Ransomware protection

I feel like this has been discussed, but didn’t find it.

Given all the hashes that PhotoStructure has of the files, and the checks for corruption and the like, I wonder if it might alert somehow if a bunch of pictures suddenly start not matching hash (i.e. they have been encrypted by ransomware).

I worry about pictures I don’t often access getting corrupted or encrypted somehow and me not finding it until ‘too late’ to recover from backups. (I actually keep my picture backups with a greatly extended retention for this reason, but…)

Thanks for the suggestion!

There were a couple discussions about this on Reddit.

PhotoStructure remembers the mime-type (from the first “magic” bytes of the file), SHA (the first 192 bits of a SHA512 hash), and the last-modified time for every asset file in your library.

I believe most cryptolockers will simply encrypt files without trying to be “clever” and retaining the magic file byte prefixes, so PhotoStructure could throw up warnings if it saw a SHA and mimetype changed for a given prior asset file.

Wouldn’t this be too late, though? Or is that OK (you just need to be notified?)

(I’d love to be able to “protect” people’s libraries, but PhotoStructure should run as least-privileged a process as possible to reduce its security footprint).

Would this warning be triggered if you wrote metadata to an image after it’s been ingested to PhotoStructure?

Changing metadata or just adding an external sidecar wouldn’t change the mime-type of the asset file, so, no (assuming I build what I suggested before).
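A worked sketch of the check described above (magic-byte mime-type plus the first 192 bits of a SHA-512 stored per asset, then a warning when both change together, while a metadata edit that keeps the format is only "modified"). This is an added example, not PhotoStructure's own code: the magic-byte table is a small constructed subset, the alert threshold of three files per scan is an assumption, and the sample "library" and the XOR stand-in for an encryptor are constructed inline so it runs offline.

```python
import hashlib

# Magic-byte prefixes for a few image formats. Deliberately small, constructed
# table for this example; PhotoStructure's real sniffing is not reproduced here.
MAGIC_PREFIXES = {
    b"\xff\xd8\xff": "image/jpeg",
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}


def sniff_mime(data: bytes) -> str:
    """Type from the leading bytes only, so a file name says nothing about the verdict."""
    for prefix, mime in MAGIC_PREFIXES.items():
        if data.startswith(prefix):
            return mime
    return "application/octet-stream"


def short_sha(data: bytes) -> str:
    """First 192 bits (24 bytes) of SHA-512, as the thread describes."""
    return hashlib.sha512(data).digest()[:24].hex()


def fingerprint(data: bytes) -> dict:
    return {"mime": sniff_mime(data), "sha": short_sha(data)}


def classify(baseline: dict, current: dict) -> str:
    """
    unchanged: same bytes
    modified:  bytes differ but the format still sniffs the same (e.g. a metadata edit)
    ALERT:     bytes differ AND the format no longer sniffs as it did at ingest
    """
    if baseline["sha"] == current["sha"]:
        return "unchanged"
    if baseline["mime"] == current["mime"]:
        return "modified"
    return "ALERT"


def audit(baseline: dict, current_bytes: dict) -> dict:
    """Compare stored fingerprints against freshly read contents, per asset name."""
    return {name: classify(baseline[name], fingerprint(data))
            for name, data in current_bytes.items() if name in baseline}


def should_alert(results: dict, threshold: int = 3) -> bool:
    """One rewritten file may be a legitimate re-save; a burst in one scan is not.
    The threshold is an assumption for this example."""
    return sum(1 for status in results.values() if status == "ALERT") >= threshold


# --- constructed sample data ------------------------------------------------
def make_fake_jpeg(seed: int) -> bytes:
    """A JFIF-looking header followed by deterministic filler, not a real image."""
    return b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + bytes((seed * 7 + i) % 256 for i in range(64))


def xor_bytes(data: bytes, key: int = 0x5A) -> bytes:
    """Stand-in for an encryptor that overwrites the whole file, magic bytes included."""
    return bytes(b ^ key for b in data)


def demo() -> dict:
    originals = {f"IMG_{i:04d}.jpg": make_fake_jpeg(i) for i in range(5)}
    baseline = {name: fingerprint(data) for name, data in originals.items()}
    current = dict(originals)
    # One legitimate edit: an extra APP1 segment appended, format unchanged.
    current["IMG_0000.jpg"] = originals["IMG_0000.jpg"] + b"\xff\xe1\x00\x08edited"
    # Three files overwritten in place by the simulated encryptor.
    for name in ("IMG_0001.jpg", "IMG_0002.jpg", "IMG_0003.jpg"):
        current[name] = xor_bytes(originals[name])
    return audit(baseline, current)


if __name__ == "__main__":
    results = demo()
    for name, status in sorted(results.items()):
        print(f"{status:9s} {name}")
    print("alert:", should_alert(results))
```

In the sample run the edited file comes back as "modified", the three overwritten files as "ALERT", and the untouched one as "unchanged", so the scan trips the threshold. A "modified" verdict on files the user never touched is still worth a look, since it is also what a disk or software fault that preserves the header would produce.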

Ideally it would never happen, but we know that’s not real world.

I think it would still be of use because if I started getting flagged, I would know that something is going wrong (could even be a disk failing and bad sectors cropping up, or a bad piece of software writing corrupt files). Once I know something is wrong, I could investigate and pull from (offline) backups.

One of my fears is that in tens and hundreds of thousands of pictures, something could run amok and mess things up and I wouldn’t find it until “too late” to recover (say if your backup aged out). Many people I know use commercial plans like CrashPlan or Backblaze that only have 30 day retention periods. That’s great for disk crashes and the like, but something that’s slower not so much.

At work (much larger environment) I had an instance of running across an odd, encrypted file where one wasn’t expected. It was a machine that was writing to the SAN with ransomware. I just happened to find it early and we recovered reasonably easily. If it had run much longer it would have been a lot harder to deal with.

Some kind of warning seems worthwhile.

Obviously, this is a “down the road” thing, but wanted to plant the seed, since it seemed to me a lot of the infrastructure already exists due to other features anyhow.

Sgtm. I’ll vote for it.