> Mouse wrote:
> 
> There is a ransomware variant that encrypts the files but silently decrypts $
> 
> This depends on the backup-taking accessing the files in a way that
> doesn't trip the decryption.
> 
> It also depends on nobody test-restoring from the backups, or at least
> not sanity-checking the results if they do.
> 
> It also depends on being able to infect the OS and sit there for months
> without anyone noticing.
> 
> As to how one can become infected, see http://www.theregister.co.uk/2015/08/$
> 
> This depends on the user - perhaps by proxy in the form of something
> the user runs - executing content offered by the malvertising-serving
> server.
> 
> Thus, defense in depth:
> 
> (1) Don't run things that execute live content without explicit,
> specific approval by the user.  Educate users as to the few cases when
> giving such approval is sane.
> 
> (2) Avoid common OSes and ISAs, so that most malware (ransomware or
> otherwise) can't run even if it gets through to the machine.
> 
> (3) Test-restore from your backups periodically.
> 
> Of course, most people will say they "can't" do one or more of those,
> actually meaning they're not willing to pay the prices involved.  Such
> people need to realize that they will pay one price or the other, and
> they'll just have to decide which prices they prefer.  Personally, I do
> about two and a quarter of the above: (1), 3/4 of (2), and 1/2 of (3).

The system which I use to develop programs and produce code
is used only to download e-mail and news groups.  This seems to
have isolated the system to some extent.

As for (3), I don't understand how a test-restore would help.
I don't know if this is relevant, but I shut down my system
every night and boot the C: drive again in the morning.

After booting from DOS using a floppy disk, my backup
consists of using Ghost to make an image copy (compressed)
of all the files on the C: drive to the D: drive which is used
ONLY for that purpose.  Even if the files have been encrypted,
I don't understand how a restore would detect that the files
are being encrypted / decrypted on the fly if a boot every
morning does not notice a problem.

As it happens, once or twice a year when I do need to access
the internet, I first do a backup of my C: drive, access the Internet
to make copies of the files that I want - PDP-11 stuff for RT-11,
obviously.  Then just in case, I do a restore from the backup to
my C: drive.  How would that be any different from just booting
the same C: drive each morning?

Jerome Fine
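One way the test-restore in (3) answers the question above, as an added example that is not part of this thread: an image taken after a clean floppy boot copies the on-disk bytes, which under this kind of ransomware are ciphertext, so the check has to look at the restored file contents rather than at whether the machine still boots. The file types, magic bytes, entropy threshold and sample contents below are assumptions chosen for illustration.

```python
import math
import os
from collections import Counter
from typing import Dict, List, Optional

# Assumed expectations for the file types in the backup set: header bytes for
# binary formats, and "looks like plain text" for source and text files.
MAGIC = {".pdf": b"%PDF", ".zip": b"PK\x03\x04", ".png": b"\x89PNG"}
TEXT_TYPES = {".txt", ".c", ".mac"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 is the maximum and is typical of ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def check_restored_file(path: str, data: bytes) -> Optional[str]:
    """Return a finding if the restored file looks like ciphertext, else None."""
    ext = os.path.splitext(path)[1].lower()
    if ext in MAGIC:
        if not data.startswith(MAGIC[ext]):
            return f"{path}: missing {MAGIC[ext]!r} header"
        return None
    if ext in TEXT_TYPES:
        ent = shannon_entropy(data)
        if ent > 7.0:
            return f"{path}: entropy {ent:.2f} bits/byte, expected plain text"
        if not data.isascii():
            return f"{path}: non-ASCII bytes in a text file"
        return None
    return None  # unknown type: no opinion

def verify_restore(files: Dict[str, bytes]) -> List[str]:
    """Run the check over every restored file and collect the findings."""
    findings = []
    for path, data in sorted(files.items()):
        reason = check_restored_file(path, data)
        if reason:
            findings.append(reason)
    return findings

# Constructed sample "restored backup": two intact files and two whose
# contents are only ciphertext, as an image of the on-disk bytes would hold.
SAMPLE_RESTORE = {
    "docs/manual.pdf": b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n",
    "src/hello.c": b"int main(void) { return 0; }\n",
    "docs/notes.txt": bytes(range(256)) * 4,  # every byte value: entropy 8.0
    "src/rt11.zip": bytes((i * 37 + 11) & 0xFF for i in range(512)),
}

if __name__ == "__main__":
    for line in verify_restore(SAMPLE_RESTORE):
        print(line)
```

Run it against the files restored onto an offline, clean-booted machine; an empty finding list is the result a test-restore is meant to confirm.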
