rektech

Ransomware Question

Hi, I have Resilio Home Pro. I use it to back up my wife's and my data. I just had a customer at my work get hit by ransomware, and they lost everything. That got me thinking. My wife works with her dad for their family deck business, and he's not very knowledgeable with technology and will just open any file sent to him. If he downloaded some ransomware file and it got onto my wife's computer, is there any kind of safeguard in Resilio Sync that would keep the ransomware from being synced to the rest of my computers?


I've had similar thoughts with systems set up to share between users of varying skill. I've thought Sync would keep the older versions of deleted or encrypted files for 30 days before removing them... it might be a safeguard.

Maybe someone can comment on this scenario:

A user clicks on something and is infected by ransomware. All of the files that were being synced in a certain directory get encrypted. On other computers that receive the updated (now encrypted) files, does Sync maintain the non-encrypted versions for 30 days?


Sean


Resilio Sync is a two-way sync and thus not a backup!

Resilio Sync stores the old file in a so-called Archive folder as a very, very basic 'backup'. So in the case of ransomware encrypting all files on computer A, these encrypted files will get synced to computer B, but on computer B Resilio Sync copies the unencrypted files to the Archive folder first.

Still, because it's a two-way sync, it's not a backup. It's more likely that the ransomware infects computer B through the network too, and thus encrypts all files there too, including the archive.

So don't skip the backup and don't omit an AV scanner on each computer, even if some people think they don't need one.


It wouldn't seem impossible for Resilio to detect if a file's "magic bytes" changed (by being encrypted)... or when many files in a folder get deleted and they're about to be erased from all the synced locations... Resilio could show a warning in such a case, perhaps, to verify whether the user really had just encrypted or deleted half of their files... orrrr maybe not, and it's time to mark THESE data as infected and restore them from the "cloud".


It's impossible for Resilio Sync.

  1. It's a sync and not a backup. For ransomware you need a working backup and nothing else! Every other solution might or might not work, depending on the ransomware. If you have ransomware, it's very likely the remote location has it too, so it would be useless for Resilio Sync to tell me that files got encrypted if they get encrypted on each PC independently. That's why you need a backup, preferably an offline backup!
  2. Resilio has a basic backup which prevents the destruction of remote files due to ransomware or deletion: the archive folder. I don't see why they should implement another additional layer if you could simply install an AV scanner on your PC to detect ransomware. So what don't you like about the archive folder?
  3. Resilio Sync works in the background, and the less I notice its presence the better. This means if I edit a lot of files (e.g. batch image editing) I don't want to get disturbed by some stupid warnings that a lot of files got changed recently. I know. That's why I'm doing it. I also don't want additional CPU load.

So again, what's wrong with the archive folder?

What's wrong with using an AV scanner?


"We're a TV station, not a data analysis service; it's not our problem if that DVD with a commercial you sent in was broken in half. We'll just emit 10 seconds of white noise and charge you the normal screen time rate, even though we could have you provide another medium." That's the approach you're presenting. Sure, a sync program is a sync program, but it's not uncommon at all for programs to interface with each other for a combined purpose.

1. It's not at all likely the remote location has ransomware too if it's on a different platform or hosting service altogether. 

2. Is it practical to have my ENTIRE file collection in the archive folder? I have yet to use Resilio, so you'll have to judge for me.

3. Don't like a feature? Turn it off. Don't like confirmation messages popping up? Turn them off. "Thanks for asking, but I am, in fact, updating large numbers of files right now. Stop asking for, say, a day."

Nothing's wrong with using an AV scanner; that's a ridiculous question. Not all viruses and ransomware get detected quickly enough for everyone to get their AV databases updated. Pretty much everyone's running Windows Defender now, and look, ransomware attacks spread like wildfire anyway. So apparently not all AV packages are equal.

Then there's the accidental deletion, of course, with no malware involved. Oops, I pressed the wrong button, and the program I was using adopted the approach you outlined yourself: it wasn't built to prevent the user doing damage to their files, so they didn't build any "are you sure?" messages in. Now my files are gone... ah, but they're on my mobile. DOH! Not anymore! STOP! ABORT! Too late.

So tell me, is it really that absurd to propose some sort of plugin solution (no feature creep) that could prevent or otherwise influence syncing in specific cases?

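The "magic bytes changed" and "half the folder deleted" heuristics proposed earlier in the thread, and the batch-editing false-positive objection raised against them, can both be made concrete. The following is an added example, not Resilio code and not a feature the product offers: a Python sketch of how a sync client (or a plugin in front of it) could score an incoming batch of changes before writing them. The signature table, the entropy threshold of 7.5 bits/byte, the minimum batch size and the 50% ratio are all assumptions chosen for illustration, and the sample batches are constructed in the script, not captured from a real machine.

```python
import math
import os
import random
from collections import Counter

# Header bytes for a few common types. Assumed and not exhaustive: a real
# implementation would use a fuller signature table (for example libmagic).
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".pdf": (b"%PDF-",),
    ".docx": (b"PK\x03\x04",),
    ".xlsx": (b"PK\x03\x04",),
    ".zip": (b"PK\x03\x04",),
}

ENTROPY_THRESHOLD = 7.5   # bits per byte; ciphertext and random data sit close to 8.0
SAMPLE_BYTES = 4096       # only the head of each file is inspected


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant run, 8.0 for uniform random."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(name: str, data: bytes) -> bool:
    """Per-file heuristic: does this changed file look like ransomware output?

    Known extension: suspicious only if the header no longer matches AND the
    content is near-random. A recompressed JPEG keeps FF D8 FF, so it passes.
    Unknown extension (e.g. 'invoice.pdf.locked'): only the entropy says anything.
    """
    ext = os.path.splitext(name)[1].lower()
    high_entropy = shannon_entropy(data[:SAMPLE_BYTES]) >= ENTROPY_THRESHOLD
    expected = MAGIC.get(ext)
    if expected is not None:
        return high_entropy and not any(data.startswith(m) for m in expected)
    return high_entropy


def assess_batch(changes, deletions, folder_file_count, min_files=10, ratio=0.5):
    """Decide whether a batch of incoming changes should be held for confirmation.

    changes: list of (relative_name, new_bytes) the peer wants written.
    deletions: list of relative names the peer wants removed.
    folder_file_count: number of files in the folder before this batch.
    The batch is held only when at least min_files are affected AND at least
    `ratio` of them are suspicious, so a handful of odd files never triggers it.
    """
    suspicious = [name for name, data in changes if looks_encrypted(name, data)]
    mass_encrypt = len(changes) >= min_files and len(suspicious) >= ratio * len(changes)
    mass_delete = (len(deletions) >= min_files and folder_file_count > 0
                   and len(deletions) >= ratio * folder_file_count)
    return {"hold": mass_encrypt or mass_delete,
            "mass_encrypt": mass_encrypt,
            "mass_delete": mass_delete,
            "suspicious": suspicious}


def constructed_batches():
    """Constructed sample batches (not real captures), deterministic via a seeded PRNG."""
    rng = random.Random(20240101)

    def ciphertext():
        return rng.randbytes(SAMPLE_BYTES)   # stands in for encrypted file content

    # Ransomware: every photo rewritten as near-random bytes under a new extension
    ransom = [(f"photos/img{i:02d}.jpg.locked", ciphertext()) for i in range(12)]
    # Batch image optimisation: same files, still valid JPEG headers, high-entropy body
    optimised = [(f"photos/img{i:02d}.jpg", b"\xff\xd8\xff\xe0" + ciphertext()) for i in range(12)]
    # One unknown-type archive dropped in among text edits: must not hold the batch
    mixed = [("notes.txt", b"meeting notes\n" * 50), ("scan.7z", ciphertext())]
    return {"ransom": ransom, "optimised": optimised, "mixed": mixed}


if __name__ == "__main__":
    for label, batch in constructed_batches().items():
        print(label, assess_batch(batch, deletions=[], folder_file_count=100))
    print("mass delete", assess_batch([], [f"doc{i}.pdf" for i in range(40)], 50))
```

Running it shows the trade-off the thread argues about: the ransomware batch is held, the batch of optimised JPEGs is not (the header survives recompression), and a single unknown-type archive never crosses the batch threshold. An encrypted file that keeps its original header, or a sync of a folder that was already encrypted on both sides, is not caught, which is the same reason the other poster insists on an offline backup.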

What you're asking for is what the archive folder does for you already.

E.g. I have PC A, PC B and one NAS synced.
I delete my entire collection on PC A; on PC B and the NAS the entire collection will get moved to the archive folder, from where I can copy it back on PC B or the NAS.
I modify my entire collection on PC A (e.g. optimize the images; I did this just a few weeks ago, so the same as ransomware would do). On PC B and the NAS all files will get moved to the archive folder and the new files synced. So I could restore the files on PC B and the NAS from the archive if I did something wrong. In reality I had to delete the archive afterwards to free some space.

Nevertheless, I have an incremental daily backup too. So whenever I do something stupid, I could restore the files from the daily backup as well.

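The archive behaviour described in the two posts above (the receiving side moves its current copy into an archive folder before applying a remote overwrite or delete, and the archive is pruned after a retention period) is easy to model. The following is an added example written for this thread, not Resilio's implementation: a small Python module that mimics that receive-side versioning on a local folder, then runs the scenario from the thread end to end. The `.sync/Archive` path is modelled on Resilio's per-folder archive but is an assumption here, the numbered-suffix layout and the 30-day pruning are this example's own conventions, and the "encrypted" content is a constructed stand-in.

```python
import shutil
import tempfile
import time
from pathlib import Path

# Assumed archive location inside a synced folder, modelled on Resilio's layout.
ARCHIVE_DIR = ".sync/Archive"


def _next_archive_path(archive_root: Path, rel_path: str) -> Path:
    """First unused numbered slot for rel_path under the archive (file.txt.1, file.txt.2, ...)."""
    base = archive_root / rel_path
    n = 1
    while base.with_name(f"{base.name}.{n}").exists():
        n += 1
    return base.with_name(f"{base.name}.{n}")


def _archive_current(root: Path, rel_path: str):
    """Move the live copy of rel_path into the archive; returns the archive path or None."""
    target = root / rel_path
    if not target.is_file():
        return None
    dest = _next_archive_path(root / ARCHIVE_DIR, rel_path)
    dest.parent.mkdir(parents=True, exist_ok=True)
    shutil.move(str(target), str(dest))
    return dest


def receive_update(root, rel_path: str, new_bytes: bytes):
    """A peer sent a changed file: archive the local copy first, then write the new content."""
    root = Path(root)
    _archive_current(root, rel_path)
    target = root / rel_path
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_bytes(new_bytes)


def receive_delete(root, rel_path: str):
    """A peer deleted a file: move the local copy into the archive instead of unlinking it."""
    _archive_current(Path(root), rel_path)


def archived_versions(root, rel_path: str):
    """All archived versions of rel_path, oldest first."""
    base = Path(root) / ARCHIVE_DIR / rel_path
    if not base.parent.is_dir():
        return []
    prefix = base.name + "."
    found = [p for p in base.parent.iterdir()
             if p.name.startswith(prefix) and p.name[len(prefix):].isdigit()]
    return sorted(found, key=lambda p: int(p.name[len(prefix):]))


def restore(root, rel_path: str, version: int = -1) -> bytes:
    """Copy an archived version (default: the newest) back into place and return its bytes."""
    versions = archived_versions(root, rel_path)
    if not versions:
        raise FileNotFoundError(f"no archived version of {rel_path}")
    data = versions[version].read_bytes()
    target = Path(root) / rel_path
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_bytes(data)
    return data


def prune_archive(root, max_age_days: int = 30, now: float = None):
    """Delete archive entries older than max_age_days (30 is the figure the thread mentions)."""
    now = time.time() if now is None else now
    cutoff = now - max_age_days * 86400
    removed = []
    for p in (Path(root) / ARCHIVE_DIR).rglob("*"):
        if p.is_file() and p.stat().st_mtime < cutoff:
            p.unlink()
            removed.append(p)
    return removed


def demo() -> dict:
    """PC B's view: A's files get encrypted, the changes arrive, B restores from its archive."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed originals: minimal JPEG-like headers plus filler
        originals = {f"photos/img{i}.jpg": b"\xff\xd8\xff\xe0" + bytes([i]) * 64 for i in range(5)}
        for rel, data in originals.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
        # What ransomware on A typically produces: a new .locked file and the original removed
        for rel in originals:
            receive_update(root, rel + ".locked", b"constructed ciphertext stand-in" + bytes(32))
            receive_delete(root, rel)
        gone = not any((root / rel).exists() for rel in originals)
        versions = len(archived_versions(root, "photos/img0.jpg"))
        restored = {rel: restore(root, rel) for rel in originals}
        # 31 days later the archive would have been pruned, and with it the only clean copies
        pruned = len(prune_archive(root, max_age_days=30, now=time.time() + 31 * 86400))
        return {"gone": gone, "versions": versions,
                "restored": restored == originals, "pruned": pruned}


if __name__ == "__main__":
    print(demo())
```

Two things the run makes visible: the archive only protects the copies that were already on the receiving machine before the bad change arrived, and it only does so until retention expires, so the originals are gone for good once `prune_archive` has run. Nothing in this model stops a process on the same machine from encrypting the archive directory itself, which is the caveat the thread raises against treating it as a backup.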
