Megalextoria
Backup and ransomware Was: alg5 accidentally deleted a folder and emptied trash [message #313834] Tue, 08 March 2016 02:16
From: g3-5-list (Member)
On Mar 7, 2016, at 3:12 PM, Bruce Johnson <johnson@Pharmacy.Arizona.EDU> wrote:

"In the light of the advent of Mac ransomware, however, I’m starting to think that maybe keeping backups disconnected might be a good thing; if you get a ransomware infection, all mounted volumes are going to be affected, which would include a Time Machine volume. "


If I use CCC to update a clone backup more frequently than every 72 hours, when I discover I've been "ransomwared" won't it be too late, i.e., the clone will have been contaminated too, right?

“…what would a poor boy do?” —Genesis

--
--
You received this message because you are a member of G-Group, a group for those using G3, G4, and G5 desktop Macs - with a particular focus on Power Macs.
The list FAQ is at http://lowendmac.com/lists/g-list.shtml and our netiquette guide is at http://www.lowendmac.com/lists/netiquette.shtml
To post to this group, send email to g3-5-list@googlegroups.com
For more options, visit this group at http://groups.google.com/group/g3-5-list

---
You received this message because you are subscribed to the Google Groups "G-Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to g3-5-list+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: Backup and ransomware Was: alg5 accidentally deleted a folder and emptied trash [message #313846 is a reply to message #313834] Tue, 08 March 2016 10:44
From: Bruce Johnson (Senior Member)

> On Mar 8, 2016, at 12:16 AM, 'TRGPN WebMaster' via G-Group <g3-5-list@googlegroups.com> wrote:
>
> On Mar 7, 2016, at 3:12 PM, Bruce Johnson <johnson@Pharmacy.Arizona.EDU> wrote:
>
> "In the light of the advent of Mac ransomware, however, I’m starting to think that maybe keeping backups disconnected might be a good thing; if you get a ransomware infection, all mounted volumes are going to be affected, which would include a Time Machine volume. "
>
>
> If I use CCC to update a clone backup more frequently than every 72 hours, when I discover I've been "ransomwared" won't it be too late, i.e., the clone will have been contaminated too, right?

Well, IF this is your only backup, it would require taking more steps to restore the data:

Nuke and pave the Mac with a clean install of the OS. Download something like MalwareBytes for Mac <https://www.malwarebytes.org>, clean up the backup disks and then restore the old data.

Pretty much what we did (only with Windows) for the prof here who got hit with Locky; fortunately Locky didn't encrypt the system restore points that "Previous Versions" creates.

I've also read more about the Mac ransomware since, and it appears that it tried, but was unable, to encrypt Time Machine volumes; I'm not sure whether this was because of any special things Apple's done (only the process backupd can write to a Time Machine volume; I'm not sure how hard or easy it would be to replace or override backupd to use it to corrupt a backup) or simply because it was poorly written, and relies mainly on a user's panic at losing everything to extort them.

--
Bruce Johnson
University of Arizona
College of Pharmacy
Information Technology Group

Institutions do not have opinions, merely customs

Re: Backup and ransomware Was: alg5 accidentally deleted a folder and emptied trash [message #313892 is a reply to message #313834] Tue, 08 March 2016 18:20
From: Valter Prahlad (Member)
On 08/03/16 08:16, "G3-5 List" wrote:

> If I use CCC to update a clone backup more frequently than every 72 hours,
> when I discover I've been "ransomwared" won't it be too late, i.e., the clone
> will have been contaminated too, right?

Well, yes and no.

As long as the backup happened BEFORE the malware started encrypting your
HD, the backup would contain the malware (Transmission 2.90 in this case),
but its data would remain clean, NOT encrypted.
The encryption happens only (AFAIK) when the malware is active and running,
not just because the malware is on a disk.

Hence, you could clean your Mac's HD, remove the malware from the backup,
and restore the backup; and everything should be fine.
Of course I would keep an eye on which Transmission version I would be
running.

As others have noted, backup disks can easily be compromised by malware when
they are connected 24/7. As long as a disk is on its own (not connected),
no software can alter its content whatsoever.

A good backup strategy would be having an always-connected backup disk (e.g.
using Time Machine), and another disk for periodic backups (e.g. once a
week), maybe stored offsite.
This strategy would offer the safety of both an up-to-date backup, and a
backup safe from whatever is happening to your computer right now (be it
malware, a thief, fire, etc.).


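A practical check for the question Valter answers above (is the clone contaminated, or does it just carry the malware alongside clean data?), added here as an example and not code from the thread or from CCC/Time Machine: a Python script that compares a clone against a SHA-256 manifest recorded at a known-good time and flags changed files whose contents look like ciphertext. The manifest workflow, the 7.0 bits-per-byte entropy threshold, and the sample files are all assumptions constructed for illustration.

```python
"""Audit a clone/backup against a known-good manifest before restoring it.

Thread point: a clone taken before the malware ran still holds clean data;
a clone refreshed after it ran may hold encrypted files. This tells the two
apart by (1) comparing every file with a hash manifest recorded at a trusted
time and (2) flagging changed files whose bytes are near-random, as ciphertext is.
All data below is constructed for the demo; nothing here is from the thread.
"""
import hashlib
import math
from collections import Counter


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or single-valued input, 8.0 maximum."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def build_manifest(files: dict) -> dict:
    """Record path -> SHA-256 for a snapshot you trust; run this at backup time
    and keep the manifest on the disconnected copy, not on the live machine."""
    return {path: sha256_hex(content) for path, content in files.items()}


def audit_backup(manifest: dict, backup: dict, entropy_threshold: float = 7.0) -> dict:
    """Classify each path in the backup relative to the manifest.

    unchanged         hash matches the manifest
    modified          changed, but content still looks like ordinary data
    suspect_encrypted changed AND near-random content (assumed threshold 7.0 bits/byte)
    missing           in the manifest but absent from the backup
    added             in the backup but not in the manifest (e.g. a ransom note)
    """
    report = {k: [] for k in ("unchanged", "modified", "suspect_encrypted", "missing", "added")}
    for path, content in backup.items():
        expected = manifest.get(path)
        if expected is None:
            report["added"].append(path)
        elif sha256_hex(content) == expected:
            report["unchanged"].append(path)
        elif shannon_entropy(content) >= entropy_threshold:
            report["suspect_encrypted"].append(path)
        else:
            report["modified"].append(path)
    report["missing"] = [p for p in manifest if p not in backup]
    return report


def safe_to_restore(report: dict) -> bool:
    """A clone with any ciphertext-like changes must not be restored blindly."""
    return not report["suspect_encrypted"]


def _pseudo_random_bytes(n: int, seed: bytes) -> bytes:
    """Deterministic stand-in for ciphertext (SHA-256 chain) so the demo is reproducible."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:n])


# Constructed sample: a known-good snapshot taken before any infection ...
KNOWN_GOOD = {
    "Documents/thesis.txt": b"Chapter 1. Introduction.\n" * 200,
    "Documents/budget.csv": b"item,cost\nrent,900\nfood,300\n" * 50,
    "Pictures/notes.txt": b"remember to back up weekly\n" * 40,
}
MANIFEST = build_manifest(KNOWN_GOOD)

# ... and a later clone (constructed) in which one document was overwritten with
# ciphertext, one was legitimately edited, one vanished and a note appeared.
LATER_CLONE = {
    "Documents/thesis.txt": _pseudo_random_bytes(4096, b"demo"),
    "Documents/budget.csv": KNOWN_GOOD["Documents/budget.csv"] + b"coffee,20\n",
    "README_FOR_DECRYPT.txt": b"Your files have been encrypted...\n",
}

if __name__ == "__main__":
    result = audit_backup(MANIFEST, LATER_CLONE)
    for category, paths in result.items():
        print(f"{category:18s} {paths}")
    print("safe to restore:", safe_to_restore(result))
```

Two caveats when using something like this on a real clone. Compressed or already-encrypted files (zip, JPEG, disk images) have high entropy by nature, which is why the script only raises an alarm for files that are high-entropy AND differ from the manifest, never for unchanged ones. And a clean report only says the data is intact; as Valter notes, the clone can still carry the malware itself, so the restore step still needs the machine reinstalled and the backup scanned before files come back.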