
vitalion

Original poster
Hello all,

I hope that this is the right forum section.

I am looking at a backup solution and most of my research concludes that one of the best options is Carbon Copy Cloner, a software by Bombich.

As they state on their website, the app offers "Snapshots - Bring back files that you thought you'd lost forever! CCC can capture all your files exactly as they are at a moment in time. Restore files you accidentally deleted — or that were corrupted by malware."

Going deeper into this feature:
The Role of Snapshots in a Comprehensive Data Protection Strategy
There are several aspects of data protection that a backup aims to provide. Protection against:
...
Malicious file modification (e.g. malware/ransomware)
...


Full info via this link www.bombich.com/kb/ccc6/leveraging-snapshots-on-apfs-volumes


All of the above made me curious about how it is possible to restore files from an external HDD when your system is infected with ransomware and all of your data is encrypted.

My usage scenario is based on the following structure.

Setup:
Internal SSD -> Various files and folders that I would like to back up daily
Ext. SSD -> Various files that I need frequent access to, and where read and write speed is important
Ext. HDD A -> Files and folders (mainly archived projects and Lightroom catalogue)
Ext. HDD B -> Planning to use this HDD as the destination for backing up all of the above (Internal SSD, Ext. SSD, Ext. HDD A) via Carbon Copy Cloner at 12-hour intervals

I am on a Mac Studio running Ventura 13.3.1
All the hard drives are APFS formatted
I don't mind wiping the system and reinstalling the OS and the apps that I use in case of a disaster.

Do any of you have a clear understanding of how this mechanism works? I am struggling to understand how it is possible to access data and do a "healthy data restore" from an external drive that has files that are infected with ransomware.

Thank you in advance. If you need any more info please let me know.
Thank you for your time.

Regards,
A.
 
I am looking at a backup solution

files that are infected with a ransomware.

I don't have any direct experience with backing up multiple disks with CCC but I have some general thoughts about your situation:
  • RansomWhere? is a utility from a well-respected security researcher, Patrick Wardle, that provides a first line of defense against ransomware. I've had it on my Macs for years.
  • Disks holding archives or data that doesn't change frequently can be periodically, say, once a calendar quarter, backed up to a thumb drive/drives or optical media. If you keep multiple versions of these backups, you most likely will always have pristine copies of the disks on hand.
  • I maintain backups of my internal SSD using Time Machine and Carbon Copy Cloner. The Time Machine drive is always connected. The CCC drive is disconnected most of the time. I do a CCC backup about once a week or before installing an OS update. I do this for redundancy and to increase the chances of having a clean version of my entire setup in the event of a catastrophic failure or a security breach.
 
Two different scenarios: Infection & Ransomware.

If your computer has Ransomware then access to your files will be blocked and consequently CCC shouldn't be able to back up your computer. Your previous Snapshots should be unaffected if they were made before your files were locked by the Ransomware. Wiping your User Data and reinstalling from an unaffected Snapshot should eliminate the Ransomware.

An infection on a computer shouldn't prevent CCC from making backups and Snapshots. Snapshots made previous to the infection shouldn't be affected. Check out the settings in Pre-Flight that control how long Snapshots are retained. I use a weekly backup schedule, with the default setting, and it's currently showing March 26th as the oldest retained Snapshot, so about 6 weeks. That can be customized for your use case.

I recommend contacting Mike Bombich at CCC with your concerns. He'll give you guidance on the best backup strategy for your situation and explain, better than I have, how Snapshots provide security against Ransomware and Infections.

Also, good on you for taking seriously the security of your data. :)

Didn't catch KaliYoni's post before I made mine. I second his recommendation that you run Objective-See's app RansomWhere? and take a look at some of the other great apps they provide for free.
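The replies above rest on restoring from a snapshot taken before the files were encrypted. As an added example that is not part of the thread and is not CCC or Objective-See code, this sketch picks the newest snapshot that still looks healthy using a simple heuristic: a file is suspicious when its first bytes are near-random and carry no known file signature. The function names, the 7.5 bits/byte threshold, the 20% limit and the sample data are all assumptions made for the illustration.

```python
import hashlib
import math
import os
from collections import Counter

# Signatures of formats that are high-entropy even when healthy (compressed).
KNOWN_MAGIC = (b"\xff\xd8\xff", b"\x89PNG", b"PK\x03\x04", b"%PDF")

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_encrypted(head: bytes, threshold: float = 7.5) -> bool:
    """Near-random content with no recognised file signature."""
    return not head.startswith(KNOWN_MAGIC) and entropy(head) >= threshold

def scan_tree(root: str, nbytes: int = 4096) -> dict:
    """Read the first nbytes of every regular file under a mounted snapshot."""
    heads = {}
    for folder, _, names in os.walk(root):
        for name in names:
            path = os.path.join(folder, name)
            if os.path.isfile(path):  # skips broken symlinks
                with open(path, "rb") as fh:
                    heads[os.path.relpath(path, root)] = fh.read(nbytes)
    return heads

def newest_clean_snapshot(snapshots: dict, max_suspicious: float = 0.2):
    """snapshots maps a sortable timestamp name to scan_tree() output.
    Returns the newest name whose suspicious share is within the limit."""
    for name in sorted(snapshots, reverse=True):
        heads = snapshots[name]
        bad = sum(looks_encrypted(h) for h in heads.values())
        if heads and bad / len(heads) <= max_suspicious:
            return name
    return None

def noise(seed: str, n: int = 4096) -> bytes:
    """Constructed stand-in for ciphertext: deterministic pseudo-random bytes."""
    return b"".join(hashlib.sha256(f"{seed}{i}".encode()).digest() for i in range(n // 32))

# Constructed sample: snapshots at 12-hour intervals, the last taken after encryption.
CLEAN = {"notes.txt": b"Archived project notes.\n" * 100,
         "photo.jpg": b"\xff\xd8\xff\xe0" + noise("jpeg")}
SAMPLE = {"2023-05-01-0600": CLEAN, "2023-05-01-1800": CLEAN,
          "2023-05-02-0600": {k: noise(k) for k in CLEAN}}
```

The signature list is what keeps healthy JPEGs and ZIP-based documents from being flagged; files that are legitimately encrypted or compressed in other formats will still raise the count, so the result is a triage aid rather than proof.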
 
1) Time Machine and CCC are very similar. Each has its adherents.

2) There is no Mac ransomware in the wild (yet). There might be a few very targeted exceptions.

3) Potential ransomware may well attempt to encrypt files on all attached and network disks.

4) It is hard to modify files on a TM disk. It is much simpler to modify files on a CCC disk. So TM may provide some protection, CCC less so. But, I am not aware of any thorough testing of this. I would not want to rely on TM, CCC or similar.

5) Synchronising cloud services (e.g. iCloud, Dropbox, OneDrive, etc.) are likely to synchronise any ransomware encryption to your other computers.

6) Off-site or disconnected backups are your best protection. Either sets of hard disks physically disconnected from your Mac or a cloud backup using, for example, Arq Backup.

7) Apple's protection mechanisms (XProtect, etc.) will likely cover any in the wild ransomware attacks. Keep your Mac fully patched.
 
Off-site or disconnected backups are your best protection. Either sets of hard disks physically disconnected from your Mac or a cloud backup using, for example, Arq Backup.

Physically disconnected backups are a good option. Some Cloud services, such as Backblaze, offer unlimited backups so even if the cloud storage version is overwritten by ransomware versions you can restore from an earlier backup.

You can also run an antivirus on your Mac that has ransomware protection, but this is a controversial topic. I use Sophos.

 
I don't have any direct experience with backing up multiple disks with CCC but I have some general thoughts about your situation:
  • RansomWhere? is a utility from a well-respected security researcher, Patrick Wardle, that provides a first line of defense against ransomware. I've had it on my Macs for years.
  • Disks holding archives or data that doesn't change frequently can be periodically, say, once a calendar quarter, backed up to a thumb drive/drives or optical media. If you keep multiple versions of these backups, you most likely will always have pristine copies of the disks on hand.
  • I maintain backups of my internal SSD using Time Machine and Carbon Copy Cloner. The Time Machine drive is always connected. The CCC drive is disconnected most of the time. I do a CCC backup about once a week or before installing an OS update. I do this for redundancy and to increase the chances of having a clean version of my entire setup in the event of a catastrophic failure or a security breach.
Thanks, I will have a look at RansomWhere?, looks like an interesting "mechanism".
 
Thanks for the replies. Maybe I will send an email to Bombich as well to ask them.
 