Any thoughts on this ransomware that's going around? Supposedly any drive connected to the PC is at risk. I was wondering if a good ploy to protect my backups in my external enclosure would be to 'remove' the disk using a utility like 'HotSwap'. The drive now becomes invisible at the command level and when I want to access it again, run 'diskpart' then 'rescan' - or do the cunning dogs also have that covered?
Hey attar, I don't have time to go over what I do but the following is basically what I do... Look it over and I'll have some time to go over my plan with you maybe this week. I have never thought about HotSwap but maybe I'll give it a good look.

QUOTE:

Re: How to protect against CryptoLocker (ransom) type Trojans
Posted: 10-Jan-2015 | 2:44PM

Something that might work is to keep the USB WD Drive volume unmounted until you run the backup job. I'm not sure, but I've read elsewhere that ransomware encryption variants won't access unmounted drive volumes. I don't know if some ransomware variants will mount volumes that were previously unmounted. Since you're running a Raid array, I'm not sure how this would work but I think it would work the same way as a single USB backup drive. I used to run an internal Raid 1 array on my Desktop PC but removed it since it doesn't protect against malicious intrusions (malicious content will be mirrored to the companion drive).

For example, a script using "Diskpart" could be run to mount a backup volume before running the backups and then unmount the volume when the backup job completes. That would allow the backup drive to remain connected (USB, etc) to the parent PC when not in use. One example would be something like this, where you could run the script manually before a backup job begins or run it unattended from Windows Task Scheduler a couple of minutes before a scheduled backup job begins.

Create a CMD batch file containing this:

    cd \
    diskpart /s C:\Users\your_name\Desktop\mount_drive.txt

Then, create a notepad/txt file on your Desktop with the same name as above (mount_drive.txt) that includes this:

    select volume #
    assign letter=x
    exit

After the backup job completes, an "unmount" script can be run similar to the previous script:

    select volume #
    remove letter x: dismount
    exit

Here's an example screencap of what's currently mounted on my PC using Diskpart.
Volume 5 is a Flash Drive with the letter "f" volume on the drive. I used manual commands to simulate what can be automated with a batch file, repeating some of the "list" commands to illustrate the "*" mark indicating that Diskpart has selected the correct drive.

    Microsoft DiskPart version 6.1.7601
    Copyright (C) 1999-2008 Microsoft Corporation.
    On computer: JEFF-PC

    DISKPART> list volume

      Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
      ----------  ---  -----------  -----  ----------  -------  ---------  --------
      Volume 0     D                       DVD-ROM         0 B  No Media
      Volume 1         System Rese  NTFS   Partition    197 MB  Healthy    System
      Volume 2     C                NTFS   Partition    931 GB  Healthy    Boot
      Volume 3     E   Videos       NTFS   Partition    465 GB  Healthy
      Volume 4     H   GoFlex 1     NTFS   Partition    465 GB  Healthy
      Volume 5     F   FLASH STICK  FAT32  Removable     15 GB  Healthy

    DISKPART> select volume 5

    Volume 5 is the selected volume.

    DISKPART> list volume

      Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
      ----------  ---  -----------  -----  ----------  -------  ---------  --------
      Volume 0     D                       DVD-ROM         0 B  No Media
      Volume 1         System Rese  NTFS   Partition    197 MB  Healthy    System
      Volume 2     C                NTFS   Partition    931 GB  Healthy    Boot
      Volume 3     E   Videos       NTFS   Partition    465 GB  Healthy
      Volume 4     H   GoFlex 1     NTFS   Partition    465 GB  Healthy
    * Volume 5     F   FLASH STICK  FAT32  Removable     15 GB  Healthy

    DISKPART> remove letter f: dismount

    DiskPart successfully removed the drive letter or mount point.
    DiskPart successfully dismounted and offlined the volume.

    DISKPART> list volume

      Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
      ----------  ---  -----------  -----  ----------  -------  ---------  --------
      Volume 0     D                       DVD-ROM         0 B  No Media
      Volume 1         System Rese  NTFS   Partition    197 MB  Healthy    System
      Volume 2     C                NTFS   Partition    931 GB  Healthy    Boot
      Volume 3     E   Videos       NTFS   Partition    465 GB  Healthy
      Volume 4     H   GoFlex 1     NTFS   Partition    465 GB  Healthy
    * Volume 5                      FAT32  Removable     15 GB  Healthy

    DISKPART> assign letter=f

    DiskPart successfully assigned the drive letter or mount point.

    DISKPART> list volume

      Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
      ----------  ---  -----------  -----  ----------  -------  ---------  --------
      Volume 0     D                       DVD-ROM         0 B  No Media
      Volume 1         System Rese  NTFS   Partition    197 MB  Healthy    System
      Volume 2     C                NTFS   Partition    931 GB  Healthy    Boot
      Volume 3     E   Videos       NTFS   Partition    465 GB  Healthy
      Volume 4     H   GoFlex 1     NTFS   Partition    465 GB  Healthy
    * Volume 5     F   FLASH STICK  FAT32  Removable     15 GB  Healthy

    DISKPART>

Just my opinion, the best method for protection against malicious occurrences is to have redundant backups on devices that are disconnected from the parent PC except when backup jobs are processing. I am using a continuously-connected USB HDD for my unattended scheduled specific-item backups but that's for recovery scenarios that don't include encryption ransomware incidents. I have 3 backup copies on a couple of Flash drives and an external USB HDD that contain my most important items on my PC. These drives are separate from multiple full-HDD backup options and are disconnected from my PC except during the actual file copying process. I use a "file copy" script to copy my items over to the backup drives to minimize the time that the drives are connected to the PC.

END QUOTE

Look that over and I'll get back with you to let you know just what I'm doing...... 2oG
Yes, that's the idea - except I thought I was being original. Another line of thought might be removing the disk letters from the backup disks and using a script to locate the drive by its name - "Slim" or "HP" - since the name stays with the drive, the designated letter notwithstanding. I already use that method in a script to clone my C drive to a backup in a caddy.
You're getting the idea. You use the Volume # to find a drive with the letter removed; it doesn't change until you delete that drive (partition) and create a new one.... Hang in there, I'll give you some good stuff. 2oG
I used this to verify that the backup drive accepts incremental backups and that my backup drives go offline when the backup finishes. This bat file will have to be modified for each backup drive and run using Task Scheduler (or manually - this is why it checks for an Admin).

    @echo off

    :start
    set randname=%random%%random%%random%%random%%random%
    md c:\windows\%randname% 2>nul

    if %errorlevel%==0 (echo Administrator detected!!!
    goto end2)

    echo Must be run as Administrator: try again

    pause >nul
    exit

    :end2
    @echo off
    rd c:\windows\%randname% 2>nul

    hotswap! -s

    echo enable all
    timeout /t 5 /nobreak
    HotSwap! p: -Q
    hotswap! p:\

    timeout /t 5 /nobreak
    HotSwap! q: -Q
    hotswap! q:\

    timeout /t 5 /nobreak
    HotSwap! r: -Q
    hotswap! r:\

    timeout /t 5 /nobreak
    HotSwap! h: -Q
    hotswap! h:\

    timeout /t 5 /nobreak
    echo all off
    rem pause
    for /f "delims=" %%a in ('WMIC Path Win32_volume where "Label='ndrive'" Get DriveLetter /format:list') do >nul 2>&1 set "SystemVolume_%%a"
    SET _test=%SystemVolume_DriveLetter%
    SET _result=%_test::=%
    ECHO %_result%
    if "%_result%"==":=" goto testit
    echo %_result%:

    AMBackup /b inc /s "%_result%:\C System Backup To N\C System backup To N.adi"
    AMBackup /b inc /s "%_result%:\e disk backup\e disk backup.adi"
    pause
    Rem the following label command is only required if a disk is being cloned:
    Rem label %_result%: ndrive
    HotSwap! %_result%:
    exit
    :testit
    cls
    Echo destination drive not detected: check connections and try again
    pause
    exit
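The two procedures discussed so far, the diskpart mount/dismount scripts in the quoted post and the locate-the-drive-by-label batch above, done with the Windows Storage cmdlets instead. This is an added example, not a script posted by anyone in this thread; the label "ndrive", the letter X: and the robocopy job in the usage comments are placeholders (assumptions), and it needs Windows 8 / Server 2012 or later for the Storage module. Two points it makes that neither script does: removing the drive letter alone leaves the volume reachable through its \\?\Volume{GUID}\ path, which any process can enumerate, so the disk is also taken offline; and the disk is re-found by its UniqueId rather than by diskpart's volume number, because an offline disk shows no volumes to search by label.

```powershell
#Requires -RunAsAdministrator
# Added example, not a script from this thread. Uses the Windows Storage module
# (Get-Volume / Get-Partition / Get-Disk / Set-Disk / Set-Partition).
# Placeholders: label 'ndrive', letter X:, the robocopy job in the usage notes.

function Get-BackupDisk {
    # Resolve the disk carrying the volume with this label. Works only while the
    # disk is online: an offline disk exposes no volumes at all.
    param([Parameter(Mandatory)][string]$Label)
    $vol = Get-Volume -FileSystemLabel $Label -ErrorAction SilentlyContinue | Select-Object -First 1
    if (-not $vol) { return $null }
    return ($vol | Get-Partition | Get-Disk)
}

function Dismount-BackupVolume {
    # Remove the drive letter, then take the whole disk offline. The letter alone
    # is not a barrier: the volume stays reachable through its \\?\Volume{GUID}\
    # path. Returns the disk's UniqueId, which (unlike the disk number or the
    # diskpart volume number) survives unplugging and reboots, so the mount step
    # can address the disk while it is offline and has no visible volume.
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Label)
    $disk = Get-BackupDisk -Label $Label
    if (-not $disk) { throw "No online volume labelled '$Label'" }
    $vol  = Get-Volume -FileSystemLabel $Label | Select-Object -First 1
    Write-Verbose "Without the offline step this path would stay writable: $($vol.Path)"
    $part = $vol | Get-Partition
    if ([int]$part.DriveLetter -ne 0) {
        $part | Remove-PartitionAccessPath -AccessPath "$($part.DriveLetter):\"
    }
    # Windows may refuse the offline request for removable-media disks (most
    # flash sticks); USB HDD enclosures normally present as fixed disks. Test it.
    Set-Disk -UniqueId $disk.UniqueId -IsOffline $true
    return $disk.UniqueId
}

function Mount-BackupVolume {
    # Bring the disk back online and give the labelled volume its letter.
    param(
        [Parameter(Mandatory)][string]$DiskUniqueId,
        [Parameter(Mandatory)][string]$Label,
        [Parameter(Mandatory)][char]$Letter
    )
    Set-Disk -UniqueId $DiskUniqueId -IsOffline $false
    if ((Get-Disk -UniqueId $DiskUniqueId).IsReadOnly) {
        Set-Disk -UniqueId $DiskUniqueId -IsReadOnly $false
    }
    # The volume only becomes visible once the disk is online.
    $vol  = Get-Volume -FileSystemLabel $Label -ErrorAction Stop | Select-Object -First 1
    $part = $vol | Get-Partition
    if ($part.DriveLetter -ne $Letter) { $part | Set-Partition -NewDriveLetter $Letter }
    return "$($Letter):\"
}

function Test-BackupVolumeHidden {
    # True when the disk is offline and no volume with the label is visible,
    # i.e. nothing that walks drive letters or enumerates volumes can find it.
    param([Parameter(Mandatory)][string]$DiskUniqueId, [Parameter(Mandatory)][string]$Label)
    $disk = Get-Disk -UniqueId $DiskUniqueId
    $vol  = Get-Volume -FileSystemLabel $Label -ErrorAction SilentlyContinue
    return [bool]($disk.IsOffline -and -not $vol)
}

function Invoke-ProtectedBackup {
    # Online -> backup job -> offline, with the offline step in finally so a
    # failed or interrupted job does not leave the backup volume exposed.
    param(
        [Parameter(Mandatory)][string]$DiskUniqueId,
        [Parameter(Mandatory)][string]$Label,
        [Parameter(Mandatory)][char]$Letter,
        [Parameter(Mandatory)][scriptblock]$BackupJob   # receives the mounted root, e.g. 'X:\'
    )
    $root = Mount-BackupVolume -DiskUniqueId $DiskUniqueId -Label $Label -Letter $Letter
    try     { & $BackupJob $root }
    finally {
        $id = Dismount-BackupVolume -Label $Label
        if (-not (Test-BackupVolumeHidden -DiskUniqueId $id -Label $Label)) {
            Write-Warning "Backup volume '$Label' is still visible; check the Set-Disk output"
        }
    }
}

# Usage (elevated). Once, while the drive is still online and lettered:
#   $id = Dismount-BackupVolume -Label 'ndrive' -Verbose
#   $id | Set-Content C:\Admin\backup-disk-id.txt          # assumed path; keep for later runs
# Every backup cycle afterwards:
#   Invoke-ProtectedBackup -DiskUniqueId (Get-Content C:\Admin\backup-disk-id.txt) `
#       -Label 'ndrive' -Letter 'X' -BackupJob {
#           param($Root) robocopy "$env:USERPROFILE\Documents" (Join-Path $Root 'Documents') /MIR /R:1 /W:1
#       }
```

The honest limit of this, and of the diskpart and HotSwap! versions: any process running with administrator rights can issue the same Set-Disk call and bring the disk back, so it defeats malware that only walks drive letters or enumerates mounted volumes, not a privileged attacker. The physically disconnected copies described in the quoted post are what covers that case.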
Hey attar, I'm sorry for the delay. I really wanted to comment on this but my wife has been really sick and I've been really busy. I don't have a Raid array at home so have never tried anything like this. First of all: does it work? I see what you are trying but don't really understand all of it. lol Later tonight I will lay out what I am doing with my backups (I use the KISS factor) and maybe you will get some ideas from that. See you later, 2oG
My external drives are used by a program called AOMEI Backupper to store daily backups of my C drive to drives N O P Q R (Mon, Tue, Wed etc. on daily rotation). AOMEI is called from Windows Task Scheduler to create these backups. I also use a program called HotSwap! to take these drives offline or online. Instead of creating multiple batch files for each of the backup drives, I use two simplified generic bat files. The first file is scheduled to bring the external disks online a couple of minutes before the scheduled backups run. The second file is scheduled to take the external disks offline a few minutes after the scheduled backups end. I know the start time of the backups and from experience I can estimate when the backups are complete. The drives go on and offline as expected; the only niggle is that as they come online, 'Autoplay' pops up a window per drive. I get around that by using a registry file to suppress 'Autoplay' for all drives. When offline the drives are invisible to the system; neither DOS nor the Management Console sees them.

Here are the bat file listings: 1 brings the drives online, 2 takes the drives offline.

1.

    hotswap! -s
    timeout /t 10 /nobreak >nul
    cls
    echo drives N O P Q R are going online
    timeout /t 3 /nobreak >nul
    exit

2.

    echo wait...
    echo drives N O P Q R are going offline....
    HotSwap! N: -Q
    hotswap! N:\
    HotSwap! O: -Q
    hotswap! O:\
    HotSwap! p: -Q
    hotswap! p:\
    HotSwap! q: -Q
    hotswap! q:\
    HotSwap! r: -Q
    hotswap! r:\
    rem HotSwap! h: -Q
    rem hotswap! h:\
    cls
    echo drives N O P Q R offline...
    timeout /t 3 /nobreak >nul
    exit
Hi attar, Over the past 15 years I have built hundreds of computers for customers that I usually rank as a “User” in ability, i.e., more knowledgeable than a Newbie but less than Advanced. Therefore, I work with them in order to set up their new computer and tailor it for their needs…. There is no “one size fits all” in a security plan; some want all Free programs, others don’t mind paying for them, others want to sync their phone and lappy, etc., etc. In my opinion, a backup strategy forms a crucial part of a layered security plan. Consider where you would be if your security strategy failed. If you’ve ever lost critical data to a malware infection, or had a hard drive crash, no doubt you already consider it of primary importance. Just slightly less important than your heartbeat! When you create a partition, a drive letter and volume number are assigned to it. Just remember that you can change or remove the drive letter/name, but the volume number will never change. Therefore, you will always be able to locate that partition using the volume # no matter if it has a letter, a name or not. If you delete a partition, the volume # is gone but will be used when the next partition is created; therefore, you must keep up with it. lol When you assign a drive letter to a backup partition that will have the letter removed, then, in order to keep the drive letter from being used again, always select a letter at the end of the alphabet like W, X, Y or Z. When assigning a letter, the computer will select the next unused drive letter in alphabetical order. Therefore, if you assign a letter at the tail of the list it is unlikely that it will ever be re-assigned, so you can always use that same letter for your backup partition. I am not aware of any malware that is able to mount an un-mounted drive, though I imagine that it's not outside the realm of possibility. That is why I always keep a disconnected drive with a backup….
What I actually meant was: I understand what you are doing, I just can’t understand why! I use AOMEI pro and recommend it for my customers. Not necessarily for the command lines but mostly for the auto clean up. AFAIK, Auto cleanup is not implemented in the command lines at this time. This computer has (4) 1TB drives, 3 inside and 1 external in a cabinet with its own power supply. A schedule runs the following daily at 12:01 am after I am in bed, usually. Then it shuts the computer down for the night:

-- Mount drives.bat --

    ipconfig /release
    rem turn the internet OFF
    cd \
    rem select the main directory
    diskpart /s C:\Users\oldgeek\Desktop\mount_drives.txt
    rem run the script to mount drive

-- mount drives.txt --

    select volume 11
    rem my 3rd drive
    assign letter=x
    exit

Now there will be 2 scheduled AOMEI backups, differential with auto cleanup (I have reasons that I do not like incremental) about 6 minutes apart that backup the system and my data files to x. After the backups, a dismount is scheduled.

-- dismount drives.bat --

    cd \
    diskpart /s C:\Users\oldgeek\Desktop\dismount_drives.txt
    shutdown /s
    rem shutdown the computer

-- dismount drives.txt --

    select volume 11
    remove letter x: dismount
    exit
    rem exit diskpart

I also have a 3 day a week schedule to backup to an external drive that has the USB port turned off. Don’t think malware can get into it because it requires a reboot to turn it on. Not gonna list all of that unless you are interested. lol 2oG
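Both schedules in this thread lean on Task Scheduler: attar's runs the online and offline batch files at estimated times around the backup, 2oG's runs mount, backups and dismount as separate jobs a few minutes apart. The added example below is not from either poster; it registers a single task that runs one script in which the mount, the backup job and the dismount follow each other in sequence, so the volume goes offline when the backup actually finishes rather than at a guessed time, and it locks down the folder the script lives in. The folder C:\Admin, the script name protected-backup.ps1 (assumed to exist; its body is not shown here), the task name and the 00:01 start time are placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example, not a script from this thread. Placeholders: C:\Admin,
# protected-backup.ps1 (assumed to exist and to do mount -> backup -> dismount),
# the task name and the start time.

$ScriptDir  = 'C:\Admin'
$ScriptPath = Join-Path $ScriptDir 'protected-backup.ps1'
$TaskName   = 'ProtectedBackup'

function Protect-ScriptFolder {
    # A task running as SYSTEM executes whatever is in this file, so neither the
    # file nor its folder may be writable by ordinary users. A folder created
    # directly under C:\ inherits 'Authenticated Users: Modify' on its contents,
    # so inheritance is cut and only SYSTEM and Administrators get access.
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)          # stop inheriting, drop inherited ACEs
    foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($rule)               # drop any explicit ACEs too
    }
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    foreach ($id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
            $id, 'FullControl', $inherit, 'None', 'Allow')))
    }
    Set-Acl -Path $Path -AclObject $acl
}

function Register-ProtectedBackupTask {
    param([string]$Name = $TaskName, [string]$Script = $ScriptPath, [string]$At = '00:01')
    $action = New-ScheduledTaskAction -Execute "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe" `
        -Argument "-NoProfile -NonInteractive -ExecutionPolicy Bypass -File `"$Script`""
    $trigger = New-ScheduledTaskTrigger -Daily -At $At
    # SYSTEM at highest run level: Set-Disk / diskpart need elevation, and the job
    # then does not depend on anyone being logged on.
    $principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' `
        -LogonType ServiceAccount -RunLevel Highest
    # Never start a second copy while one runs (it would dismount under the first).
    # No short ExecutionTimeLimit: Task Scheduler enforces it by killing
    # powershell.exe, which would skip the script's own dismount step.
    $settings = New-ScheduledTaskSettingsSet -MultipleInstances IgnoreNew `
        -StartWhenAvailable -DontStopIfGoingOnBatteries
    Register-ScheduledTask -TaskName $Name -Action $action -Trigger $trigger `
        -Principal $principal -Settings $settings -Force
}

function Test-ProtectedBackupTask {
    # Confirm the task runs as SYSTEM elevated and that no identity other than
    # SYSTEM / Administrators holds write-type rights on the script folder.
    param([string]$Name = $TaskName, [string]$Dir = $ScriptDir)
    $task = Get-ScheduledTask -TaskName $Name -ErrorAction Stop
    $runsAsSystem = ($task.Principal.UserId -like '*SYSTEM') -and ($task.Principal.RunLevel -eq 'Highest')
    $dangerous = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
    $writable = (Get-Acl -Path $Dir).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -notin @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') -and
        (($_.FileSystemRights -band $dangerous) -ne 0)
    }
    return [bool]($runsAsSystem -and -not $writable)
}

# Usage (elevated):
#   Protect-ScriptFolder -Path $ScriptDir
#   Register-ProtectedBackupTask | Out-Null
#   if (-not (Test-ProtectedBackupTask)) { Write-Warning 'task principal or folder ACL not as expected' }
```

The folder ACL is the part most such setups skip: with the script writable by the logged-on user, malware running as that user only has to edit it to run as SYSTEM at the next 00:01, which is a worse outcome than an encrypted backup drive.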
Hey attar, How are you coming along with your Backup system? I have made a few little changes to my plan because I ran across a program that I had forgotten that I had. It converts .bat files to .exe and I can use CMD commands instead of messing with diskpart scripts.. Hell, I'm just getting old and take the shortest, easiest path to get from point a to point b, lol. Let me know how you come out on that 5 drive backup system. I'm impressed! ..... really. I hope it works out for you. But for me....... NOT!.. lol 2oG