Ransomware Recovery

What do I do to restore my Clarion environment if my computer (and the backup server) gets wiped out by ransomware or wiperware?

I have backups of my projects and apps, stored both on the server and in the cloud, using Carbonite. But what about Clarion itself, plus all the add-ins and accessories, and all of their serial numbers and stuff? Plus all my default settings, fonts, etc.

Some people have suggested uploading stuff to GitHub. So, what is the best GitHub client, and what exactly do I need to upload, and where to find it? How do I make sure the stuff is private on GitHub?

I would welcome any and all suggestions, advice and best practices that you may wish to share. I will implement the ones that seem to fit my environment.

Years ago I started using the system described both by JP and by Friedrich.
I have VMware running on my machine.
All my Clarion work is done in a virtual machine.

I have a half dozen USB hard drives to which I copy the VMs on a rotating basis.

It's been useful when my host machine has died for other reasons. 15 minutes to copy the needed VM onto a different computer that has VMware installed and everything is back just where it was.

Yes, it's a bit slower than running natively on the host. But a no-brainer trade-off for me.

And I've got a USB NVMe drive with VM backups that I keep in a "fireproof" box.

As well as the VMs, I also make separate backups for projects, etc.

YMMV

I save most stuff to SVN on my office server. It's Linux based and I don't believe there is ransomware that works on Linux.
The SVN data is not accessible except via SVN so I think I'm right.

Any form of backup you have will be better than none

Hate to be a party pooper, but there is ransomware targeting Linux. Don't buy into the falsehood that Linux is unhackable.

The Week in Ransomware - June 10th 2022 - Targeting Linux (bleepingcomputer.com)
Anatomy of a Linux Ransomware Attack | LinuxSecurity.com

I can also state that despite having every MS Windows security measure switched on, like Ransomware protection, now I keep a copy of my backups on my main desktop and offline, and the hackers trolling me have weaponised those backups. So when I have finished developing a template or some app, that's it, don't do any more work on it, until I start using it in anger, but as this can be a few months later as other stuff needs developing in between, months later when using those templates in anger, I find parts of the template have been restored to an earlier buggy version! It's annoying as &%^*!!! Not only does this demonstrate they have a level of oversight over my work, suggesting it's not some automated blunt attack program, but I still can't find how they are communicating or getting the data from an offline computer.

Now my monitors do have presence detection, a bit like this PowerSensor Monitor | Philips, so my monitors know when I am in front of them or not. Their range is probably a good 30 feet distance at 45 degrees from the monitor, so anyone that had an early TV and wireless remote control will know you can transmit data using IR TV remotes, so this might be one of the ways they can cross the airgap. Early laptops also used to have an IR transmitter, usually on the side of the laptop, as did many Windows CE phones when we had proper tiny keyboards on the phones, and unlike laptop monitors I can't break these monitors apart easily to remove or disconnect the sensors.

I've also disconnected all Bluetooth and Wi-Fi adaptors from my desktop to remove that airgap risk, and use shielded cables as these can also act as antennas, but the Intel Management Engine is still a risk, and getting at the Intel microcode or other chips which are not fused permanently are also valid attack vectors for hackers, and there's plenty of them to look at. This website is a gold mine for hacks, but some do need a physical presence: Sprites mods - Hard disk hacking - Intro

I did find out a few years ago that the UK happens to run a stealth secondary ADSL stream to people's houses for streaming videos from content providers. So think of ADSL as a load of radio stations all transmitting down a copper wire at the same time on their frequency. Your router is like a radio that can tune in to all the radio stations at the same time and reassemble the data transmitted over the different frequencies. When I was using an off-the-shelf router, and was poking around inside an ISP-supplied router, that's when I discovered the second ADSL connection which is used for streaming content.

Now this has also tweaked my interest, because I now wonder if I can turn a router into a multi-frequency radio scanner for over-the-air devices, with maybe some SDR components. A project for another time at the moment, but I do wonder what else we can do with these routers.

Anyway, TLDR: Linux can be ransomwared and backups can be weaponised, so at least minimising the time a backup device spends connected to a computer could be useful, but I'm also aware any ransomware is going to be much smaller in size than a backup and could potentially have the ability to store itself on backups as a sleeper bit of code waiting for some future date and condition to be reactivated.

I think all you can do is hope you can restore backups, but also clean down and reinstall any machine as quickly as possible which means logging all those little changes made to devices and software to get it just the way we want.

Thanks for that. I'm very aware that Linux is hackable, it's just more difficult.
I wasn't aware of any ransomware, now I am :slight_smile:

If you can get into a machine, at one level it doesn't even matter if it's running Windows, Linux, or MacOS, the CPU will still accept the same machine code commands, although instruction sets do vary with CPUs.

Today's cars are also good examples: not only do they have isolated systems like infotainment systems, engine management systems and ABS systems, some are less isolated than others. This has many parallels with a CPU when thinking about the isolated processors on a CPU today, like the old maths coprocessor. When looking at how easily people can chip their car to improve performance, the skillset for editing instructions on chips is more widespread than most people perhaps realise. In some ways the chip upgrades which improve performance for a period of time like 7 days as a sampler are a bit like the TSR developed by one of the Borland/Clarion developers, was it Nigel Hicks?

Anyway, the point being, I continue to be amazed at the level of innovation that exists.

Banks face their 'darkest hour' as crimeware powers up • The Register

I came up with this one years ago, only you just make sure it's waterproof and leave it in the gutters, because it's out of sight, out of mind, but you could certainly snoop on farms and country estates and manor houses. Most people, if they clean their gutters, might be giving them a clean out before autumn kicks off and another one in spring, but that's about it. So many attack vectors…
Wi-Fi spy drones used to snoop on financial firm • The Register

I am looking at setting one of these up now to see if it works at sanitizing the usb sticks moved between an online pc and my offline dev pc. GitHub - CIRCL/Circlean: USB key cleaner

I think I might be getting closer to building one of these rooms at this rate. :wink:
Mission: Impossible (1996) - Close Call Scene (5/9) | Movieclips - YouTube

OK guys, let's assume my projects are backed up. One copy on the server, another copy in the cloud, but not using a "live" cloud service like Dropbox or Google Drive.
Do I just back up the entire C:\Clarion11 folder and my C:\Installs folder with all my installers and serial numbers in it? Anything else?

How do I send this stuff to GitHub? What is the best GitHub client to do this?

Yes, the Clarion 11 folder and the SV folder under user\appdata\roaming.
Using those you can put it all back together again.

1 Like

Yes

Yes - Registry keys. The IDE and 3rd party apps use the registry as well. I haven't found any other changes made yet, but if I remember correctly there is some sort of storage on an Intel CPU which lets software vendors store licences on the CPU somewhere, like the Windows licence is stored in the UEFI BIOS. I think it might be Intel's Software Guard Extensions (Software Guard Extensions - Wikipedia), and I'm not aware of anyone in Clarion, i.e. SV or 3rd party addons, using it either.

I'm uncomfortable with offsite storage because I know what people are like, including the security services. I caught Dropbox going through my dev machine when they first appeared on the scene. API Monitor: Spy on API Calls and COM Interfaces (Freeware 32-bit and 64-bit Versions!) | rohitab.com helped there, and despite getting my machine and network locked down so I can account for every packet going in and out, hackers have been able to change BIOS passwords and other things. Even air gapping a computer is getting harder now with new tech built into devices that can't be deselected.

1 Like

I recommend Acronis Backup; it can back up whole files including Windows Operator, Registry, Application, Document & other data. Yep… Clarion too… and all partition drives too!!!

Better than being sorry about ransomware by a hacker.

Best Acronis at https://www.acronis.com/en-us/
:wink:

1 Like

Compatibility of Acronis Backup Software with Encryption Software | Knowledge Base

  • Acronis Backup software may fail to access an encrypted partition from Windows and thus will not back it up;
  • Acronis Backup software may fail to resize an encrypted partition during restore;
  • Acronis Backup software may back up an encrypted partition from Windows, but restoring such a partition will make it unencrypted. If an encrypted system partition is backed up and then restored, then the machine will become unbootable after the restore. This is only true when working in Windows;
  • Some files may be missing in the backup;
  • Files that were encrypted by third-party software may be corrupted after restore.

The same problems which exist with encrypted partitions in Linux exist in Windows as well. I have that problem with Dell's management software as well; it can't handle encrypted partitions.

There are also legal implications with using other people's software as well; their end user licence agreements are open to interpretation, and knowing every major country has their own security services, this can become a factor. Put simply, having excellent security services can be a disadvantage for those countries.

1 Like

A complete disk image is a good idea, but only if stored offline, such as on an external hard drive. And make sure the drive to be imaged doesn't have any bad sectors, or the backup may fail. The same applies to the target drive.

I have an old copy of Acronis, and I generally do a sector-by-sector backup, but a file-by-file restore. Files like thumbs.db should not be backed up or restored. Remember that external drives should be formatted in NTFS mode, not FAT32, because of the 4 GB file size limit.

I don't need encryption on Acronis.
Only a normal backup onto a 5 TB portable HDD, keeping up to 4 weeks of storage in separate folders. For example, if any one is faulty or corrupted and unable to restore, find another previous week's folder with a good recovery and it is safe. After backup, put it away in the fireproof/security safe box. I have used an Acronis license for 6 years.

I'm not happy with that, but I am happy with that because it's a form of privacy, and I think most people don't value privacy properly. Can it be brute-force cracked with enough resources? Probably.

Have you bought two of these boxes and tested one of them?

I'm not trying to defend against the apocalypse, just against sudden complete data loss due to hacking or hardware loss or failure, such as a burglary, flooding, lightning, or hard drive crash.

I use the 1-2-3 rule of backups: you should always have three copies: (1) the original, (2) one local backup and (3) one remote backup. A complete image of the PC is useful, but not essential if you can recover from (2) or (3). I'm assuming that the ransomware will destroy (1) and (2).
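Two points in this thread, the three-copies rule above and the earlier report of backed-up templates silently rolling back to an older buggy version, both come down to knowing whether a backup copy still matches what was written. The following is an added example, not code from the thread or from Clarion/Acronis: it records a SHA-256 manifest of a backup tree at backup time and later compares a copy (local or remote) against it, reporting modified, missing and added files; the folder and file names in the demo are constructed for the example.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def file_sha256(path: Path) -> str:
    """Hash a file in 1 MiB chunks so VM images and installers are not read into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative, forward-slash path) to its SHA-256 hex digest."""
    return {p.relative_to(root).as_posix(): file_sha256(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_copy(manifest: dict, copy_root: Path) -> dict:
    """Compare a backup copy against the manifest recorded when the backup was made."""
    current = build_manifest(copy_root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "added": sorted(k for k in current if k not in manifest),
    }


def demo() -> dict:
    """Constructed scenario: record a manifest, then one template is reverted and a stray file appears."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"            # constructed stand-in for a backup drive folder
        (backup / "templates").mkdir(parents=True)
        (backup / "templates" / "mytemplate.tpl").write_text("#TEMPLATE(MyTpl) v2 fixed\n")
        (backup / "myapp.app").write_bytes(b"\x00APP\x01constructed")
        # The manifest must live where the backup medium cannot rewrite it (another medium, or printed).
        manifest_json = json.dumps(build_manifest(backup), indent=1)
        # Later: the template has been rolled back to the buggy v1 and a stray file has appeared.
        (backup / "templates" / "mytemplate.tpl").write_text("#TEMPLATE(MyTpl) v1 buggy\n")
        (backup / "thumbs.db").write_bytes(b"junk")
        return verify_copy(json.loads(manifest_json), backup)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Run the manifest step against each copy (local and remote) when the backup is taken, and the verify step before trusting a copy for a restore; a non-empty "modified" or "missing" list means that copy is not the one you wrote.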