Using "System Restore" to unlock a computer?

Newsgroups: alt.comp.os.windows-11
 by: Peter Jason - Sun, 22 Oct 2023 22:02 UTC

I have Windows11 and I do an automatic System Restore Point daily.

Can this System Restore be used to free a computer from a ransom ware
attack?

P

Re: Using "System Restore" to unlock a computer?
 by: T - Sun, 22 Oct 2023 23:08 UTC

On 10/22/23 15:02, Peter Jason wrote:
> I have Windows11 and I do an automatic System Restore Point daily.
>
> Can this System Restore be used to free a computer from a ransom ware
> attack?
>
> P
>

Hi Peter,

Unfortunately, no.

The restore only restores parts of the operating system,
not your user files. Ransomware mostly leaves your
operating system alone, so you can pay the ransom (and
steal your credit card too).

Have you been infected?

If ransomware is a YUGE concern, consider switching to Mac
or better yet, Fedora.

-T

Re: Using "System Restore" to unlock a computer?
 by: Peter Jason - Sun, 22 Oct 2023 23:37 UTC

On Sun, 22 Oct 2023 16:08:11 -0700, T <T@invalid.invalid> wrote:

>On 10/22/23 15:02, Peter Jason wrote:
>> I have Windows11 and I do an automatic System Restore Point daily.
>>
>> Can this System Restore be used to free a computer from a ransom ware
>> attack?
>>
>> P
>>
>
>Hi Peter,
>
>Unfortunately, no.
>
>The restore only restores parts of the operating system,
>not your user files. Ransomware mostly leaves your
>operating system alone, so you can pay the ransom (and
>steal your credit card too).
>
>Have you been infected?

No, not yet. I take it then a backup of user files is all that's
required?
>
>If ransomware is a YUGE concern, consider switching to Mac
>or better yet, Fedora.
>
>-T

Re: Using "System Restore" to unlock a computer?
 by: Joel - Mon, 23 Oct 2023 00:08 UTC

Peter Jason <pj@jostle.com> wrote:

>a backup of user files is all that's
>required?

It's all I bother with, just throw backups on an external hard drive,
and if an internal drive fails, take the opportunity to do a fresh OS
installation.

--
Joel Crump

Re: Using "System Restore" to unlock a computer?
 by: Paul - Mon, 23 Oct 2023 00:20 UTC

On 10/22/2023 6:02 PM, Peter Jason wrote:
> I have Windows11 and I do an automatic System Restore Point daily.
>
> Can this System Restore be used to free a computer from a ransom ware
> attack?
>
> P
>

As a professional risk-taker, you should be made aware,
that the *very first thing* malware corrupts, is the
System Restore Points.

And ideas like this, only work if the Black Hats do not
know of their existence. This method has been around long
enough, to be defeated by now. A Google does not reveal
any evidence, one way or another, as to whether this
really works (to prevent a good ransomware from erasing MRIMGs).

https://knowledgebase.macrium.com/display/MSD/Macrium+Image+Guardian

"MIG works by preventing unauthorized delete or write operations
from being performed on Macrium backup files by any process that
does not have a valid Macrium code signature."

Paul

Re: Using "System Restore" to unlock a computer?
 by: ...winston - Mon, 23 Oct 2023 01:14 UTC

Paul wrote:
> On 10/22/2023 6:02 PM, Peter Jason wrote:
>> I have Windows11 and I do an automatic System Restore Point daily.
>>
>> Can this System Restore be used to free a computer from a ransom ware
>> attack?
>>
>> P
>>
>
> As a professional risk-taker, you should be made aware,
> that the *very first thing* malware corrupts, is the
> System Restore Points.
>
> And ideas like this, only work if the Black Hats do not
> know of their existence. This method has been around long
> enough, to be defeated by now. A Google does not reveal
> any evidence, one way or another, as to whether this
> really works (to prevent a good ransomware from erasing MRIMGs).
>
> https://knowledgebase.macrium.com/display/MSD/Macrium+Image+Guardian
>
> "MIG works by preventing unauthorized delete or write operations
> from being performed on Macrium backup files by any process that
> does not have a valid Macrium code signature."
>
> Paul
>

Have you spent any time investigating the benefit of Windows 10/11
Controlled Folder Access protection with respect to malware and/or malware?

<https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-controlled-folders?view=o365-worldwide>

That's one of the areas I've not investigated to any great length with
actual malware corruption of data or Windows. Nor is there much
discussion in this group or even Admin groups on ransomware recovery -
you hear about the occurrence but not always the resolution tools.

I do know that by default CFA includes the Windows system
folders (Documents, Pictures, etc.) and other folders can be added or
excluded (though those Windows system folders like Documents, Pictures
cannot be excluded from a default list).

--
....w¡ñ§±¤ñ

Re: Using "System Restore" to unlock a computer?
 by: T - Mon, 23 Oct 2023 01:50 UTC

On 10/22/23 16:37, Peter Jason wrote:
> On Sun, 22 Oct 2023 16:08:11 -0700, T <T@invalid.invalid> wrote:
>
>> On 10/22/23 15:02, Peter Jason wrote:
>>> I have Windows11 and I do an automatic System Restore Point daily.
>>>
>>> Can this System Restore be used to free a computer from a ransom ware
>>> attack?
>>>
>>> P
>>>
>>
>> Hi Peter,
>>
>> Unfortunately, no.
>>
>> The restore only restores parts of the operating system,
>> not your user files. Ransomware mostly leaves your
>> operating system alone, so you can pay the ransom (and
>> steal your credit card too).
>>
>> Have you been infected?
>
> No, not yet. I take it then a backup of user files is all that's
> required?

Hi Peter,

With cautions. If your backup is plugged in when you get
infected, your backup gets hit too.

Here is the thing about ransomware. What you are up against
is a group of highly intelligent, highly paid ass holes with
no internal religious block to moderate their behavior.

There is nothing you can do to outwit them. Believe me,
I have tried. They got around everything I threw in their
way like it wasn't even there.

Except one thing. They can not fly from communist China to
your house to steal your computer.

This is why I highly recommend backing up to multiple
revolving backup media, such as flash drives. And
removing them when you are done backing up. The ass
holes may get your last backup drive, but they won't
get your prior one.

And when you restore, restore from a Linux Live USB
stick. This protects you if there is still something
installed on your computer.

HTH,
-T

>>
>> If ransomware is a YUGE concern, consider switching to Mac
>> or better yet, Fedora.
>>
>> -T

Re: Using "System Restore" to unlock a computer?
 by: Stan Brown - Mon, 23 Oct 2023 03:05 UTC

On Mon, 23 Oct 2023 09:02:18 +1100, Peter Jason wrote:
>
> I have Windows11 and I do an automatic System Restore Point daily.
>
> Can this System Restore be used to free a computer from a ransom ware
> attack?

No.

The restore point is stuff like the Registry, Start Menu, Windows
files and I think some of C:\Program Files. The big thing a restore
point does not contain is your data -- documents, photos, music
files, etc.

A real backup, to a location that's not your computer, is the only
thing that will give you a shot at recovering from a ransomware
attack.

--
Stan Brown, Tehachapi, California, USA https://BrownMath.com/
Shikata ga nai...

Re: Using "System Restore" to unlock a computer?
 by: Maurice Helwig - Mon, 23 Oct 2023 04:03 UTC

On 23/10/2023 8:02 am, Peter Jason wrote:
> I have Windows11 and I do an automatic System Restore Point daily.
>
> Can this System Restore be used to free a computer from a ransom ware
> attack?
>
> P
>
How does a NAS box used as a backup of all my data fare in a ransom
attack? My NAS box is in sleep mode when I am not using it.

Re: Using "System Restore" to unlock a computer?
 by: Graham J - Mon, 23 Oct 2023 06:55 UTC

Maurice Helwig wrote:
> On 23/10/2023 8:02 am, Peter Jason wrote:
>> I have Windows11 and I do an automatic System Restore Point daily.
>>
>> Can this System Restore be used to free a computer from a ransom ware
>> attack?
>>
>> P
>>
> How does a NAS box used as a backup of all my data fare in a ransom
> attack. My NAS box is in sleep mode when I am not using it

If access to the NAS is password protected and the connection is
disabled as soon as the backup is complete then the ransomware can only
get at the NAS while your backup process is running. Until the
ransomware finds out the password, of course.

--
Graham J

Re: Using "System Restore" to unlock a computer?
 by: Paul - Mon, 23 Oct 2023 09:46 UTC

On 10/23/2023 2:55 AM, Graham J wrote:
> Maurice Helwig wrote:
>> On 23/10/2023 8:02 am, Peter Jason wrote:
>>> I have Windows11 and I do an automatic System Restore Point daily.
>>>
>>> Can this System Restore be used to free a computer from a ransom ware
>>> attack?
>>>
>>> P
>>>
>> How does a NAS box used as a backup of all my data fare in a ransom attack. My NAS box is in sleep mode when I am not using it
>
> If access to the NAS is password protected and the connection is disabled
> as soon as the backup is complete then the ransomware can only get at the NAS
> while your backup process is running.  Until the ransomware finds out the password, of course.

To quote a Mexican in a certain movie "we don't need no stinkin badges".

A malware, when faced by a NAS, will determine the model number, and
use a "known unpatched exploit" to get into it. No password required.
There are very few NAS which double as bank vaults. There are lots
of NAS models out there, with poor support practices or firmware updates.

The one guy I helped with Ransomware, his entire computer room was
wiped out. This tells you that the state of the art, is thorough.
It leaves no "storage stone" unturned. If computer #1 is exploited,
and you turn on computer #2 to do some Googling, having them on the
same router could spell your doom. The exploited machine(s) have to be
unplugged from the LAN, in an attempt to keep it out of other places.

Some ransomwares remain submerged for a period of time, recording
activity on the machine, so they have a fair idea what resources
you have available. Maybe they watch your file share activity,
log the keyboard input (snarf passwords) and so on.

All I know about my own computer room, is if they get in here,
I have poor LAN security... I don't collect images all that often,
and the last set totaled 4TB. At least the WinXP machine is dead,
so they can't worm in via SMB1 :-) some NAS boxes still use SMB1.

I wish I could have a more positive attitude on the topic, but
I don't see any guarantees involved here. And I don't particularly
believe "layered defense" will do you much good, because the offense
develops techniques and they share them with one another. For example,
you don't write your own Restore Point smasher, you just use the
one that is circulating, as part of your malware. Modules for various
purposes can be sold as "kits", so it might be $1000 for a kit to
bust into a set of NAS models. It's an ecosystem.

Paul

Re: Using "System Restore" to unlock a computer?
 by: Maurice Helwig - Mon, 23 Oct 2023 10:22 UTC

On 23/10/2023 7:46 pm, Paul wrote:
> On 10/23/2023 2:55 AM, Graham J wrote:
>> Maurice Helwig wrote:
>>> On 23/10/2023 8:02 am, Peter Jason wrote:
>>>> I have Windows11 and I do an automatic System Restore Point daily.
>>>>
>>>> Can this System Restore be used to free a computer from a ransom ware
>>>> attack?
>>>>
>>>> P
>>>>
>>> How does a NAS box used as a backup of all my data fare in a ransom attack. My NAS box is in sleep mode when I am not using it
>>
>> If access to the NAS is password protected and the connection is disabled
>> as soon as the backup is complete then the ransomware can only get at the NAS
>> while your backup process is running.  Until the ransomware finds out the password, of course.
>
> To quote a Mexican in a certain movie "we don't need no stinkin badges".
>
> A malware, when faced by a NAS, will determine the model number, and
> use a "known unpatched exploit" to get into it. No password required.
> There are very few NAS which double as bank vaults. There are lots
> of NAS models out there, with poor support practices or firmware updates.
>
> The one guy I helped with Ransomware, his entire computer room was
> wiped out. This tells you that the state of the art, is thorough.
> It leaves no "storage stone" unturned. If computer #1 is exploited,
> and you turn on computer #2 to do some Googling, having them on the
> same router could spell your doom. The exploited machine(s) have to be
> unplugged from the LAN, in an attempt to keep it out of other places.
>
> Some ransomwares remain submerged for a period of time, recording
> activity on the machine, so they have a fair idea what resources
> you have available. Maybe they watch your file share activity,
> log the keyboard input (snarf passwords) and so on.
>
> All I know about my own computer room, is if they get in here,
> I have poor LAN security... I don't collect images all that often,
> and the last set totaled 4TB. At least the WinXP machine is dead,
> so they can't worm in via SMB1 :-) some NAS boxes still use SMB1.
>
> I wish I could have a more positive attitude on the topic, but
> I don't see any guarantees involved here. And I don't particularly
> believe "layered defense" will do you much good, because the offense
> develops techniques and they share them with one another. For example,
> you don't write your own Restore Point smasher, you just use the
> one that is circulating, as part of your malware. Modules for various
> purposes can be sold as "kits", so it might be $1000 for a kit to
> bust into a set of NAS models. It's an ecosystem.
>
> Paul
>
>
Thanks Paul, I will review my backup procedures and storage.

Re: Using "System Restore" to unlock a computer?
 by: Carlos E. R. - Mon, 23 Oct 2023 10:44 UTC

On 2023-10-23 12:22, Maurice Helwig wrote:
> On 23/10/2023 7:46 pm, Paul wrote:
>> On 10/23/2023 2:55 AM, Graham J wrote:
>>> Maurice Helwig wrote:
>>>> On 23/10/2023 8:02 am, Peter Jason wrote:
>>>>> I have Windows11 and I do an automatic System Restore Point daily.
>>>>>
>>>>> Can this System Restore be used to free a computer from a ransom ware
>>>>> attack?
>>>>>
>>>>> P
>>>>>
>>>> How does a NAS box used as a backup of all my data fare in a ransom
>>>> attack. My NAS box is in sleep mode when I am not using it
>>>
>>> If access to the NAS is password protected and the connection is
>>> disabled
>>> as soon as the backup is complete then the ransomware can only get at
>>> the NAS
>>> while your backup process is running.  Until the ransomware finds
>>> out the password, of course.
>>
>> To quote a Mexican in a certain movie "we don't need no stinkin badges".
>>
>> A malware, when faced by a NAS, will determine the model number, and
>> use a "known unpatched exploit" to get into it. No password required.
>> There are very few NAS which double as bank vaults. There are lots
>> of NAS models out there, with poor support practices or firmware updates.
>>
>> The one guy I helped with Ransomware, his entire computer room was
>> wiped out. This tells you that the state of the art, is thorough.
>> It leaves no "storage stone" unturned. If computer #1 is exploited,
>> and you turn on computer #2 to do some Googling, having them on the
>> same router could spell your doom. The exploited machine(s) have to be
>> unplugged from the LAN, in an attempt to keep it out of other places.
>>
>> Some ransomwares remain submerged for a period of time, recording
>> activity on the machine, so they have a fair idea what resources
>> you have available. Maybe they watch your file share activity,
>> log the keyboard input (snarf passwords) and so on.
>>
>> All I know about my own computer room, is if they get in here,
>> I have poor LAN security... I don't collect images all that often,
>> and the last set totaled 4TB. At least the WinXP machine is dead,
>> so they can't worm in via SMB1 :-) some NAS boxes still use SMB1.
>>
>> I wish I could have a more positive attitude on the topic, but
>> I don't see any guarantees involved here. And I don't particularly
>> believe "layered defense" will do you much good, because the offense
>> develops techniques and they share them with one another. For example,
>> you don't write your own Restore Point smasher, you just use the
>> one that is circulating, as part of your malware. Modules for various
>> purposes can be sold as "kits", so it might be $1000 for a kit to
>> bust into a set of NAS models. It's an ecosystem.
>>
>>     Paul
>>
>>
> Thanks Paul, I will review my backup procedures and storage.

Consider the NAS accessing your machines to do the backups, not the
other way round, so that they can not infect the NAS from your machines.
No access from the computer to the NAS. And no remote access on the NAS.
Then you also need backups OFF line (external hard disks, manually
connected only during the backup procedure). Many. Also consider that
the NAS doesn't run any type of Windows: have a mixed room.

You might hire an external consultant specialized in backups, hardware
and software.

--
Cheers,
Carlos E.R.
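
The pull arrangement described in the post above, as an added example that is not part of the post or of any NAS vendor's software: the backup host reads the PC's share and keeps dated snapshots, and the PC never gets write access to the repository. The function name, the paths and the read-only mount are assumptions, and the sample files are constructed.

```python
import filecmp
import os
import shutil
import tempfile
from pathlib import Path


def pull_snapshot(source: Path, repo: Path, name: str) -> Path:
    """Run on the backup host. Reads `source` (assumed: a read-only mount of
    the PC's share) and writes a new snapshot repo/name. Existing snapshots
    are never overwritten or deleted here, so a bad pull cannot damage them."""
    repo.mkdir(parents=True, exist_ok=True)
    older = sorted(p for p in repo.iterdir() if p.is_dir())
    prev = older[-1] if older else None
    dest = repo / name
    dest.mkdir()  # raises FileExistsError rather than reuse a snapshot name
    for root, _dirs, files in os.walk(source):
        rel = Path(root).relative_to(source)
        (dest / rel).mkdir(exist_ok=True)
        for fname in files:
            src = Path(root) / fname
            old = prev / rel / fname if prev is not None else None
            if old is not None and old.is_file() and filecmp.cmp(src, old, shallow=False):
                os.link(old, dest / rel / fname)  # unchanged: share the data
            else:
                shutil.copy2(src, dest / rel / fname)  # new or changed: copy
    return dest


if __name__ == "__main__":
    # Constructed demo data: a "PC share" whose file is later overwritten.
    tmp = Path(tempfile.mkdtemp())
    share, repo = tmp / "pc_share", tmp / "nas_repo"
    share.mkdir()
    (share / "report.txt").write_text("quarterly figures")
    (share / "photo.txt").write_text("holiday")
    first = pull_snapshot(share, repo, "2023-10-23")
    (share / "report.txt").write_text("ENCRYPTED")  # stand-in for damage
    second = pull_snapshot(share, repo, "2023-10-24")
    print((first / "report.txt").read_text())
    print((second / "report.txt").read_text())
    print(os.path.samefile(first / "photo.txt", second / "photo.txt"))
```

A damaged source still produces a damaged newest snapshot; what the pull direction preserves is the older generations, which is why the offline copies mentioned in the post are still needed.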

Re: Using "System Restore" to unlock a computer?

<uh6jp3$3bp7p$1@dont-email.me>


https://www.novabbs.com/computers/article-flat.php?id=3180&group=alt.comp.os.windows-11#3180

Newsgroups: alt.comp.os.windows-11
Path: i2pn2.org!i2pn.org!eternal-september.org!news.eternal-september.org!.POSTED!not-for-mail
From: mbhel...@aussiebroadband.com.au (Maurice Helwig)
Newsgroups: alt.comp.os.windows-11
Subject: Re: Using "System Restore" to unlock a computer?
Date: Tue, 24 Oct 2023 06:06:59 +1000
Organization: A noiseless patient Spider
Lines: 73
Message-ID: <uh6jp3$3bp7p$1@dont-email.me>
References: <nq6bjid2eunv7kldceafqn2k8no0gbaq90@4ax.com>
<9ff0b080-c956-4481-af52-1b18c12f3671@aussiebroadband.com.au>
<uh55cm$2vs1d$1@dont-email.me> <uh5fe4$32437$1@dont-email.me>
<uh5hgq$32gn4$1@dont-email.me> <kpn14mFbri6U1@mid.individual.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
Injection-Date: Mon, 23 Oct 2023 20:06:59 -0000 (UTC)
Injection-Info: dont-email.me; posting-host="7d68714fde5b44a01a9f5d2be1b25a5b";
logging-data="3532025"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX1/W01iC+MBjxi2LyvqJrMP5yE5Uv/rQnCE="
User-Agent: Mozilla Thunderbird
Cancel-Lock: sha1:+3OFlfTVQk0D8u7+54FwsvsEtIM=
In-Reply-To: <kpn14mFbri6U1@mid.individual.net>
Content-Language: en-US
 by: Maurice Helwig - Mon, 23 Oct 2023 20:06 UTC

On 23/10/2023 8:44 pm, Carlos E. R. wrote:
> On 2023-10-23 12:22, Maurice Helwig wrote:
>> On 23/10/2023 7:46 pm, Paul wrote:
>>> On 10/23/2023 2:55 AM, Graham J wrote:
>>>> Maurice Helwig wrote:
>>>>> On 23/10/2023 8:02 am, Peter Jason wrote:
>>>>>> I have Windows11 and I do an automatic System Restore Point daily.
>>>>>>
>>>>>> Can this System Restore be used to free a computer from a ransom ware
>>>>>> attack?
>>>>>>
>>>>>> P
>>>>>>
>>>>> How does a NAS box used as a backup of all my data fare in a ransom
>>>>> attack? My NAS box is in sleep mode when I am not using it.
>>>>
>>>> If access to the NAS is password protected and the connection is
>>>> disabled as soon as the backup is complete then the ransomware can
>>>> only get at the NAS while your backup process is running.  Until the
>>>> ransomware finds out the password, of course.
>>>
>>> To quote a Mexican in a certain movie "we don't need no stinkin badges".
>>>
>>> A malware, when faced by a NAS, will determine the model number, and
>>> use a "known unpatched exploit" to get into it. No password required.
>>> There are very few NAS which double as bank vaults. There are lots
>>> of NAS models out there, with poor support practices or firmware
>>> updates.
>>>
>>> The one guy I helped with Ransomware, his entire computer room was
>>> wiped out. This tells you that the state of the art, is thorough.
>>> It leaves no "storage stone" unturned. If computer #1 is exploited,
>>> and you turn on computer #2 to do some Googling, having them on the
>>> same router could spell your doom. The exploited machine(s) have to be
>>> unplugged from the LAN, in an attempt to keep it out of other places.
>>>
>>> Some ransomwares remain submerged for a period of time, recording
>>> activity on the machine, so they have a fair idea what resources
>>> you have available. Maybe they watch your file share activity,
>>> log the keyboard input (snarf passwords) and so on.
>>>
>>> All I know about my own computer room, is if they get in here,
>>> I have poor LAN security... I don't collect images all that often,
>>> and the last set totaled 4TB. At least the WinXP machine is dead,
>>> so they can't worm in via SMB1 :-) some NAS boxes still use SMB1.
>>>
>>> I wish I could have a more positive attitude on the topic, but
>>> I don't see any guarantees involved here. And I don't particularly
>>> believe "layered defense" will do you much good, because the offense
>>> develops techniques and they share them with one another. For example,
>>> you don't write your own Restore Point smasher, you just use the
>>> one that is circulating, as part of your malware. Modules for various
>>> purposes can be sold as "kits", so it might be $1000 for a kit to
>>> bust into a set of NAS models. It's an ecosystem.
>>>
>>>     Paul
>>>
>>>
>> Thanks Paul, I will review my backup procedures and storage.
>
> Consider the NAS accessing your machines to do the backups, not the
> other way round, so that they can not infect the NAS from your machines.
> No access from the computer to the NAS. And no remote access on the NAS.
> Then you also need backups OFF line (external hard disks, manually
> connected only during the backup procedure). Many. Also consider that
> the NAS doesn't run any type of Windows: have a mixed room.
>
> You might hire an external consultant specialized in backups, hardware
> and software.
>
Thank you
