Given the rise of ransomware in the recent months, what protection does Arq offer against that? That thing alone would easily tip the scales for me versus the Time Machine.
I see that the AWS S3 IAM user has both read and write access, so if the ransomware authors ever bother with it, they can kill the backups.
Would that help if I set up versioning on the bucket? Will Arq be able to restore backups from the older version of data, before the attack takes place?
Bucket versioning should help with this. I don't use Arq and don't know if it supports S3 bucket versioning, so it might not be convenient, but the data would still exist.
Although if an attacker has control writing to your s3 bucket, they could rack up a big bill.
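The two concerns raised above (an IAM user that can both write and delete, and whether bucket versioning keeps pre-attack data restorable) can be checked with a small model. The following is an added example, not code from the thread, from Arq, or from AWS: it pairs a least-privilege backup policy (real S3 action names, but the policy document and bucket name are constructed) with a simplified IAM-style evaluator (explicit Deny beats Allow, default Deny; a model, not AWS's engine) and a toy versioned/unversioned bucket. A "compromised" client holding the backup credentials then overwrites and deletes, and the function reports whether the pre-attack object is still restorable by version id.

```python
"""Constructed example: why 'read + write' backup credentials can destroy
backups, and what bucket versioning plus a Deny on delete actions changes.
Nothing here talks to AWS; the policy evaluator and bucket are simplified models."""
import fnmatch

BUCKET = "example-backup-bucket"  # assumed placeholder bucket name
BUCKET_ARN = f"arn:aws:s3:::{BUCKET}"

# Constructed policy for a backup client: it may write and read, but may not
# delete objects or versions, suspend versioning, or add expiring lifecycle rules.
BACKUP_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:PutObject", "s3:GetObject", "s3:GetObjectVersion",
                    "s3:ListBucket", "s3:ListBucketVersions"],
         "Resource": [BUCKET_ARN, f"{BUCKET_ARN}/*"]},
        {"Effect": "Deny",
         "Action": ["s3:DeleteObject", "s3:DeleteObjectVersion",
                    "s3:PutBucketVersioning", "s3:PutLifecycleConfiguration",
                    "s3:DeleteBucket"],
         "Resource": [BUCKET_ARN, f"{BUCKET_ARN}/*"]},
    ],
}

# The "read and write access" situation from the thread: everything on S3 allowed.
READ_WRITE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource):
    """Simplified IAM evaluation (assumption: model only, not AWS's engine):
    an explicit Deny wins, otherwise any matching Allow grants, else denied."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
        resource_hit = any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


class Bucket:
    """Toy S3 bucket. Versioned: every PUT appends a version and DELETE only adds
    a delete marker. Unversioned: PUT overwrites and DELETE destroys the object."""

    def __init__(self, versioned):
        self.versioned = versioned
        self.history = {}  # key -> [(version_id, body)]; body None = delete marker
        self.counter = 0

    def _next_id(self):
        self.counter += 1
        return f"v{self.counter}"

    def put(self, key, body):
        vid = self._next_id()
        if self.versioned:
            self.history.setdefault(key, []).append((vid, body))
        else:
            self.history[key] = [(vid, body)]  # old body is gone
        return vid

    def delete(self, key):
        if self.versioned:
            self.history.setdefault(key, []).append((self._next_id(), None))
        else:
            self.history.pop(key, None)

    def delete_version(self, key, version_id):
        # Permanent removal of one version; only possible with s3:DeleteObjectVersion.
        self.history[key] = [(v, b) for v, b in self.history.get(key, []) if v != version_id]

    def get_version(self, key, version_id):
        return next((b for v, b in self.history.get(key, []) if v == version_id), None)


def pre_attack_backup_survives(policy, versioned):
    """A backup client writes one good object, then ransomware holding the same
    credentials overwrites it, deletes it, and tries to purge the good version.
    Returns True if the pre-attack body is still restorable by version id."""
    bucket = Bucket(versioned)
    key = "backups/host-a/chunk-0001"  # constructed object key
    resource = f"{BUCKET_ARN}/{key}"
    good_version = bucket.put(key, b"pre-attack chunk")
    if is_allowed(policy, "s3:PutObject", resource):
        bucket.put(key, b"ENCRYPTED BY RANSOMWARE")  # backup tools must be able to write
    if is_allowed(policy, "s3:DeleteObject", resource):
        bucket.delete(key)
    if is_allowed(policy, "s3:DeleteObjectVersion", resource):
        bucket.delete_version(key, good_version)
    return bucket.get_version(key, good_version) == b"pre-attack chunk"


if __name__ == "__main__":
    for name, policy in (("read/write", READ_WRITE_POLICY), ("deny-delete", BACKUP_POLICY)):
        for versioned in (False, True):
            print(f"{name:11} versioned={versioned!s:5} "
                  f"survives={pre_attack_backup_survives(policy, versioned)}")
```

Only the combination of versioning and a credential that cannot delete versions or suspend versioning keeps the pre-attack object restorable: versioning alone loses to `s3:DeleteObjectVersion`, and a deny on deletes alone loses to a plain overwrite on an unversioned bucket. AWS also offers MFA Delete and S3 Object Lock for the same goal; whether a particular backup tool keeps working when its credential is denied deletes (for example during pruning of old backups) is something to confirm against that tool's documentation before locking the policy down.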
There is no monetary incentive to rack up the bill, but there is an incentive to kill backups - ransom demands are a lot more persuasive when the victim has no backup.
Why would that tip the scales versus Time Machine? Time Machine should provide the same protection as Arq, i.e. versioned backups from before the ransomware attack should be safe.
I know there was some hue and cry a little while ago about Mac ransomware that can encrypt network drives and external hard drives, but there's a reason why the _encrypt_timemachine routine was an unused stub. From what I understand, Time Machine has protections built into the kernel that prevents existing backups from being modified. New backups after the ransomware attack would obviously end up backing up encrypted data, but the existing backups should remain untouched.
Time Capsule's drive is just another network drive. The data could be easily erased. There's also a button in the AirPort Utility that nukes all data on the drive. There is no reason for me to believe that this button could not be triggered by rogue software.
It would be nice if you could provide citations to the opposite.
It's not "just another network drive". It's mounted specially by the OS. Sure, if you mount the drive like a normal network drive then the protections might be lost (but maybe not; it's plausible that the protection takes the form of an xattr that prevents modification, so mounting it using any mechanism that respects xattrs might preserve the same protection. I'm not at home right now or I'd check up on that). But you don't normally mount your Time Machine backup volume as a normal network volume, and the malware shouldn't be able to do it either (since it doesn't know the password).
I'm not familiar with the button in AirPort Utility that you mentioned. I assume you're talking about a Time Capsule? I don't have one of those, I use a Synology NAS as my Time Machine destination, so I'm not familiar with the button in question. That said, presumably triggering that functionality requires having the base station password, and if you want to speculate about the software actually causing AirPort Utility to launch and manipulating its UI in order to try and literally press the button, that kind of functionality would require the user to grant Universal Access permission to the rogue software (the Accessibility permission in the Privacy tab of the Security & Privacy preference pane).
In any case, if you're talking about theoretical attacks where the software figures out how to actively mount a network drive that isn't already mounted in order to wreck it, then you may as well speculate about it figuring out how to delete data from your Amazon S3 bucket (or whatever other cloud provider you use as an Arq destination).
>if you're talking about theoretical attacks where the software figures out how to actively mount a network drive that isn't already mounted in order to wreck it, then you may as well speculate about it figuring out how to delete data from your Amazon S3 bucket
Yeah, and that is precisely where I started my question. To quote (from the post you have replied to):
[...] I see that the AWS S3 IAM user has both read and write access, so if the ransomware authors ever bother with it, they can kill the backups. [...]
Both Arq and Time Machine create differential backups. Thus, any particular backup can be restored back in time. However, Arq targets non-file-based media (although you could trick it by a little SSH magic). Time Machine requires file-based access.
If ransomware finds your file-based backup, it will encrypt it and render your backup useless.
The term backup gets bandied about, so it can mean one or more of the following: high-availability, synchronization, and/or disaster recovery. You'll want to look into these and the concept of the 3-2-1 method.
Yes, Arq will protect you from ransomware. Time Machine will not.
Both back up differences only. So with Arq you just pick a backup from before everything was encrypted. With Time Machine the problem is your hard drive is on the same machine that's been infected, so that hard drive will be encrypted as well.
Arq doesn't have that problem since the data is in the cloud. The ransomware doesn't have write access to that data; at most it has indirect append access, since Arq will start backing up the encrypted files. Which is why you'll be able to just pick a version of the backup from before anything was encrypted.
---
That is, until there is ransomware that checks for Arq and tells it to delete all your cloud data :(
> that is until there is ransomware that checks for arq and tells it to delete all your cloud data :(
Well, yes, and that is exactly what I wrote in my original post:
[...] I see that the AWS S3 IAM user has both read and write access, so if the ransomware authors ever bother with it, they can kill the backups. [...]
I see that the AWS S3 IAM user has both read and write access, so if the ransomware authors ever bother with it, they can kill the backups.
Would that help if I set up versioning on the bucket? Will Arq be able to restore backups from the older version of data, before the attack takes place?
Any other ideas?