Solution for the new ransomware on Macs

[Argent]

I see that Transmission for Mac has been infected with ransomware. Yikes. I don't use Transmission, but if it happened there, other apps will be next. It was said that the only solution is to store backups offline, because all flies online will be encrypterd. What about using
"On successful completion -> Eject [drive]"?

My question is, will SD remount the drive before the next backup?

[dnanian]

Yes, it'll automatically mount and unmount when done (on a schedule).

[flyingout]

Hi Dave,

Reviving this thread since my goal is also to mitigate against ransomware.

I think I know the answer but figured I'd ask just in case.

I don't believe mounting and unmounting is sufficient since if SD can do it, so can the bad guys. So my thought was to remove the destination's FileVault password from the keychain, and mount it using a script, which I wrote. Unfortunately I found out that the before copy script doesn't run until a destination is available.

I suppose I can schedule my script separately, but that's more prone to problems.

So any thoughts on how this can be done? Might SD be able to ask for and hold onto the PW?

Thanks

[dnanian]

Just use two backups, one of which is connected and one of which isn't. Also, have an offsite backup with something like CrashPlan, Backblaze or the like.

[flyingout]

Quote:

Originally Posted by dnanian

Just use two backups, one of which is connected and one of which isn't. Also, have an offsite backup with something like CrashPlan, Backblaze or the like.

Thanks Dave. Exactly my setup. For as long as they've been available I've had TM, online clone, and Arq to S3. Now I've added an offline clone. I'm just trying to automate that offline one, because lazy.

I think I found a solution though. I'll schedule my unlock/mount script(s) separately and have SD do the copy automatically upon attachment.

The only thing is that I've also got a couple external volumes that I'll probably now want to encrypt and detach their backups. So I'll be losing SD's simple scheduling ability completely.

Cheers

[dnanian]

You can: just put the password in the keychain and use "Backup on connect".

[flyingout]

Quote:

Originally Posted by dnanian

You can: just put the password in the keychain and use "Backup on connect".

Well, I'm taking a big step back to figure out exactly how FileVault, Disk Utility (and diskutil), Keychain (and its Access Control) work. I'm at a loss at the moment.

Ejecting doesn't appear to relock the volume. And when locked (how?) Disk Utility and SD can't mount it, despite Keychain.

If ejecting would consistently lock the drive and Keychain's Access Control only gives the password to applications I allow (i.e. not to malware) then I'd be good. Not seeing that right now.

Cheers

[dnanian]

If you eject it (don't lock it), and try attaching it to another Mac, you'll see it's locked for anyone else.

[flyingout]

Quote:

Originally Posted by dnanian

If you eject it (don't lock it), and try attaching it to another Mac, you'll see it's locked for anyone else.

Right. No question about that. And if I power off and on, it either mounts automatically or asks for the password depending on if there's a keychain entry. This is how I've used FileVault up till now.

But I want some protection against malware (if it were to strike; I'm not hugely concerned btw) by ejecting the volume (one of many on a firewire chain) and know that only trusted apps can remount it. I'm not seeing that right now.

Either anything can remount it or nobody can. Still figuring out why or what I'm doing wrong.

[dnanian]

If you're really worried about this, just unplug it. Can't mount it if it's not attached.

The best protection against this kind of thing is kind of to just uninstall Flash, keep your OS up to date, and not do dumb things...