cheesyking
Minister of Gerbil Affairs
Topic Author
Posts: 2756
Joined: Sun Jan 25, 2004 7:52 am
Location: That London (or so I'm told)

cryptowall ransomware and dropbox

Sat Jun 07, 2014 7:36 pm

A couple of days ago I got a call from someone who had "something odd" happening on his computer. Cutting a long story short, he'd been hit by ransomware and all his files were encrypted. Not a problem, I thought; all the stuff that really matters is in dropbox, the PC can just get nuked.

However while dropbox allows you to restore back to previous versions there isn't a way to restore everything back to how it was at a specific time and going through each file one at a time isn't an option when you're talking about 70,000+ files!

Fortunately this exists:
https://github.com/clark800/dropbox-restore
Just give it a folder in dropbox and a date and it will delete any files created since then and roll back all files to how they were, perfect!

You need python 2.7 and pip installed.

Then use pip to install the dropbox api (pip install dropbox)

Now comes the tricky bit. Because this isn't an official app and many other people seem to have needed to use it, you have to create your own api key to run the script. To do this you have to go here: https://www.dropbox.com/developers/apps (log in)
Click the "new app" button and select these options:
API App => files and datastores => Can the app be limited... No => All file types => enter a name for the app
On the next page you get the app key and secret that you paste into the restore.py script (they go in right at the top; it's really obvious where).

The first time you use the script you have to visit a URL in a browser to give the app access to your dropbox. That done, it chugs away doing its thing.

I suppose these ransomware things really underline the need to have some backup in place and that relying on dropbox for this job does work but isn't ideal at least not until they add something native to do this.

Hope someone finds this useful.
Fernando!
Your mother ate my dog!
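
The rollback described in the post above (delete files created after the chosen date, return everything else to its state at that date), as an added sketch that is not part of the original post and is not code from dropbox-restore. It plans the actions from constructed revision metadata instead of calling the Dropbox API; the function name, record fields and sample paths are assumptions.

```python
from datetime import datetime

def plan_restore(history, cutoff):
    """Map each path to ('restore', rev), ('delete', None) or ('skip', None).

    history: {path: [revision, ...]}; each revision is a dict with
    'rev' (id), 'modified' (datetime) and 'deleted' (True for a tombstone).
    """
    plan = {}
    for path, revs in history.items():
        revs = sorted(revs, key=lambda r: r["modified"])
        current = revs[-1]
        # Last recorded state of the file at or before the cutoff, if any.
        before = [r for r in revs if r["modified"] <= cutoff]
        target = before[-1] if before else None
        existed_then = target is not None and not target["deleted"]
        exists_now = not current["deleted"]
        if not existed_then:
            # Created after the cutoff (e.g. a ransom note): remove if present.
            plan[path] = ("delete", None) if exists_now else ("skip", None)
        elif target is current:
            plan[path] = ("skip", None)  # untouched since the cutoff
        else:
            plan[path] = ("restore", target["rev"])
    return plan

def _rev(rev, y, m, d, deleted=False):
    return {"rev": rev, "modified": datetime(y, m, d), "deleted": deleted}

# Constructed sample history: files were encrypted on 5 June 2014.
CUTOFF = datetime(2014, 6, 4)
SAMPLE = {
    "/docs/report.doc": [_rev("r1", 2014, 5, 1), _rev("r2", 2014, 6, 5)],
    "/docs/RANSOM_NOTE.txt": [_rev("r1", 2014, 6, 5)],
    "/docs/old.txt": [_rev("r1", 2014, 4, 1), _rev("r2", 2014, 4, 20, True)],
    "/docs/notes.txt": [_rev("r1", 2014, 5, 10)],
    "/docs/removed.txt": [_rev("r1", 2014, 5, 2), _rev("r2", 2014, 6, 5, True)],
}

if __name__ == "__main__":
    # Dry run: print the plan so it can be reviewed before anything is changed.
    for path, (action, rev) in sorted(plan_restore(SAMPLE, CUTOFF).items()):
        print(f"{action:8} {path} {rev or ''}")
```

Reviewing the plan as a dry run first matters here because the cutoff has to fall before the first encrypted revision; a cutoff that is too late restores encrypted copies.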
 
BIF
Minister of Gerbil Affairs
Posts: 2458
Joined: Tue May 25, 2004 7:41 pm

Re: cryptowall ransomware and dropbox

Sat Jun 07, 2014 8:04 pm

Dropping an anchor here for future reference. Thanks!
 
Hz so good
Gerbil Elite
Posts: 768
Joined: Wed Dec 04, 2013 5:08 pm

Re: cryptowall ransomware and dropbox

Sun Jun 08, 2014 2:19 pm

Good find! Bookmarking this for later reference.
 
just brew it!
Administrator
Posts: 54500
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: cryptowall ransomware and dropbox

Sun Jun 08, 2014 2:42 pm

I'd say it is a very strong argument for having *some* sort of backup (whether Dropbox or something else) that does not reside on the same machine, and is not accessible as a normal folder share. Ideally it should be in an off-site location, to protect against fire/flood/theft/etc.
Nostalgia isn't what it used to be.
 
Hz so good
Gerbil Elite
Posts: 768
Joined: Wed Dec 04, 2013 5:08 pm

Re: cryptowall ransomware and dropbox

Sun Jun 08, 2014 3:11 pm

just brew it! wrote:
I'd say it is a very strong argument for having *some* sort of backup (whether Dropbox or something else) that does not reside on the same machine, and is not accessible as a normal folder share. Ideally it should be in an off-site location, to protect against fire/flood/theft/etc.



Yup. That was something beat into my brain back in 1999, when I was getting my MCSE+I for NT4 and my CNE for Netware 4.x and 5.x, and it still holds true for home users. At a minimum, get a NAS to back up all your critical data. If it's business related (or data that's irreplaceable), you really need 3 offsite backups, because you never know if a fire/tornado/hurricane/earthquake is going to trash your location and equipment.


*EDIT*

I can't count the number of times I've had to tell customers that their data was irretrievable and they lost all their photos, music, financial records, etc. In each case, it was a harsh reality lesson, and I felt terrible having to break the bad news to them (some broke down sobbing). :(

Being proactive is the only proper course of action.
 
LASR
Gerbil First Class
Posts: 147
Joined: Fri Jan 10, 2014 9:35 pm

Re: cryptowall ransomware and dropbox

Sun Jun 08, 2014 3:28 pm

I've played around with backup a lot.

After experimenting with a bunch of various setups - RAID1, rsync, git, etc, I finally settled on just outsourcing it to a cloud backup provider. All my computers sync to this one server box in my closet which then backs up to the cloud. Restore is possible from any previous version.

I personally use CrashPlan - they have an unlimited data backup plan for something like $5/mo. But there are several other very similar providers. For the price, it is well worth it.

Dropbox is very good if you really want to be able to access and share your files on the cloud. But for pure backup, I've found it to be a bit cumbersome and very expensive.

GoogleDrive is a lot cheaper. You can get 1TB for $10.
 
SuperSpy
Minister of Gerbil Affairs
Posts: 2403
Joined: Thu Sep 12, 2002 9:34 pm
Location: TR Forums

Re: cryptowall ransomware and dropbox

Mon Jun 09, 2014 7:22 am

Lately I've tended to set it up so backups are created on a network share with read/write access, then are later moved to somewhere that's read-only to the machine being backed up. That way it's impossible for ransomware to destroy anything but the in-progress backup.
Desktop: i7-4790K @4.8 GHz | 32 GB | EVGA GeForce 1060 | Windows 10 x64
Laptop: MacBook Pro 2017 2.9GHz | 16 GB | Radeon Pro 560
 
tanker27
Gerbil Khan
Posts: 9444
Joined: Tue Feb 26, 2002 7:00 pm
Location: Georgia

Re: cryptowall ransomware and dropbox

Mon Jun 09, 2014 7:41 am

I set this up yesterday as a test but it works rather well, a bit clunky, but it works. I'll use this for now. I may at some point switch to a cloud based solution.

Oh and ransomware can DIAF. I hope to god I never see it on my wife's or parents' computers but the chances that I will are probably 70/30. :?
(\_/)
(O.o)
(''')(''')
Watch out for evil Terra-Tron; He Does not like you!
 
Kurotetsu
Gerbil Elite
Posts: 548
Joined: Sun Dec 09, 2007 12:13 pm

Re: cryptowall ransomware and dropbox

Mon Jun 09, 2014 7:45 am

I started taking backups a little more seriously when I lost a USB thumb drive with years' worth of documents, source code, images, etc. on it. But even then I was only backing up a local 1TB hard drive in a USB enclosure. It wasn't until I heard about the Cryptolocker ransomware that I decided to start using Crashplan (I actually had gotten a free year with them the year before, but hadn't used it until a few months ago). Between that and Dropbox, which is also backed up by Crashplan, I feel a lot safer knowing that most of my important stuff, I think, is backed up remotely. Though I still haven't figured out what to do with my music library, which is like 30+ GB in size.
Under Construction Forever~~~
 
liquidsquid
Minister of Gerbil Affairs
Posts: 2661
Joined: Wed May 29, 2002 10:49 am
Location: New York

Re: cryptowall ransomware and dropbox

Mon Jun 09, 2014 7:56 am

Kurotetsu wrote:
I started taking backups a little more seriously when I lost a USB thumb drive with years' worth of documents, source code, images, etc. on it. But even then I was only backing up a local 1TB hard drive in a USB enclosure. It wasn't until I heard about the Cryptolocker ransomware that I decided to start using Crashplan (I actually had gotten a free year with them the year before, but hadn't used it until a few months ago). Between that and Dropbox, which is also backed up by Crashplan, I feel a lot safer knowing that most of my important stuff, I think, is backed up remotely. Though I still haven't figured out what to do with my music library, which is like 30+ GB in size.


For your music library, just get a NAS, back it up... disconnect it, and put it into the emergency bin. Cheap insurance.
The Cryptolocker ransomware is a frightening prospect for folks who are not technology savvy, like older parents. Entirely uncool.
 
The Egg
Minister of Gerbil Affairs
Posts: 2938
Joined: Sun Apr 06, 2008 4:46 pm

Re: cryptowall ransomware and dropbox

Mon Jun 09, 2014 9:07 am

I just did a little bit of reading up on ransomware -- scary stuff. Judging from the amount of money they're pulling in, you can be sure this is going to be the malware of the future.
 
NovusBogus
Graphmaster Gerbil
Posts: 1408
Joined: Sun Jan 06, 2013 12:37 am

Re: cryptowall ransomware and dropbox

Mon Jun 09, 2014 10:47 pm

Ransomware is like Nigerian mail scams, the cost is low enough that it only takes a small percentage of goobers paying them to make it very profitable. It helps that Eastern Europe has a dangerous mix of low cost of living, few skilled-labor opportunities, and a very large military crypto skills base.
 
Aphasia
Grand Gerbil Poohbah
Posts: 3710
Joined: Tue Jan 01, 2002 7:00 pm
Location: Solna/Sweden

Re: cryptowall ransomware and dropbox

Tue Jun 10, 2014 11:53 am

Paying for it is often the only chance you have unless you have recent enough backups that it doesn't matter or you are willing to take the hassle of reinstalling everything, which can take hours. That's what makes it so evil. Basically, Nigeria mails are loudmouths that shout bad things but, unless you actually are stupid enough to buy something, basically harmless; cryptowall are hostage takers, literally.
 
Hz so good
Gerbil Elite
Posts: 768
Joined: Wed Dec 04, 2013 5:08 pm

Re: cryptowall ransomware and dropbox

Tue Jun 10, 2014 4:32 pm

Aphasia wrote:
Paying for it is often the only chance you have unless you have recent enough backups that it doesn't matter or you are willing to take the hassle of reinstalling everything, which can take hours. That's what makes it so evil. Basically, Nigeria mails are loudmouths that shout bad things but, unless you actually are stupid enough to buy something, basically harmless; cryptowall are hostage takers, literally.


Or you get lucky, and use the HeartBleed vulnerability to counterattack the CnC server to obtain your key. I can't find the article right now, but one victim got lucky during the counterattack and found that their key had been pre-loaded to the server during the 24hr ransom window.
 
Aphasia
Grand Gerbil Poohbah
Posts: 3710
Joined: Tue Jan 01, 2002 7:00 pm
Location: Solna/Sweden

Re: cryptowall ransomware and dropbox

Wed Jun 11, 2014 12:20 pm

Hz so good wrote:
Or you get lucky, and use the HeartBleed vulnerability to counterattack the CnC server to obtain your key. I can't find the article right now, but one victim got lucky during the counterattack and found that their key had been pre-loaded to the server during the 24hr ransom window.

Yeah, I used that exact story as an example in another thread here not too long ago. I was at the Checkpoint CPX in Barcelona where one of the guys involved in solving it was a speaker and, of course, used it as a great example of what goes on for security researchers... :D
 
Hz so good
Gerbil Elite
Posts: 768
Joined: Wed Dec 04, 2013 5:08 pm

Re: cryptowall ransomware and dropbox

Wed Jun 11, 2014 3:16 pm

Aphasia wrote:
Yeah, I used that exact story as an example in another thread here not too long ago. I was at the Checkpoint CPX in Barcelona where one of the guys involved in solving it was a speaker and, of course, used it as a great example of what goes on for security researchers... :D



That's awesome! I never get to go to the fun conferences.

No, TechNet and Brainshare don't count. Well, except that one Novell conference where they had a human-sized gyroscope. Good thing they kept a trash can nearby.
