Crypto-virus resistent backup

Introduction

Crypto-viruses encrypt your data. If it asks money (a ransom) to decrypt, we call them “ransomware”. They cannot can encypt your SQL Server databases, but because sql data and log files are in use by sqlservr.exe process, they first STOP your sql service, then they encrypt your databases. They also encrypt your DB backups and all other files accessible on file shares. You DO have a backup? Normal backup will NOT protect you from cryptovirus. Because we care for your data and security, we will show you how to protect yourself using free tools. It might take more then a few steps to configure, but it needs to be done only once and it pays off in every way. Read on.

Why “normal” backup is not effective?

Crypto-virus will encrypt your files. Once originals are encrypted, next time your backup runs it overwrites your backup with encrypted files, and both your backup and original files are encrypted, unreadable. Storage replication will also not protect the data for the same reason – an encrypted original will be replicated to the other location too. To prevent that, you need a backup that supports file versioning. With versioning, if original is encrypted and copied to a backup, you could revert to a file version before encryption. But usually the number of versions is limited (eg. to 30), after which the oldest version is deleted.

Second: smart crypto-viruses can flip-flop encrypt the same file repetitively more than 30 times, pushing unencrypted original version out of backup version history. Therefore, you need versioning that will not delete the oldest version until it is really old, e.g. more than month ago, no matter how many times the file is changed during that period. There are multiple ways to solve that. You just need to remember that limited number of versions is not good enough because of repetitive encryption. Cloud backup providers usually offer versioning, but you need to check is the number of versions limited, when repetitive encryption occurs will original file version be pushed-out after N iterations? Others cannot use cloud backup because their data is too big. For example, it takes 6 days to restore 1TB of data with 20Mbit/sec internet connection. Normal local network (LAN) speed is 1 000 Mbit/s and takes only 3h to recover 1TB of data. Compare that to 1 week (or months, depending on data size and connection speed) that would take to recover from the cloud. Cloud makes sense for smal arhives, or smaller part of your archive that is additionally backed-up to cloud, or big archives that can afford to wait a week or month to restore, or restore place is also in the cloud in the same datacenter so between backup and restore location is fast LAN connection. But first check if your cloud is resilient to repetitive encryption.

Third: crypto-virus will look for file shares and encrypt files it finds there. It will look for USB drives (the ones you save your backups to), and encrypt their content too, when you plug them into your PC. You have a backup on a remote file share? If you have write permission, your backup will also be encrypted and your data are not protected from Cryptovirus. You or anybody else (except one special account) should NOT have write permissions to a backup location. That cannot be done with windows permissions, because you are probably administrator on your computer, and therefore the cryptovirus also grabbed “administrator” privileges. And from there he can change windows permissions and encrypt your files.

Then how to be safe, how to protect your most valuable data?

What works?

These are characterists that backup must have to protect your data from cryptovirus:

• backup location YOU CANNOT WRITE to (but backup software can)
• file versioning resilient to repetitive encryption
• automatic (no human to forget to backup)

Some enterprise backup systems can do that, but they cost money. Veeam Endpoint Backup is free and easy to configure, but only “Volume level backup” mode is usable, and that backups entire partitions. If you want to backup only specific folders and not entire drive, “File level backup” option is super-slow, and unfortunately unusable. Unless you have a really small number of files. Here is the pic of Veeam Endpoint Backup options one can choose from:

Veeam has neat option to store credentials for accessing remote file share, which greatly simplifies things:

Veeam is super-easy to setup, and if you do not mind backing-up entire partition, it might be a free solution of choice for you.

THE SOLUTION with Free File Sync

What we need

• You need to have a device capable of file-sharing and configuring accounts and permissions. If you do not have such a file server, for home and small business use I recommend Synology 216J. They do not pay me anything, it is just a device that works, has security/permission configuration, and writes at 100 MB/sec. It is very small, silent, reliable and not expensive. Fits 2 x 3.5″ HDD you can put into mirroring mode (RAID1), and has 1Gbit/s network. We will use this one for configuring permissions on file share, but you can do similar with any SMB file server:

• Free File Sync – a free software
• Windows Task Scheduler – you already have that (included in Windows)

Create special “backup” account

On Synology (or other file server you use) create an account that will be used to write backups. That will be the ONLY ONE with write permissions on backup folder. The name “SpecialBackupAccount” is just an example, you will use some other long unique username and even longer password without any human words in it. You will never use it to login, but the backup software will:

Now configure file share permissions on backup folder for that account. Ensure NO OTHER account has write permissions. Note that my account “Vedran” has read-only permission on backup file share, and is NOT in admin group (cannot write to backup):

If I need to make some changes within backup folder, I do have a separate admin account on that NAS, but I am normally not logged in with that. I never use it from windows machine, and I use it only to login to web interface of NAS and do the changes using web UI file manager.

