Re: Backup and ransomware Was: alg5 accidentently deleted a folder and emptied trash

2016-03-08 Thread Valter Prahlad
On 08/03/16 08.16, "G3-5 List" wrote:

> If I use CCC to update a clone backup more frequently than every 72 hours,
> when I discover I've been "ransomwared" won't it be too late, i.e., the clone
> will have been contaminated too, right?

Well, yes and no.

As long as the backup happened BEFORE the malware started encrypting your
HD, the backup would contain the malware (Transmission 2.90 in this case),
but its data would remain clean, NOT encrypted.
The encryption happens only (AFAIK) when the malware is active and running,
not just because the malware is on a disk.

Hence, you could clean your Mac's HD, remove the malware from the backup,
and restore the backup; and everything should be fine.
Of course I would keep an eye on which Transmission version I would be
running.

As others have noted, backup disks can easily be compromised by malware when
they are connected 24/7. As long as a disk is on its own (not connected),
no software can alter its content whatsoever.

A good backup strategy would be having an always-connected backup disk (e.g.
using Time Machine), and another disk for periodic backups (e.g. once a
week), maybe stored offsite.
This strategy would offer the safety of both an up-to-date backup, and a
backup safe from whatever is happening to your computer right now (be it
malware, a thief, fire, etc.).


-- 
-- 
You received this message because you are a member of G-Group, a group for 
those using G3, G4, and G5 desktop Macs - with a particular focus on Power Macs.
The list FAQ is at http://lowendmac.com/lists/g-list.shtml and our netiquette 
guide is at http://www.lowendmac.com/lists/netiquette.shtml
To post to this group, send email to g3-5-list@googlegroups.com
For more options, visit this group at http://groups.google.com/group/g3-5-list

--- 
You received this message because you are subscribed to the Google Groups 
"G-Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to g3-5-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
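
Added example, not part of the original post: one way to locate copies of the application version named in the message above (Transmission 2.90) on a mounted backup before restoring it, by reading each .app bundle's Info.plist. Matching on `CFBundleName` and `CFBundleShortVersionString`, the function names, and the sample directory tree are assumptions made for this illustration.

```python
import plistlib
import tempfile
from pathlib import Path

# Name/version pair taken from the thread. A match only means "this is that
# release"; it is not by itself proof that the copy is the trojanized one.
FLAGGED = {("Transmission", "2.90")}

def find_flagged_apps(backup_root, flagged=FLAGGED):
    """Return sorted (bundle_path, name, version) for flagged .app bundles."""
    hits = []
    for plist_path in Path(backup_root).rglob("Info.plist"):
        bundle = plist_path.parent.parent
        # Only consider <Something>.app/Contents/Info.plist
        if plist_path.parent.name != "Contents" or bundle.suffix != ".app":
            continue
        try:
            with plist_path.open("rb") as fh:
                info = plistlib.load(fh)
        except Exception:
            continue  # unreadable or damaged plist: skip, do not abort the scan
        if not isinstance(info, dict):
            continue
        name = info.get("CFBundleName", bundle.stem)
        version = str(info.get("CFBundleShortVersionString", ""))
        if (name, version) in flagged:
            hits.append((str(bundle), name, version))
    return sorted(hits)

def _make_app(root, rel, name, version):
    """Create a minimal constructed .app bundle for the demo."""
    contents = Path(root, rel, "Contents")
    contents.mkdir(parents=True)
    with (contents / "Info.plist").open("wb") as fh:
        plistlib.dump({"CFBundleName": name,
                       "CFBundleShortVersionString": version}, fh)

def demo():
    """Scan a constructed backup tree; paths are returned relative to it."""
    with tempfile.TemporaryDirectory() as root:
        _make_app(root, "Applications/Transmission.app", "Transmission", "2.90")
        _make_app(root, "Users/me/Apps/Transmission.app", "Transmission", "2.84")
        _make_app(root, "Applications/Notes.app", "Notes", "2.90")
        return [(Path(p).relative_to(root).as_posix(), n, v)
                for p, n, v in find_flagged_apps(root)]

if __name__ == "__main__":
    for path, name, version in demo():
        print(f"flagged: {path} ({name} {version})")
```

On a real backup, pass the mounted volume's path to `find_flagged_apps` and review each hit before deleting anything.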


Re: Backup and ransomware Was: alg5 accidentently deleted a folder and emptied trash

2016-03-08 Thread Bruce Johnson

> On Mar 8, 2016, at 12:16 AM, 'TRGPN WebMaster' via G-Group 
>  wrote:
> 
> On Mar 7, 2016, at 3:12 PM, Bruce Johnson  
> wrote:
> 
> "In the light of the advent of Mac ransomware, however, I’m starting to think 
> that maybe keeping backups disconnected might be a good thing; if you get a 
> ransomware infection, all mounted volumes are going to be affected, which 
> would include a Time Machine volume. "
> 
> 
> If I use CCC to update a clone backup more frequently than every 72 hours, 
> when I discover I’ve been “ransomwared” won’t it be too late, i.e., the clone 
> will have been contaminated too, right?

Well, IF this is your only backup, it would require taking more steps to 
restore the data:

Nuke and pave the Mac with a clean install of the OS. Download something like 
MalwareBytes for Mac, clean up the backup disks 
and then restore the old data.

Pretty much what we did (only with Windows) for the prof here who got hit with 
Locky; fortunately Locky didn’t encrypt the system restore points that 
“Previous Versions” creates.

I’ve also read more about the Mac ransomware since and it appears that it 
tried, but was unable to encrypt Time Machine volumes; I’m not sure this was 
because of any special things Apple’s done (only the process backupd can write 
to a Time Machine volume, I’m not sure how hard or easy it would be to replace 
or override backupd to use it to corrupt a backup.) or simply because it was 
poorly written, and relies mainly on a user’s panic at losing everything to 
extort them.

-- 
Bruce Johnson
University of Arizona
College of Pharmacy
Information Technology Group

Institutions do not have opinions, merely customs



Backup and ransomware Was: alg5 accidentently deleted a folder and emptied trash

2016-03-08 Thread 'TRGPN WebMaster' via G-Group
On Mar 7, 2016, at 3:12 PM, Bruce Johnson  wrote:

"In the light of the advent of Mac ransomware, however, I’m starting to think 
that maybe keeping backups disconnected might be a good thing; if you get a 
ransomware infection, all mounted volumes are going to be affected, which would 
include a Time Machine volume. "


If I use CCC to update a clone backup more frequently than every 72 hours, when 
I discover I’ve been “ransomwared” won’t it be too late, i.e., the clone will 
have been contaminated too, right?

“…what would a poor boy do?” —Genesis
