Simulation of protection against ransomware

Hello, first of all I would like to congratulate all the founders of this project. I am a big fan and restic admirer! :smiley:
Because of you I started to study Golang :slightly_smiling_face:
At first I noticed the lack of a GUI, but I easily got used to the easy use via the CLI (thanks to the good documentation) and realized restic's power using bash scripts (Linux) or bat / PowerShell scripts (Windows).

I have a question, but first I think it useful to imagine the following scenario:

I made 5 daily backups of the “c:\my-data” folder (using restic) on the following dates:

January 1, 2018
January 2, 2018
January 3, 2018
January 4, 2018
January 5, 2018

On day 4, after restic completed the backup of this day, the computer was infected by ransomware which encrypted all data in the "c:\my-data" folder.

On day 5 restic made a new backup, creating for this day a snapshot / backup with the infected / encrypted files, that is, on day 5 restic again copied all the files to the repository as if it were the first complete backup, since all the files had been changed (encrypted).

My question is:

Will this backup done on day 5 affect the backups that were done on days 1, 2, 3, and 4, i.e. backups made prior to the file infection?

Or does restic keep the backups of days 1, 2, 3, and 4 saved, so that only the day 5 backup was compromised?

Thanks to all who can help!

1 Like

Restic doesn’t delete anything without explicit direction - and what is stored is not actual files/contents but rather the data in chunks (at least, as I understand it). Which means for your example - the backup on day 5 will take longer than previous (as there will be a substantially new full backup required) - but the “contents” of the previous days will be unaffected. An explicit restore of the desired snapshot will recover the data prior to the infection.

Snapshots must be explicitly removed via “forget” - and then the possibly orphaned data removed via “prune”. So unless/until you run such commands - your data would be safe.

2 Likes

Thank you very much!

Awesome, we’re glad it helped you :slight_smile:

That’s even better, the world needs more Go programmers!

No, they are independent: restic detected that the file content has changed (and maybe also the file name), so unless you remove the good snapshots (by using restic forget), you'll have access to your data. I would manually run restic forget <id> on the ID of the compromised snapshot, then run restic prune to remove the data. Then you're left with only the good data.
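The recovery that the two answers above describe (forget only the compromised snapshots, then prune), written out as an added example; this is not restic's code and not any poster's. It drives the restic CLI from Python, reads `restic snapshots --json` to select every snapshot taken on or after the first suspect day, and runs `restic forget --dry-run` first so nothing is removed until the operator passes `apply=True`. The sample snapshot list, the short ids in it and the UTC offset are constructed assumptions; the repository and password are expected in the usual `RESTIC_REPOSITORY` / `RESTIC_PASSWORD` environment variables.

```python
"""Recovery for the thread's scenario, as an added example: forget only the
snapshots made after the infection, then prune. Not restic's own code.
Assumes `restic` is on PATH and RESTIC_REPOSITORY / RESTIC_PASSWORD are set."""
import json
import re
import subprocess
from datetime import datetime, timedelta, timezone

# Constructed sample of `restic snapshots --json` output for the five daily
# backups in the thread (ids are made up; only the fields used here are kept).
SAMPLE_SNAPSHOTS_JSON = json.dumps([
    {"short_id": "1a2b3c4d", "time": "2018-01-01T22:00:00.000000000-03:00", "paths": ["C:\\my-data"]},
    {"short_id": "5e6f7a8b", "time": "2018-01-02T22:00:00.000000000-03:00", "paths": ["C:\\my-data"]},
    {"short_id": "9c0d1e2f", "time": "2018-01-03T22:00:00.000000000-03:00", "paths": ["C:\\my-data"]},
    {"short_id": "3a4b5c6d", "time": "2018-01-04T22:00:00.000000000-03:00", "paths": ["C:\\my-data"]},
    {"short_id": "7e8f9a0b", "time": "2018-01-05T22:00:00.000000000-03:00", "paths": ["C:\\my-data"]},
])

_FRACTION = re.compile(r"\.(\d+)")


def parse_restic_time(ts):
    """Turn restic's RFC 3339 timestamp (Go style: up to nanoseconds, possibly a
    trailing Z) into an aware datetime. fromisoformat wants at most microseconds
    and a numeric offset, so normalise first."""
    if ts.endswith("Z"):
        ts = ts[:-1] + "+00:00"
    ts = _FRACTION.sub(lambda m: "." + m.group(1)[:6].ljust(6, "0"), ts, count=1)
    return datetime.fromisoformat(ts)


def make_cutoff(year, month, day, utc_offset_hours):
    """Aware datetime for local midnight of the first suspect day."""
    return datetime(year, month, day,
                    tzinfo=timezone(timedelta(hours=utc_offset_hours)))


def snapshots_on_or_after(snapshots_json, cutoff):
    """Short ids of snapshots whose time is on or after `cutoff`. Comparing
    aware datetimes keeps differing UTC offsets from misclassifying a snapshot."""
    return [s["short_id"] for s in json.loads(snapshots_json)
            if parse_restic_time(s["time"]) >= cutoff]


def restic(*args):
    """Run one restic command and return its stdout (raises on non-zero exit)."""
    return subprocess.run(["restic", *args], check=True,
                          capture_output=True, text=True).stdout


def forget_compromised(cutoff, apply=False):
    """Forget every snapshot taken at or after `cutoff`. With apply=False (the
    default) restic only reports what it would forget; with apply=True the
    snapshot records are removed and `prune` then drops the data that no
    remaining snapshot references. Returns the affected short ids."""
    ids = snapshots_on_or_after(restic("snapshots", "--json"), cutoff)
    if not ids:
        return ids
    if apply:
        restic("forget", *ids)
        restic("prune")
    else:
        restic("forget", "--dry-run", *ids)
    return ids


if __name__ == "__main__":
    # The infection happened on 4 January 2018 after that day's backup, so
    # everything from 5 January onwards is suspect. The UTC offset is an
    # assumption; use the one the backups were taken in.
    print(forget_compromised(make_cutoff(2018, 1, 5, -3)))
```

The snapshots from days 1 to 4 are never named in the `forget` call, so their trees and data blobs stay referenced and `prune` leaves them alone; the only thing `prune` removes is the chunks that were unique to the encrypted day-5 snapshot.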

2 Likes

Thank you very much! :smiley:

Yes for sure! I am studying slowly because it is very different from what I saw in PHP and OO, but without doubt Go is the future!

I am very grateful for your tips and the Restic project. Initially I will help you with documentation whenever you feel the need to add information.

1 Like

I am also worried about ransomware, but I am worried that a hacker could get into my server, find the restic config and the secret keys to access my cloud storage, and then issue delete commands. The SamSam ransomware works this way.

I use a B2 storage backend. Is there a way to clone the contents of one bucket into a different one that is accessed with different credentials? That way I can set myself a monthly task to create a copy of my backup that cannot be deleted by hackers even if they get into my system.

You’ll want to use rclone for that.

Hello, to use B2 just use rclone together with restic.
I use restic + rclone to send the backups to wasabi.com.

You can also deploy the rest server on an independent system and give it the --append-only flag, which will disallow any deletion operations over the REST protocol.
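The bucket-to-bucket copy with separate credentials that the question above asks for, using rclone as the replies suggest, as an added example that is neither rclone's, restic's nor any poster's code. It reads `rclone config dump` to refuse the copy when both remotes carry the same B2 account id or key, and builds an `rclone copy --immutable` command rather than `rclone sync`, so nothing deleted from the primary bucket is ever deleted from the copy. The remote names `b2-main` and `b2-copy`, the bucket names and the sample config values are constructed assumptions.

```python
"""Monthly off-site copy of a restic repository between two B2 buckets that use
different credentials, as an added example (not rclone's, restic's or the
thread's code). Assumes `rclone` is on PATH and that two remotes, here called
"b2-main" and "b2-copy", were configured with different application keys."""
import json
import subprocess

# Constructed sample of `rclone config dump` output: a JSON object keyed by
# remote name; for the b2 backend the credentials are the "account" and "key"
# fields (the values here are placeholders, not real keys).
SAMPLE_CONFIG_DUMP = json.dumps({
    "b2-main": {"type": "b2", "account": "000main-key-id", "key": "MAIN-KEY-PLACEHOLDER"},
    "b2-copy": {"type": "b2", "account": "000copy-key-id", "key": "COPY-KEY-PLACEHOLDER"},
    "b2-same": {"type": "b2", "account": "000main-key-id", "key": "MAIN-KEY-PLACEHOLDER"},
})


def rclone(*args):
    """Run one rclone command and return its stdout (raises on non-zero exit)."""
    return subprocess.run(["rclone", *args], check=True,
                          capture_output=True, text=True).stdout


def credentials_isolated(config_dump_json, primary, copy):
    """True only if both remotes exist and neither the account id nor the key
    is shared between them: a copy made with the primary's own credentials can
    be deleted by whoever finds those credentials on the backup host."""
    cfg = json.loads(config_dump_json)
    if primary not in cfg or copy not in cfg or primary == copy:
        return False
    a, b = cfg[primary], cfg[copy]
    return a.get("account") != b.get("account") and a.get("key") != b.get("key")


def copy_argv(primary, src_bucket, copy, dst_bucket, dry_run=True):
    """Build the rclone command. `copy` (unlike `sync`) never deletes anything
    at the destination, so a deletion on the primary is not carried over, and
    `--immutable` makes the run fail if an already-copied file now differs,
    something a restic repository never does legitimately: it only ever adds
    and removes files, never rewrites one in place."""
    argv = ["rclone", "copy", "--immutable"]
    if dry_run:
        argv.append("--dry-run")
    argv += [f"{primary}:{src_bucket}", f"{copy}:{dst_bucket}"]
    return argv


def offsite_copy(primary, src_bucket, copy, dst_bucket, dry_run=True):
    """Refuse to copy unless the two remotes use different credentials, then
    run rclone. Returns the argv that was executed."""
    if not credentials_isolated(rclone("config", "dump"), primary, copy):
        raise RuntimeError(f"remotes {primary} and {copy} must not share credentials")
    argv = copy_argv(primary, src_bucket, copy, dst_bucket, dry_run)
    subprocess.run(argv, check=True)
    return argv


if __name__ == "__main__":
    # Bucket names are assumptions; schedule this with dry_run=False from cron
    # or Task Scheduler once a month.
    print(offsite_copy("b2-main", "restic-main", "b2-copy", "restic-copy"))
```

The check only proves the two remotes are different; whichever key the copy job itself uses still lives on some host. For the copy to survive a compromise of the backup server, either run the job from a separate machine or give the copy remote a key that can write but not delete, and treat the append-only rest-server mentioned above as the equivalent protection for the primary repository.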

1 Like

Is it possible for malware to add corrupted data to the existing repository, to confuse restic when restoring data?

Yes, malware could add data to the repository, however all of your real data would still be there, untouched by the ransomware. You’d just have to dig around a bit to find it, which should not be too hard. restic mount combined with a find/grep looking for some of your specific data would probably be a good start.