Backup Now, no Really

It’s ironic (not ironic?) that an IT-savvy nerd who has spoken about backups here on these forums should befall a tragedy putting my backup best-practices to the test.

On a dedicated DAW where only music-related stuff is clicked on, I just befell a “ransomware” virus.

I’m an IT guy, I know not to click on or run “weird stuff,” but got sucker-punched all the same.

I’m not ready to point fingers, but am not ruling out one of the “free xmas gift” downloads recently installed. Will report back if I can confirm, but if not that, it was likely a website link (or so the research seems to point). I can’t imagine what.

On this DAW I visit Gearslutz, KVR, the various DAW forums, MusicRadar, YouTube tutorial videos, plugin updates, etc. Nothing else.

And yet, one of my unfortunate clicks (if not a plugin update or plugin related download), and likely an Adobe Flash exploit (which I update weekly!) got me a trip to hell and back within the last 24 hours.

I was in Cubase, minding my own business on my crappy trance music, when things slowed down to the point of “reboot.”

At first I blamed Cubase 8.

Nope, it was “ransomware” encrypting all my datafiles in the background!

A reboot informed, via a new shiny wallpaper, that I had to click on a link and pay bitcoin, or never see my encrypted files again.

Yikes.

I checked.

Yup. They managed to encrypt all my text (and many other) data files. I knew because the files ended in a second extension of random text. E.g., “readme.txt.xype93s” instead of “readme.txt”. Opening the file revealed encrypted garbage.

It sprawled across all my SSDs faster than you can say “sata III solid state drives.”

Cubase project files, wav and aiff files remained untouched, thankfully (a limitation of the malware).

But text files and many other file types were encrypted for ransom.

I’m posting this here because it was only relatively garden variety, audio-related stuff I visit on this computer. What I’d consider to be relatively common usage paths for audio enthusiasts during the holiday sales and promotions.

So … yeah. Don’t be too scared, but also back your stuff up. Seriously. And run anti-malware software if it’s a computer you’re using to research plugins, etc.

I was able to get everything back due to backups.

Backup. Backup. Backup.

Also, if you’re on OS X, honestly, you’re mostly safe. Or at least you would have been in this case.

If you’re on Windows 8+ you’re probably safe (built in security essentials).

I am on Windows 7 and in my infinite wisdom, decided not to run malware protection in order to “optimize” my DAW.

Well, F’ that. I now have Windows Security Essentials and Malwarebytes running (both) in full, live, real-time mode. :laughing:

That was quick. Didn’t take much arm-twisting.

I’ll let you know (once I’m 100% back up) how that works with Cubase 8 / Windows, but whatever performance hit I get, it’s going to be factored into the overhead of the DAW’s capabilities.

This ransomware managed to find my USB flash drives, and here’s the (interesting) damage report:

Waves USB: Okay – It wasn’t smart enough to touch it.

iLok USB: Okay – it wasn’t smart enough to touch it.

eLicenser USB: Okay – didn’t touch it.

Native Instruments “Service Center” – Okay.

Plugin Alliance – it found its “machine_id.txt” file and encrypted it! Plugin Alliance dongle (USB thumbdrive) is TOAST! :open_mouth: (easily fixed, but still, pretty scary.)

+1 for not having license files with “.txt” in the name.

+1 again for iLok not even exposing the filesystem!

+1 again for iLok even surviving a complete loss (TLC) – didn’t come to that, but still, eLic, you’re not robust enough for 2014 (and beyond), in my humble estimation. eLic really needs a total loss coverage option similar to iLok.

Will edit this post with some others once I’m back up and can confirm.

Also, I use Dropbox for many things audio related. Between multiple computers, etc. This virus found and crawled through my entire Dropbox trees and encrypted everything it cared about on it, too!

Yikes!

I had to delete everything in my dropbox, to be safe.

Luckily, I had a virtual machine (not running) that had a recent Dropbox sync. So I pulled the ethernet jack on my computer, loaded the virtual machine, copied everything out of my Dropbox to my desktop, then plugged the ethernet jack back in (at which point it quickly deleted everything) and then copied from the desktop back to Dropbox. Everything was back. Whew!

Backup with Crashplan. Seriously. Just do it.

“Happy Holidays” all. :unamused:

To all you “don’t allow internet on my DAW types” – I bow to you in respect.

To all you audio companies that make it difficult to use your software without being connected to the internet – here’s another anecdote for you to rethink your offerings.

Backup. Via Crashplan online, imho. I’ve tried most of them and Crashplan gets my approval; more than once I have had to restore from it.

Man, I just can’t seem to get a free Saturday. :laughing:
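A quick way to check a restored backup or a synced folder for the double-extension pattern described above (“readme.txt.xype93s”), as an added example that is not from the original post; the extension set and the suffix shape are assumed heuristics, and the sample tree is constructed:

```python
"""Flag files that carry an extra, random-looking suffix after a known
extension (readme.txt.xype93s), the renaming pattern described in the post.
Added example with an assumed heuristic; not a product or a forum tool."""
import os
import re
import tempfile
from pathlib import Path

# Extensions the post reports as targeted; extend for your own data (assumed list).
KNOWN_EXTS = {".txt", ".doc", ".docx", ".pdf", ".xml", ".ini", ".cfg", ".jpg", ".png"}
# Assumed shape of the appended suffix: short, lowercase alphanumeric.
SUFFIX_RE = re.compile(r"^[a-z0-9]{5,12}$")


def looks_renamed(name: str) -> bool:
    """True when a known extension is followed by a random-looking tail."""
    suffixes = Path(name).suffixes
    if len(suffixes) < 2:
        return False
    real_ext = suffixes[-2].lower()
    tail = suffixes[-1][1:].lower()
    if real_ext not in KNOWN_EXTS or ("." + tail) in KNOWN_EXTS:
        return False
    # All-digit tails (dated copies like notes.txt.20141227) are not flagged.
    return SUFFIX_RE.match(tail) is not None and not tail.isdigit()


def find_suspects(root: str) -> list[str]:
    """Walk a tree and return the relative paths of suspicious files, sorted."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if looks_renamed(fname):
                rel = os.path.relpath(os.path.join(dirpath, fname), root)
                hits.append(rel.replace(os.sep, "/"))
    return sorted(hits)


def build_sample_tree() -> str:
    """Constructed sample tree mirroring the post's damage report."""
    root = tempfile.mkdtemp(prefix="ransom_check_")
    os.makedirs(os.path.join(root, "PluginAlliance"))
    for rel in ("readme.txt.xype93s", "notes.txt", "song.cpr", "mix.wav",
                "archive.tar.gz", "PluginAlliance/machine_id.txt.k4q7zs"):
        Path(root, rel).write_bytes(b"constructed sample content")
    return root


if __name__ == "__main__":
    for path in find_suspects(build_sample_tree()):
        print("suspect:", path)
```

Run it against a backup mounted read-only from a clean system; a non-empty result means that backup set was taken after the encryption started.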

Great story, and great advice! I learned my lesson a few years ago and always backed up since. Apple Time Machine, and now I will start using MS Windows File History.

Brave of you to tell us all about it, embarrassing though it might be :wink:

Thanks, Steve.

Yes, I really did not want to post this story, but felt if the message even spares one Cubase user what I’m going through, it’d be worth it.

Really, this is a dedicated computer that only music related stuff is clicked on. I’m really careful with it.

I seriously think it very well may be a not-so-uncommon path others could stumble into.

One of these free xmas gifts, holidays updates or landing pages of a plugin or plugin review is the only thing I’ve been visiting on this DAW in the last 5 days and it happened last night, Dec 27 at 4:12am (don’t ask, I’m a night owl!).

PC users, please do enable Microsoft Security Essentials (it DID detect and remove the ransomware) and also back your precious music up.

Even though Security Essentials removed it, I had a full image backup I did just last week (whew!) and so I refreshed to it out of an abundance of caution.

Mac users, too, of course, but this was a PC thing (no surprise there).

Edit: Bah! Just realized, if I had been smart, I’d have exported all the websites I visited on Dec 27th. Sadly, in my rush to clean my system, it’s gone forever. Sorry guys.

That said, mentally retracing my steps, seriously, it wasn’t anything that couldn’t have been linked to from KVR or similar (wide-ranging as that may be).

Jalcide, I am using Outpost Security Suite (firewall + antivirus + antispyware) to avoid this kind of horror story. It is not so heavy and works very well. I run a backup once a week (or when there is some new important file).

Thanks for sharing your story.

Good luck!

Thanks, Makumbaria, I’ll look into Outpost. I haven’t heard of it. My short list (to augment MS Security Essentials) has been between McAfee, Norton, AVG, Kaspersky, Trend Micro and Malwarebytes. I know there are several other good ones.

I think this is a very new virus, but hopefully information is shared quickly and therefore detected by all, already.

Yep, here is the reason why Steinberg has a key, rather than an Internet requirement.

I refuse to use my music computers connected to the Internet. I got this portable for that. :slight_smile:

Sorry to hear about your situation, mate.

Great advice!
Seems ‘Murphy’ is always waiting in the wings to take a solo.

And I wonder how many people actually send $$?
{’-’}

Thanks, Elektrobolt.

I’m just so grateful the affected computer was a DAW only.

Best move I ever made.

And grateful I had such a recent bootable backup of only a week old. On a removable SSD tray that was sitting outside the computer. If it were a backup drive always connected, with a drive letter assignment, it’d be toast.

Thanks, Curteye.

Sadly, too many, from what I was able to research.

The malware was well-written software, though. :laughing:

I’m amazed at how fast and thoroughly it crawled all my drives and how efficiently it encrypted the files while Cubase was at a 95% ASIO load! :laughing:

I think it may have worked more smoothly than Cubase saving in the background. :laughing: (kidding)

If those coders used their talents for good, I suspect they’d make even more money.

My DAW machines are Win XP
I never connect them to internet
Anything Network related is disabled
Never use anti-virus software

NEVER a virus, malware, Trojan, spyware, etc…

I back up/make images with Acronis, only needed due to component failures.

You people go ahead and surf the web on your DAW machines, use software that forces you to connect to the web for authorizations, and keep believing you’re immune because you’re using Win 7 or 8 etc.

Just backed up again, thanks for the reminder :slight_smile:
Sorry to hear about your troubles though

Yup. I’m strongly considering taking your approach.

My first sequencer, running on an Amiga 500, wasn’t connected to the internet, because we didn’t have the internet back then. :slight_smile: I was able to make music on it, just fine.

That said, I’m glad it was my DAW that took the hit and not my work-related machines.

I’m certainly not going to change my, albeit risky, behavior of exploring a free holiday download, or whatever took me on my unsavory path, so I may install a VirtualBox virtual machine on my DAW and simply launch it when doing such things – totally sand-boxed (with no mapped drive letters or volumes to the outside).

I might uninstall Adobe Flash on it, as well. Further research into this malware seems to point to that.

Which is ironic to me, since I was a Flash webapp developer for an ad agency in a past life.

Thanks, Strophoid.

Btw, to anyone curious which software I used to do the bootable image/backup: Paragon Drive Copy 14. The “Copy Hard Disk” wizard with the “raw copy” option. There are many other good drive image products, too. I chose this one for some other features it has.

Personally, it’s just not worth the risk. It’s always been about convenience, but I will sacrifice that for knowing I should not worry too much about the above.

Yes, clients bring all kinds of things on flash drives, but I check them out first on a beater computer with lots of anti-malware. AVG, Malwarebytes, SpyBot…they all seem to find things the others do not.

By the way, for anyone else considering Arturia, it’s been impossible to activate anything offline. They will take your money…no problem…but their offline activation scheme doesn’t work. They keep saying have patience :laughing: It goes to show how few users have a studio offline. We are a dying breed.

I’ve got SkyDrive with Ncrypted layer.

Good point. Maybe I’ll put several on that VM I’m thinking about. Use it as a staging area.

Yeah, I found this out with the V4 Collection, too.

Arturia claims they’re working on an update to their auth system that will allow true, offline / USB thumbdrive support with ability to de-auth from a web-based account center should a computer become lost, stolen or toast. He didn’t give a time-frame, but implied it was coming soon.

Right now, with the V4 Collection, you can’t auth offline and if your computer becomes toast you lose one of your 5 fixed authentications. He suggested that tech support could likely fix this on a case-by-case basis, should a computer crash, but I’m not a fan of embracing systems that leave it so undefined.

I think keeping pressure on these companies, emailing them, sharing anecdotes like mine, etc. does help.

And of course voting with the wallet, works, too. So many good offerings out there right now, I may just stay clear of any software that requires a constant internet connection (phones home, etc.) and that doesn’t provide methods for offline authentication.

SkyDrive has become OneDrive, for those unfamiliar with it, but it’s just a file-server area, not a full virtual machine. I guess I don’t see how this protects you much.

Anyway, encrypted drives usually only offer protection when they’re not mounted. Once mounted, if you can drag a file to it, malware can discover it and programmatically do the same.

I guess I’d need to hear a use-case described where it would offer protection.

If it wasn’t mounted, it would have been spared Dropbox’s fate in my situation, but then wouldn’t have been useful to me as a mounted drive (where I share mixdowns between Cubase and another machine that does mastering running Reaper).

Hi Jalcide,

OneDrive (formerly SkyDrive) is great because it means if a system goes down I can access the files online while I am resurrecting the compromised system.

Ncrypted layer just encrypts files on a per file/folder basis on the local system and, like OneDrive, makes them available via a web browser.

The local backup system I use is Macrium Reflect, which allows you to take images (or full clones) of drives, of which I use the former to take a simple copy of the system drive (including My Documents etc.) which is readable on a Windows 7 and up system.

Of course these “solutions” are not protection per se but are rather simple ways to provide file backups on the same or cloud system.

Cheers

Hey, Sycophant. Gotcha. Just making sure I wasn’t missing something.

Yeah, local + cloud is great. Even better when it has version control. I can’t tell you how many times I’ve grabbed an older file, that I didn’t think I’d need or that I overwrote with a newer version, from Crashplan cloud.

For coding (day job) I sometimes use Crashplan almost like a poor-man’s “Git” for version control – a sort of safety net. Not a good development best practice, but in a pinch, it’s great to have.

What I like about Crashplan, in addition to the delta history it keeps (like Apple Time Machine), is that it can be infrastructure-less if you use your friends’ / family’s computers. No monthly fee and would work even if Crashplan went down. A sort of “personally owned and operated” cloud.

Cheers.

Looks good, so does it allow you to backup to other computers, i.e. via a Static IP?

I used to use iDrive (not Apple) for a time, but being on Windows 8, the sign-in for OneDrive is integrated, as well as File History using plain file copies, notwithstanding Macrium Reflect images.

This serves as rudimentary file backup without having to expend a great amount of intellectual resources, and in particular the third method allows Windows-readable repositories to be created and mounted as hard disks in any computer that is Windows 7 and above, but for it (Macrium) to work you need to have a secondary hard disk attached.

Macrium reflect can create rescue media but that is not really how I’d be wanting to use it, e.g. as a drive imaging and restoration utility. For ghosting, I still haven’t found something that is suitable let alone free.

Since Windows 8.1 now has Factory Restore, the situation is less grave I suspect, but I would still like to invest time in a proper imaging solution; EaseUS and Paragon have not really satisfied me in any way thus far.

As it stands, OneDrive is the only thing I can truly rely on for better or worse since I am not really taking external backups, which I guess is why you are using CrashPlan.

Best

Yes, we are a dying breed :wink:

I have NOT, and will NEVER have my main studio DAW connected to the internet. Just because :wink:

Just found this:

http://community.spiceworks.com/topic/396103-cryptolocker-prevention-kit-updated

now I’ve got to read :confused: :cry: