PC World's cloudy backup failed when exposed to ransomware The shortcomings of consumer-grade backup services in protecting against the scourge of ransomware have been exposed by the experiences of a UK businesswoman. Amy W, who runs a small business in the Newbury, Berkshire area, was convinced that the KnowHow cloud was the only backup technology she'd ever need1 when she bought a …
If the machine was for business use, then the lost data may well have been hundreds of text files (orders, invoices, etc.) or financial data files etc. and only occupied a few hundred MiBs. Not everyone has extensive video collections. I am also told that some lucky people have fibre and reasonable upload speeds.
I'm trying to figure out why renamed encrypted files would overwrite the originals on the backup, from my experience with ransomware it rarely leaves the originals and you'll have tons of .abc .locky etc files instead.
Additionally as you've said the staff themselves seem to be making this up as they go along - back up of all unchanged files would make no sense.
Personally I use Crashplan and manage how retention, versioning etc is done through the utility, that's partly because I'm utterly paranoid about losing stuff and it's the only cloud based backup I currently trust, even then I still have a local backup of *everything* anyway. Crashplan has saved me a couple of times though.. local drives do get stolen during burglaries :-/
"I'm trying to figure out why renamed encrypted files would overwrite the originals on the backup, from my experience with ransomware it rarely leaves the originals and you'll have tons of .abc .locky etc files instead."
This puzzles me as well.
Also, my (very limited) experience of recovering a ransomed PC was that the malware, in that case Tesla3, wrote out the encrypted versions and then deleted the originals so that the encrypted version didn't overwrite the original. It would be possible, of course, in the case of a disk with little spare room that the space released by one "deleted" file would be overwritten by a subsequent encrypt. If not something like Photorec can recover the files from free space of the original disk. Because of this the best advice that can be given is: kill the PC immediately and do not reboot except from something like Trinity Rescue with a USB drive attached to which recovered data can be written.
"I'm trying to figure out why renamed encrypted files would overwrite the originals on the backup, from my experience with ransomware it rarely leaves the originals and you'll have tons of .abc .locky etc files instead."
It depends on the specific ransomware. As mentioned here http://www.theregister.co.uk/2015/11/09/cryptowall_40/ last year, Cryptowall 4.0 introduced changing the filenames, but earlier Cryptowall (and cryptlocker) versions didn't. The first instance of it I was it wasn't even obvious an infection had happened other than the files couldn't be read (someone else on the network had been infected, and they've received the notification and kept quiet). So assuming it was one of the earlier versions she was infected with, the file names would have remained the same and would be able to overwrite the original ones.
ive dealt with quite a few crypto infections.
not all of them rename the files or the extention.
so your cloud backup solution happily uploads the latest (now encrypted) version of the file over the top of the unencypted one.
if you use dropbox (which some people still insist is a "backup tool" it then downloads that onto every other connected machine.
if you use carbonite, they have a dedicated team who can see when the infection hit (as many more files than normal are changed very quickly). they can then roll back the ENTIRE backup to before it hit. you rebuild your pc in the meantime. then they call you and saty, yes, you can restore, and all your unencrypted data comes back down the pipe. its bloody marvellous.
i believe that with dropbox pro they can also do this.
free dropbox you can see earlier versions of files, but theres no way to roll back the entire backup, so you would have to do it for every single file, which would be tedious...
Finally, "Amy W, who runs a small business in the Newbury, Berkshire area, was convinced that the KnowHow cloud was the only backup technology she'd ever need"
i mean for fucks sake. if you get pc world to do your IT then you are asking for it.
by the way, be very carful if you try and back up a truecrypt volume. by default, truecrypt is set to keep the date/time stamp on the file to the same regardless of if its been updated. also, the size of the file (usually) wont change as you set a fixed size for an encrypted volume. so the file is the same size, doenst ever get a new date stamp and so most backup products believe that the file has not changed. they back it up once when you first create it and never again...got caught out with that once. there is a setting in true crypt options to change the date/time stamp. i cant remember off hand where it is but its pretty easy to find in the options.
Correct me if I'm wrong, but didn't it start out to be at least sibling to a magazine on the TRS-80?
I have more to say, but I choke after saying that. I believe I was subscribed to it under an earlier name. It's somewhere between sometimes okay to the point where calling it idiotically stupid would be complimenting it undeservadly. People still subscribe to it, too. And follow their ads. And I'm not even trolling.
> if you get pc world to do your IT then you are asking for it
But if you know nothing about IT yourself, how do you assess whether that big high street outfit that seems to know what it's doing is actually any good ?
In reality, she was one step better than a lot of people, at least she (thought she) had a backup of some sort - how many people have no backup whatsoever ?
I've never seen a crypto virus that renames the extensions. All I've encountered append a new extension. For example .zip would be come .zip.zzz. Can you give an example of one that doesn't rename files?
At any rate - using an incremental forever backup solution with only 1 version is a bit silly and prone to fail, if you get a file corrupted you're screwed from restoring it.
If your stuff is important, then the onus is on you to make sure it is available. Need to send your Tax Returns ? You photocopy the document, or scan it, and send the original. The copy is to be properly filed so you can find it back if necessary. It is that mechanism that people just completely forget about when they sit in front of a keyboard. The Cloud is NOT a replacement for that procedure, it is an additional precaution. One that is only as good as the service offered.
Until this kind of thing happens. The lesson, unfortunately, can be very painful.
As for PC World's so-called "backup", it never failed - it was never useful in the first place. That is also something she should have checked once in a while. The dates of the latest backup. If she had done so, she would have noticed that PC World does not offer a backup service, but a copy service. That might have tipped her off sooner that she needed a proper backup solution.
There I fixed that for you.
If your stuff is important, then the onus is on you to make sure it is Backed up to a backup device.
This lady went to the store to get Advice and a computer, was informed that this was the best backup solution available.
"This lady went to the store to get Advice and a computer, was informed that this was the best backup solution available."
The best backup solution available isn't worth a shower of shit if it's not tested periodically to make sure it's actually working properly.
If the advice she got didn't include that piece of knowledge then she really should have a case against them. Unfortunately I'll bet that all liability is excluded in an obscure clause in 4 point lettering kept in the electronic equivalent of a locked filing cabinet in the basement lavatory behind a sign saying "beware of the leopard"
Reading her semi-literate Facebook posting, it's obvious that she's not the sharpest tool in the box. Sadly, there are too many people who will buy over-priced junk from PC World, and will assume that the nonsense spouted by their salesmen is gospel.
Her errors:
Buying anything from PC World.
Trusting "anti-virus" snake-oil (when will people realise that it can't work? )
Believing that any "service" provided by PC World could be good enough for business use. "Military grade"? Hah!
Finally - the use of a (barely) domestic-grade OS and software for business.........
Don't disagree about the need to take responsibility for your own data. But we live in a marketing driven world, where IT pitfalls are blurred by PR-suits... IMHO Neither Cloud or Offline is the answer, there needs to be a third option. Because flooding / fire / theft / drive failure are still big issues too.
The sad thing here is, there is no super tech guru in the media that has the attention of the masses to warn people like Amy in advance. Instead marketing dollar spending by greedy Dixons-PCWorld type corporations can bury this story over time under the weight of PR spin...
This Reg article also sets a sobering tone for CloudFog:"All of which means that the world is learning that the cloud isn't yet the “drop-in replacement” for in-house IT that everyone was hoping it would be.":
http://www.theregister.co.uk/2016/03/22/cloud_security_harder_than_encrypt_everything/
Pascal,
I think you're being unfair to the victim here. She's a member of the public, not an IT pro.
The public put their trust in people to whom they've paid money (just like DWP does) and are not equipped to evaluate whether the advice they're given is right (DWP again!). Only when there's a failure on a scale big enough to attract widespread attention such as TalkTalk's break-in do they realise that their vendor reassurances are worthless. Apart from the fact that it's then too late they have the problem of knowing what advice they should take for the future.
I'm not disagreeing with you here but she's go to take on the lion's share of responsibility here. As usual they've never tested the backup and probably never even checked it once it was installed and "working". It's the usual lazy way of backing up data and most of us (myself included) only improve in this area once we've make a royal cock up of it in the past or seen someone close to us lose months of work.
You don't need to be an IT pro to check backups, no more so than you need to be a household security expect to set an alarm, but as with house alarms it's only one thing that may/may not work and it's best to remember that locking the door and checking you've got your valuables out of site is best. similarly with backup checking it's actually working and having a "oh shit I lost everything" plan is best.
"You don't need to be an IT pro to check backups"
Think about this for a moment. I assume you're a sysadmin. How often do your users come round to you to check your backups? She's the user, PCW are her sysadmins. Why should she even know about checking?
Personal story here. I had a gig to replace two non-Y2K-capable boxes. They'd been set up so that one of them did an NFS copy to the other, the warm standby, overnight (they were situated at opposite end of a large industrial site - a disaster large enough to affect both boxes would have given them more problems than the loss of both boxes). In the course of looking at the existing setup I discovered that the overnight window wasn't long enough to allow a complete backup. I've no idea how long they'd been without an effective warm standby.
"I'm not disagreeing with you here but she's go to take on the lion's share of responsibility here"
Applying the same logic to a mechanic replacing the brakes on your car, if you have an accident caused by shoddy advice and a bad job, you must bear the lion's share of responsibility for the accident?
Victim blaming is a very slippery slope.
"If your stuff is important, then the onus is on you to make sure it is available"
<snip>
Totally correct and yet utterly wrong.
This woman was not like us, she was a naive computer user. She sought help from PC World {sadly} and was advised that the correct thing to do was to install this cloud backup. How was she , a naive user to know of the pitfalls?
Personally i have some encrypted data in the cloud because it is fashionable, I have version control on every file, I have a backup (every two hours) to a hidden non shared area on the server, I have a backup to an external hardware encrypted drive and I mirror the server to another one away from home. oh and both servers are RAID five.
That is how i do it but then I am supposed to be a professional and I have never lost any data. This woman did her best and the advice she was given was wrong, ill informed and spurious, those of us in the know would expect nothing better from PC World.
"oh and both servers are RAID five."
After several near misses and a catastrophe* I have come to the conclusion that if one has only three drives then RAID 5 is a waste of time and leads one into a sense of false security. With today's large discs >4TB the time to rebuild a RAID 5 array after a single disc failure is longer than the MTBF of the drives themselves, thus there is a real possibility that one can have a second drive fail during the rebuild and thereby causing an unrecoverable error condition in the RAID.
Personally I take the hit on disc space and with only three drives set up RAID 1 (mirroring) and a warm spare.
One should use RAID 6 (at least) if one has more than 3 drives and some version of RAIDed and mirrored drives if you have 6 or more.
(*R-studio was a godsend allowing me to reconstruct a virtual RAID from the "ashes" of my failed array!)
"If your stuff is important, then the onus is on you to make sure it is available"
That's nice, but many people who DO care, rely on technology they know nothing about, ending up with solutions touting buzzwords like "Military Safe" or some such bull crap.
Is the onus on them to suddenly become data security experts? Because that's what you're expecting...
PC world's cloud backup is a white labeled version of Livedrive... The client app is so/so ... I've had clients on it for years. It has got better over the years but its not great when it gets out of sync... and we all know what consumers do when the computer says "error" - yes, they ignore it!
Frankly, this sounds like the most probable explanation. A cloud backup may fail to complete for a variety of reasons. A likely cause is that the size of the data becomes too large for the backup window.
If a professional server backup fails to complete, alarms sound and operators and system managers rush round trying to solve the problem. In a home office environment, it could be easy to miss, or to misinterpret, warnings from the backup program.
Backup and anti-virus software on Windows often seems to suffer from over-engineered UI syndrome: the standard UI isn't flash enough to pull in the punters, so they make it look like something else. After 30 years working with computers I expect to be able to understand most software, but my wife's copy of BitDefender induces a kind of brain-fog.
The answer is both. Having looked at the website (http://knowhow.com/article.dhtml?articleReference=5545&country=uk/). There doesn't appear to be an keep the files if they are changed for 30 days, just if the file has changed upload the changed file. This is a backup, ie if your PC goes bang you can restore all your files as they were when the PC goes bang, not how they were 30 days ago
However if you delete a file it will keep it for 30 days after you deleted it
"What happens when I delete a file from my computer?
If you delete a backed up file from your computer, this will be removed from your online backup once the Knowhow Cloud software scans the backed up folders. If you accidently deleted a file or folder and need it back, you have up to 30 days to recover it. To do this:
Go to the Desktop
Click on the small arrow on your taskbar where you'll see the Knowhow Cloud icon
Right-click on the icon and select Open Control Centre
Select the Restore tab
Navigate to the file or folder and then click on Restore"
There is a third option which is that she isn't giving us the full truth either.
The sentence "Yesterday an email came through which i opened (it was from what looked like a completely standard email address) a virus flooded my laptop instantly corrupting all my files"
Seems to be missing the words "...email address) after I opened the attachment a virus..."
Yeah more to this than meets the eye.
This stuff takes hours or days to take effect. It doesn't just encrypt everything in 20 seconds and then goes "You pay now!!"
It runs till its done and then announces itself. She would not have known till then.
I've had customers bring their machines to me that have had it running for two weeks and just ignored the warnings from the AV that actually said something was up.
They both screwed up but to be honest the major weak point was her just not being savvy enough.
the newer crypto strains will also sit on your machine for a while doing nothing.... waiting for you to plug in your usb backup drive (people still use them!) .
then it encypts the usb backup disk.
then it encrypts your primary
then it ransoms you.
oh, but ive got a back up.....ooops.
versioning backup system all the way....
" after I opened the attachment a virus..."
Or, more likely and for "convenience", she has enabled full HTML rendering, including external source in her email client. Convenience trumps security every time for users.
Most people don't care or know about how a tool should work or how important it is to keep your tools in good condition, especially if that means having to spend time learning about things not directly related to the job or which may cost money now rather than later when things break.
Just look at the numbers of people driving around with lights not working, fan belts slipping, SatNavs or phone stuck the windscreen in inappropriate and downright illegal view obstructing positions. If they can't handle simple, obvious and in-your-face problems like that why would we expect them to deal with more complex and ethereal computer security and backup systems?
If you say to someone "are you opening an email that contains full HTML rendering, including external source in your email client?" and they understand that then yeah they probably should have known better. But pretty sure in a non IT environment they are just going to say what?
Email is just a message thing, people don't get it can be delivered in different formats, have embedded code etc.
To them its a electronic letter like the ones you open at home, without running it through a scan and opening it in a negative pressure environmental container, whilst wearing a level 4 biocontainment suit, I mean its only Anthrax.
Back in the late '80 there was a trojan horse virus called " PC Cyborg Trojan". This encrypted your hard disk, but nothing was visible for 90 reboots of your PC. Then an ransom would appear asking for $189 to be sent to a PO Box, you would then be sent then unlock code for your PC.
Which still wouldn't explain having just 2 restore points available. Either the laptop didn't have any changes for 30 odd days or the 'backups' didn't happen for that long. Or maybe the service is just broken.
Either way flushing older copies from the cloud is idiotic. I nominally keep about 3 weeks worth of daily snapshots but the software doesn't delete anything unless I'm adding a new image, they shouldn't just disappear even if your product has "30 days" in the name.
