Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Once a PC is infected with ransomware, the PC's hard drive and all disks/files attached to it (USB drives, network drives) will get encrypted.
In the worst case scenario the only way to recover from such an infection is to have a backup (at least of the most important files: docs, pictures etc.).
However, here is a scenario that bothers me:
1. The OS has been infected with ransomware.
2. Files on the disk(s) have started being encrypted (this process is ongoing now).
3. While point 2 (encrypting) is happening, the user attaches a USB drive to do a backup (e.g. rsync).
4. The backup/rsync is done. The USB drive is detached.
Now, part of the backed-up files have been encrypted but some have not.
The user realizes after the backup that his PC has been infected with ransomware. The PC's files are basically lost BUT some files on the backup USB drive are still good.
Question: what will happen if the backup USB disk is attached to a healthy/another PC?
(Probably the best way in this scenario would be to connect the backup USB to a PC with a different kind of OS than the infected PC had, but for the purpose of this case let's say it is going to be the same kind of OS.)
a. Healthy files can be restored/safely copied and the PC will not be infected.
b. The USB's files will continue to be encrypted and will also infect the PC.
c. Depending on the ransomware it might be A or B.
In my opinion, there is no such thing as a semi-infected system, the system is either infected or not, no matter how many files have actually been infected. If it is infected, it can't be trusted.
Multiple independent backups of both system and data should be made over time using an offline method (e.g. booting a backup/imaging program from a USB key) so that you are neither dependent on your own system files for the backup, nor on a single recovered snapshot if a system does get infected.
A RANSOM demand should be treated as a hard drive failure.
The reasons are simple: first, you have no assurance that the decrypt will work, or, even if it runs/appears to work, that your data will be accurate afterward.
Best to reformat the disk, re-install the O/S and restore your data.
If you don't have a backup, consider making one. I just use ZIP in a bash shell.
Guys, thanks for the answers but you all missed the point.
I have no ransomware infection. I do not need advice on how to do a full backup/backup. And so on...
I asked about a very specific scenario.
There are a variety of to-disk backup systems available for Linux, mostly based on rsync (like Apple's venerable Time Machine). You can also fairly-easily "homebrew" one, yourself.
The critical aspect is that it needs to be a multi-generational backup (making very frequent backups and keeping these for about two weeks, then cleaning up most of them so that (say) a daily backup is kept for a month, then weekly backups indefinitely, and so on).
Furthermore, the backups must be stored to a directory (on an external device) that is writeable only by the backup-daemon, which is a userid that can't be directly logged-on to. This effectively protects the data from modification and, if you wish, from disclosure.
And you keep this running ... all the time.
- - -
And, please, stop referring to these things as "infections." A digital computer is not a biological organism. It does not "get infected," period.
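The retention scheme the post above sketches (keep everything for about two weeks, one per day for a month, one per week indefinitely) and the requirement that only the backup user can write the repository can both be made concrete. The following is an added example written for this thread, not code from the post's author: it names snapshots by timestamp under one repository directory, builds the rsync command that hard-links unchanged files to the previous snapshot with `--link-dest` (a real rsync option), and decides which snapshots to delete. The tier lengths, the directory layout and the name format are my assumptions.

```python
"""Multi-generational rsync snapshots with a keep/prune policy.

Added example, not the thread author's code.  Assumptions: each snapshot is a
directory named by timestamp under one repo directory owned by a dedicated
backup user; each snapshot is an rsync copy that hard-links unchanged files to
the previous snapshot via --link-dest, so many generations cost little space.
"""
import stat
from datetime import datetime, timedelta
from pathlib import Path

STAMP = "%Y-%m-%dT%H%M"   # snapshot directory name, e.g. 2017-01-17T1100


def snapshot_name(when: datetime) -> str:
    return when.strftime(STAMP)


def parse_name(name: str) -> datetime:
    return datetime.strptime(name, STAMP)


def snapshots_to_keep(stamps, now, keep_all_days=14, daily_days=30):
    """Return the sorted subset of snapshot datetimes the policy retains.

    Iterates newest first, so the newest snapshot in each bucket survives:
      age <= keep_all_days -> keep every snapshot
      age <= daily_days    -> keep one per calendar day
      older                -> keep one per ISO week, indefinitely
    """
    keep, seen = [], set()
    for snap in sorted(stamps, reverse=True):
        age = now - snap
        if age <= timedelta(days=keep_all_days):
            keep.append(snap)
            continue
        if age <= timedelta(days=daily_days):
            bucket = ("day", snap.date())
        else:
            iso = snap.isocalendar()
            bucket = ("week", iso[0], iso[1])
        if bucket not in seen:
            seen.add(bucket)
            keep.append(snap)
    return sorted(keep)


def prune_plan(names, now):
    """Split existing snapshot directory names into (keep, delete) lists."""
    by_time = {parse_name(n): n for n in names}
    kept = {by_time[t] for t in snapshots_to_keep(by_time, now)}
    return sorted(kept), sorted(set(names) - kept)


def rsync_argv(source, repo, now, previous=None):
    """argv for one snapshot; --link-dest makes it incremental in space."""
    argv = ["rsync", "-aH", "--numeric-ids"]
    if previous:
        argv.append(f"--link-dest={repo}/{previous}")
    argv += [source.rstrip("/") + "/", f"{repo}/{snapshot_name(now)}/"]
    return argv


def repo_is_private(repo) -> bool:
    """True if the repo directory is accessible by its owner only (0700).

    The owner should be the backup user, not the interactive user: a repo the
    logged-in user can write is just another drive the ransomware encrypts.
    """
    mode = stat.S_IMODE(Path(repo).stat().st_mode)
    return mode & 0o077 == 0


if __name__ == "__main__":
    # Constructed sample: one snapshot every 6 hours for 40 days.
    now = datetime(2017, 1, 17, 12, 0)
    names = [snapshot_name(now - timedelta(hours=h)) for h in range(0, 24 * 40, 6)]
    keep, delete = prune_plan(names, now)
    print(f"{len(names)} snapshots: keep {len(keep)}, delete {len(delete)}")
    print(" ".join(rsync_argv("/home", "/backups", now, previous=keep[-1])))
```

Run the rsync step from cron as the backup user with the repository `chown`ed to that user and `chmod 700`; `repo_is_private` is the check to put at the top of the job so it refuses to run into a directory the interactive user could also write.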
Guys, thanks for the answers but you all missed the point.
I have no ransomware infection. I do not need advice on how to do a full backup/backup. And so on...
I asked about a very specific scenario.
Please read again with understanding.
Quote:
And, please, stop referring to these things as "infections." A digital computer is not a biological organism. It does not "get infected," period.
This thread seems to be a language barrier thing to me. Because earlier
Quote:
Now, part of the backup'd files have been encrypted but some - not.
User realized after the backup that his PC has been infected with ransomware. PC's files are basically lost BUT some files on the backup USB drive are still good.
Question: what will happen if backup USB disk will be attached to healthy/another PC?
(probably the best way in this scenario would be to connect backup USB to the PC with different kind of OS than infected PC was but for purpose of this case lets say its going to be still this same kind of OS)
Which kinda makes no sense. Ransomware by its very nature keeps you from accessing your files.
So how did you make a backup when
Quote:
User realized after the backup that his PC has been infected with ransomware.
But then. I have never been the sharpest pencil in the cup.
Quote:
what will happen if backup USB disk will be attached to healthy/another PC?
Now, I am assuming this hypothetical backup USB drive, made while a ransomware infection was on your computer, will infect another PC with ransomware, since it sounds like an impossible scenario.
There should be nothing on the USB drive. So no. If you think there is, look inside with the ransomware-infected computer, since you think it has access to files, like on that USB drive.
All they knew was that, if they bought an external hard-drive and plugged it into their computer and left it there ... everything in their past history ... files, e-mails, contacts, you name it ... would be preserved.
"It Just Worked.™"
Even though Microsoft had produced Microsoft Backup half-a-decade before, it presupposed that its user was "a corporate IT professional" who was willing to "learn how to use it properly."
. . . and, I confess to say . . . "just where has Linux been, exactly, for all this time?"
@rokytnji: There is no need for that sarcasm and underlining my English skills, especially here on a technical forum and especially by a Senior Member.
Getting back to the scenario:
Read again (slowly, rokytnji) the bullet points from my first post, especially points 2 and 3.
If this is still unclear, try the following description:
Ransomware that I have seen encrypts specific types of files only: JPG, MP3, MP4, DOC and some others (I don't remember the full list now).
Encryption will not happen in no time. It must take some period of time to encrypt file by file.
Therefore I can imagine a scenario where, in the meantime of encryption, the user plugs in the backup drive, backs up/rsyncs the data (some files already encrypted and some not) and then detaches the backup drive.
This way some of the backed-up files are encrypted and some are not.
Another thing that bothers me: while ransomware is already present on the OS, it can spread to any attached drives. By this I mean copy itself (the ransomware binaries) and later spread to another PC.
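The mixed backup from the original post (steps 1 to 4) and the clarification just above describe a drive holding three kinds of file: documents that were copied before the ransomware reached them, documents that had already been encrypted, and possibly a copy of the ransomware's own binaries. Before restoring anything, that drive can be sorted into those three bins without opening or running a single file. The following is an added example written for this thread, not code from any poster: it mounts nothing and executes nothing, it only reads the first 4 KiB of each file and applies two signals, whether the magic bytes match the extension and the Shannon entropy of the sample. The magic-byte table, the 7.5 bits/byte threshold, the executable markers and the sample files in the `__main__` demo are my assumptions.

```python
"""Triage a backup taken while ransomware was still encrypting.

Added example, not any poster's code.  Classifies every regular file under a
directory as 'intact', 'encrypted', 'suspect', 'executable' or 'empty'.
Ciphertext has no recognisable header and ~8 bits/byte of entropy; text and
office files have a header and far lower entropy.  JPEG/MP3/ZIP are already
high-entropy, which is why the header check comes first and entropy is only
consulted when the header is wrong or the extension is unknown.
"""
import math
import sys
from pathlib import Path

SAMPLE = 4096
HIGH_ENTROPY = 7.5   # bits per byte; assumption, tune for your data

# (offset, magic) per extension; illustrative, not exhaustive.
MAGIC = {
    ".jpg": [(0, b"\xff\xd8\xff")], ".jpeg": [(0, b"\xff\xd8\xff")],
    ".png": [(0, b"\x89PNG\r\n\x1a\n")],
    ".pdf": [(0, b"%PDF-")],
    ".docx": [(0, b"PK\x03\x04")], ".xlsx": [(0, b"PK\x03\x04")],
    ".mp3": [(0, b"ID3"), (0, b"\xff\xfb"), (0, b"\xff\xf3")],
    ".mp4": [(4, b"ftyp")],
}
# Things a clean machine must never run from a backup drive.
EXEC_MAGIC = [(0, b"\x7fELF"), (0, b"MZ"), (0, b"#!")]
EXEC_EXT = {".exe", ".dll", ".scr", ".sh", ".desktop"}


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def _matches(head: bytes, sigs) -> bool:
    return any(head[off:off + len(m)] == m for off, m in sigs)


def classify(path: Path) -> str:
    """Label one file from its first SAMPLE bytes; the file is never executed."""
    with open(path, "rb") as f:
        head = f.read(SAMPLE)
    ext = path.suffix.lower()
    if ext in EXEC_EXT or _matches(head, EXEC_MAGIC):
        return "executable"          # quarantine, do not run
    if not head:
        return "empty"
    if ext in MAGIC:
        if _matches(head, MAGIC[ext]):
            return "intact"          # right header for its type
        # Wrong header: ciphertext if random-looking, otherwise just damaged.
        return "encrypted" if entropy(head) >= HIGH_ENTROPY else "suspect"
    # Unknown extension (e.g. a suffix the ransomware appended): entropy only.
    return "encrypted" if entropy(head) >= HIGH_ENTROPY else "intact"


def scan(root) -> dict:
    """Map label -> sorted list of paths relative to root (symlinks skipped)."""
    root = Path(root)
    report = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            report.setdefault(classify(p), []).append(str(p.relative_to(root)))
    return report


if __name__ == "__main__":
    for label, files in scan(sys.argv[1]).items():
        print(f"{label}: {len(files)} file(s)")
        for name in files:
            print("   ", name)
```

Mount the drive on the clean machine with `mount -o ro,noexec,nodev,nosuid` before pointing `scan` at it; merely attaching a drive does not run what is on it, so the practical risk in the scenario is a person double-clicking a dropped binary, and the `executable` bin is what to delete rather than restore. Copy only the `intact` list, and keep the `encrypted` ones aside in case a decryptor for that family appears later.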
It takes privileges to install software on a machine, typically. Anytime you find programs installing themselves on a machine you will usually find that the user in question has administrative privileges ... in Linux, is a member of the ("big ...") wheel group.
It can't be emphasized enough: "software intrusions most commonly occur by deceiving humans, who have more system privileges than they need and who are ignorant of how the system works. When asked to enter a password, they do so. And this password then leads 'everywhere.'"
Last edited by sundialsvcs; 01-17-2017 at 09:22 AM.
Quote:
@rokytnji: There is no need for that sarcasm and underlining my English skills, especially here on a technical forum and especially by a Senior Member.
I was being kind. Not sarcastic. I am done here.
Edit: But I can see how you might think I was being sarcastic. My biker ways are ruff and gruff and I can come across as a meany sometimes. I don't mean to. Sorry about that. I am still done here, though.