
store important stuff on external hard drives

never download suspicious stuff, especially from emails




You do know that most of these use vulnerabilities that don't need human interaction once they hit the local network, right?

External hard drives do come in handy though.


That's not enough anymore: good ransomware will look for backup systems and wipe those out before proceeding. You need read-only, airgapped backups before you can consider yourself safe.


A continuous back-up system should be enough -- as long as it doesn't have the smarts to reset the encryption pwd on the backup set.


That doesn't help for targeted attacks, which corrupt the backups as they are being written. Not sure how to protect against that though.


An easy option is to use an offsite backup service that keeps versioned history (e.g. http://www.rsync.net or http://www.spideroak.com).

Not sure about Spideroak but in the case of rsync.net they duplicate snapshots and store them outside of your main account so even if your account gets compromised and an attacker deletes all your backups you're still safe.


They can corrupt one backup but not all backups. And good backup software should do an integrity check.


I wasn't referring to corrupting the backup directly -- but corrupting the data as it is written to the backup server. This can be done by compromising the backup client, through a rootkit, etc. If this is undetected for a year before the attacker pulls the final trigger, you have a year's worth of bad backups.


Use a filesystem that lets you take regular snapshots, like zfs.


This is good for now, but snapshots are like RAID: they are not backups.


They are if you send them offsite. Backups with version history are great if you can swing them.


Startup idea: zfssend.net, a place to send snapshots to As A Service :D


I think you are looking for https://rsync.net


The name I suggested was a clear reference to them. But they provide storage "accessible with any SSH/SFTP tool", not a place to `zfs send` to.



Wow, nice! How did you find that page? http://www.rsync.net/products/platform.html doesn't link to it


It was in my browsing history, somehow. No idea how I got there initially.


how can they infect an external drive that backed up the data before the infection?


Only if you connect the external drive again during a silent incubation period.


Why would the malware care about if it is an external or internal drive?


If you back your files up on the USB drive on Tuesday, remove the drive after backing up the files, and get infected on Wednesday, the files on the drive obviously are not going to be infected.


If you remove the drive. Lots of backups are done onto always-connected devices.


So, if my external drive was connected to the computer during encryption, will it also be encrypted?


yes, that's exactly what he said:

> You need read-only, airgapped backups before you can consider yourself safe.


As if this attack purely relied on people clicking on emails. Maybe that's 1 person out of 10.000 but obviously this used various other methods to spread.


The hit rate of targeted click bait is much higher. In companies without proper precautions it can be as high as 50%.


how else could it spread? flash exploit? Skype?

WannaCry spread to computers connected to a network, but individuals at home probably aren't connected to a local network unless there are multiple computers.


You are thinking "trojans," not viruses. Viruses spread without any user interaction by exploiting vulnerabilities in clean, but accessible machines.

Ransomware used to be purely trojans, but newer iterations now come with a viral component based (at least partially) on that leaked NSA toolkit.



