Back Up Of Files For Ransomware Remediation. Any Explanation?

I am new to Bitdefender. When I turn on the Ransomware Remediation, does this mean that Bitdefender will back up all of my data files (My Documents, Photos, etc)? If yes, where will these files be stored? If yes, does that mean it is not necessary to keep my Carbonite subscription?

Best Answer

  • Alexandru_BD
    Alexandru_BD admin
    Answer ✓

    Hello,

    @garioch7 thank you for the heads up! 😊

@RancherRick Ransomware remediation is not a replacement for a proper backup solution. The way ransomware remediation works is by monitoring which applications access/modify your files, and backing up those files, until a verdict is given for the application. If the application is deemed safe, the backup is deleted. If the application is deemed unsafe, its actions are blocked, and the files are restored to the original. The backups are only kept locally.

    I hope this helps.

    Best regards.

    Premium Security & Bitdefender Endpoint Security Tools user

Answers

  • garioch7
    garioch7 Defender of the month ✭✭✭✭✭

    @RancherRick

    "Mr. Google" is your friend. Click on <this link> to read an explanation of how Ransomware Remediation works.

    Frequent full backups (system images) are absolutely essential to safe computing. Ransomware is not the only threat to be concerned about. Hardware failures are frequently the cause of data loss and Bitdefender cannot protect you from that or from accidentally deleted or corrupted files.

    I hope this helps. Have a great day.

    Regards,

    -Phil

    Former Bleeping Computer Malware Response Instructor

  • Hi Phil:

Thank you for your information. I will plan to keep Carbonite.

Just to clarify, do you know if Bitdefender makes a copy of all my data files if I turn on Ransomware Remediation? If so, where are these copies kept?

  • garioch7
    garioch7 Defender of the month ✭✭✭✭✭

    @RancherRick @Alexandru_BD

I am copying a Moderator with this reply. I do not know where Bitdefender stores its ransomware remediation files or when they are created, and if they are continually kept updated. I suspect that the files are kept updated, but are stored in a proprietary format, possibly BD encrypted format, so that the files remain immune from a ransomware attack because the ransomware does not realize that they are user data files.

    I am deferring to an expert who can provide you with a definitive and accurate answer. My speculation is just that: speculation.

    Have a great day, and stay safe in cyberspace.

    Regards,

    -Phil

    Former Bleeping Computer Malware Response Instructor

  • Thank you for your help, Phil.

  • DIVERSE
    DIVERSE ✭✭✭
    edited March 2022

    On this topic, when Ransomware Remediation is enabled, I also wonder:

    • are all files & folders protected, or just certain ones (e.g. in My Documents);
    • could the combined size of maintained copies of protected files become very large (more than 1 GB and/or more than 1,000 files, say) — and, if so, can users set a cap on this (like caps on a cache in a web browser);
    • are the copies saved locally (on the same device) or remotely (in a 'cloud');
    • when a file is accessed/modified in an 'ordinary' way by an 'ordinary' application (e.g. MS Office), will that file still be automatically backed up unless I have specifically created an exception from Ransomware Remediation for that particular application?

    —DIVERSE

  • +1 on Diverse's asks. I'd especially like to understand where Bitdefender is storing backup copies during a remediation event.

  • Alexandru_BD
    Alexandru_BD admin
    edited August 2022

    Hello,

    I'll jump in to shed some light on this, to the best of my knowledge:

    • are all files & folders protected, or just certain ones (e.g. in My Documents) - Yes, all files are protected.
• could the combined size of maintained copies of protected files become very large (more than 1 GB and/or more than 1,000 files, say) — and, if so, can users set a cap on this (like caps on a cache in a web browser) - Yes, the total size can be very large. This is not configurable.
    • are the copies saved locally (on the same device) or remotely (in a 'cloud') - See my first comment on the thread - the backups are only kept locally.
    • when a file is accessed/modified in an 'ordinary' way by an 'ordinary' application (e.g. MS Office), will that file still be automatically backed up unless I have specifically created an exception from Ransomware Remediation for that particular application? - Certain applications are considered trusted. Files are restored only if they are encrypted in certain file formats by ransomware, but not if they are modified in any other way.

    Regards

    Premium Security & Bitdefender Endpoint Security Tools user
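The flow described in the accepted answer and in the follow-up above (per-application copies of files before they are modified, a verdict on the application, then restore or discard, with files restored only when they look encrypted and certain applications trusted outright), as an added example that is not Bitdefender's code. The header table, the entropy threshold, the number of suspicious writes that triggers a verdict and the trusted-application list are assumptions made for the illustration; the scenario data is constructed:

```python
"""Model of the remediation flow described above: track which application
writes which file, keep a local pre-write copy per application, and after a
verdict either discard the copies (safe) or restore them and block the app
(unsafe).  The verdict is a constructed heuristic (a known format loses its
header and becomes near-random), not Bitdefender's logic."""
import math
import os
import random
import shutil
import tempfile
from collections import Counter, defaultdict
from pathlib import Path

MAGIC = {".pdf": b"%PDF", ".docx": b"PK\x03\x04",      # constructed header table
         ".png": b"\x89PNG", ".jpg": b"\xff\xd8\xff"}
ENTROPY_THRESHOLD = 7.5   # bits/byte; assumed value (random data is ~7.95 at 4 KiB)
SUSPICIOUS_WRITES = 3     # assumed: encryption-like writes before an 'unsafe' verdict
TRUSTED_APPS = {"winword.exe", "excel.exe"}   # constructed trusted-application list


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty or single-valued input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: str, data: bytes) -> bool:
    """True when a known document format lost its header and is near-random.
    An ordinary edit keeps the header, so office applications do not trip this."""
    magic = MAGIC.get(os.path.splitext(path)[1].lower())
    if magic is None or data.startswith(magic):
        return False
    return shannon_entropy(data) > ENTROPY_THRESHOLD


class RemediationMonitor:
    def __init__(self, shadow_dir: str):
        self.shadow_dir = shadow_dir
        self.shadows = defaultdict(dict)   # app -> {original path: local shadow copy}
        self.suspicious = Counter()        # app -> encryption-like writes seen
        self.blocked = set()

    def write(self, app: str, path: str, data: bytes) -> bool:
        """Perform a write on behalf of `app`; return False if it was refused."""
        if app in self.blocked:
            return False
        if app not in TRUSTED_APPS and path not in self.shadows[app] and os.path.exists(path):
            shadow = os.path.join(self.shadow_dir, f"{app}-{len(self.shadows[app])}.bak")
            shutil.copy2(path, shadow)     # pre-modification copy, kept only locally
            self.shadows[app][path] = shadow
        with open(path, "wb") as fh:
            fh.write(data)
        if app not in TRUSTED_APPS and looks_encrypted(path, data):
            self.suspicious[app] += 1
            if self.suspicious[app] >= SUSPICIOUS_WRITES:
                self.resolve(app, "unsafe")
        return True

    def resolve(self, app: str, verdict: str) -> list:
        """'safe' drops the copies; 'unsafe' restores originals and blocks the app.
        Files the app created from scratch have no copy and are left as they are."""
        restored = []
        for path, shadow in self.shadows.pop(app, {}).items():
            if verdict == "unsafe":
                shutil.copy2(shadow, path)
                restored.append(path)
            os.remove(shadow)
        if verdict == "unsafe":
            self.blocked.add(app)
        return restored


def demo() -> dict:
    """Constructed scenario: a trusted editor changes one file normally, then a
    ransomware-like process XORs every document with a random keystream."""
    rng = random.Random(7)
    root, mon = tempfile.mkdtemp(), RemediationMonitor(tempfile.mkdtemp())
    docs = {}
    for name in ("a.pdf", "b.docx", "c.png", "d.jpg"):
        path = os.path.join(root, name)
        docs[path] = MAGIC[os.path.splitext(name)[1]] + b"lorem ipsum " * 340   # ~4 KiB
        Path(path).write_bytes(docs[path])
    pdf = os.path.join(root, "a.pdf")
    mon.write("winword.exe", pdf, MAGIC[".pdf"] + b"edited text " * 340)   # header kept
    accepted = [mon.write("evil.exe", p, bytes(b ^ k for b, k in zip(d, rng.randbytes(len(d)))))
                for p, d in docs.items()]          # third write triggers the verdict
    edit_kept = Path(pdf).read_bytes().startswith(MAGIC[".pdf"] + b"edited")
    headers_ok = all(Path(p).read_bytes().startswith(MAGIC[os.path.splitext(p)[1]]) for p in docs)
    shutil.rmtree(root)
    shutil.rmtree(mon.shadow_dir)
    return {"blocked": "evil.exe" in mon.blocked, "last_write_refused": not accepted[-1],
            "all_headers_intact": headers_ok, "trusted_edit_kept": edit_kept}
```

Two points the model makes concrete: the shadow copies exist only between the first write by an application and its verdict, so they are not a backup of "all your data", and a restore returns the file to its state before that application touched it, which is why the edit made by the trusted editor survives while the three encrypted files are rolled back.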

• Maintain an offline backup—keep a secondary offline backup copy. When ransomware strikes, the malware can attack anything that the infected system has access to. Your end-users are unlikely to be backup administrators, but there are indirect paths through which backups can become infected. If this happens, there is no way to recover because both the main copy of the data and the backup will be encrypted. Keeping an offline backup can mitigate this risk. A simple way to do it is to use traditional backup tapes, which are impossible for ransomware to penetrate.

Use immutable storage—also known as WORM (Write-Once-Read-Many), immutable object storage can store data in a bucket and lock it to prevent further modification. Most disk-based backup systems protect data at the block level and use changed block monitoring to safeguard files as they are modified; the problem is that ransomware changes many storage blocks, so your backup system may end up backing up the now-encrypted files. Immutable storage ensures backups remain unchanged.

    Endpoint protection on backup servers—modern endpoint protection platforms are able to detect ransomware processes as they begin infecting a system, by recognizing their abnormal behavior, even if the type of ransomware is new and unknown to security researchers. They can immediately lock down the infected systems and isolate them from the network to prevent ransomware from spreading. This is extremely useful for all organizational endpoints but is especially important on the backup server itself.
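The contrast drawn in the post above between a backup that faithfully copies the now-encrypted files over the good ones and immutable (WORM) storage that keeps every version under a retention lock, as an added example that is not any vendor's code. The retention period, the simulated clock and the timeline (clean backup, encryption, routine backup, restore) are constructed for the illustration:

```python
"""Constructed model (no vendor's code) of the two backup behaviours the post
contrasts: a mirror store that keeps only the newest copy of each file, so a
backup run after the attack overwrites good data with encrypted data, and a
WORM store where every version is appended and a retention lock refuses
deletion until it expires, so a point-in-time restore still finds clean data."""
import hashlib
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Version:
    taken_at: int      # backup time on a simulated clock (seconds)
    locked_until: int  # retention lock expiry on the same clock
    digest: str        # SHA-256 of data, re-checked on restore
    data: bytes


class MirrorStore:
    """Changed-block style: the latest copy replaces the previous one."""

    def __init__(self):
        self.latest = {}

    def backup(self, path: str, data: bytes, now: int) -> None:
        self.latest[path] = data           # `now` is irrelevant: there is no history

    def restore(self, path: str, before: int) -> Optional[bytes]:
        return self.latest.get(path)       # `before` cannot be honoured either


class ImmutableStore:
    """Append-only versions with a retention lock (WORM semantics)."""

    def __init__(self, retention: int):
        self.retention = retention
        self.versions = defaultdict(list)

    def backup(self, path: str, data: bytes, now: int) -> None:
        self.versions[path].append(
            Version(now, now + self.retention, hashlib.sha256(data).hexdigest(), data))

    def delete(self, path: str, now: int) -> None:
        """Refused while any version is under retention, even for a caller holding
        valid backup credentials, which is the case a compromised client represents."""
        if any(v.locked_until > now for v in self.versions.get(path, [])):
            raise PermissionError(f"{path}: versions still under retention lock")
        self.versions.pop(path, None)

    def restore(self, path: str, before: int) -> Optional[bytes]:
        """Newest version taken before `before`, verified against its digest."""
        older = [v for v in self.versions.get(path, []) if v.taken_at < before]
        if not older:
            return None
        v = max(older, key=lambda v: v.taken_at)
        if hashlib.sha256(v.data).hexdigest() != v.digest:
            raise ValueError(f"{path}: stored version fails integrity check")
        return v.data


def scenario() -> dict:
    """Constructed timeline: clean backup at t=100, ransomware at t=200, routine
    backup at t=300 captures the encrypted file, recovery attempted at t=400."""
    clean = b"Q3 report: revenue up 4%\n" * 20
    encrypted = bytes(b ^ 0x5A for b in clean) + b".locked"   # stand-in for ciphertext
    mirror, worm = MirrorStore(), ImmutableStore(retention=30 * 86400)
    for store in (mirror, worm):
        store.backup("/docs/report.txt", clean, now=100)
        store.backup("/docs/report.txt", encrypted, now=300)   # both dutifully copy bad data
    try:
        worm.delete("/docs/report.txt", now=350)   # attacker tries to purge history
        delete_refused = False
    except PermissionError:
        delete_refused = True
    return {
        "mirror_restores_clean": mirror.restore("/docs/report.txt", before=200) == clean,
        "worm_restores_clean": worm.restore("/docs/report.txt", before=200) == clean,
        "delete_refused": delete_refused,
        "worm_latest_is_encrypted": worm.restore("/docs/report.txt", before=400) == encrypted,
    }
```

The immutable store is not cleverer about what it ingests: it stores the encrypted version just as readily as the mirror does. What it adds is that the earlier clean version cannot be overwritten or purged while its lock holds, so recovery is a matter of picking a point in time before the incident rather than hoping the last backup ran before the encryption started.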