Now I was thinking how someone could be notified about ransomware detection.
I have an idea and am unsure if it is a good one but I will let you be the judge.
One could use a known file (a photo or whatever) and the hash from that file and add that to repository information.
That way kopia can check the file and the hash.
If the hash has diverged, a notification event could be created to inform that this backup might get encrypted.
As I said, not sure if this is smart.
Just a thought I had when thinking about ransomware.
But I would be very against adding anything like this to kopia. Let’s keep it as a backup software and do not try to add anti-ransomware/anti-virus/anti-malware functionality into it :)
Kopia today allows you to run specific actions before taking snapshots where you can add whatever extra functionality you need.
There are lots of programs to check files against known checksums, AIDE being one such, but I guess there are many like it, that run several checksums on each file and store the results so you later can check against this list.
I would conceive a short shell script comparing a checksum against a ‘known good’ file (known as a keyfile) combined with Kopia’s actions would be simple enough. It would need to be executed automatically at boot I would think. EG:
The following presumes one is running a Linux system with SystemD. Note it is merely a ‘sketch,’ so it is untested and may give unexpected results. Obviously you’ll need to work out exactly what $insertTheActionToTakeHereLikeSendingANotificationViaKopiaActions does.
$HOME/.bin/ransomware-tripwire.sh

```bash
#!/usr/bin/env bash
# description: check a keyfile to ensure a ransomware tripwire
# directions : first get the sha512sum via 'sha512sum $yourKeyfileLocation'
#              other common checksums are md5sum, sha256sum, b2sum, b3sum.
#              b3sum (blake3) is _incredibly_ fast, extensive & the most
#              modern beating even sha512sum-accelerated cpus.
#
#              test according to your environment via
#              'time $checksumOfYourChoice $yourKeyFileLocation'
# depends on : $HOME/.config/systemd/user/ransomware-tripwire.service
# filename   : $HOME/.bin/ransomware-tripwire.sh

KEYFILE="$HOME/Pictures/Wedding/Vows.jpg"
EXPECTED_CHECKSUM="b2d820d249cd3d0acf2e28654f05fec806b8bef783246d93921c34e8ff75a3d6ff66407e6934ef8672e90a6a2742a8ba83e4729aa78270118b63d7d605e403d0"
# quote the path so spaces in it cannot split the argument
KEYFILE_CHECKSUM="$(sha512sum "$KEYFILE" | awk '{print $1}')"

if [ "$KEYFILE_CHECKSUM" != "$EXPECTED_CHECKSUM" ]; then
    # placeholder: set this variable to the command that sends the notification
    $insertTheActionToTakeHereLikeSendingANotificationViaKopiaActions
fi

exit 0
```
```ini
# description : check a keyfile to ensure a ransomware tripwire on user login
# depends on  : $HOME/.bin/ransomware-tripwire.sh
# filename    : $HOME/.config/systemd/user/ransomware-tripwire.service
# exec        : systemctl enable --now --user ransomware-tripwire.service

[Unit]
Description = check a keyfile to ensure a ransomware tripwire
After = multi-user.target
ConditionFileIsExecutable = %h/.bin/ransomware-tripwire.sh
ConditionFileNotEmpty = %h/Pictures/Wedding/Vows.jpg

[Service]
Type = oneshot
RemainAfterExit = yes
# %h rather than $HOME: the executable path must be absolute and is not variable-expanded
ExecStart = %h/.bin/ransomware-tripwire.sh
Restart = on-abort

[Install]
WantedBy = default.target
```
`systemctl daemon-reload --user` is needed before `systemctl enable --now --user ransomware-tripwire.service`. `systemctl status --user ransomware-tripwire.service` will confirm if it runs properly. Other handy commands to know are `systemctl stop --now --user` and `systemctl disable --now --user`.
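An added example, not part of the posts above and not Kopia's own code: the keyfile check written as a hook that reports its result through the exit status and treats a missing, renamed or empty keyfile as a trip, since the `ConditionFileNotEmpty` line above would skip the unit silently in exactly that case. The function names and the stderr notifier are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example: canary-file tripwire meant to run as a pre-snapshot hook.
# Status: 0 = canary intact, 1 = content changed, 2 = canary missing/empty.

# Print the SHA-512 of file $1. Record it once, while the machine is clean.
tripwire_baseline() {
    sha512sum -- "$1" | awk '{print $1}'
}

# Compare the canary at $1 against the expected SHA-512 hex digest in $2.
tripwire_check() {
    # A renamed, deleted or truncated canary is itself a signal, so it
    # is reported instead of being skipped.
    if [ ! -f "$1" ] || [ ! -s "$1" ]; then
        return 2
    fi
    # An unreadable file yields an empty digest and counts as a mismatch.
    tw_actual=$(tripwire_baseline "$1")
    if [ "$tw_actual" != "$2" ]; then
        return 1
    fi
    return 0
}

# Hypothetical notifier: replace the body with mail, a webhook, etc.
tripwire_notify() {
    printf 'TRIPWIRE: %s\n' "$1" >&2
}

# Usage: ransomware-tripwire.sh KEYFILE EXPECTED_SHA512
tripwire_main() {
    tw_rc=0
    tripwire_check "$1" "$2" || tw_rc=$?
    case "$tw_rc" in
        1) tripwire_notify "checksum mismatch on $1" ;;
        2) tripwire_notify "canary missing or empty: $1" ;;
    esac
    # A non-zero status lets the calling hook or service manager see the
    # failure, so suspect data need not be snapshotted unnoticed.
    return "$tw_rc"
}

# Run only when called with arguments, so the file can also be sourced.
if [ "$#" -gt 0 ]; then
    tripwire_main "$@"
    exit $?
fi
```

Keep the expected digest somewhere the account being backed up cannot write to; otherwise whatever rewrites the keyfile can rewrite the baseline too.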