Windows 10 has an unnerving habit of throwing up a screen following certain updates that says "all your files are right where you left them". Quocirca has not been alone, on first seeing this, in thinking it might be a ransomware message. Microsoft has said it is planning to change the alert following user complaints.
Real ransomware does just as the Windows message says: it leaves your files in place, but encrypts them, demanding a ransom (usually payable in anonymous bitcoins) for the decryption keys. Ransomware is usually distributed via dodgy email attachments or web links, with cash demands low enough that users who are caught out will see coughing up as the easiest way forward. Consumers are particularly vulnerable, along with smaller business users who lack the protection of enterprise IT security. However, in the age of BYOD and remote working, users from larger organisations are not immune.
Ransomware is usually sent out en masse, randomly and repeatedly, so traditional signature-based anti-virus products become familiar with common versions and protect those that use them. In response, criminals tweak ransomware to make it look new and avoid file-based signature detection. To counter this, anti-virus products from vendors such as Trend Micro (which has built in specific ransomware protection) detect modified ransomware by looking for suspicious behaviours, such as the sequential accessing of many files and key-exchange mechanisms with the command and control servers used by would-be extortionists.
Avoiding infection in the first place is the best course of action. However, should the worst happen, there is of course another sure way to protect your data from ransomware, one that has been around since electronic storage was invented – data backup. Simple: if a device is encrypted by ransomware, clean it up or replace it and restore the data from backup. Data loss will be limited to changes since the last recovery point, and if you are using a cloud storage service to continuously back up your data, the loss should be minimal. Or will it?
The trouble with online cloud storage services is that they appear as just another drive on a given device, which makes them easy for an authorised user to access. Unfortunately, that is also true for ransomware, which has to achieve authorised access before it can execute. So, following an infection, data will likely be encrypted both locally and on the cloud storage system, which simply sees the encryption of each file as another user-driven update. Is this back to square one, with all data lost? Not quite.
Whilst cloud storage services from vendors such as Dropbox and Google are not designed to mitigate the problem of ransomware per se, the fact that they provide versioning still enables recovery of files from a previous state. As a Dropbox user, Quocirca took a closer look at how its users could respond to a ransomware infection.
Dropbox is certainly diligent about keeping previous versions of files; by default it goes back about a month, keeping hundreds of versions of regularly used files if necessary. The user, and therefore the ransomware, cannot see previous versions without issuing a specific request to the Dropbox server. Following an infection, every file will have an immediate previous version that is untouched by the ransomware. Good news: clean up or replace the device and restore your files. However, this may take some time!
With the standard Dropbox service each file has to be retrieved in turn. Dropbox does provide a service for customers who are hit by ransomware to retrieve entire directory trees, and its API provides file-level access and version history, which programmers and other software applications can use to automate the process.
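As an added illustration (not Dropbox's code and not part of the original article), the selection step such an automated restore needs: for each file, pick the newest stored version that predates the moment the ransomware became active, and flag files that have no such version. The revision histories and paths are constructed sample data, the infection start time is assumed to come from the incident timeline, and the `files_list_revisions` / `files_restore` calls named in the comments are the Dropbox Python SDK methods a live version would use; they are not invoked here.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Revision:           # one stored version; mirrors the SDK's FileMetadata
    rev: str
    server_modified: datetime

@dataclass(frozen=True)
class RestorePlan:
    path: str
    action: str           # "restore", "untouched" or "no_clean_revision"
    rev: Optional[str]    # revision id to restore, when action == "restore"

def plan_restore(path: str, revisions: List[Revision],
                 infection_start: datetime) -> RestorePlan:
    """Pick the newest revision written before the ransomware became active.

    revisions is newest-first, as the Dropbox API returns it. Only the live copy
    can have been touched by the malware; older revisions were never visible to it.
    """
    if revisions and revisions[0].server_modified < infection_start:
        return RestorePlan(path, "untouched", None)
    clean = [r for r in revisions if r.server_modified < infection_start]
    if not clean:  # created after infection, or the version history has expired
        return RestorePlan(path, "no_clean_revision", None)
    best = max(clean, key=lambda r: r.server_modified)
    return RestorePlan(path, "restore", best.rev)

def plan_tree(histories: Dict[str, List[Revision]],
              infection_start: datetime) -> List[RestorePlan]:
    """Plan a whole tree. Live use would fill histories from files_list_revisions
    and hand each "restore" plan to files_restore; neither is called here."""
    return [plan_restore(p, revs, infection_start)
            for p, revs in sorted(histories.items())]

def ts(s: str) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)

# Constructed sample data: encryption began at 09:00 UTC on 2016-03-01.
INFECTION_START = ts("2016-03-01T09:00:00")
SAMPLE_HISTORIES = {
    "/docs/report.docx": [Revision("a3", ts("2016-03-01T09:12:00")),
                          Revision("a2", ts("2016-02-28T17:30:00")),
                          Revision("a1", ts("2016-02-20T10:00:00"))],
    "/docs/notes.txt": [Revision("b1", ts("2016-02-25T08:00:00"))],
    "/docs/new.xlsx": [Revision("c1", ts("2016-03-01T09:30:00"))],
}
```

Files reported as `no_clean_revision` are the ones that still need Dropbox's directory-tree recovery service or a secondary backup, which is the gap the rest of the article discusses.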
This is certainly a better position to be in than having no backup at all, and continuous copying to the cloud is one of the surest ways of protecting data against user device loss, theft or failure. Ultimately Dropbox is protecting its customers from a potential ransomware infection, and anyone relying on a similar continuous cloud backup service should check how their provider operates.
It also underlines the benefit of having a secondary backup process, for example to a detachable disk drive. This would save having to contact a third party for help when all your files have been encrypted by ransomware: the bulk of a file system can quickly be copied back to a cleaned or new device and just the most recent files recovered from the cloud. However, if you do that, remember to actually detach the drive; otherwise, just like your cloud storage, it will appear as just another device and the ransomware will be able to set about its evil work on your secondary backup as well.