PC World's cloudy backup failed when exposed to ransomware The shortcomings of consumer-grade backup services in protecting against the scourge of ransomware have been exposed by the experiences of a UK businesswoman. Amy W, who runs a small business in the Newbury, Berkshire area, was convinced that the KnowHow cloud was the only backup technology she'd ever need1 when she bought a …
If the machine was for business use, then the lost data may well have been hundreds of text files (orders, invoices, etc.) or financial data files etc. and only occupied a few hundred MiBs. Not everyone has extensive video collections. I am also told that some lucky people have fibre and reasonable upload speeds.
I'm trying to figure out why renamed encrypted files would overwrite the originals on the backup, from my experience with ransomware it rarely leaves the originals and you'll have tons of .abc .locky etc files instead.
Additionally as you've said the staff themselves seem to be making this up as they go along - back up of all unchanged files would make no sense.
Personally I use Crashplan and manage how retention, versioning etc is done through the utility, that's partly because I'm utterly paranoid about losing stuff and it's the only cloud based backup I currently trust, even then I still have a local backup of *everything* anyway. Crashplan has saved me a couple of times though.. local drives do get stolen during burglaries :-/
"I'm trying to figure out why renamed encrypted files would overwrite the originals on the backup, from my experience with ransomware it rarely leaves the originals and you'll have tons of .abc .locky etc files instead."
This puzzles me as well.
Also, my (very limited) experience of recovering a ransomed PC was that the malware, in that case Tesla3, wrote out the encrypted versions and then deleted the originals so that the encrypted version didn't overwrite the original. It would be possible, of course, in the case of a disk with little spare room that the space released by one "deleted" file would be overwritten by a subsequent encrypt. If not something like Photorec can recover the files from free space of the original disk. Because of this the best advice that can be given is: kill the PC immediately and do not reboot except from something like Trinity Rescue with a USB drive attached to which recovered data can be written.
"I'm trying to figure out why renamed encrypted files would overwrite the originals on the backup, from my experience with ransomware it rarely leaves the originals and you'll have tons of .abc .locky etc files instead."
It depends on the specific ransomware. As mentioned here http://www.theregister.co.uk/2015/11/09/cryptowall_40/ last year, Cryptowall 4.0 introduced changing the filenames, but earlier Cryptowall (and cryptlocker) versions didn't. The first instance of it I was it wasn't even obvious an infection had happened other than the files couldn't be read (someone else on the network had been infected, and they've received the notification and kept quiet). So assuming it was one of the earlier versions she was infected with, the file names would have remained the same and would be able to overwrite the original ones.
ive dealt with quite a few crypto infections.
not all of them rename the files or the extention.
so your cloud backup solution happily uploads the latest (now encrypted) version of the file over the top of the unencypted one.
if you use dropbox (which some people still insist is a "backup tool" it then downloads that onto every other connected machine.
if you use carbonite, they have a dedicated team who can see when the infection hit (as many more files than normal are changed very quickly). they can then roll back the ENTIRE backup to before it hit. you rebuild your pc in the meantime. then they call you and saty, yes, you can restore, and all your unencrypted data comes back down the pipe. its bloody marvellous.
i believe that with dropbox pro they can also do this.
free dropbox you can see earlier versions of files, but theres no way to roll back the entire backup, so you would have to do it for every single file, which would be tedious...
Finally, "Amy W, who runs a small business in the Newbury, Berkshire area, was convinced that the KnowHow cloud was the only backup technology she'd ever need"
i mean for fucks sake. if you get pc world to do your IT then you are asking for it.
by the way, be very carful if you try and back up a truecrypt volume. by default, truecrypt is set to keep the date/time stamp on the file to the same regardless of if its been updated. also, the size of the file (usually) wont change as you set a fixed size for an encrypted volume. so the file is the same size, doenst ever get a new date stamp and so most backup products believe that the file has not changed. they back it up once when you first create it and never again...got caught out with that once. there is a setting in true crypt options to change the date/time stamp. i cant remember off hand where it is but its pretty easy to find in the options.
Correct me if I'm wrong, but didn't it start out to be at least sibling to a magazine on the TRS-80?
I have more to say, but I choke after saying that. I believe I was subscribed to it under an earlier name. It's somewhere between sometimes okay to the point where calling it idiotically stupid would be complimenting it undeservadly. People still subscribe to it, too. And follow their ads. And I'm not even trolling.
> if you get pc world to do your IT then you are asking for it
But if you know nothing about IT yourself, how do you assess whether that big high street outfit that seems to know what it's doing is actually any good ?
