
Ransomware

Discussion in 'Windows - Virus and spyware problems' started by attar, Aug 15, 2016.

  1. attar

    attar Senior member

    Any thoughts on this ransomware that's going around?
    Supposedly any drive connected to the PC is at risk.
    I was wondering if a good ploy to protect my backups in my external enclosure would be to 'remove' the disk using a utility like 'HotSwap'.
    The drive now becomes invisible at the command level, and when I want to access it again, run 'diskpart' then 'rescan' - or do the cunning dogs also have that covered?
     
  2. ddp

    ddp Moderator Staff Member

    Which ransomware, or do you mean all of them?
     
  3. 2oldGeek

    2oldGeek Active member

    Hey attar,
    I don't have time to go over what I do, but the following is basically what I do... Look it over and I'll have some time to go over my plan with you maybe this week.. I have never thought about HotSwap, but maybe I'll give it a good look.

    QUOTE:
    Re: How to protect against CryptoLocker (ransom) type Trojans
    Posted: 10-Jan-2015 | 2:44PM • Permalink

    Something that might work is to keep the USB WD Drive volume unmounted until you run the backup job. I'm not sure, but I've read elsewhere that ransomware encryption variants won't access unmounted drive volumes. I don't know if some ransomware variants will mount volumes that were previously unmounted.

    Since you're running a Raid array, I'm not sure how this would work but I think it would work the same way as a single USB backup drive. I used to run an internal Raid 1 array on my Desktop PC but removed it since it doesn't protect against malicious intrusions (malicious content will be mirrored to the companion drive).

    For example, a script using "Diskpart" could be run to mount a backup volume before running the backups and then unmount the volume when the backup job completes. That would allow the backup drive to remain connected (USB, etc) to the parent PC when not in use.

    One example would be something like this, where you could run the script manually before a backup job begins or run it unattended from Windows Task Scheduler a couple of minutes before a scheduled backup job begins.


    Create a CMD batch file containing this:


    cd \
    diskpart /s C:\Users\your_name\Desktop\mount_drive.txt

    Then, create a notepad/txt file on your Desktop with the same name as above (mount_drive.txt) that includes this:


    select volume #
    assign letter=x
    exit


    After the backup job completes, an "unmount" script can be run similar to the previous script:


    select volume #
    remove letter x: dismount
    exit

    Here's an example screencap of what's currently mounted on my PC using Diskpart. Volume 5 is a Flash Drive with the letter "f" volume on the drive. I used manual commands to simulate what can be automated with a batch file, repeating some of the "list" commands to illustrate the "*" mark indicating that Diskpart has selected the correct drive.

    Microsoft DiskPart version 6.1.7601
    Copyright (C) 1999-2008 Microsoft Corporation.
    On computer: JEFF-PC


    DISKPART> list volume


    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    Volume 0 D DVD-ROM 0 B No Media
    Volume 1 System Rese NTFS Partition 197 MB Healthy System
    Volume 2 C NTFS Partition 931 GB Healthy Boot
    Volume 3 E Videos NTFS Partition 465 GB Healthy
    Volume 4 H GoFlex 1 NTFS Partition 465 GB Healthy
    Volume 5 F FLASH STICK FAT32 Removable 15 GB Healthy


    DISKPART> select volume 5


    Volume 5 is the selected volume.


    DISKPART> list volume


    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    Volume 0 D DVD-ROM 0 B No Media
    Volume 1 System Rese NTFS Partition 197 MB Healthy System
    Volume 2 C NTFS Partition 931 GB Healthy Boot
    Volume 3 E Videos NTFS Partition 465 GB Healthy
    Volume 4 H GoFlex 1 NTFS Partition 465 GB Healthy
    * Volume 5 F FLASH STICK FAT32 Removable 15 GB Healthy


    DISKPART> remove letter f: dismount


    DiskPart successfully removed the drive letter or mount point.

    DiskPart successfully dismounted and offlined the volume.


    DISKPART> list volume


    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    Volume 0 D DVD-ROM 0 B No Media
    Volume 1 System Rese NTFS Partition 197 MB Healthy System
    Volume 2 C NTFS Partition 931 GB Healthy Boot
    Volume 3 E Videos NTFS Partition 465 GB Healthy
    Volume 4 H GoFlex 1 NTFS Partition 465 GB Healthy
    * Volume 5 FAT32 Removable 15 GB Healthy


    DISKPART> assign letter=f


    DiskPart successfully assigned the drive letter or mount point.


    DISKPART> list volume


    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    Volume 0 D DVD-ROM 0 B No Media
    Volume 1 System Rese NTFS Partition 197 MB Healthy System
    Volume 2 C NTFS Partition 931 GB Healthy Boot
    Volume 3 E Videos NTFS Partition 465 GB Healthy
    Volume 4 H GoFlex 1 NTFS Partition 465 GB Healthy
    * Volume 5 F FLASH STICK FAT32 Removable 15 GB Healthy


    DISKPART>

    Just my opinion, the best method for protection against malicious occurrences is to have redundant backups on devices that are disconnected from the parent PC except when backup jobs are processing.

    I am using a continuously-connected USB HDD for my unattended scheduled specific-item backups but that's for recovery scenarios that don't include encryption ransomware incidents.

    I have 3 backup copies on a couple of Flash drives and an external USB HDD that contain my most important items on my PC. These drives are separate from multiple full-HDD backup options and are disconnected from my PC except during the actual file copying process.

    I use a "file copy" script to copy my items over to the backup drives to minimize the time that the drives are connected to the PC.

    END QUOTE

    Look that over and I'll get back with you to let you know just what I'm doing......

    2oG :)
     
  4. attar

    attar Senior member

    Ransomware in general.
     
  5. attar

    attar Senior member

    Yes, that's the idea - except I thought I was being original.
    Another line of thought might be removing the disk letters from the backup disks and using a script to locate the drive by its name - "Slim" or "HP" - since the name stays with the drive, the designated letter notwithstanding.
    I already use that method in a script to clone my C drive to a backup in a caddy.
     
  6. 2oldGeek

    2oldGeek Active member

    You're getting the idea.. You use the Volume # to find a drive with the letter removed, it doesn't change until you delete that drive (partition) and create a new one.... Hang in there, I'll give you some good stuff. :cool:

    2oG
     
  7. attar

    attar Senior member

    I used this to verify that the backup drive accepts incremental backups and that my backup drives go offline when the backup finishes.
    This bat file will have to be modified for each backup drive and run using Task Scheduler - (or manually - this is why it checks for an Admin) .

    @echo off

    :start
    set randname=%random%%random%%random%%random%%random%
    rem creating a folder under C:\Windows only works when elevated, so use it as the admin test
    md c:\windows\%randname% 2>nul

    if %errorlevel%==0 (echo Administrator detected!!!
    goto end2)

    echo Must be run as Administrator: try again

    pause >nul
    exit

    :end2
    @echo off
    rd c:\windows\%randname% 2>nul

    rem bring every HotSwap!-managed drive online, then take the ones this job does not need back offline
    hotswap! -s

    echo enable all
    timeout /t 5 /nobreak
    HotSwap! p: -Q
    hotswap! p:\

    timeout /t 5 /nobreak
    HotSwap! q: -Q
    hotswap! q:\

    timeout /t 5 /nobreak
    HotSwap! r: -Q
    hotswap! r:\

    timeout /t 5 /nobreak
    HotSwap! h: -Q
    hotswap! h:\

    timeout /t 5 /nobreak
    echo all off
    rem pause
    rem locate the destination volume by its label, so the script does not depend on a fixed drive letter
    for /f "delims=" %%a in ('WMIC Path Win32_volume where "Label='ndrive'" Get DriveLetter /format:list') do >nul 2>&1 set "SystemVolume_%%a"
    SET _test=%SystemVolume_DriveLetter%
    SET _result=%_test::=%
    ECHO %_result%
    rem if the volume was not found, _test is undefined and the substitution leaves ":=" behind
    if "%_result%" == ":=" goto testit
    echo %_result%:

    AMBackup /b inc /s "%_result%:\C System Backup To N\C System backup To N.adi"
    AMBackup /b inc /s "%_result%:\e disk backup\e disk backup.adi"
    pause
    Rem the following label command is only required if a disk is being cloned:
    Rem label %_result%: ndrive
    rem take the destination drive offline again now that the backup has finished
    HotSwap! %_result%:
    exit
    :testit
    cls
    Echo destination drive not detected: check connections and try again
    pause
    exit
     
  8. 2oldGeek

    2oldGeek Active member

    Hey attar,
    I'm sorry for the delay. I really wanted to comment on this, but my wife has been really sick and I've been really busy..
    I don't have a Raid array at home so have never tried anything like this. First of all: does it work?
    I see what you are trying but don't really understand all of it. o_O lol
    Later tonight I will lay out what I am doing with my backups (I use the KISS factor) and maybe you will get some ideas from that..

    see you later,
    2oG :)
     
  9. attar

    attar Senior member

    My external drives are used by a program called AOMEI Backupper to store daily backups of my C drive to drives N O P Q R (Mon, Tue, Wed etc on daily rotation).
    AOMEI is called from Windows Task Scheduler to create these backups.
    I also use a program called HotSwap! to take these drives offline or online.

    Instead of creating multiple batch files for each of the backup drives, I use two simplified generic bat files.
    The first file is scheduled to bring the external disks online a couple of minutes before the scheduled backups run.
    The second file is scheduled to take the external disks offline a few minutes after the scheduled backups end.
    I know the start time of the backups and from experience I can estimate when the backups are complete.

    The drives go on and offline as expected, the only niggle is that as they come online, 'Autoplay' pops up a window per drive.
    I get around that by using a registry file to suppress 'Autoplay' for all drives.
    When offline, the drives are invisible to the system; neither DOS nor the Management Console sees them.

    Here are the bat file listings: 1 brings the drives online, 2 takes the drives offline.

    1.
    hotswap! -s
    timeout /t 10 /nobreak >nul
    cls
    echo drives N O P Q R are going online
    timeout /t 3 /nobreak >nul
    exit

    2.
    echo wait...
    echo drives N O P Q R are going offline....
    HotSwap! N: -Q
    hotswap! N:\

    HotSwap! O: -Q
    hotswap! O:\

    HotSwap! p: -Q
    hotswap! p:\

    HotSwap! q: -Q
    hotswap! q:\

    HotSwap! r: -Q
    hotswap! r:\

    rem HotSwap! h: -Q
    rem hotswap! h:\
    cls
    echo drives N O P Q R offline...
    timeout /t 3 /nobreak >nul

    exit
     
  10. 2oldGeek

    2oldGeek Active member

    Hi attar,
    Over the past 15 years I have built hundreds of computers for customers that I usually rank as a “User” in ability, i.e., more knowledgeable than a Newbie but less than Advanced. Therefore, I work with them in order to set up their new computer and tailor it for their needs…. There is no “one size fits all” in a security plan, some want all Free programs, others don’t mind paying for them, others want to sync their phone and lappy, etc., etc.

    In my opinion, a backup strategy forms a crucial part of a layered security plan. Consider where you would be if your security strategy failed. If you’ve ever lost critical data to a malware infection, or had a hard drive crash, no doubt you already consider it of primary importance. Just slightly less important than your heartbeat!

    When you create a partition, a drive letter and volume number are assigned to it. Just remember that you can change or remove the drive letter/name, but the volume number will never change. Therefore, you will always be able to locate that partition using the volume #, no matter if it has a letter, a name or not. If you delete a partition, the volume # is gone but will be used when the next partition is created; therefore, you must keep up with it. lol

    When you assign a drive letter to a backup partition that will have the letter removed, then; in order to keep the drive letter from being used again, always select a letter at the last of the alphabet like W, X, Y or Z. When assigning a letter, the computer will select the next un-used drive letter, in alphabetical order, that is not being used. Therefore; if you assign a letter on the tail of the list it is unlikely that it will ever be re-assigned so you can always use that same letter for your backup partition.

    I am not aware of any malware that is able to mount an un-mounted drive, though I imagine that it's not outside the realm of possibility. That is why I always keep a disconnected drive with a backup….


    What I actually meant was: I understand what you are doing, I just can’t understand why!


    I use AOMEI pro and recommend it for my customers. Not necessarily for the command lines but mostly for the auto clean up. AFAIK, Auto cleanup is not implemented in the command lines at this time.


    This computer has (4) 1TB drives, 3 inside and 1 external in a cabinet with its own power supply.
    A schedule runs the following daily at 12:01 am after I am in the bed, usually. Then shuts the computer down for the night:

    -- Mount drives.bat --

    rem turn the internet OFF for the duration of the job
    ipconfig /release
    rem select the main directory
    cd \
    rem run the diskpart script that mounts the backup volume
    diskpart /s C:\Users\oldgeek\Desktop\mount_drives.txt

    -- mount drives.txt --

    rem volume 11 is my 3rd drive
    select volume 11
    assign letter=x
    exit


    Now there will be 2 scheduled AOMEI backups, differential with auto cleanup (I have reasons that I do not like incremental) about 6 minutes apart that backup the system and my data files to x.

    After the backups, a dismount is scheduled.

    -- dismount drives.bat --

    cd \
    diskpart /s C:\Users\oldgeek\Desktop\dismount_drives.txt
    rem shut the computer down once diskpart has returned (nothing after 'exit' in a diskpart script runs, so this has to be in the .bat)
    shutdown /s


    -- dismount drives.txt --

    select volume 11
    remove letter x: dismount
    rem exit diskpart
    exit


    I also have a 3 day a week schedule to backup to an external drive that has the USB port turned off. Don’t think malware can get into it because it requires a reboot to turn it on.

    Not gonna list all of that unless you are interested. lol :rolleyes:


    2oG :)
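The mount-run-dismount routine that the quoted post (diskpart scripts) and 2oldGeek's own schedule describe, together with attar's idea of finding the volume by label rather than by letter, combined into one PowerShell script. This is an added example, not code from anyone in the thread; the label 'BACKUP-X', the letter X, the optional disk number and $BackupCommand are placeholders for your own backup job.

```powershell
# Added example (not from the thread): expose a backup volume by drive letter only while a
# backup job runs, then hide it again so it is unreachable by file path the rest of the time.
# Placeholders: label 'BACKUP-X', letter 'X', optional $DiskNumber, and $BackupCommand.
# Requires an elevated PowerShell on Windows 8 / Server 2012 or later (Storage module cmdlets).
param(
    [string]$Label         = 'BACKUP-X',   # label given to the partition when it was created
    [string]$Letter        = 'X',          # tail-of-alphabet letter, so Windows will not reuse it
    [int]   $DiskNumber    = -1,           # optional: disk kept offline between jobs (HotSwap!-style)
    [string]$BackupCommand = 'echo backup job placeholder'
)
$ErrorActionPreference = 'Stop'

# Mounting and dismounting volumes needs an elevated prompt, so check before doing anything.
$principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script as Administrator.'
}

# Step 1: if the whole disk is kept offline between jobs, bring it online first.
if ($DiskNumber -ge 0) { Set-Disk -Number $DiskNumber -IsOffline $false }

# Step 2: find the partition by its label; the drive letter may already have been removed.
$partition = Get-Volume -FileSystemLabel $Label | Get-Partition
if (-not $partition) { throw "No volume labelled '$Label' found: check connections and try again." }

try {
    # Step 3: give it a letter only for the duration of the job.
    $partition | Add-PartitionAccessPath -AccessPath "${Letter}:\"
    Write-Host "Backup volume mounted as ${Letter}: - running job"
    cmd.exe /c $BackupCommand
    if ($LASTEXITCODE -ne 0) { throw "Backup command exited with code $LASTEXITCODE" }
}
finally {
    # Step 4: always dismount, even if the job failed, so the volume is not left exposed.
    Write-VolumeCache -DriveLetter $Letter                     # flush pending writes first
    $partition | Remove-PartitionAccessPath -AccessPath "${Letter}:\"
    $partition | Set-Partition -NoDefaultDriveLetter $true     # stop Windows re-assigning a letter
    if ($DiskNumber -ge 0) { Set-Disk -Number $DiskNumber -IsOffline $true }
    Write-Host 'Backup volume hidden again'
}
```

Schedule it from Task Scheduler with "Run with highest privileges" ticked, as the thread does with its .bat files; the try/finally means a crashed or interrupted backup job still leaves the volume without a letter.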
     
  11. 2oldGeek

    2oldGeek Active member

    Hey attar,
    How are you coming along with your Backup system?
    I have made a few little changes to my plan because I ran across a program that I had forgotten that I had. It converts .bat files to .exe and I can use CMD commands instead of messing with diskpart scripts.. Hell, I'm just getting old and take the shortest, easiest path to get from point a to point b, lol. Let me know how you come out on that 5 drive backup system. I'm impressed! ..... really. I hope it works out for you. But for me....... NOT!.. lol

    2oG :)
     
