I’m looking at using Duplicati as a backup solution in tandem with Backblaze's B2 Cloud storage.
I just have a question about backup security. I am a little paranoid about ransomware (having fallen victim to it before, though I was fortunately able to restore from backup). When using Duplicati / B2 Cloud, how safe am I from having my backups encrypted or deleted by a would-be ransomware attack?
It seems to me that a somewhat intelligent hacker could simply use the credentials found in the Duplicati interface to delete all my backup files from Backblaze. Am I right?
I’ve passworded the admin interface and disabled the option to auto login from the tray icon, but I’m sure that info is stored in a config file somewhere or something like that?
Are there any other best practices I have missed here?
Welcome to the forum!
This is theoretically possible but IMO the likelihood is near zero. Unless you are a high profile target where attackers have infiltrated your network in advance (where they can examine your systems to see what backup software is in place), you aren’t going to get hit with ransomware that is so specific.
The ransomware that hits nearly everyone is quite generic. It just encrypts all files it can find on local disks and on network shares, and it usually also deletes local shadow copies. A B2 bucket is not a local disk so it won’t be discovered by ransomware that isn’t specially crafted to look for Duplicati databases.
Personally I wouldn’t lose sleep over it. But if you ARE extra paranoid, you could do additional things to mitigate this (very small) risk. I personally use Duplicati to back up to a local NAS, and then the NAS syncs to B2. This means my B2 credentials are not present on the Windows machine. Also, my NAS has scheduled snapshots that cannot be deleted by ransomware running on a Windows machine. If I ever got hit and my PC and NAS got encrypted, I would just roll back to a previous snapshot and restore my data.
Thanks, yeah, I have snapshots getting taken by the cloud hosting provider too. I guess I am being a little paranoid haha.
The cloud snapshots could not be accessed by a hacker unless they somehow also hacked into my cloud hosting control panel, which has totally different login credentials to anything on the server.
So I guess I need to look at it as follows:
- In the case of a very targeted ransomware attack I revert to a snapshot from my hosting provider.
- My Duplicati backups are for peace of mind in case my cloud provider somehow goes out of business overnight (which has happened to me before).
Thanks for the reply.
Current security systems fail to block ransomware. But nothing prevents us from using our wits.
Create a folder in the root of C (roller, for example).
It holds a txt file (roller.txt, for example).
Tell Duplicati to run this script before launching the backup.
REM Place file path in variable to simplify command lines.
SET Location=C:\roller
REM Use fully qualified file names in command.
REM If the bait file is gone, schedule a shutdown in 60 s and return a non-zero exit code so Duplicati does not run the backup.
IF NOT EXIST "%Location%\roller.txt" (shutdown -s -t 60 & EXIT /B 5)
If roller.txt has been encrypted by ransomware (does not exist), the copy is denied and the machine shuts down.
@Souto good additional measure, but the ransomware variants I read about aren’t that dumb. They encrypt not the filename but only the content. At least at the first pass.
They encrypt not the filename but only the content. At least at the first pass.
You are wrong and you can easily check it: download an encryption program and encrypt a .txt
This same procedure is used by Syncrify backup.
When you install it, it creates a jpg image that serves as "bait".
Most ransomware I’ve seen will alter the filename once it encrypts file contents (usually adds a suffix). But I don’t know if that happens 100% of the time. It might be an improvement to the batch file to also verify contents.
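The canary idea from the batch script above, extended with the content check suggested in this reply, as an added example that is not code from this thread or from the Duplicati project. It assumes Python is available on the backup host, that Duplicati launches it through its --run-script-before option, and that a non-zero exit code makes Duplicati skip the backup (verify the exit-code convention against the Duplicati version you run). The canary name and content are constructed sample values; the expected SHA-256 is computed once when the bait file is created and passed in as the second argument.

```python
"""Pre-backup canary check: refuse to back up when a bait file looks tampered with.

Added example (not from the Duplicati forum thread or the Duplicati project).
Assumes Duplicati runs it via --run-script-before and treats a non-zero exit
code as "do not run the backup"; check this against your Duplicati version.
"""
import hashlib
import os
import sys
import tempfile

CANARY_NAME = "roller.txt"                   # bait file name, as in the thread
CANARY_CONTENT = b"canary: do not modify\n"  # constructed sample content


def sha256_file(path):
    """Hash a file in chunks so large bait files (e.g. a jpg) are fine too."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_canary(folder, name=CANARY_NAME, expected_sha256=None):
    """Return 'ok', 'missing', 'renamed' or 'modified'.

    'renamed'  : canary gone, but a file whose name starts with the canary
                 name remains (roller.txt.locked), the suffix-adding case.
    'modified' : file still there but its hash changed, the content-only
                 encryption case raised earlier in the thread.
    'missing'  : nothing resembling the canary exists.
    """
    path = os.path.join(folder, name)
    if not os.path.isfile(path):
        try:
            siblings = os.listdir(folder)
        except OSError:
            return "missing"
        if any(s != name and s.startswith(name) for s in siblings):
            return "renamed"
        return "missing"
    if expected_sha256 is not None and sha256_file(path) != expected_sha256:
        return "modified"
    return "ok"


def simulate():
    """Exercise all four outcomes in a throwaway directory (constructed data)."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, CANARY_NAME)
        with open(path, "wb") as f:
            f.write(CANARY_CONTENT)
        expected = sha256_file(path)
        results["intact"] = check_canary(tmp, expected_sha256=expected)
        # content-only encryption: same name, different bytes
        with open(path, "wb") as f:
            f.write(b"\x00\x01not the original bytes")
        results["content_changed"] = check_canary(tmp, expected_sha256=expected)
        # suffix-adding variant: roller.txt -> roller.txt.locked
        os.rename(path, path + ".locked")
        results["suffix_added"] = check_canary(tmp, expected_sha256=expected)
        os.remove(path + ".locked")
        results["deleted"] = check_canary(tmp, expected_sha256=expected)
    return results


def main(argv):
    if len(argv) != 3:
        print("usage: canary_check.py <folder> <expected_sha256>", file=sys.stderr)
        return 2
    status = check_canary(argv[1], expected_sha256=argv[2])
    print(f"canary status: {status}")
    # Assumed: non-zero exit makes Duplicati skip the backup run.
    return 0 if status == "ok" else 5


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it once by hand after creating the bait file to record the hash, then point --run-script-before at `python canary_check.py C:\roller <hash>`. Because the check runs on the same machine the ransomware would run on, it is a tripwire that stops the backup job from pushing encrypted data over good copies; the provider snapshots and the NAS snapshots discussed earlier in the thread remain the actual recovery path.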