Dealing with a RansomWare Attack

Good one for most cases. Since 1970, my first three principles of system administration have been: Backups, Backups, and More backups.

I'm a hoarder when it comes to hardware, so I've got plenty of backups for my two main (daily use) systems. Each morning, they back themselves up to an Ubuntu server (after I boot it up), using four different backup slots on a rotating basis. When a backup cycle is complete, as indicated by writing a timestamp file which is newer than the existing one, the Ubuntu server shuts down automatically and stays down until I start it the next morning. You can't corrupt a disk which is powered off.

My biggie is putting data on a drive separate from the operating system. Storing stuff in "My Pictures", etc., on the system drive is strictly forbidden. That allows me to take a backup image of each system, which, when restored, is sufficiently current to be useful.

Copies of the system images are stored on three different Ubuntu servers in directories which are not exposed to Windows systems as Samba shares. They are NFS mount points accessible only to the root user. That means no Windows-based file corruptor can see them, even if the systems were up for more than ten minutes per day.

With three day-staggered backup machines, each with four separate storage areas which are rotated daily. I have daily backups going back twelve days, so I should be able to find an uncorrupted copy.

If I do get hit, each drive (system and data) can be removed from the affected system and restored directly via USB (I have universal adapter cable), so any malware is eliminated from each drive with no chance to execute on drive C while D is being restored and vice versa. Last step would be to put the drives physically back into the system.

I'll bet there's a hole in that scheme somewhere, but it's beyond my limited imagination.

I'll try. <grin>

Well done. But it seems dependent on any malware not laying low for more than 12 days. Sometimes what happens is you get infected with one thing and then over time they invite their friends. Simply because you didn't know about a problem 12 days ago doesn't mean you were clean. And even then you still have to address how you got infected. That door may still be open.

I'd give consideration to documenting all your settings so you can do a "bare metal" rebuild from trusted sources.

As far as backup rotation, give consideration to "son father grandfather", Something like daily backups for a week, weekly backups for a month and monthly backups for a year. That gives you much greater "range" for deleted files without needing a ton of extra space. There are others to consider as well.

Something else I didn't see you address is off-site storage.


Just hope you haven't gotten hit with something that hides in the BIOS. I'm sure it's rare, but not unheard of. <g>

Good thinking, Russell.

I had an off-site provider, Secure Safe, which I liked a lot except for a bug which made uploading large files (I used encrypted zips in the cloud, never "bare" files) a nuisance. A software "upgrade" at their end changed the bug from annoying to intolerable. Now that my ISP is Comcast instead of Verizon (switch made this week due to rampant greed at Verizon), I have a cap of a terabyte per month. The aggregate volume of a complete backup set is about half a terabyte. I'd have to work out what's valuable enough for off-site storage, which is likely a lot less.

Re the generational backups, I may have a suitable alternative. Any given backup is modified by addition of new files and replacement of changed files. Those deltas are not large from one day to the next because this is a two-user home, not a business. I could write something to monitor the logs and alert me to an unusual number of changes. If a nasty hides by not updating the file date/time, it will never get backed up at all.

What I didn't mention is that deleted files get purged from a backup on a 13 day schedule, so any inadvertent deletions linger in backups for quite a while. I could also monitor the logs for an unusual number of purges.

Something I did not mention, which is extremely important: Be sure your backups are actually restorable. Some large businesses have learned this lesson expensively.