True, however its a lot harder to have an off-line backup when its in the cloud, since you cant unplug your bit and stick it in a safe or send it to a family member.
Cloud makes people lazy as its suddenly someone else's problem and people stop thinking about data integrity.
Tape, spinning rust, memory sticks, DVD etc - all still really useful for off-line backup as its really hard to infect / encrypt something that is disconnected and powered off !
I think the problem here is that off-line backup requires somebody to do something; either plug in or unplug something. It's generally done for the first week or so and then gets forgotten as people just don't see the value in doing it. That value only becomes evident when they are hit with the virus.
Not so hard really is you organise your time properly.
My Development PC does an incremental backup every day to a local (network) NAS using Acronis.
The weekly full C: drive is also sent off to the NAS. This has 8TB of spinning rust. I go onto it every couple of months to purge a few things.
Then I get a text reminder to plug in a 2TB HDD to the device at 3pm on a Friday. A scheduled job then takes a backup of everything. I have four Disks that are rotated for this job.
Why Friday afternoon?
simple really as it is POETS day and a Pint or two becons.
Then every baseline backed up (git repo) and is then sent off to a Linux (intel Nuc) for safekeeping.
You can't have too many backups but then I'm old enough to remember taking backups of my source code on Paper Tape. I still have the repair kit somewhere.
"True, however its a lot harder to have an off-line backup when its in the cloud, since you cant unplug your bit and stick it in a safe or send it to a family member."
I suppose you could have two separate cloud vendor backups and try to remember to sync them separately and independently and not have the clients running constantly. Maybe have a third one running constantly for that HDD crash, stolen laptop scenario.
> Cloud makes people lazy as its suddenly someone else's problem and people stop thinking about data integrity
Anon for what should be obvious reasons - the boss might read this.
At the moment there's a push on at work to move everything to "the cloud". Some of it is actually "cloud", some is just "hosted services" and the only difference from a decade ago is better connectivity and lower prices !
And yes, a big part of it is to be able to "fire and forget", to make "someone else" responsible for security, updates, backups, etc, etc. I can't think what could possibly go wrong !
http://www.theregister.co.uk/2016/01/25/office_365_imap_outage/
http://www.theregister.co.uk/2016/02/22/office_365_outage/
http://www.theregister.co.uk/2015/11/30/euro_network_gobbles_googles_cloud/
http://www.theregister.co.uk/2015/12/11/typo_in_case_sensitive_variable_name_caused_google_cloud_outage/
http://www.theregister.co.uk/2015/09/28/whoops_there_goes_my_cloud/
This reminds me on a (not so) old saying:
"When a customer owes a bank a $100,000 and can't pay, it's the customer's problem. When a customer owes the bank $10,000,000 and can't pay, it's the bank's problem"
At some point the owner has to take responsibility for their own data - and that includes testing of the backup / archive functionality.
(icon selected for what happened to her data - "nuke it from the cloud, it's the only way to be sure...")
"At some point the owner has to take responsibility for their own data"
Which, to the best of her knowledge she'd done - by going to what presented itself as a professional service.
"and that includes testing of the backup / archive functionality."!
I repeat the question I posed earlier. I assume you're a sysadmin. How many of your users come to you to check that you're testing backups?
You're talking about what sysadmins do, not users. She's a user. Is that so difficult to understand?
ive posted this already, but its aposite here.
the newer crypto strains will also sit on your machine for a while doing nothing.... waiting for you to plug in your usb backup drive (people still use them!) .
then it encypts the usb backup disk.
then it encrypts your primary
then it ransoms you.
oh, but ive got a back up.....ooops.
versioning backup system all the way....
It's PC World... The same place one of my users took one of the company laptops for a "check up" and left with a blank laptop and a sizable bill. Unfortunately I can readily believe that they inflated the capabilities of their backup system to sell it to someone, and at the end of the day she's clearly a non-technical user, how would you expect her to know? Hell I've worked with very clever people who still preferred to type things on an electronic typewriter so the only piece of kit they had to work with was the MFP!
As I've said to plenty of first liners loosing patience with users in the past - if you can do open heart surgery as well as the person on the other end of the phone, then by all means lose your patience. They know how to do their job, the IT bit is our job.
Every time I've had to deal with one of these ransomware nasties, the malware sat silently in the background happily encrypting everything without the users knowledge. Only once all accessible files have been encrypted does the user get the "we haz all your filez" pop-up which demands the ransom.
There's no way it could have instantly encrypted all of her documents immediately after opening the dodgy email....
"There's no way it could have instantly encrypted all of her documents immediately after opening the dodgy email...."
This is true. What probably happened was all sorts of oddities which panicked her. When that happened to my cousin-in-law she did the right thing - maybe by chance - and switched off. In this case it's difficult to say what happened but I do wonder if she tried to do the recovery with the virus still active and got her recovered files encrypted - or tried to do a backup and backed up the encrypted files, or both.
I don't understand why people keep banging on about backup and archive. When ever I look at products all the marketing/documentation goes on endlessly about all the backup functionality, and say nothing about how I use the backup to restore. I can make a clone copy, I can make a mirror copy, I can make a full backup or I can make a incremental backup. Great, wonderful, but how does that help me restore?