In reality, she was one step better than a lot of people, at least she (thought she) had a backup of some sort - how many people have no backup whatsoever ?
I've never seen a crypto virus that renames the extensions. All I've encountered append a new extension. For example .zip would be come .zip.zzz. Can you give an example of one that doesn't rename files?
At any rate - using an incremental forever backup solution with only 1 version is a bit silly and prone to fail, if you get a file corrupted you're screwed from restoring it.
If your stuff is important, then the onus is on you to make sure it is available. Need to send your Tax Returns ? You photocopy the document, or scan it, and send the original. The copy is to be properly filed so you can find it back if necessary. It is that mechanism that people just completely forget about when they sit in front of a keyboard. The Cloud is NOT a replacement for that procedure, it is an additional precaution. One that is only as good as the service offered.
Until this kind of thing happens. The lesson, unfortunately, can be very painful.
As for PC World's so-called "backup", it never failed - it was never useful in the first place. That is also something she should have checked once in a while. The dates of the latest backup. If she had done so, she would have noticed that PC World does not offer a backup service, but a copy service. That might have tipped her off sooner that she needed a proper backup solution.
There I fixed that for you.
If your stuff is important, then the onus is on you to make sure it is Backed up to a backup device.
This lady went to the store to get Advice and a computer, was informed that this was the best backup solution available.
"This lady went to the store to get Advice and a computer, was informed that this was the best backup solution available."
The best backup solution available isn't worth a shower of shit if it's not tested periodically to make sure it's actually working properly.
If the advice she got didn't include that piece of knowledge then she really should have a case against them. Unfortunately I'll bet that all liability is excluded in an obscure clause in 4 point lettering kept in the electronic equivalent of a locked filing cabinet in the basement lavatory behind a sign saying "beware of the leopard"
Reading her semi-literate Facebook posting, it's obvious that she's not the sharpest tool in the box. Sadly, there are too many people who will buy over-priced junk from PC World, and will assume that the nonsense spouted by their salesmen is gospel.
Her errors:
Buying anything from PC World.
Trusting "anti-virus" snake-oil (when will people realise that it can't work? )
Believing that any "service" provided by PC World could be good enough for business use. "Military grade"? Hah!
Finally - the use of a (barely) domestic-grade OS and software for business.........
Don't disagree about the need to take responsibility for your own data. But we live in a marketing driven world, where IT pitfalls are blurred by PR-suits... IMHO Neither Cloud or Offline is the answer, there needs to be a third option. Because flooding / fire / theft / drive failure are still big issues too.
The sad thing here is, there is no super tech guru in the media that has the attention of the masses to warn people like Amy in advance. Instead marketing dollar spending by greedy Dixons-PCWorld type corporations can bury this story over time under the weight of PR spin...
This Reg article also sets a sobering tone for CloudFog:"All of which means that the world is learning that the cloud isn't yet the “drop-in replacement” for in-house IT that everyone was hoping it would be.":
http://www.theregister.co.uk/2016/03/22/cloud_security_harder_than_encrypt_everything/
Pascal,
I think you're being unfair to the victim here. She's a member of the public, not an IT pro.
The public put their trust in people to whom they've paid money (just like DWP does) and are not equipped to evaluate whether the advice they're given is right (DWP again!). Only when there's a failure on a scale big enough to attract widespread attention such as TalkTalk's break-in do they realise that their vendor reassurances are worthless. Apart from the fact that it's then too late they have the problem of knowing what advice they should take for the future.
I'm not disagreeing with you here but she's go to take on the lion's share of responsibility here. As usual they've never tested the backup and probably never even checked it once it was installed and "working". It's the usual lazy way of backing up data and most of us (myself included) only improve in this area once we've make a royal cock up of it in the past or seen someone close to us lose months of work.
You don't need to be an IT pro to check backups, no more so than you need to be a household security expect to set an alarm, but as with house alarms it's only one thing that may/may not work and it's best to remember that locking the door and checking you've got your valuables out of site is best. similarly with backup checking it's actually working and having a "oh shit I lost everything" plan is best.
"You don't need to be an IT pro to check backups"
Think about this for a moment. I assume you're a sysadmin. How often do your users come round to you to check your backups? She's the user, PCW are her sysadmins. Why should she even know about checking?
Personal story here. I had a gig to replace two non-Y2K-capable boxes. They'd been set up so that one of them did an NFS copy to the other, the warm standby, overnight (they were situated at opposite end of a large industrial site - a disaster large enough to affect both boxes would have given them more problems than the loss of both boxes). In the course of looking at the existing setup I discovered that the overnight window wasn't long enough to allow a complete backup. I've no idea how long they'd been without an effective warm standby.
