Testing Backups Against Ransomware

Today, we’re going to test a few local backup plans against ransomware to see if they will protect you if you find yourself infected.  For this test, I have spun up a virtual machine running Windows 10 Home which has been fully updated to current at the time of writing.  This machine is on my lab network, which is segmented off from my home network.

I mounted a second virtual disk to this machine to act as the backup disk.  Now, I know the ransomware will target this disk if it has a drive letter assigned to it.  I’m looking to see if it will target the backup itself.

Antivirus is provided by the included Windows Defender with all settings at the default values.

Before I go any further, do not attempt this on your own.  You will destroy your data and possibly the data of others.  I take no responsibility for any actions you take after reading this post.

The Process

I created a few sample files in Word and Excel and downloaded a few images from the internet.  These will be the test files.  I’m using a sample of Locky to infect the PC.  I created a checkpoint of the VM prior to making any changes to revert back to after testing each backup.  The process for testing is outlined below.

  1. Create full backup of system to the locally mounted drive using default settings.
  2. Run the ransomware infection.
  3. Remove the infection with Malwarebytes.
  4. Attempt to restore files.

Before I started testing, I wanted to test the sample of Locky.  I was pleasantly surprised to find that Windows Defender blocked it before it could do anything.  Let’s turn off Windows Defender and see what happens.

I double click on the Word document and it opens in Protected View.  If I click on “Enable Editing”, the macro is still disabled.  It tells me I need to enable the macro.  It looks like Microsoft has made it reasonably difficult for one to get infected this way.  It amazes me that people need to call the helpdesk to set up an email account on their iPhones, but manage to circumvent every security measure in place and infect the corporate network with ransomware.

[Figure: Locky Word document]  When opening the infected document, it will likely look like this.

So, I went ahead and clicked the “Enable Content” button and waited. Nothing seemed to happen to my files. Do I have a dud? I wait.

I check my web filter.  Don’t see anything going out from that machine.  I reboot the VM.  No ransom note.  No encrypted files.

I disable country blocking on my firewall.  Still nothing.  I can’t believe I am having this much difficulty getting infected with ransomware.

I located another sample of ransomware.  When I clicked “Enable Content”, Word crashed.  This seems more promising.

I wait.  Reboot the VM.  Another dud.

[Figure: Malicious file warning in Windows 10]  When trying to run the ransomware executable, this message appears.

I was finally able to obtain an executable of the Locky ransomware.  Microsoft was nice enough to give me further warning.  I ignore this warning and continue.  Nothing seems to happen.  The executable file disappears from my desktop.  Files are not encrypted.  What gives?

For my home firewall, I use a Sophos UTM 9.4 software appliance.  One of its features is Advanced Threat Protection.  This works on the same principle as an Intrusion Detection System, but in reverse.  It scans traffic leaving the network to see if it is heading for a known botnet or command and control server.  If this is detected, the traffic is blocked.  Why is this important?  Most ransomware strains will attempt to communicate to a central server to obtain the encryption keys.  If it cannot get the keys, it doesn’t encrypt files.

So, I create exceptions for the VM, effectively turning off all the protection Sophos offers and run Locky.  I wait for it to do its work.

Nothing happens.  Process Explorer shows that it keeps connecting to an IP address in Tehran, but keeps disconnecting.  I am flabbergasted that I am having this much difficulty infecting a PC with ransomware.

Let’s Go Back to the Drawing Board

I scrap Windows 10 in favor of Windows 7.  Since I’m actively trying to infect the PC with ransomware, I will not be installing antivirus software.  The problem with testing on Windows 7 is that we cannot test Windows File History.

Switching gears, I located a sample of CryptoLocker from 2014.  I kicked off the executable on the Windows 7 VM and was presented with a prompt to run an executable located in my AppData folder.

On the Windows 10 front, launching the executable displayed a warning telling me the file was malicious.  I ignored it.  Another executable ran from the AppData folder, but this time there was no prompt.  Windows Defender kept saying it found some malware and stopped the executable.

After rebooting Windows 10, Windows Defender kicked back up and cleaned up what was left of the infection.  No files were harmed.

I got a ransomware sample emailed to me.  I opened it on my Windows 7 VM and disregarded every security prompt in Word.  After a few seconds, a balloon came up instructing me to turn on the Windows Security Center Service.

I wait.

Nothing happens.  It seems that people get infected with ransomware on a daily basis, yet here I am trying to get an infection and failing miserably.  This reminds me of my childhood, romping through puddles and going outside during the winter without a coat so I would get a cold and miss school.  I never got a cold.  I never missed school.

If I can’t find a good ransomware sample, I’m going to make one.  I turn to my trusty friend, PowerShell.  Armed with an understanding of how ransomware works, I created a script that will traverse directories and rename the files in them.  The script will scan all drives and append “.ransom” to the end of any file that is not an executable or DLL and is not within a folder with “Windows”, “Program” or “AppData” in the path.  The goal here is to simulate a ransomware infection, but not break the machine.  Now that I have created the script, I take a snapshot of each VM and test.  Success!
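As an added illustration of the simulator described above (this is not the author’s script), here is a PowerShell version that applies the same rules, skipping executables, DLLs and anything under a Windows, Program or AppData folder, but is scoped to a single test folder passed in as -Path rather than walking every drive, supports -WhatIf so you can preview the renames, and comes with an undo function so the same lab files can be reused between backup tests.  The function names, the -Path parameter and the default “.ransom” suffix are assumptions made for this example.

```powershell
# Added example, not the post's own script: a scoped ransomware *simulator*
# that only renames files, so a backup restore can be tested without any
# real encryption.  Assumption: -Path points at a throwaway lab folder.
function Invoke-RansomSimulation {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $Path,   # root to walk (a lab folder, not a whole drive)
        [string] $Suffix = '.ransom'             # marker appended to every "encrypted" file
    )
    # Same exclusion rules the post describes: no executables or DLLs, and
    # nothing under a folder whose path contains Windows, Program or AppData.
    $skipExt  = @('.exe', '.dll')
    $skipPath = 'Windows|Program|AppData'
    $renamed  = 0
    Get-ChildItem -Path $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object {
            $skipExt -notcontains $_.Extension.ToLower() -and
            $_.DirectoryName -notmatch $skipPath -and
            -not $_.Name.EndsWith($Suffix)       # idempotent if run twice
        } |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess($_.FullName, "append $Suffix")) {
                Rename-Item -LiteralPath $_.FullName -NewName ($_.Name + $Suffix)
                $renamed++
            }
        }
    return $renamed
}

# Reverse the simulation.  The count it returns should match the number of
# files the backup restore reports, which is a quick sanity check on the test.
function Undo-RansomSimulation {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $Suffix = '.ransom'
    )
    $restored = 0
    Get-ChildItem -Path $Path -Recurse -File -Force -Filter "*$Suffix" -ErrorAction SilentlyContinue |
        ForEach-Object {
            $original = $_.Name.Substring(0, $_.Name.Length - $Suffix.Length)
            Rename-Item -LiteralPath $_.FullName -NewName $original
            $restored++
        }
    return $restored
}

# Lab usage: preview first, then run for real, back up, then undo.
#   Invoke-RansomSimulation -Path 'D:\BackupTest' -WhatIf
#   Invoke-RansomSimulation -Path 'D:\BackupTest'
#   Undo-RansomSimulation   -Path 'D:\BackupTest'
```

Point the simulator at a copy of your test files on the same volume the backup job reads from, run the backup, run the simulator, and then attempt the restore; if the backup target itself has a drive letter you can point a second run at it to reproduce the result the post describes.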

Testing the Backups

For the purposes of this test, we are testing local backups.  Any cloud backup service which offers file versioning will offer protection since the files are not linked to your PC via a network share or physical drive.  The process has changed a bit, but is simple:

  1. Create full backup of system to locally mounted drive using the default settings.
  2. Run ransomware script.
  3. Attempt to restore from backup.

Windows File History

Starting with Windows 8, Windows Backup was replaced with Windows File History.  Windows File History does not create a full system image, but it does keep backups of files in your libraries.  Unfortunately, the files in Windows File History were encrypted by my script.  This suggests that Windows File History won’t offer much protection from ransomware.

Windows Backup and Restore

Replaced by Windows File History, this backup solution creates a bare metal backup of your PC and stores it as a VHD on an external hard drive.  Unfortunately, since ransomware will usually prompt for administrator rights, the backup files get encrypted as well.  Some strains of ransomware only target specific file extensions, so Windows Backup and Restore may be a viable option.  To combat this, ransomware variants have either been including the “.vhdx” extension or just encrypting indiscriminately.

EaseUS ToDo Backup Free

This is quite possibly my favorite offline backup tool.  EaseUS ToDo Backup Free offers the ability to back up a full system image, as well as differential and incremental backup schemes with versioning.  If you get creative, you can rotate the backup media out, keeping one backup set disconnected from your PC.  With support for cloud backup, this is your one-stop solution for backup.

The backup archive is stored as a “.pbd” file, which was encrypted by my ransomware simulator.  This suggests that it could potentially fall victim to an actual ransomware infection.  If you elect to backup to cloud storage, your archive would be safe, provided that you aren’t syncing the files locally to your PC.

Conclusion

Testing additional local backup solutions provided more of the same results.  If it has a drive letter, it will likely get encrypted by ransomware.  Now you may be asking “what good is a backup if it won’t protect me from ransomware?”  The answer to that is simple: it’s not supposed to.  You need to protect your backups from ransomware.  There are a few ways to do that.

  • Use an off-site cloud backup service such as Carbonite or Backblaze.
  • Disconnect your backup drive when you’re not performing a backup.
  • Backup to multiple drives and rotate them.

Some backup solutions offer the ability to back up to a drive that does not have a drive letter, or a network share.  Most variants of ransomware only look for something with a drive letter, so these may be safe.  There are a few out there that can find unmapped network shares or drives and infect those, so be careful with this one.
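One way to put the “no drive letter” advice into practice, as an added example that is not part of the original post: leave the backup volume unlettered and borrow a letter only for the minutes the backup job runs, removing it again in a finally block so a failed job never leaves the volume exposed.  The example assumes the Storage module cmdlets (Get-Volume, Get-Partition, Add-PartitionAccessPath, Remove-PartitionAccessPath, available on Windows 8 / Server 2012 and later), an elevated PowerShell session, and a backup volume with the label BACKUP; the function names, the label and the default letter B are assumptions made for this example.

```powershell
# Added example, not from the post: expose the backup volume by drive letter
# only while a backup is running.  Assumes an elevated session, the Storage
# module, and a backup volume labelled 'BACKUP' that normally has no letter.
function Invoke-BackupWithTransientLetter {
    param(
        [string] $VolumeLabel = 'BACKUP',   # assumption: label of the backup volume
        [char]   $Letter      = 'B',        # letter borrowed for the duration of the job
        [Parameter(Mandatory)] [scriptblock] $BackupAction   # called with the root path, e.g. 'B:\'
    )
    $vol  = Get-Volume -FileSystemLabel $VolumeLabel -ErrorAction Stop
    $part = Get-Partition -Volume $vol
    # Refuse to run if the volume is already lettered: that is exactly the
    # configuration the post's tests showed being encrypted.
    if ($part.AccessPaths | Where-Object { $_ -match '^[A-Za-z]:\\$' }) {
        throw "Backup volume '$VolumeLabel' already has a drive letter; remove it so it is not permanently exposed."
    }
    $access = "${Letter}:"
    Add-PartitionAccessPath -DiskNumber $part.DiskNumber -PartitionNumber $part.PartitionNumber -AccessPath $access
    try {
        & $BackupAction "$access\"
    } finally {
        # Always take the letter away again, even if the backup job failed.
        Remove-PartitionAccessPath -DiskNumber $part.DiskNumber -PartitionNumber $part.PartitionNumber -AccessPath $access
    }
}

# Quick audit: every fixed or removable volume that is reachable by letter
# is in scope for a "walk the drive letters" ransomware strain.
function Get-ExposedVolumes {
    Get-Volume |
        Where-Object { $_.DriveLetter -and ($_.DriveType -in 'Fixed', 'Removable') } |
        Select-Object DriveLetter, FileSystemLabel, DriveType
}

# Usage (elevated): mirror the Documents folder onto the backup volume, then drop the letter.
#   Invoke-BackupWithTransientLetter -BackupAction {
#       param($root)
#       robocopy "$env:USERPROFILE\Documents" "${root}Documents" /MIR
#   }
#   Get-ExposedVolumes   # the backup volume should not appear here afterwards
```

This closes the window for strains that only enumerate drive letters, which is the common case the post describes, but not for the variants that enumerate volumes or unmapped shares directly, so it belongs alongside an off-site copy or rotated media rather than replacing them.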