Stop wagging the dog. What is needed is a recovery solution, not a backup solution. Users/ordinary everyday people want/need a solution that will help them restore discs/files/folders back to the way they were at a specific date.
If you want my money, tell me, in detail, how your product/solution will help me to RESTORE my discs/files/folders when disaster strikes. I don't care about backup options, I care about the RESTORE options.
A good restore process can't help you if the data's not there and it's only there if you've considered the backup process and strategy. I want to know if restore works, if it's fast and easy. I want to know that and a whole lot more about the backup side of it because it's ultimately about the data, not the software.
Paul,
Again, No, No, No! Stop wagging the dog and start wagging the tail. Backup strategy is not the issue. RESTORE is the issue.
If the backup strategy does not allow me to restore my discs/files/folders as I want/need, then the backup strategy is wrong. The restore strategy dictates the backup strategy, not the other way around.
As we all know, backups are immensely important and if got wrong, huge amounts of time and money can be lost. Backup products are a de-facto insurance policy against data loss in my opinion.
I'd be interested to know what PCW's procedures are for the sale of this type of product. Do they (a) sell it and let people get on with it or (b) provide a full installation and configuration service. For each option is there a level protection a PCW customer is entitled to if their recommendations turn out not to be reliable. In the finance industry, the banks have had to pay out billions of pounds for mis-selling and giving bad advice. I wonder if the same could apply to this type of situation?
There will be absolutely no evidence that PC World promised anything. Software sales for decades is the only time you can sell something that doesn't work and don't have to refund it.
Of course PC World will say that it performed as described in the technical detail.It probably even did just that.
They'll never admit responsibility despite what some bearded goon in the shop might have promised.
I've designed and sold cloud backups since before they were trendy, and in most cases they were sold as a fix for a damaged or stolen laptop, NOT for corruption or malware. Because that was what the customers wanted 'Recovery in the event of a forseeable disaster'. The PC World system fixes that. In fact their system was one I looked at and rejected due to lack of versioning.
As has been pointed out earlier, this isn't really a backup though, it's an archive. It certainly isn't disaster recovery either.
How often do we see the same tool providing archive, backup and DR though..... Depressing isn't it...
People need to learn about 'Horses for Courses'.
PC World is a shop that sells Computers and related Hardware and is part of a chain that sells White Goods & related hardware.
They are a retail outlet that has grown quite large and diversified into Computer Retail (mainly Domestic & Small Business end of the market.).
They are NOT a Computer Company that any business of size would choose to get advice from for 'Business critical processes' such as Backup and/or Recovery.
They are guilty of treating this Small Business customer the same as the Domestic customers.
Simple and cheap Backup systems are easy to sell to the 'Mug' customers that know no better but as this tale shows does nothing for a small business that unfortunately are disproportionately impacted by the useless service.
Always treat any information received from PC World as subject to confirmation/clarification.
[To be fair: Applies to ALL retail outlets for ALL goods as there is a built-in bias by definition ... to state the obvious]
That is to say you will often get the 'Sales pitch' they have learnt without real knowledge of what they say. (This has been tested 'many a time and oft' by the more IT aware customers [Google is your friend on this])
This is not an attack on the Sales People as they are there to 'Sell', it is their job!!
You should always ask yourself are you getting advice that is impartial and if possible verify the 'advice' with someone who is more knowledgable.
*Remember PC World is a Retail location not a Computer Consultancy.*
PS.
I like many others do still buy from PC World but know what I want and pay the premium for convenience when I have too. I just never ask for advice in an area that I am more knowledgable.
I know I don't know it all but I generally have a small advantage on the average Sales person in a shop and will investigate areas that I have interest in *before* going to the shop.
While I agree with your advice about 'horses for courses', its just too impractical for the likes of Mom, Girlfriend, Friends, rest of family etc...
PCWorld is part of a larger group that thrives on throwing money on marketing... And... we live in a marketing driven world, where IT pitfalls are routinely blurred by PR-suits...
So where are the tech media gurus to warn users like Amy or Mom? Unless its Twitter or Facebag, tech just isn't deemed sexy enough, so the mass media never cuts through the bullshit (even BBC Click is too pollyannic with advice). The core problem here, is that brand is king, and truth is dead!
"They are a retail outlet that has grown quite large and diversified into Computer Retail (mainly Domestic & Small Business end of the market.)."
Not quite correct. They started out as a specialist computer retailer - in Croydon IIRC. They grew into a chain and were then taken over by a bigger chain.
"PC World ... I just never ask for advice in an area that I am more knowledgeable."
Was in there a few weeks ago wanting a flat-bed microwave (e.g. for cooking lasagne in a rectangular dish too big to rotate). They only had one small one and zillions of conventional revolving-turntable ones. The salesperson there suggested just buying a bigger revolving turntable one and using it without the turntable. Duh. Apparently she'd never heard of food poisoning from unequally cooked food. As you say, they are just there to sell you stuff and may have negligible knowledge of what they are selling or how appropriate it is for your expressed requirements.