"I'm not disagreeing with you here but she's go to take on the lion's share of responsibility here"
Applying the same logic to a mechanic replacing the brakes on your car, if you have an accident caused by shoddy advice and a bad job, you must bear the lion's share of responsibility for the accident?
Victim blaming is a very slippery slope.
"If your stuff is important, then the onus is on you to make sure it is available"
<snip>
Totally correct and yet utterly wrong.
This woman was not like us, she was a naive computer user. She sought help from PC World {sadly} and was advised that the correct thing to do was to install this cloud backup. How was she , a naive user to know of the pitfalls?
Personally i have some encrypted data in the cloud because it is fashionable, I have version control on every file, I have a backup (every two hours) to a hidden non shared area on the server, I have a backup to an external hardware encrypted drive and I mirror the server to another one away from home. oh and both servers are RAID five.
That is how i do it but then I am supposed to be a professional and I have never lost any data. This woman did her best and the advice she was given was wrong, ill informed and spurious, those of us in the know would expect nothing better from PC World.
"oh and both servers are RAID five."
After several near misses and a catastrophe* I have come to the conclusion that if one has only three drives then RAID 5 is a waste of time and leads one into a sense of false security. With today's large discs >4TB the time to rebuild a RAID 5 array after a single disc failure is longer than the MTBF of the drives themselves, thus there is a real possibility that one can have a second drive fail during the rebuild and thereby causing an unrecoverable error condition in the RAID.
Personally I take the hit on disc space and with only three drives set up RAID 1 (mirroring) and a warm spare.
One should use RAID 6 (at least) if one has more than 3 drives and some version of RAIDed and mirrored drives if you have 6 or more.
(*R-studio was a godsend allowing me to reconstruct a virtual RAID from the "ashes" of my failed array!)
"If your stuff is important, then the onus is on you to make sure it is available"
That's nice, but many people who DO care, rely on technology they know nothing about, ending up with solutions touting buzzwords like "Military Safe" or some such bull crap.
Is the onus on them to suddenly become data security experts? Because that's what you're expecting...
PC world's cloud backup is a white labeled version of Livedrive... The client app is so/so ... I've had clients on it for years. It has got better over the years but its not great when it gets out of sync... and we all know what consumers do when the computer says "error" - yes, they ignore it!
Frankly, this sounds like the most probable explanation. A cloud backup may fail to complete for a variety of reasons. A likely cause is that the size of the data becomes too large for the backup window.
If a professional server backup fails to complete, alarms sound and operators and system managers rush round trying to solve the problem. In a home office environment, it could be easy to miss, or to misinterpret, warnings from the backup program.
Backup and anti-virus software on Windows often seems to suffer from over-engineered UI syndrome: the standard UI isn't flash enough to pull in the punters, so they make it look like something else. After 30 years working with computers I expect to be able to understand most software, but my wife's copy of BitDefender induces a kind of brain-fog.
The answer is both. Having looked at the website (http://knowhow.com/article.dhtml?articleReference=5545&country=uk/). There doesn't appear to be an keep the files if they are changed for 30 days, just if the file has changed upload the changed file. This is a backup, ie if your PC goes bang you can restore all your files as they were when the PC goes bang, not how they were 30 days ago
However if you delete a file it will keep it for 30 days after you deleted it
"What happens when I delete a file from my computer?
If you delete a backed up file from your computer, this will be removed from your online backup once the Knowhow Cloud software scans the backed up folders. If you accidently deleted a file or folder and need it back, you have up to 30 days to recover it. To do this:
Go to the Desktop
Click on the small arrow on your taskbar where you'll see the Knowhow Cloud icon
Right-click on the icon and select Open Control Centre
Select the Restore tab
Navigate to the file or folder and then click on Restore"
There is a third option which is that she isn't giving us the full truth either.
The sentence "Yesterday an email came through which i opened (it was from what looked like a completely standard email address) a virus flooded my laptop instantly corrupting all my files"
Seems to be missing the words "...email address) after I opened the attachment a virus..."
Yeah more to this than meets the eye.
This stuff takes hours or days to take effect. It doesn't just encrypt everything in 20 seconds and then goes "You pay now!!"
It runs till its done and then announces itself. She would not have known till then.
I've had customers bring their machines to me that have had it running for two weeks and just ignored the warnings from the AV that actually said something was up.
