The shortcomings of consumer-grade backup services in protecting against the scourge of ransomware have been exposed by the experiences of a UK businesswoman.
Amy W, who runs a small business in the Newbury, Berkshire area, was convinced that the KnowHow cloud was the only backup technology she'd ever need[1] when she bought a laptop from PC World.
Eight months later, however, in the aftermath of a ransomware infection, Amy discovered that the KnowHow cloud backed up all her newly encrypted files and didn't keep any revisions, leaving her unable to restore files from a historic clean backup.
PC World told El Reg that 30 days of historic backups should have been available through KnowHow cloud, but this is contradicted by the victim herself, who said only two backup points were available, both from the day she was infected with the CryptoWall ransomware.
El Reg heard about Amy’s woes after a friend of hers got in touch with us and pointed us towards a post (extract below) about her experiences on PC World’s Facebook page earlier this month.
Yesterday an email came through which I opened (it was from what looked like a completely standard email address). A virus flooded my laptop instantly, corrupting all my files and saved documents, getting past my antivirus. I was thankful for my cloud. I had someone look at it and eventually completely remove the virus, but I had to completely reboot and reset my laptop after. I would lose Microsoft Office, but I could cope with that.
We logged on to my cloud and to my horror it had updated all my documents to the corrupted version. I was sure it would be OK so phoned Knowhow, thinking I would be able to restore from a different date.
Knowhow told me it automatically overwrites documents and doesn't keep revisions of older documents and backups. I have lost everything, years of work and important documents that I've worked hard for, gone. I was so shocked they don't offer this; even my iPhone lets me select dates I want to restore from.
Do not rely on Knowhow completely. I would have happily purchased a hard drive but was advised this would be enough. Google Drive is good too as it keeps revisions. I'm gutted!!
PC World suggested that Amy’s machine might have been infected with the ransomware for weeks before she discovered the problem, a suggestion she strongly denied.
"It was Cryptowall," Amy said. "It came through as an invoice. It wanted me to pay £1000 to get a key to unlock files and the price doubled every 14 days."
“I know exactly where the virus came from and had it removed the day it hit my laptop,” Amy told El Reg. “The ransomware had been on my laptop for a matter of hours when it was removed and I contacted Knowhow that evening the same day.”
“30 days' worth of backup was definitely not available for me to access from my end; I had a choice of two times on the same day, one being when they had backed up with the corrupted files and one later in the day when my laptop had been reset,” she added.
Chris Boyd, a senior malware intelligence analyst at Malwarebytes, said that the case illustrates the wider potential shortcomings of cloud-based backups as a defence against ransomware.
“In general, cloud backup is another useful tool to help ward off the threat of ransomware, but isn't applicable in all situations,” Boyd told El Reg. “Individuals and businesses may rightly balk at uploading potentially sensitive documents into the cloud where they suddenly have no control over it, and should look into file encryption of their own to ensure nothing valuable leaks.”
“Offline backups would be the best way to go, especially as you have full control over the data at all times. Not all cloud backup hosts offer the ability to roll back to specific dates, which is a disaster in situations where malware butts heads with an automatic upload. Off-the-shelf backup solutions are fine for most things, but should go hand in hand with a layered approach which could include AV [anti-virus], anti-malware and exploit protection,” he added.
Asked what expectations its customers can reasonably have of KnowHow cloud's ability to mitigate the growing problem of ransomware attacks, Dixons Carphone (PC World's parent firm) said its system keeps 30 days of backups by default. PC World is clear in saying that customers shouldn't rely on its cloud backup service in isolation, while simultaneously saying it offers a safety net, one that seems to have failed in Amy's case, at least. Its statement reads:
Our cloud service automatically backs up a customer's machine and keeps on file 30 days of previous back-ups, which is why we are able to restore this customer's data.
Essentially this means that any file backup has 30 different backup versions, any of which the customer could restore from even if an encrypted file has been backed up. However, if a customer had not noticed they had a virus for more than 30 days, all of the previous days' versions would also have been backed up as encrypted files.
The backup servers as a matter of course run daily virus and malware scans; however, these files would not be identified as suspicious as they were not a virus threat themselves.
To ensure total protection a customer would also need to run a form of anti-virus/malware software on their machine to ensure no threats occur initially.
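The mechanics behind Boyd's point about rolling back to specific dates and PC World's explanation of 30 per-file versions and server-side scans, as an added example that is not part of The Register's article and is not KnowHow's, PC World's or Malwarebytes' code: a model of an overwrite-in-place backup beside a versioned one with a retention window, driven through a constructed ransomware event. The sample documents are constructed, encrypt_like_ransomware is a stand-in that merely produces random bytes of the same length, and suspicious_sync is a hypothetical agent-side entropy check that the page does not say any product performs; it is included to show the kind of signal that is visible to a backup agent even though a malware scan of the encrypted files finds nothing.

```python
# Added example (not KnowHow's, PC World's or Malwarebytes' code): an
# overwrite-in-place backup versus a versioned one with a retention window,
# driven through a constructed ransomware event, plus a hypothetical
# agent-side entropy check that could halt a sync of encrypted files.
import math
import random
import zlib
from collections import Counter, defaultdict, deque

# Constructed sample documents: low-entropy text, like real office files.
DOCS = {
    "invoices/2015-03.docx": b"Invoice 1042, due in 30 days. Amount: 1,250.00 GBP.\n" * 64,
    "contracts/lease.pdf": b"This agreement is made between the landlord and the tenant.\n" * 64,
    "notes/todo.txt": b"call accountant; renew insurance; back up the laptop\n" * 64,
}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: text sits around 4-5, encrypted data close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def encrypt_like_ransomware(data: bytes, seed: int) -> bytes:
    """Stand-in for CryptoWall's output: same length, uniformly random bytes.
    Not real encryption; it only reproduces the statistical property that
    makes the files look like noise to a backup agent."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(len(data)))

class OverwritingBackup:
    """Keeps only the newest copy of each file (the behaviour Amy describes)."""
    def __init__(self):
        self.files = {}

    def sync(self, day, snapshot):
        self.files.update(snapshot)

    def restore(self, path, day):  # `day` is ignored: there is nothing older
        return self.files.get(path)

class VersionedBackup:
    """Keeps up to `retention` daily versions per file, oldest evicted first."""
    def __init__(self, retention=30):
        self.retention = retention
        self.versions = defaultdict(deque)  # path -> deque of (day, bytes)

    def sync(self, day, snapshot):
        for path, data in snapshot.items():
            q = self.versions[path]
            q.append((day, data))
            while len(q) > self.retention:
                q.popleft()

    def restore(self, path, day):
        """Newest version backed up on or before `day`, or None if evicted."""
        older = [data for d, data in self.versions[path] if d <= day]
        return older[-1] if older else None

def suspicious_sync(previous, snapshot, threshold=7.0, min_ratio=0.5):
    """Hypothetical agent-side check. Encrypted documents are not malware, so a
    server-side AV scan will not flag them; what does stand out is that most
    files changed in one sync went from low entropy to near-random."""
    changed = flipped = 0
    for path, data in snapshot.items():
        old = previous.get(path)
        if old is None or old == data:
            continue
        changed += 1
        if shannon_entropy(old) < threshold <= shannon_entropy(data):
            flipped += 1
    return changed > 0 and flipped / changed >= min_ratio

def simulate(backup, infection_day, last_day, halt_on_alert=False):
    """Sync DOCS once a day from day 1 to `last_day`; every file is encrypted
    from `infection_day` on. Returns (days the check fired, whether a clean
    copy of every file can still be restored from the day before infection)."""
    previous, alerts = {}, []
    for day in range(1, last_day + 1):
        if day < infection_day:
            snapshot = dict(DOCS)
        else:
            snapshot = {p: encrypt_like_ransomware(d, zlib.crc32(p.encode()) + day)
                        for p, d in DOCS.items()}
        alert = suspicious_sync(previous, snapshot)
        if alert:
            alerts.append(day)
        if not (halt_on_alert and alert):
            backup.sync(day, snapshot)
        previous = snapshot
    restorable = all(backup.restore(p, infection_day - 1) == d for p, d in DOCS.items())
    return alerts, restorable

if __name__ == "__main__":
    print("overwrite, caught same day:", simulate(OverwritingBackup(), 8, 8))
    print("30 versions, caught same day:", simulate(VersionedBackup(30), 8, 8))
    print("30 versions, noticed on day 40:", simulate(VersionedBackup(30), 8, 40))
    print("overwrite, sync halted on alert:", simulate(OverwritingBackup(), 8, 8, True))
```

Run as written, the overwriting store cannot restore a clean copy even when the infection is caught the same day, the 30-version store can, and the same 30-version store cannot once the encrypted files have been synced for more than 30 days, which is exactly the caveat in the statement above. The last run shows that an agent which refuses to upload a sync where nearly every changed file has turned to noise would have preserved the previous day's copies even on an overwrite-in-place service.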
El Reg also asked for a response to Amy's criticism in general, and in particular to the point that older files were overwritten so she couldn't restore to the last known "safe point". We haven't had a satisfactory explanation on this point as yet.
Media interest in the case, or perhaps her own dogged efforts to raise the issue on social media, meant that Amy was recently referred to PC World’s Cloud services team, members of which made a spirited go at restoring her files.
Amy praised the efforts of PC World staff in attempts to restore her files despite only partial success on this front.
“PC World have been nothing but helpful since I had contact with them last Friday, we have managed to save a few files,” she told us. “Although it seems to have been a struggle and definitely not something I could have restored myself.” ®
[1] Amy was sold KnowHow cloud on the basis that it was "military safe", according to her account.