applehelpwriter

Anti Ransomware Script

Apr 16th, 2016
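#!/bin/bash

###################################################
# DESCRIPTION
###################################################
# COPYRIGHT (C) applehelpwriter.com / Phil Stokes 2016
# For more info go to:
#
# http://applehelpwriter.com/how-to-stop-ransomware-infecting-backup-disk
#
# This script is for use with a CARBON COPY CLONER (BOMBICH SOFTWARE / www.bombich.com)
# scheduled backup task.
# Tested on CCC v4.1.7, Mac OS X 10.11.4
#
# It aims to abort the scheduled backup if the percentage of changed files
# in a given 'Canary' directory exceeds a user-defined threshold, so that a
# mass modification of the source (as ransomware would cause) is not copied
# over the last good backup.

###################################################
# USAGE
###################################################
#
# 1.
# In the USER PREFERENCES section below, alter the following THREE path names:
#
#   i.   BACKUPDISK="<path to your /Volumes/[destination drive]/Users/user_name/some folder>"
#   ii.  HOMEVOL="<path to your source vol home folder>"
#   iii. LOGFILE="<make up a name>"   # we suggest something inconspicuous
#
# 2.
# Set the threshold as low as you can reliably get away with.
#
# 3.
# Save the script to a local folder.
# Recommended: give the script an inconspicuous name,
#   i.e. NOT "anti-ransomware.sh"
#   (make it harder for an attacker to identify and find)
# Recommended: do NOT locate the script in the CCC default Scripts folder
#   (make it harder for an attacker to identify and find)
# Recommended: locate the script outside of your Home folder
#
# NOTE(review): an inconspicuous name and location only hide the script.
# Also check that the file and its parent folder are not writable by the
# account whose data is being backed up, otherwise whatever encrypts that
# account's files can also alter or remove this check.
#
# 4.
# Open CCC, select the task from the sidebar.
# Locate the 'BEFORE TASK RUNS' section.
# Select the script from the location in 3. above.

###################################################
# USER PREFERENCES
###################################################

# path to the home folder on the BACKUP DESTINATION disk, e.g:
BACKUPDISK="/Volumes/MYBACKUP DISK 500GB/Users/phil/MyFolder"

# path to the home folder on your internal SOURCE drive
HOMEVOL="/Users/phil/MyFolder"

# invent a filename here, it doesn't need to exist initially:
LOGFILE="My Family Stuff"

# threshold in percent
Threshold=10

###################################################
# SCRIPT LOGIC
###################################################

# The log lives inside the canary folder on the source, so every run also
# changes that folder (see the logging step below).
LOGPATH="${HOMEVOL}/${LOGFILE}"

# If the destination folder cannot be entered (for example the backup disk
# is not mounted) there is nothing to compare against: leave without
# touching the task.
if ! cd "$BACKUPDISK"; then
  exit 0
fi

# Count the regular files in the canary folder on the destination.
# The count is NUL-delimited so that odd file names (spaces, newlines) cannot
# skew it. Parsing `ls -Rl` also counted directory entries, "total" lines,
# per-directory headers and blank lines, which inflated the figure the
# threshold is computed from.
DestHomeFileCount=$(find . -type f -print0 | tr -dc '\0' | wc -c)
# wc pads its output with blanks on macOS; normalise to a bare integer.
DestHomeFileCount=$((DestHomeFileCount))

# Number of differences between source and destination: diff -q prints one
# line per differing or one-sided file.
# NOTE(review): if diff itself fails (e.g. the source folder is missing or
# unreadable) it prints nothing on stdout, the count is 0 and the task is
# allowed to run. Confirm that failing open is acceptable for your setup.
SrcDestDiffCount=$(diff -rqN "$HOMEVOL" "$BACKUPDISK" | wc -l)
SrcDestDiffCount=$((SrcDestDiffCount))

# Number of changes that corresponds to Threshold percent of the files.
# Multiply before dividing: with integer arithmetic (count / 100) * Threshold
# is 0 for any folder holding fewer than 100 files, which made every run
# abort, and it rounded larger folders down to a multiple of 100.
# A folder with fewer than 100 / Threshold files still yields a limit of 0.
ChangeLimit=$(((DestHomeFileCount * Threshold) / 100))

# The task runs only while the number of changes stays below the limit.
if ((SrcDestDiffCount < ChangeLimit)); then
  MSG="run"
else
  MSG="be aborted"
fi

# Log the decision. Appending to the log also updates the canary folder.
# The date is quoted so that it is written as one line; unquoted, printf
# reused its format for every word and put each on a line of its own.
{
  printf '\n%s' "$(date)"
  printf '\nDestination %s has %d files in the canary folder\nThere are %d changes between it and the source %s.\nThe threshold for aborting the backup task is approx %d percent, i.e. %d or more changes.\nResult: task will %s.' \
    "$BACKUPDISK" "$DestHomeFileCount" "$SrcDestDiffCount" "$HOMEVOL" \
    "$Threshold" "$ChangeLimit" "$MSG"
} >>"$LOGPATH"

if [[ "$MSG" == "be aborted" ]]; then
  # Abort the scheduled backup. Record a failed abort request: without this
  # the log would claim the task was aborted while the backup still ran.
  if ! "/Applications/Carbon Copy Cloner.app/Contents/MacOS/ccc" -x; then
    printf '\nWARNING: the abort request to Carbon Copy Cloner failed; the backup task may still run.' >>"$LOGPATH"
  fi
fi

# Always report success to the caller, as the original script did.
exit 0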