When Transmission had an infected release a couple of months ago, I remember reading that the malware had in-progress features to encrypt Time Machine drives. It gets installed, waits a couple of days, locks up your hard drive and any backup drives that you connect, and there's nothing to do about it.
That's enough to hose 99% of users, even the ones following traditionally sufficient practices. You're only safe if you have offsite backups with drives that didn't mount to your computer recently.
> You're only safe if you have offsite backups with drives that didn't mount to your computer recently.
Or if your backup solution is—from the perspective of the computer being backed up—an append-only store. Like a box of tapes, or Tarsnap using restricted keys, or Arq pointed at a versioned S3 bucket, or a NAS exposing an iSCSI target backed by an LVM thin pool LV with automatic daily snapshots.
Sadly, as far as I know, no turn-key hardware "home backup" or "home NAS" product is in that category, though.
I've seen this in practice - the two-person business with a file server, and a NAS they backed up onto. For the size of the business, they were doing everything right.
Every time I say this, someone chimes in and says that in their office, they air gap tape drives and do all sorts of things with storage snapshots. If you're an enterprise - great. A large proportion of "two laptops" businesses have no backups at all, or a "I selectively place important things in Dropbox" setup. This team went and bought a NAS and set up backups. Good on them. It was sad to see cryptolocker take down both desktops, and all backups on the NAS.
The email he received sent him to a website with a convincing looking download, which came up 0/55 on virustotal. He even told me he wouldn't have run an executable - but it was a Word document. It can be truly depressing to see who cryptolocker affects sometimes.
Fortunately, there do exist several inexpensive and user-friendly incremental cloud backup solutions. For a few bucks a month you can back up everything to Cloudflare or Backblaze and be fine even if your primary copy and recent backups all get hosed.
I've contemplated setting up a small home server with write-only shares for backups, but ended up not doing it because of the cost and time. If there were a reasonably priced off-the-shelf product for this, I'd recommend it to everyone I know.
On the other hand, if there were an off-the-shelf product for this, it would probably have unpatched security issues two weeks after you bought it, and if it were in common use you'd see ransomware targeting it. Tough problem to solve if you're not running and maintaining your own devices.
I suppose tarsnap or S3 would be the way to go, I'm just not that into cloud backups. Maybe it's time to get over that.
> if there were an off-the-shelf product for this, it would probably have unpatched security issues two weeks after you bought it
I'm waiting for the NAS "appliance" that's actually running CoreOS, and then just relies on running the :latest tag of some popular Docker image (and not a fork of it that they'll forget to update eventually; the original upstream image), plus a bit of config-file glue generated into a shared volume from a web-UI service running in another container. (Bonus points if the second container is only started up, for an hour at a time, when you press a button on the NAS, WPS-style.)
Such a design is essentially the same as shipping the device's OS as "firmware" with auto-updates, but for the fact that the vendor themselves isn't anywhere within the path of creating or distributing those updates. Which, in the end, makes all the difference.
> You're only safe if you have offsite backups with drives that didn't mount to your computer recently.
Or doesn't mount to the source computer(s) at all.
My active machines push backups to intermediate locations, and the true backup locations pull from there and create snapshots. Status information used to verify the backup process is passed back the other way. The active machines don't (in fact can't) authenticate with the main backups and vice versa, reducing the likelihood that someone hacking into one can easily compromise the other at the same time.
I wouldn't expect the man on the street to muck around setting this up though, but many cloud backup solutions effectively do this if they don't have an easy "delete snapshot" API call or similar. I'm surprised that the "soft offline" backup side of it isn't marketed more actively. Maybe no one thinks they can adequately explain the benefit to the man on the street without putting them off by it being a little more complicated than a simple file copy.
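The pull-and-snapshot arrangement described in the comment above, as an added example (this is not code from the thread or from any product mentioned in it): the backup side pulls from a staging directory the source machine pushed to, and files each pull as a new snapshot directory, hardlinking files that are unchanged since the previous snapshot. The directory names, the `snap-NNN` labels and the sample files are constructed for the demo. Because only the backup side ever touches the snapshot tree, a source machine that later overwrites its pushed copy with ciphertext only poisons the next snapshot, not the earlier ones.

```python
"""Pull-based backup with hardlinked snapshots (added example, not from the thread)."""
import filecmp
import os
import shutil
import tempfile


def pull_snapshot(staging: str, snapshots_root: str, label: str) -> str:
    """Copy the staging tree into snapshots_root/<label>.

    Files byte-identical to the newest existing snapshot are hardlinked to it
    (cheap, no new data); new or changed files are copied. Returns the new
    snapshot path. Labels are assumed to sort chronologically (e.g. snap-001).
    """
    existing = []
    if os.path.isdir(snapshots_root):
        existing = sorted(d for d in os.listdir(snapshots_root)
                          if os.path.isdir(os.path.join(snapshots_root, d)))
    previous = os.path.join(snapshots_root, existing[-1]) if existing else None
    target = os.path.join(snapshots_root, label)
    os.makedirs(target)

    for dirpath, _dirs, files in os.walk(staging):
        rel = os.path.relpath(dirpath, staging)
        dst_dir = target if rel == "." else os.path.join(target, rel)
        os.makedirs(dst_dir, exist_ok=True)
        for name in files:
            src = os.path.join(dirpath, name)
            dst = os.path.join(dst_dir, name)
            prev = os.path.join(previous, rel, name) if previous else None
            if prev and os.path.isfile(prev) and filecmp.cmp(src, prev, shallow=False):
                os.link(prev, dst)      # unchanged: share the inode with the last snapshot
            else:
                shutil.copy2(src, dst)  # new or modified: store a fresh copy
    return target


def demo() -> dict:
    """Constructed scenario: one good pull, then the source's pushed copy is
    overwritten (as ransomware would), then a second pull. Returns what each
    snapshot holds and whether the untouched file was hardlinked, not copied."""
    root = tempfile.mkdtemp(prefix="pullsnap-")
    staging = os.path.join(root, "staging")      # where the source machine pushes to
    snaps = os.path.join(root, "snapshots")      # only the backup side writes here
    os.makedirs(staging)
    good = b"2016-03 invoices: all paid\n"
    with open(os.path.join(staging, "ledger.txt"), "wb") as f:
        f.write(good)
    with open(os.path.join(staging, "notes.txt"), "wb") as f:
        f.write(b"call the accountant on Monday\n")

    pull_snapshot(staging, snaps, "snap-001")

    # Source machine compromised: the pushed ledger is replaced with junk bytes
    # (constructed stand-in for ciphertext). notes.txt is left alone.
    with open(os.path.join(staging, "ledger.txt"), "wb") as f:
        f.write(bytes((i * 167 + 13) % 256 for i in range(512)))

    pull_snapshot(staging, snaps, "snap-002")

    def read(snap, name):
        with open(os.path.join(snaps, snap, name), "rb") as f:
            return f.read()

    return {
        "snap-001": read("snap-001", "ledger.txt"),   # pre-infection copy survives
        "snap-002": read("snap-002", "ledger.txt"),   # poisoned by the second pull
        "unchanged_shares_inode": (
            os.stat(os.path.join(snaps, "snap-001", "notes.txt")).st_ino
            == os.stat(os.path.join(snaps, "snap-002", "notes.txt")).st_ino
        ),
    }


if __name__ == "__main__":
    result = demo()
    print("snap-001 ledger:", result["snap-001"])
    print("snap-002 ledger looks encrypted:", result["snap-002"] != result["snap-001"])
```

Restoring is then just copying out of the last snapshot taken before the change; the staging directory is the only thing the source can reach, so a "delete snapshot" path simply does not exist from its side.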
The problem is, the file can get locked and still be available for backup. Smart enough malware will send an encrypted version when accessed over LAN while local access is unimpeded for some time. There is a reasonable chance that your backup will end up with encrypted files. This is why you need more than one.
That only matters for content created after the malware was installed though, assuming the backups' snapshot interval is reasonable. The malware doesn't usually hang around very long, does it? If it's detected while it can still hide, it still has the decryption keys.
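The two comments above describe the failure mode where encrypted content quietly makes it into the backup set and nobody notices until restore time. One check the backup side can run after each pull, as an added example (not code from the thread): compare each snapshot against the previous one and flag files whose byte entropy jumped from document-like values to near 8 bits/byte, which is what ciphertext looks like. The thresholds and the sample documents are constructed assumptions for the demo, not anything the thread states.

```python
"""Flag ransomware-like changes between two backup snapshots (added example, not from the thread)."""
import math
import os
import tempfile
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def changed_files(old_dir: str, new_dir: str):
    """Yield (relative path, old bytes or None, new bytes) for files that differ."""
    for dirpath, _dirs, files in os.walk(new_dir):
        for name in files:
            new_path = os.path.join(dirpath, name)
            rel = os.path.relpath(new_path, new_dir)
            old_path = os.path.join(old_dir, rel)
            with open(new_path, "rb") as f:
                new_bytes = f.read()
            old_bytes = None
            if os.path.isfile(old_path):
                with open(old_path, "rb") as f:
                    old_bytes = f.read()
            if old_bytes != new_bytes:
                yield rel, old_bytes, new_bytes


def suspicious_changes(old_dir: str, new_dir: str, jump: float = 3.0, high: float = 7.0) -> list:
    """Return paths whose entropy rose by at least `jump` bits to at least `high` bits/byte.

    The thresholds are assumed heuristics suited to text-like documents; already
    compressed formats (zip, jpeg) sit near 8 bits/byte before and after and
    need a different check, such as a failed magic-number or format parse."""
    flagged = []
    for rel, old, new in changed_files(old_dir, new_dir):
        if old is None:
            continue  # brand-new file: nothing to compare against
        before, after = shannon_entropy(old), shannon_entropy(new)
        if after >= high and after - before >= jump:
            flagged.append(rel)
    return sorted(flagged)


def demo() -> list:
    """Constructed snapshots: a report that was replaced by junk bytes (stand-in
    for ciphertext) and a note that was edited normally. Only the report is flagged."""
    root = tempfile.mkdtemp(prefix="entropy-")
    old, new = os.path.join(root, "snap-001"), os.path.join(root, "snap-002")
    os.makedirs(old)
    os.makedirs(new)
    report = b"Quarterly report: revenue up 4%, costs flat, hiring two engineers.\n" * 20
    for d in (old, new):
        with open(os.path.join(d, "notes.txt"), "wb") as f:
            f.write(b"shopping list: milk, eggs" + (b", bread\n" if d == new else b"\n"))
    with open(os.path.join(old, "report.txt"), "wb") as f:
        f.write(report)
    with open(os.path.join(new, "report.txt"), "wb") as f:
        # 167 is odd, so this walks every byte value equally: entropy exactly 8.0
        f.write(bytes((i * 167 + 13) % 256 for i in range(4096)))
    return suspicious_changes(old, new)


if __name__ == "__main__":
    print("flagged:", demo())
```

A burst of flagged files in one interval is the useful signal; holding the previous snapshot until the check passes is what keeps the poisoned pull from becoming the only copy.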
No, they (usually) work similarly to PGP/GPG, i.e. each file is encrypted with a different AES key and the AES key is encrypted with a public RSA key. The original AES key for a particular file is immediately deleted from memory after the file is encrypted and the private RSA key (needed for decrypting the AES key that is stored in the file) only ever gets delivered to the system if the ransom is paid.