Unfortunately, the average customer may not have the relevant knowledge to know when they are being fed bullsh*t or sales spiel. I suppose it comes down to buyer beware, but (unfortunately) not everyone is as cynical around salespeople as I am.
Q1: Any of the Ransomware variants show up in Task Manager... If not, are they using $Hidden processes or obfuscated as windows subsystems (i.e. svchost etc)?
Q2: Does running a profiler like SysInternals-ProcMon, help? If you set Winrar to backup your entire hard drive etc, it has a noticeable effect with greater hard drive activity and a slowdown in performance (even running in the background). So is ransomware running at low priority yielding to the OS and other tasks to help keep it hidden?
Q3. Saving M$-Office files without file-extensions... Does this offer a shred of protection? (Lets say you're giving out advice to friends / family who you know always ignore errors and only update AV / anti-malware at Christmas, if ever)?
1. It really depends on the malware. Some appear as normal processes and can be killed, some block the Task Manager from opening.
2. You can probably detect the activity using tools or just noticing some slowdown, but most users don't sit at their desks watching Sysinternals utilities all the time.
3. You may be able to trick malware by saving files without an extension but that's going to be a really annoying workaround: users may think they're saving without an .ext but really, the file has an extension and Windows is just hiding and thus you've not really achieved anything; or all your files will be truly extension-less and unrecognized by applications.
C.
"users may think they're saving without an .ext but really, the file has an extension and Windows is just hiding "
This little gift of Windows is part of the problem. cat_piccy.jpg is really cat_piccy.jpg.exe and Windows lied to you.
1. Malicious software is trivially hidden in Windows. Even the "administrative tools" can be easily fooled.
2. What system "slowdown" would you ever spot in Windows? It's always slow and processes seem to take random times to complete since the scheduler works in very mysterious ways!
3. Forget it. "Office" has type tags at the start and end of files, and the latest version automatically appends extensions!
I'm not a member of this IT priesthood; just an old geezer who's used computers since the days of CP/M & DOS. I've endured that thru Mac 6.1 thru OS-X, DOS thru Win7 (skipped ME, Vista, & refuse Win10), and I'm posting this with Debian 8.3 "Jessie"... so I'm old but not ignorant.
All this prattling on about blaming the victim for being clueless is much like blaming the mugging victim for getting lost/distracted and wandering into the wrong part of town. I can hear the cops (plods in Blighty) now berating the lady for her foolishness. "Any heads-up person knows better than that, Ma'am ... you NEVER go into that part of town!"
Look at what the non-tech-enlightened user faces: MicroSoft shafting them with non-disclosed intrusions, controls & unwanted upgrades; a Marketing tsunami that overwhelms all attempts to browse, do email, and get work done; so-called retail "professionals" charging premium prices to deliver crap counsel and unsuitable product, and a Government-ignored evil empire swarming through one's online connection to suck bank accounts dry, steal one's identity, and destroy one's computing investment.
So go ahead, be the haughty Priesthood that condemns the supplicant for being unable to chant the liturgy in Latin ... and then wonder why former users and paying customers no longer trust the entire fecked-up shambles that's become of your world, and decides to move on to something safer, more trusted, and less demanding.
It's all well and good to endlessly debate whose fault it is, but when you happen to look up, all your customers will have deserted your cathedral.
Just feck off ... the whole damned lot of ye.
Much as I can empathise with your view, it is a little unfair to castigate all the IT people.
There are many people who are able and willing to give good advice but that is very unlikely to be the one who is selling you the 'bag of magic beans'.
The problem is one of computers are now a cheap commodity and everything surrounding them is expected to be cheap or even free.
You would not expect to get good advice about doing your accounts from a complete stranger for free, yet you expect good advice regarding your IT for free from a complete stranger. (who may be biased for obvious reasons)
Small businesses invest in understanding how to do their Accounts/VAT/Marketing etc, why not do the same for the IT side.
Good advice from people who have worked in the industry for a while and have worked through the B***s**t marketing and sales pitches is available if you look but may cost you some time and money in the process. It is worth it at the end of the day and should be seen as a reasonable business cost.
In terms of non-business users it is also possible to do some research to learn about Computers on the Internet, not to mention community programmes to provide Basic IT skills etc.
It is all out there if you look. Computers are not like owning and using a wired Telephone of old, it impacts all parts of our lives and cannot be simply treated as a blackbox you do not need to understand beyond learning how to use Twitter & Facebook.
Everyone wants to get the benefits without investiing any time to understand what they are dealing with and the + & - points of owning/using a computer. e.g. most people have no understanding of how computers impact on your privacy or others and seem to be quite happy to wish it all away for the simple pleasures of publishing their lives in realtime for all to see & many to abuse.
Do I have sympathy with people that have been bitten by the negative side of owning/using computers, of course.
But it could be avoided if a little effort was made to understand the 'beast' and how to tame it.
I know this will be downvoted but it does not change the fact that knowing how to use your 'Tools' is still valid even when the 'Tools' have changed beyond imagination. :)
There is NO 'IT Priesthood' preventing the gaining of this knowledge more like a lack of wanting to make the effort as it takes too much time/effort or stops me from 'Selling more Widgets' or eats into the time I want to spend in the Pub etc etc.
