Ransomware Recovery Question

The problem is that even this can give the malware an opportunity to encrypt the contents of the backup drive. Ransomware can be damn fast at doing this (or it can sufficiently cover its tracks so that the file system looks completely normal until it’s too late).

One possible solution is to use a NAS with its own backup app built in on the server side - give the NAS full rights to your document folders (so it can ‘pull’ the data), but don’t allow any of the accounts on your computer (including administrator) to have more than read-only rights to the content of the NAS (so nothing can actively ‘push’ changes from your end).

As long as the malware doesn’t actually manage to get running on the NAS (which is pretty damn unlikely), and as long as you set sufficient retention of backups, this should be enough to offer a recovery position from ransomware - the only thing you’d lose is changes and new documents that happened since the last backup.

<sigh>

I got hit by Osiris last night. I ran an Avast scan minutes after the email attachment was opened. Avast found and quarantined two files, and recommended a boot scan, which I did. But a brief glance at the documents folder still shows dot Osiris as all the file extensions.

So if wiping the hard drive / replacing the hard drive is the answer, how can I tell if my back-up data is okay? I use Carbonite online back-up.

-rainy

Most likely, your backups are OK.

In addition, Carbonite keeps old versions of your files for the last three months. If any were encrypted on Carbonite, you can download the older versions and use them. It may take more time than an automatic restore, but you can get all your data back.
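As an added illustration of that check (this is not code from anyone in the thread, nor from Carbonite): a small script that scans dated backup snapshots for files carrying the .osiris extension and picks the newest snapshot that has none, so the restore comes from a known-good version. The snapshot layout (one directory per date) and the sample file names are constructed assumptions.

```python
"""Find the newest backup snapshot that carries no ransomware-renamed files."""
import tempfile
from pathlib import Path

# Extension the ransomware in this thread appends to every file it encrypts.
RANSOM_EXTENSIONS = frozenset({".osiris"})


def scan_snapshot(snapshot: Path, extensions=RANSOM_EXTENSIONS):
    """Return (total file count, list of files whose extension is a ransom extension)."""
    total, hits = 0, []
    for p in snapshot.rglob("*"):
        if p.is_file():
            total += 1
            if p.suffix.lower() in extensions:
                hits.append(p.relative_to(snapshot).as_posix())
    return total, hits


def newest_clean_snapshot(root: Path):
    """Snapshot dirs are ISO dates, so name order is date order; newest with zero hits wins."""
    for snap in sorted((d for d in root.iterdir() if d.is_dir()), reverse=True):
        total, hits = scan_snapshot(snap)
        if total and not hits:
            return snap.name
    return None


def build_demo(root: Path):
    """Constructed sample: three nightly snapshots, the last one taken after infection."""
    files = {
        "2016-12-03": ["docs/taxes.xlsx", "docs/letter.docx"],
        "2016-12-04": ["docs/taxes.xlsx", "docs/letter.docx", "docs/notes.txt"],
        "2016-12-05": ["docs/taxes.xlsx.osiris", "docs/letter.docx.osiris", "docs/notes.txt"],
    }
    for snap, names in files.items():
        for name in names:
            path = root / snap / name
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(b"sample content")
    return root


def run_demo():
    """Build the constructed snapshots in a temp dir; return per-snapshot scans and the pick."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_demo(Path(tmp))
        report = {s.name: scan_snapshot(s) for s in sorted(root.iterdir())}
        return report, newest_clean_snapshot(root)


if __name__ == "__main__":
    report, clean = run_demo()
    for name, (total, hits) in report.items():
        print(f"{name}: {total} files, {len(hits)} with a ransomware extension")
    print("restore from:", clean)
```

Point it at a real snapshot tree (one directory per retained version) and restore only from the snapshot it names, since the newer one already contains encrypted copies.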

That’s good news. Thanks.

The new version 3 of Malwarebytes has Ransomware protection built in. At least that’s what it says in the program when it lists the type of protections afforded: Web, Exploit, Malware and Ransomware. First time I’ve seen that included.

Backup strategy:

Crashplan is superb. Real-time with really good historic versions saved by default:
Last week every 15 mins;
Last 3 months every day;
Last year every week;
Previous years every month.

But I still have two SSDs, on which I save a few Gb of key files every few weeks, and never touch the archived dated versions. One sits in my safe deposit. I guess an encrypter could still screw me if it infiltrated both of these SSDs. It would probably be more secure just to buy thumb drives for dated archives and never re-use them.

I guess a massive EMP can get me, but then we’re probably just going back to barter, so I’m more concerned about whether I can grow potatoes in my back yard than the deductions on my 2012 tax return.