File Replication / File Synchronization and the impact of Ransomware
Problem
Certain types of malicious software, called Ransomware, encrypt a victim's files, making them inaccessible, and then demand a ransom payment to decrypt them. Ransomware attacks are typically carried out using a Trojan that is disguised as a legitimate file that the user is tricked into downloading or opening when it arrives as an email attachment. However, one high-profile example, the "WannaCry worm", propagated automatically between computers over the network without user interaction, using an exploit of the Windows Server Message Block (SMB) protocol that was subsequently fixed.
Ransomware typically encrypts files and renames them too, usually by changing their file extension, but not always. There are types of Ransomware which do not change file names or extensions. The file size usually does change as the file content is encrypted. This creates some issues for file replication and synchronization when the encrypted files are replicated and/or synchronized.
There are two main scenarios:
a) The Ransomware does change file names or extensions. The file replication or synchronization process will copy the new renamed files and, depending on other profile settings, might delete the old ‘good’ files.
b) The Ransomware does NOT change file names or extensions but only the file contents. The replication or synchronization process will consider these as changed files and copy them over the old files.
In both scenarios, the Ransomware causes problems for the file replication and synchronization process.
Mitigation of the issues
Possible mitigating steps include:
1. If file replication is used for backup purposes, it is recommended to use a rotating target, e.g. use a different target every day of the week (see Folder Variables in ViceVersa PRO, which can automatically change the target path of the profile based on the day of the week and other variables). It is also best to keep the replicated data offline / archived when not in use, for example by replicating to a different removable disk each day or each week and disconnecting the disk when it is not in use. Additionally, files should be replicated frequently, and in real time if possible, so that even very recent files have a good replica.
2. Enable the file archiving feature of ViceVersa. When file archiving is enabled in the profile settings, files are not simply overwritten or deleted; instead they are moved to an archive folder from which they can be restored if needed.
3. Use the two profile options “Max. files/folders to delete, do not execute if more” and “Max. files/folders to update (=overwrite), do not execute if more”. When these options are used, replication or synchronization stops and returns an error if it would result in more than X files/folders being updated or deleted. Execution is aborted before the copy/delete process even starts, so no files at all are copied or deleted. The amount can be specified as a number, for example 100, or as a percentage, for example 10%. These two options are useful because Ransomware usually encrypts many files in a short period of time; in that case the replication / synchronization will not run at all and the unencrypted files in the target will be safeguarded.
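The threshold check in step 3 can be illustrated with a short script. This is an added example, not ViceVersa's own code: the function names are hypothetical, the percentage is assumed to be taken of the number of files in the target, and the file listings in demo() are constructed to reproduce scenarios a) and b).

```python
import os

def snapshot(root):
    """Map each relative file path under root to (size, mtime_ns)."""
    files = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            files[os.path.relpath(full, root)] = (st.st_size, st.st_mtime_ns)
    return files

def plan_mirror(source, target):
    """Plan a one-way mirror without touching any file.
    Assumes replication preserves modification times, so equal (size, mtime) means unchanged."""
    add = sorted(p for p in source if p not in target)
    update = sorted(p for p in source if p in target and source[p] != target[p])
    delete = sorted(p for p in target if p not in source)
    return {"add": add, "update": update, "delete": delete}

def limit_to_count(limit, total):
    """Accept an absolute number ("100") or a percentage ("10%") of total."""
    limit = str(limit).strip()
    if limit.endswith("%"):
        return int(total * float(limit[:-1]) / 100)
    return int(limit)

def guard(plan, target_total, max_delete="10%", max_update="10%"):
    """Return the reasons to abort; an empty list means the run may proceed."""
    reasons = []
    for action, limit in (("delete", max_delete), ("update", max_update)):
        allowed = limit_to_count(limit, target_total)
        if len(plan[action]) > allowed:
            reasons.append(f"{len(plan[action])} files to {action}, limit {allowed}")
    return reasons

def demo():
    # Constructed sample: 200 documents already replicated to the target.
    target = {f"doc{i}.txt": (1000 + i, 1) for i in range(200)}
    normal = dict(target, **{"doc1.txt": (1500, 2), "new.txt": (10, 2)})
    renamed = {p + ".locked": (s + 16, 2) for p, (s, _m) in target.items()}  # scenario a
    in_place = {p: (s + 16, 2) for p, (s, _m) in target.items()}             # scenario b
    cases = (("normal", normal), ("renamed", renamed), ("in_place", in_place))
    return {name: guard(plan_mirror(src, target), len(target)) for name, src in cases}

if __name__ == "__main__":
    print(demo())
```

For real folders, pass snapshot(source_dir) and snapshot(target_dir) to plan_mirror and start copying only when guard returns an empty list.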
Conclusion
File replication and synchronization can be impacted by Ransomware as the encrypted files are replicated / synchronized and the good unencrypted files might be deleted or replaced with the bad copies. There are mitigating steps that can be taken in ViceVersa to reduce the impact of Ransomware on file replication and synchronization.
General Information
No. 132
Author: TGRMN Software