They both screwed up but to be honest the major weak point was her just not being savvy enough.
the newer crypto strains will also sit on your machine for a while doing nothing.... waiting for you to plug in your usb backup drive (people still use them!) .
then it encypts the usb backup disk.
then it encrypts your primary
then it ransoms you.
oh, but ive got a back up.....ooops.
versioning backup system all the way....
" after I opened the attachment a virus..."
Or, more likely and for "convenience", she has enabled full HTML rendering, including external source in her email client. Convenience trumps security every time for users.
Most people don't care or know about how a tool should work or how important it is to keep your tools in good condition, especially if that means having to spend time learning about things not directly related to the job or which may cost money now rather than later when things break.
Just look at the numbers of people driving around with lights not working, fan belts slipping, SatNavs or phone stuck the windscreen in inappropriate and downright illegal view obstructing positions. If they can't handle simple, obvious and in-your-face problems like that why would we expect them to deal with more complex and ethereal computer security and backup systems?
If you say to someone "are you opening an email that contains full HTML rendering, including external source in your email client?" and they understand that then yeah they probably should have known better. But pretty sure in a non IT environment they are just going to say what?
Email is just a message thing, people don't get it can be delivered in different formats, have embedded code etc.
To them its a electronic letter like the ones you open at home, without running it through a scan and opening it in a negative pressure environmental container, whilst wearing a level 4 biocontainment suit, I mean its only Anthrax.
Back in the late '80 there was a trojan horse virus called " PC Cyborg Trojan". This encrypted your hard disk, but nothing was visible for 90 reboots of your PC. Then an ransom would appear asking for $189 to be sent to a PO Box, you would then be sent then unlock code for your PC.
Which still wouldn't explain having just 2 restore points available. Either the laptop didn't have any changes for 30 odd days or the 'backups' didn't happen for that long. Or maybe the service is just broken.
Either way flushing older copies from the cloud is idiotic. I nominally keep about 3 weeks worth of daily snapshots but the software doesn't delete anything unless I'm adding a new image, they shouldn't just disappear even if your product has "30 days" in the name.
True, however its a lot harder to have an off-line backup when its in the cloud, since you cant unplug your bit and stick it in a safe or send it to a family member.
Cloud makes people lazy as its suddenly someone else's problem and people stop thinking about data integrity.
Tape, spinning rust, memory sticks, DVD etc - all still really useful for off-line backup as its really hard to infect / encrypt something that is disconnected and powered off !
I think the problem here is that off-line backup requires somebody to do something; either plug in or unplug something. It's generally done for the first week or so and then gets forgotten as people just don't see the value in doing it. That value only becomes evident when they are hit with the virus.
Not so hard really is you organise your time properly.
My Development PC does an incremental backup every day to a local (network) NAS using Acronis.
The weekly full C: drive is also sent off to the NAS. This has 8TB of spinning rust. I go onto it every couple of months to purge a few things.
Then I get a text reminder to plug in a 2TB HDD to the device at 3pm on a Friday. A scheduled job then takes a backup of everything. I have four Disks that are rotated for this job.
Why Friday afternoon?
simple really as it is POETS day and a Pint or two becons.
Then every baseline backed up (git repo) and is then sent off to a Linux (intel Nuc) for safekeeping.
You can't have too many backups but then I'm old enough to remember taking backups of my source code on Paper Tape. I still have the repair kit somewhere.
"True, however its a lot harder to have an off-line backup when its in the cloud, since you cant unplug your bit and stick it in a safe or send it to a family member."
I suppose you could have two separate cloud vendor backups and try to remember to sync them separately and independently and not have the clients running constantly. Maybe have a third one running constantly for that HDD crash, stolen laptop scenario.
> Cloud makes people lazy as its suddenly someone else's problem and people stop thinking about data integrity
Anon for what should be obvious reasons - the boss might read this.
At the moment there's a push on at work to move everything to "the cloud". Some of it is actually "cloud", some is just "hosted services" and the only difference from a decade ago is better connectivity and lower prices !
And yes, a big part of it is to be able to "fire and forget", to make "someone else" responsible for security, updates, backups, etc, etc. I can't think what could possibly go wrong !
http://www.theregister.co.uk/2016/01/25/office_365_imap_outage/
http://www.theregister.co.uk/2016/02/22/office_365_outage/
http://www.theregister.co.uk/2015/11/30/euro_network_gobbles_googles_cloud/
http://www.theregister.co.uk/2015/12/11/typo_in_case_sensitive_variable_name_caused_google_cloud_outage/
http://www.theregister.co.uk/2015/09/28/whoops_there_goes_my_cloud/
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