I think you totally overshot my point. You're still insisting that that the sheep are expected to defend themselves against the wolves. I'm trying to say that we sheep will go find ourselves another pasture ... one without packs of ravening wolves running unchecked.
Either the lot of you are sheep, yourselves unable to go up against the wolves, or you're a bunch of detached sheepdogs who don't see any point in getting together to deal with their increasing hordes.
Anyway, as long as the INDUSTRY thrives on such practices as opaque and dishonest EULA, software unfit for purpose sold with total "buyer beware" immunity, massive corporate interests enforcing monopoly positions with strong-arm tactics that embarrass Mafia dons, and malware launched as Government tools of surveillance and intrusion ... you are practitioners in an increasingly untrustworthy and rapacious industry.
So continue to defend it, and wallow in it, and blame the victims while denying that the computing environment, both off- and online, is getting more and more corrupted to the core as we watch. Well, maybe GCHQ or the FBI/NSA/CIA have openings for displaced IT workers. Or going totally over to the dark side, there's always MicroSoft, Adobe, or Google.
One of the companies that I deal with are reasonably IT-savvy. They made the move to FOSS after one malware event too many. They then got audited by the HMRC for VAT.
The tax numpties couldn't get their collective little pointy heads around the idea of using something other than Windows and so they called in the Fraud Squad on the basis that the company "must be hiding something"!
It's taken almost two years to prove to the VAT-man's satisfaction that they are as clean as a whistle!
"But it could be avoided if a little effort was made to understand the 'beast' and how to tame it."
The fact remains that she went to people who were supposed to help her.
Another poster mentioned front-line support & heart surgeons. Let's pursue that line of thinking and imagine that medicine isn't regulated. You feel ill. You roll up to someone at a good address with an impressive brass plate beside the door. You are you to know whether you're visiting a heart surgeon or an apothecary with a good address and a brass plate? You tell them your symptoms and accept their diagnosis and assurances in good faith; you've "made a little effort" but you don't have the required knowledge to tell whether it was the right effort and you didn't realise that you needed to do 1st MB to be able to tell the difference.
@Gray
You have a point but please realise that some of us who are saying that users shouldn't be blamed for not knowing what they need to know in order to know what they need to know* are also pros (or retired pros). Personally I'm shocked at the number of people here who expect that a SOHO user or whatever should be an experienced sysadmin.
The public should be better served. They should be better served by the platforms they're sold, they should be better served by the vendors and they should be better served by Government who have better things they ought to be doing than mass-surveillance.
*Yes, Sir Humphrey got there first.
@Doctor Syntax
Thank you, Sir, for your understanding comment. I don't mean to condemn the entire group (well, maybe ... a little!) but I got rather cheesed at the Priesthood condemning that poor lady who went for help to get set up properly, lost her data, and got royally dumped upon. I'm 75 ... I spend some of my time helping other Seniors here in the US with their home computers. It's a challenge! Not because of the befuddled, confused state of the users, but because of the insanely arcane, less-than-transparent, poorly-implemented state of the operating system and the software.
Here's a clue: I've wiped Windows off their machines (with their permission) and installed a desk-top friendly version of Linux. They get along with that just fine! I do counsel them about safe browsing, avoiding "click-itis", and backing up their user files. But they do just fine, and I check back frequently to see how they're doing. With one old gentlemen who needed his Windows system, I've had nothing but grief and repeated call-backs. I get paid lunch as a service fee. I've threatened to break his fingers if he doesn't stop clicking "free offers" in every web page he opens ... but hey, we're old and stubborn, and we'll do it our way. He's a Silver Star medal WW-II vet, one of the few still alive, so I can't get too upset with him. But Windows is NOT his friend. It's a malware magnet.
I see another U.S. hospital has just been knocked offline by a ransomware attack. I suppose it's their fault for not having a sufficiently funded IT staff, or for letting the doctors and admin staff have access to the facility's computers.
If MicroSoft would devote as much resources rallying the US government to help clean up the situation as it does ramming Windows 10 down our throats ... if they would immediately stop using their security patch system as a malware delivery system to the point I've turned OFF all MS updates on my Win7 laptop ... if the U.S. government would wake up and begin to track down and prosecute malware hackers instead of acting as hired thugs for entertainment industry DRM enforcement ... and if Intel & AMD & Dell & Lenovo & Amazon & Google & all the others would wake up and begin to think of customer security rather than condoning Adobe-insane privacy invasions ... well, I'm not sure whether to cry, curse, or pull the plug on all this computer crap. You know, the benefits are looking pretty doubtful in view of all the risks!
If the IT pro community isn't going to get in the industry's face about these things, who is? My Congressman? Hell, that idiot is the biggest part of the problem... and he stopped listening to people like me a long, long time ago. We don't have enough money to buy a minute in his office. Thanks for listening. </rant>
Ask the BOFH, she's at fault - for trusting the marking literature, probably written by someone with a recent marketing degree who was working from post-it notes jotted down while talking to their boss, who'd discussed the product with the programmers boss at the pub the night before.
