whether "unmounting" a USB drive in this way would be effective against ransomware. But assuming that it might work, has anyone looked at this and been able to get a working Pre-/Post-command script running?
Any advice appreciated. Thanks in advance,
Windows 7 Pro 64 SP1
Take a look at this external post:
There are also applications thay may be able to do this as well. I have not tried any personally though.
You are wise to be concerned.
Note...ransomeware is not going to encrypt your backup (tib) files. It will try to corrupt them, which would not be hard to do if it gets access to them. Physically removing or mount/unmount are great ideas. However, you should also be using file permissions to protect your backup files. I strongly recommend running ATI from a separate account. That account should not be used for surfing, blogging, or e-mail. The folders used for the backups should only be shared with the ATI account. That way, if malware does infect the account setup for surfing, blogging, and e-mail, and the malware attempts to access the backup folders, as a minimum you would get a popup warning asking for administrator password.
If you are able to mount and dismount using pre & post commands, please share your success here. Others will be grateful, me included.
Thanks for the superuser link. It looks interesting. A lot of study and experimenting ahead ...
The USB Safely Remove application appears to "unmount", but not "mount" again - so of limited use for my needs. If you know of any other applications please let me know. I am amazed that no one seems to have done this before!
How does ransomware restore corrupted .tib files (if you pay the ransom)? Or does their decryption key (assuming they bother to honour the ransom paid) also "uncorrupt" such files?
Using a different user account to do backups sounds interesting, I will look into that.
If I succeed in getting Pre-and Post-commands to mount/unmount, I will be sure to let this thread know (and post details).
Thanks for your advice.
The current versions of Cryptowall does not encrypt the files per se. It creates an encrypted copy of the file, then permanently deletes the file. Early versions of CryptoWall didn't permanently delete the files, it just deleted them, so, often the files could be restored using the latest windows restore point. The objective is to encrypt enough of your files to get you to pay the ransom.
An up to date backup (tib) that is not corrupted is your last line of defense against ransomware. The point I was trying to make is that ransomware does not need to encrpyt your backup (tib) files. It just needs to corrupt them so you cant't use them.