Protecting File History from Ransomware

One of my clients was recently infected with the Cerber Ransomware and all data files were encrypted. She had a USB external hard drive on which she kept a Windows System Image plus File History. Fortunately the System Image was not touched, but the configuration folder in File History was encrypted, thus preventing restore from File History. The data files in File History, however, were all okay.

Restoring the System Image got her system back to 2016-10-17. I then wrote a Rexx program to restore all her history files from that date forward, so her system was completely restored.

The point of this post is that it is not safe to have your File History device connected all the time. As ransomware becomes more sophisticated it will eventually encrypt ALL files on ALL connected USB devices, and even on network drives.

Even if your File History device is disconnected, File History will continue to back up your files locally to:

C:\Users\%username%\AppData\Local\Microsoft\Windows\FileHistory

When the File History device is reconnected, these locally staged files will be copied to it.

I typically leave my File History device disconnected all week until some time when I will not be using the PC. I plug in the external device, go to Control Panel => File History => Run now. (You may see a message that the device is disconnected, but when you click Run now the red X will be removed.) When File History is finished it will display a message "Files last copied on mm/dd/yyyy hh:mm". I then use Safely Remove Hardware to disconnect the history device.
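The same plug-in, back up, eject routine can be scripted so that the drive is never left connected longer than the backup takes. The script below is an added example and is not part of the original post. It assumes the external disk mounts at a fixed drive letter (`E:` by default), the standard File History layout of `<drive>:\FileHistory\<user>\<PC>\Configuration\Config*.xml` (and the matching local copy under `%LOCALAPPDATA%\Microsoft\Windows\FileHistory`), that the built-in helper `FhManagew.exe -BackupNow` triggers the same action as "Run now", and that the Shell `Eject` verb is offered for the disk. Before it writes anything to the drive it parses the configuration files as XML, which is a cheap way to notice the situation described above, where the Configuration folder had been encrypted but nobody knew until a restore was attempted.

```powershell
# Added example (not from the original post). Assumptions are noted inline.
param(
    [string]$DriveLetter = 'E',   # assumed drive letter of the external File History disk
    [int]$WaitSeconds    = 300    # how long to wait for the disk to be plugged in
)

# 1. Wait for the device to appear after it is plugged in.
function Wait-ForDrive {
    param([string]$Letter, [int]$Timeout)
    $deadline = (Get-Date).AddSeconds($Timeout)
    Write-Host "Plug in the File History drive (${Letter}:) now..."
    while ((Get-Date) -lt $deadline) {
        if (Test-Path "${Letter}:\") { return $true }
        Start-Sleep -Seconds 2
    }
    return $false
}

# 2. Sanity-check the File History configuration before trusting a location.
#    An encrypted or otherwise damaged Config*.xml no longer parses as XML,
#    so a parse failure is an early warning that the backup set was tampered with.
function Test-FileHistoryConfig {
    param([string]$Root)    # folder under which Config*.xml files are searched
    $configs = Get-ChildItem -Path $Root -Recurse -Filter 'Config*.xml' -ErrorAction SilentlyContinue
    if (-not $configs) {
        Write-Warning "No Config*.xml found under $Root"
        return $false
    }
    $ok = $true
    foreach ($f in $configs) {
        try {
            [xml](Get-Content -Path $f.FullName -Raw) | Out-Null
        } catch {
            Write-Warning "Configuration file does not parse as XML (possible encryption/tampering): $($f.FullName)"
            $ok = $false
        }
    }
    return $ok
}

# 3. Trigger the equivalent of Control Panel => File History => Run now.
#    Assumption: FhManagew.exe with the -BackupNow switch is present on this Windows build.
function Start-FileHistoryBackup {
    $exe = Join-Path $env:SystemRoot 'System32\FhManagew.exe'
    if (-not (Test-Path $exe)) { throw "FhManagew.exe not found at $exe" }
    & $exe -BackupNow
    # The helper returns immediately; the File History service performs the copy.
}

# 4. Safely eject the disk (equivalent of Safely Remove Hardware).
#    Assumption: the Shell namespace exposes an 'Eject' verb for this disk.
function Dismount-ExternalDrive {
    param([string]$Letter)
    $shell = New-Object -ComObject Shell.Application
    $item  = $shell.Namespace(17).ParseName("${Letter}:")   # 17 = My Computer folder
    if ($null -eq $item) { throw "Drive ${Letter}: not found in the Shell namespace" }
    $item.InvokeVerb('Eject')
}

# --- main flow ---
if (-not (Wait-ForDrive -Letter $DriveLetter -Timeout $WaitSeconds)) {
    throw 'Drive never appeared; nothing was done.'
}

# Check both the local staging copy and the copy on the external disk.
$localRoot = Join-Path $env:LOCALAPPDATA 'Microsoft\Windows\FileHistory'
$driveRoot = "${DriveLetter}:\FileHistory"
$localOk   = Test-FileHistoryConfig -Root $localRoot
$driveOk   = Test-FileHistoryConfig -Root $driveRoot
if (-not ($localOk -and $driveOk)) {
    throw 'File History configuration looks damaged; investigate before running a backup to this disk.'
}

Start-FileHistoryBackup
Read-Host 'When Control Panel => File History shows "Files last copied on ...", press Enter to eject the disk'
Dismount-ExternalDrive -Letter $DriveLetter
Write-Host "Drive ${DriveLetter}: ejected. Keep it disconnected until the next backup."
```

The script deliberately waits for you to confirm the "Files last copied on" message rather than guessing when the copy has finished, because the File History service runs asynchronously after `-BackupNow` returns. If the disk is not offered an `Eject` verb (some USB hard disks are not), fall back to Safely Remove Hardware as in the post; the configuration parse check is still worth running either way.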

File History will continue to run even if you Sign out of your account.


Last updated May 28, 2020