On your PC, with the windows account you normally use (my is “Vedran”) try writing to that remote file share folder. You should get error message like on this picture. If write succeds, you need to fix the permissions. Write error (access denied) is what we want! But you should be able to read the folder without any problem:

Now we are sure Cryptovirus won’t be able to write to a backup location even if it runs under my credentials and even if it has administrator privileges on my PC.

Setup backup using FreeFileSync

First make sure that “Fail-safe file copy” and “Copy locked files” is checked in Options. That will enable backup of files which are “in use”, and interrupted partial copy will not corrupt destination file:

Select folders on your PC that you want to backup, and pair them with remote file share folder on your file server. Here I have 3 folders: Documents, Pictures (Slike), and System. Make sure the type of copy is “Mirror”:

Let’s configure VERSIONING. Under synchronize options, select “Versioning”, and put a “%date%” label under folder path where you want old file verions to be stored, like in the picture. Old versions folder should also be located on protected remote file share folder where your backups are placed:

Do that for all folders you want to backup. I have three of them, and locations for versioning are these:

• \\nas1\Backup\old_versions\%date%\Slike
• \\nas1\Backup\old_versions\%date%\SISTEM
• \\nas1\Backup\old_versions\%date%\Dokumenti

That makes one version per day at most, but it can be configured to a finer level too, eg. hour or minute. File->Save As Batch Job file, e.g. “Backup.ffs_batch”. We will use that file later.

Create account on your PC

Now we create a local SpecialBackupAccount on our PC. We will run backup software on our PC under that account. It must have the same username and password as remote account on NAS we created in previous steps. Put it in “Backup Operators” local windows group, to be allowed to run within a scheduled task. That account will have write access to backup folder on the file share. If you have idea how to remove this step and it works – I would love to hear it:

Schedule the backup

This step is crutial. It not only automates the backup, but also makes backup software running under the only account that can WRITE to backup shared folder. Open Windows Task Scheduler and create a new scheduled task that is running under our newly created local windows account:

As “action” you need to select FreeFileSync.exe with argument of ffs batch file (*.ffs_batch file) we created in previous steps:

In “Triggers” tab you can create a “Daily” task with “Repeat task every”=”8 hours” for example.

In “Settings” tab of the scheduled task check “Run task as soon as possible after a scheduled start is missed”:

Make it run as often as you need. For me, twice a day is enough, but you can schedule it to run as often as you like.

Verification

Run the scheduled task manually and verify that backup files are created. Change a file and see that the previous version is in “old version” subfolder, similar to this:

You could optionally add a job on NAS to delete versions older than X days, but that can also be done manually on occasion.

That’s it! Enjoy the security.

Conclusion

Ransomware is vicious these days and attacks are more and more frequent. It is possible to protect your data efficiently using free tools and some hardware (file share server) you might already have. Save yourself not only a money for ransom, but also the nervs and time your business is down until bad guys decrypt the files, if ever. Protect yourself. In addition to this method, you can use a versioned cloud backup for specially important parts.

You are more than welcome to comment and share your thoughts on the subject. Add a suggestion or your experience with a Cryptovirus. Let us know did this helped you. Thanks!

LIST OF USEFUL TOOLS

Veeam Agent for MS Windows (formerly Veeam Endpoint Backup) – free is limited to 1 backup job schedule. “Partition Backup” mode can backup one or multiple partitions, works at block-level, and incremental backup detects only changed blocks even in big files. Super-useful if you have big files that changed only a small part, eg. vhdx files of your virtual machines. It compresses and optionally encrypts the backup. Restore is possible at both partition and file level even if backup is done at block level.

Free File Sync – free, no limits

Cobian Backup – free, no limits

CloudBerry Backup – fre{“type”:”block”,”srcClientIds”:[“3e539dd2-2b4b-4784-8fb2-886849705ae6″],”srcRootClientId”:””}e version is without compression

Cryptomator – free encryption of cloud drive (dropbox, gdrive etc). You see normal files, cloud provider sees garbage.

APPENDIX – NAS Snapshots

Scheduled NAS snapshots can additionally protect your backup files from cryptovirus ransomware. On Synology NAS you configure them through “Snapshot Replication” app installed through the “Package Center” – we do not have to create any replication copies if we do not want to, just internal snapshots. You can schedule eg. hourly snapshots of the file share with retention of last 8 hourly snapshots, last 7 daily snapshots and 2 weekly snapshots (keeps 14 days old snapshot, one snapshot per day for last 7 days, and last 8 hourly snapshots).

You can also make snapshots visible as a subfolder “#snapshot” inside the file share, if you tick option “Make snapshot visible”:

Snapshots take space only for differences, which is very minimal amount of space and is a highly recommended, inexpensive additional layer of protection from cryptoviruses.

It is also useful to disable SMB1 protocol, for security reasons:

Synology hardening – a quite solid guide:
https://www.itsmdaily.com/how-to-secure-synology-nas-against-exploits-malware-cryptolockers/

Official Synology security hardening guide:
https://kb.synology.com/en-global/DSM/tutorial/How_to_add_extra_security_to_your_Synology_NAS