It sounds like the backup plan worked as advertised - but not as she'd understood (or been sold) it - it makes a backup, and keeps it for 30 days ... unless you overwrite it with a new backup.
A "backup" is not the same as a copy saved somewhere in the cloud. A copy of your data is NOT a backup.
"Ask the BOFH, she's at fault"
The BOFH is good for a laugh. But in real life someone who makes a purchase of a complex product should be able to expect advice, given after consultation, as to what meets her needs, not whatever's in stock or offers the biggest bonus.
We resell Livedrive and the main problem is that there isn't a way of restoring all your files even if they keep the relevant version information. What happens is that yes you can restore a file back to the previous version, or the one before, etc (going back 30 versions) BUT you can only do this one file at a time. If you want to restore the state to the version before the virus took hold and encrypted all the files... Well, you can't.
Furthermore we had an incident with the locky virus recently and we found that it had renamed the files before encryption. The renamed file names got uploaded and this doesn't seem to count the as a version. The old file name was lost from the supposedly secure backup.
And another thing, when we asked Livedrive if they could do a restore of a cloud "team folder" to a specific date, they refused.
Dropbox offer this as a service but Livedrive won't help
In fact every time we have asked Livedrive for help with bulk operations that they could easily do, like fixing corrupt data in their dedupe hashing tables, they said no, we could do it ourselves. When I had In the past pointed out that the task would take six months, they agreed that it was a "while" but refused to help.
They are like PC world, to be avoided.
The service has some great features but it's let down by poor implementation and no customer service
Who with a brain would use that? If you really have to carry around lots of data/applications etc. by micro SD chips - XD 64 GB is about 20 USD. Important data can't be encrypted anymore, unless you are a genius and write your own software, by using a home made computer chip. That is the new world we are living in. Companies should not allow employees to come to work with smartphones or tablets or other devices - and of course no Internet access at all.
My guess at one explanation that would actually make the seemingly contradictory claims all fit... perhaps this system does keep previous file versions that are under 30 days old. So, you have a file that uploaded months ago, then the encrypted one uploaded recently. That means the old file is over 30 days old and would not be retained. Of course the way it should work is that it'd keep that previous version for 30 days after it's been replaced, but none of these descriptions specifically say that.
With all of the resources online, I find it hard to fathom why people will accept important advice from one source and not try to verify that it's good advice. There are forums for everything and most questions about things like backing up your data has been thrashed out thousands of time. Not all of that advice is good either, but it might get you to think. I don't use cloud services and handle all of my own backups and archives. Off site backups go to mom's house. We are far enough apart that any disaster that would befall us at the same time is going to render having backups as not very important. Mom will sends me back the backup drives she has stored when I she receives the set I send her. I also have a key to her house and can retrieve the drives anytime I really need them subject to 5 or 6 hours of driving.
I've created my routine from lots of late night "what if.." thinking. I'm certain that I'm in good shape short of nuclear war or a sudden and violent re-shifting of the continents. I'm not so sure about a rapid shift of the magnetic poles. If the black helicopters come for me and swoop in at my old mums to get my back up drives as well, I won't be seeing daylight again for a long time (or ever), so again, not something that I can reasonably provision for.
"The back up servers as a matter of course run daily virus and malware scans however these files would not be identified as suspicious as they were not a virus threat themselves."
So can we infer from that, that the data the user backs up is not encrypted and is stored plaintext for anyone with access to the KnowHow servers to read? Brilliant.
This makes me sick. Can we setup a gofundme site to raise money so that she can get her files back? I'd give something.
Perhaps the malware was able to delete her older backups somehow.
All ransomware is known to issue a vssadmin /delete command. 100% of our servers and pcs have vssadmin renamed to be inactive.
As a backup admin, I can say that it's extremely common for end-users to delay dealing with similar problems for MONTHS until they realize they have an option to restore from backup, and at that point they expect a service that goes above and beyond the specified one. (which can sometimes be provided, because data expiration on the back-end takes longer than it should for many backup/storage solutions)
Otherwise - cryptoware is a trivial matter.
There's something that doesn't seem right. Most crypto viruses I've dealt with RENAME files (with a secondary extension), not just encrypt, and I don't see how a renamed file could "overwrite" the original. The files expiring, because 30 days passed looks like the more likely case.
Just in case she had teslacrypt 3 to 4.2:
http://www.zdnet.com/article/teslacrypt-no-more-ransomware-master-decryption-key-released/
TeslaCrypt no more: Ransomware master decryption key released
To anyone interested in the above issue... I personally suffered the same issue within my business last August and we lost a significant amount of data, which has brought a huge cost and strain to my business.
I complained to the Advertising Standards Authority and after several months, finally now my complaint has been UPHELD. Currys are to change their advertising and no longer exaggerate the performance of their product. The ASA ruled in in favour on several points. You can read the ruling here:
https://www.asa.org.uk/rulings/dsg-retail-ltd-a17-387762.html
I still can't leave the Knowhow Cloud service as we cannot transfer the encrypted files to another service, and need to retain access to their portal in case we need to recover individual files to old backups. So despite everything I am forced to keep paying the subscription.
Next stop will be court to seek financial compensation.
If anyone is interested in group action or taking the complaint further with me please do let me know.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
