Ransomware – Air Gap Security for the Little Guy

Picture shows a ransom note.

Ransomware – A public service provided by Eastern European thugs

Nefarious eastern European crime gangs taking over your personal computers and holding them for ransom? A frightening threat! What is a small business owner to do? You don’t have a staff of hundreds of IT security experts sitting in a darkened command center protecting your business. In fact, chances are that your office is pretty small, just a handful of PCs. And that large IT security staff? It’s you! That is, it’s you when you aren’t busy selling your product, arguing with the bank, providing psychotherapy to your small team of employees, trying to figure out the accounting software, and otherwise running your business.

In this post, I will outline a simple approach to hardening your little business against these very real threats. There will be a small initial investment in hardware and software, as well as a little time to set things up. However, once you are set up, there will be no recurring costs, and twenty minutes or so once a week should be adequate for you to have a solid defense against this sort of attack.

Executive Summary

  1. Make sure you have a solid antivirus package installed everywhere.
  2. Use a cloud service like DropBox or SpiderOak to store your data files.
  3. Buy an external USB hard disk for every PC or Mac you own.
  4. Buy R-Drive Image for the PCs and SuperDuper! for the Macs.
  5. Back up each machine to its dedicated USB hard disk once per week.
  6. Unplug the USB hard disk after each backup.

Antivirus Software

If you are trying to run a small business without any antivirus software installed on your personal computers, you need to have your head examined.

The good news is that there are a lot of choices and there is a lot of high quality review information available. Here is a good recent review: PC Magazine 2015 Ratings

Annoying Avast popup (my computer is NOT running slow)

At Asatte Press, we have been using Avast Internet Security and have been reasonably satisfied with it. However, recently the Avast team has been adding more and more annoying popups that try to sell you expensive upgrades. For me these intrusive popups are a sign that they are losing touch with their customers’ needs. That is, the three key requirements for an Antivirus program are that it be:

  1. Effective
  2. Cheap
  3. Unobtrusive

I have been pleased with Avast on points (1) and (2) but they are starting to fail on point (3). When our current licenses expire, we may evaluate alternatives.

In any case, I offer the following tips:

  1. If you have Mac computers, your Antivirus vendor needs to offer a solution for Macs. (Macs are not immune to attack)
  2. If you have several computers, you can probably get a better price by buying a quantity license.
  3. Almost all vendors offer multiple levels of features. You don’t need the premium, all-singing, all-dancing version. The cheapest version or perhaps one up from the bottom is usually sufficient.
  4. iOS and Android devices are a grey area. The problem is not nearly as developed as the problem with PC software. However, if you have these sorts of devices (who doesn’t?) you should look for an antivirus vendor that at least has a plan to have something for these platforms.

Solution Part 1: AntiVirus – Pick an AntiVirus vendor. Buy a bulk license. Deploy the AntiVirus to ALL of your devices, not just to your Windows PCs.

Cloud Data Storage

Use cloud storage. A good cloud storage solution is incredibly convenient. You just edit and save your files on machine A. You then walk over to machine B. By the time you get there, the updated version is on machine B. No fuss. No muss. Not only is this function convenient, it also makes you almost completely invulnerable to the loss of a machine, whether the machine is lost to a hardware failure, lost when your office building burns down, or lost to a ransomware attack.

If you are not very technical, I recommend DropBox. It is superbly easy to install and very effective. You can do quite a bit with their free version and do almost anything you can imagine with their paid version.

If you are a bit more technical and you are a bit more concerned about security, you may want to consider SpiderOak. While DropBox does encrypt your files on its server, it has a major flaw in its security concept: DropBox creates the encryption keys and stores them on its servers. This approach is basically like putting a spare key to your front door under the doormat. As soon as any government agency gets curious, they can simply demand that DropBox unlock the data for them to feast on. I am not too worried about the out-of-control government agency scenario. The bigger risk is that the eastern European thugs might breach DropBox’s defenses and gain access to the server full of encryption keys. At that point, there would be nothing between them and your data.

SpiderOak solves this problem with a different implementation approach: you make up the encryption key (not them) and that key never leaves your PC. When the out-of-control government agency or eastern European thug group arrives, there is no key anywhere on SpiderOak’s system. The only thing they can get access to is mountains of encrypted data.

We are currently using SpiderOak and DropBox in parallel. SpiderOak is a much smaller operation and they have had one or two hiccups, but generally it seems to perform about as well as DropBox and it is a more secure architecture.

One thing to be careful of is barnacle cloud services. Almost all the big players out there are trying to prompt you to install things like iCloud or Windows SkyDrive in hopes that they will be able to push DropBox out of your life. Don’t let them do it. Each additional cloud service that you install – especially ones like iCloud that want to vacuum up everything on your device – introduces an additional level of security risk. Only install cloud services that you plan to use regularly and pay attention to.

Solution Part 2: Cloud Data Storage – Pick a cloud storage vendor and store all your documents and data in the cloud. Don’t let additional barnacle cloud services install themselves if you don’t actually plan to use them.

The Basic “Air Gap” Approach

The picture shows an external USB hard drive, unplugged, sitting on top of a PC

‘Air Gap’ Security Demystified – External USB Drives

So the eastern European thugs have encrypted your hard disk? No problem, we will just restore the computer from the backup.

Or will we?

Making regular backups of computers is one of those things like flossing your teeth, pasting pictures into photo albums, writing thank you notes, and eating lots of vegetables…that everyone knows that they SHOULD do…but that a lot of regular folks somehow never quite get around to.

Well, those anal-retentive people like me who have figured out how to work regular computer backups into the schedule (I am getting much better about the vegetables…) have long since figured out that the way to make it regular is to make it painless. As such, all of our PCs at Asatte Press have been purpose-built with redundant hard disks. Backup is a snap. Configure the backup utility to point to the spare hard disk and press “Go” every now and then.

Unfortunately, the eastern European thugs have foreseen this eventuality. Not only do their ransomware programs scramble your main hard disk, these %$#!! programs scan your other hard disks and purposely destroy anything that looks like a backup image.

That is where the “air gap” comes in. This mysterious term simply means that there is no wired (or wireless!) connection between device A and device B. That is, there is an “air gap” between the two devices. Unfortunately, those extra hard disks that we built into our PCs do not pass this test. There is no air gap between them and the hackers and indeed they have been compromised.

Luckily, however, an external USB hard disk that you unplug after each backup has exactly that “air gap” feature.

Solution Part 3: External USB Hard Disks for Each PC – This step is pretty simple. Buy a large external USB hard disk for each PC. As of the date of this post, two terabyte external USB hard disks are selling for $89 on Amazon.com. Unless you are trying to edit video on a PC, chances are high that you will be using at most 200 to 300 gigabytes of your disk. A 2TB USB drive will be sufficient to have multiple versions backed up for each PC.

“Can’t I just buy one and share it?” – I don’t recommend attempting to save money this way. You will get very confused about which image belongs to which computer. As a small business operation it is safer and more effective to simply dedicate one USB drive to each PC in your office.

Norton Ghost for Windows 7 and Below

The picture shows the box cover of Norton Ghost 15

Norton Ghost – Great Product for Windows 7 and Below

Once upon a time there was a wonderful product called “Norton Ghost”. The product was reasonably priced (if you did not mind processing the rebate coupons). The product was easy to install and easy to use. It worked really well.

Although the product had many features, the feature that users loved was the ability to make an image of a computer’s hard disk that included every bit and was effectively a snapshot in time. Mess up your system settings? Accidentally download an obnoxious virus? Upgrade to a catastrophically unstable device driver version? No problem!

  1. Put the Norton Ghost install CD in your CD drive.
  2. Plug in the USB hard drive containing the backup image.
  3. Reboot the computer.

Norton Ghost would come up, automatically detect everything, find your backup image and present you with the option to restore. All you had to do was click “Go” and go eat lunch. When you came back, your computer would be as good as new. Every last bit would be back where it was prior to the screw up.

This product was so handy and useful, it had achieved marketeer’s Nirvana: the product name had become a well-known verb. “No problem. I’ll just ghost that and have you back up in a jiffy!”

This halcyon state of affairs lasted through 2011 and into early 2012, at which point PC makers started transitioning from conventional BIOS to UEFI, an architectural upgrade meant to overcome limitations caused by the 1980s-era architecture of conventional BIOS…

Don’t Buy Symantec System Recovery

The picture shows the box cover of Symantec System Recovery 2013

Symantec System Recovery – Not Recommended

Since UEFI BIOS was going to require some adjustments to the product design, Symantec decided to make a number of changes to their marketing strategy at the same time:

  1. Substantial price increase. Or, at least a substantial effective price increase as they both increased the price and stopped offering rebates.
  2. Replace the catchy “Ghost” name with the eminently forgettable “Symantec System Recovery”.
  3. Make the product much more complicated.
  4. Ship a product that does not actually work.

Frankly speaking, I can’t imagine what they were thinking. Why did they simply throw away all the customer goodwill built up around the “Ghost” brand? I can’t see any upside for them.

In any event, the product does not work. In 2014 I purchased a new top-of-the-line Lenovo X1 Carbon with a QXGA (2048 x 1536) screen and Windows 8.1. Being a loyal Ghost customer, I also made the effort to figure out what Symantec had done with my favorite product and chase down a copy of Symantec System Recovery 2013 – paying more than twice what I had previously paid for Ghost. Once I had it installed, it seemed to work in a manner similar to Ghost.

However, earlier this year I needed to send the notebook in for repair and was getting ready for the service center to completely wipe my disk. As a precaution, I decided to make sure that the new Symantec product was going to be able to restore my system. I was appalled to find that NO, it was NOT going to restore my system. First, it was not smart enough to recognize the QXGA resolution monitor. On reboot the UI was microscopic. Each line was about 1/8″ high. Using a magnifying glass, I found that the product had decided that the backups (which it had made!) could not be loaded onto my hard disk. I spent a few hours crawling around on online forums and reading cryptic release notes put out by the Symantec team. The bottom line was that I was supposed to get some special low-level disk formatting tools – not provided by Symantec – and do some sort of intricate and risky low-level formatting procedure which might have run afoul of Lenovo’s backup partitioning scheme.

Extremely irritated, I sent the machine in for service as is with no backup solution and a failing power switch that made it difficult or impossible to install one. Needless to say, I can’t recommend this product.

R-Drive Image for Windows (Any Version)

The picture shows the box for R-Drive Image

R-Drive Image for Windows

After the X1 Carbon went to Lenovo’s service center in Atlanta…the initial results were not acceptable. Late. Poor communication. However, about the third time I called on a Friday, I got a crackerjack, smart young woman on the phone and she made heaven and earth move. Monday morning my repaired machine was waiting for me at my office in Austin with absolutely every hardware problem repaired – and with my disk contents intact. In fact, the quality of the unit was BETTER after service than it was when I first purchased it.

Interestingly, I had a similar experience with a Sony Vaio notebook. Apparently, the factories in China are not all that careful. Units arrive on your doorstep in the United States that are barely snapped together. Things fall off. Other things fail. However, when you send the unit in for service, if you get the right United States based highly-skilled technician, that technician will basically take the unit apart and re-manufacture it for you. You end up with a rock-solid unit that is built the way the design team intended it to be built. I now have one Lenovo and one Sony notebook that fit this description.

At any rate, I digress. I did quite a bit of research to find a replacement for Norton Ghost. My choice is R-Drive Image.

R-Drive Image is not cheap, costing a bit more than the historical street price for Norton Ghost. However, R-Drive Image is cheaper than the Symantec product that does not actually work.

R-Drive Image is very easy to purchase online. I used the free trial for a week or so and then purchased a license. I tested it by doing the reboot with a recovery USB (which it creates for you). It booted right up – with a reasonably sized font (!) – found the backup, and was down to the “click here to go” screen. Honestly, I did not click go and let it re-image my hard disk because I am not a well-funded test lab. This is my real working machine I am testing with. However, I feel confident that it would have restored my hard disk without any issues.

One difference between Norton Ghost and R-Drive Image is that the latter does not attempt to make incremental backups. It simply makes an image file of the hard disk on your USB drive. Norton Ghost had the appealing feature of storing delta images. That is, it would make a full backup and then store only changes. R-Drive Image does not have this function. However, I have noticed recently that on some of our Windows 7 machines that are still using Norton Ghost, it is struggling to do these incremental images now that we have 200+ GB of stuff to back up. I think the days of the incremental image may be behind us. In any case, my two terabyte external hard disk holds about 10 backup images of my Lenovo X1 Carbon comfortably. As such, I simply manage it. I keep one really old backup, one from perhaps two months ago, and starting from a month ago, one per week.
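The rotation just described, written out as a retention plan in Python so the keep/prune decision for a drive full of images is mechanical rather than eyeballed. This is an added example, not code from the post or from R-Drive Image; the image filenames, the date-in-filename naming convention and the "today" value are all constructed for the sample.

```python
"""Retention plan for the weekly air-gapped image rotation in the post.

Added example.  It assumes a made-up naming convention in which each
image file carries an ISO date; R-Drive Image's real output names are
not taken from the post.
"""
import re
from datetime import date, timedelta

DATE_RE = re.compile(r"(\d{4}-\d{2}-\d{2})")

# Constructed sample: a directory listing of one PC's dedicated USB drive.
SAMPLE_IMAGES = [
    "x1carbon_2014-11-02.img", "x1carbon_2015-01-11.img",
    "x1carbon_2015-02-08.img", "x1carbon_2015-02-22.img",
    "x1carbon_2015-03-01.img", "x1carbon_2015-03-08.img",
    "x1carbon_2015-03-15.img", "x1carbon_2015-03-22.img",
    "x1carbon_2015-03-25.img", "x1carbon_2015-03-29.img",
]
TODAY = date(2015, 4, 2)  # constructed "today" for the sample


def image_date(name):
    """Pull the backup date out of an image filename."""
    m = DATE_RE.search(name)
    if m is None:
        raise ValueError(f"no YYYY-MM-DD date in {name!r}")
    return date.fromisoformat(m.group(1))


def plan_retention(names, today, max_images=10):
    """Return (keep, prune), both in date order.

    Policy from the post: one really old image, one from about two months
    back, and one per week for the last month.  max_images is how many full
    images the drive holds (about 10 on the 2 TB drive); a plan that exceeds
    it raises so an overfull drive is noticed rather than silently trimmed.
    """
    by_date = sorted(names, key=image_date)
    if not by_date:
        return [], []
    keep = {by_date[0]}                              # the really old one
    older = [n for n in by_date if (today - image_date(n)).days > 30]
    if older:                                        # closest to ~60 days ago
        target = today - timedelta(days=60)
        keep.add(min(older, key=lambda n: abs((image_date(n) - target).days)))
    newest_in_week = {}                              # last month: one per ISO week
    for n in by_date:
        if (today - image_date(n)).days <= 30:
            newest_in_week[image_date(n).isocalendar()[:2]] = n  # ascending, last wins
    keep.update(newest_in_week.values())
    if len(keep) > max_images:
        raise RuntimeError(f"{len(keep)} images to keep but drive holds {max_images}")
    return ([n for n in by_date if n in keep],
            [n for n in by_date if n not in keep])


if __name__ == "__main__":
    keep, prune = plan_retention(SAMPLE_IMAGES, TODAY)
    print("keep :", *keep, sep="\n  ")
    print("prune:", *prune, sep="\n  ")
```

With the sample listing, the mid-week 03-25 image collapses into the 03-29 weekly slot, and only the 02-08 image survives from the "about two months ago" band.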

Solution Part 4: R-Drive Image for Windows PCs – If you have pre-2012 Windows 7 PCs and can still find a copy of Norton Ghost, you may be able to use that. Otherwise, buy enough R-Drive Image licenses to cover all your PCs. Use it to back up each PC once a week. Unplug each USB disk drive when you are done.

Super Duper! for the Mac

The picture is a screenshot of the SuperDuper web site showing their logo and marketing slogan.

SuperDuper! for the Mac

Macs are wonderful machines, but the selection of native Mac software does not compare to the selection of software available for Windows machines. There is no Norton Ghost for the Mac.

Apple itself provides “Time Machine”. However, from what I have been able to gather, Time Machine suffers from the same problem as our built-in hard disks. You have to leave the hard disk attached at all times for it to work properly. This configuration will not withstand a determined ransomware attack.

Screenshot shows SuperDuper! getting ready to clone a hard disk

SuperDuper! simple disk copy operation

After some research, I found SuperDuper! from Shirt Pocket Software.

SuperDuper! is a very simple and reasonably-priced application. Basically, SuperDuper! simply clones your Mac hard disk to the attached USB disk. This approach is very simple. One slight drawback of this approach is that you can’t store multiple images on the USB drive. Your USB drive stores exactly one and only one snapshot of your Mac. That limitation makes SuperDuper! a little less useful for doing a tricky and complicated series of changes to your Mac. However, the complex-set-of-changes scenario does not happen as often with Macs as it does with Windows machines. For protecting against ransomware attacks, SuperDuper! is entirely adequate.

Solution Part 5: SuperDuper! for Macs – Buy copies of SuperDuper! for all your Macs. Use them to back up each Mac once a week. Unplug each USB disk drive when you are done.

iOS and Android

The ransomware problem is less pronounced for iOS and Android.

There have been some reports of thugs exploiting the Apple “Find My Phone” feature to lock out the legitimate user. The vulnerability seems to be related to the not-very-secure iCloud implementation. However, in the same round of security-hardening that prompted us to install SpiderOak we also locked down iCloud. We took it off of all of our Windows devices and disabled as much of it as possible on our Apple products.

Here is some additional information on the iOS Ransomware Threat.

There are also some Android variants floating around. My previous investigation suggested that the risk for us was pretty low. That is, the risk seemed to be highest for users who revel in constantly downloading and trying new mobile apps. While we do have a few Android devices, they are pretty stable and as such not too much of a risk. However, we have gone ahead and installed Avast AntiVirus on them.

Here is a little more information on the Android Ransomware Threat.