While on the topic of ransomware...
-
@guyinpv said in While on the topic of ransomware...:
The attack this weekend worked over SMB, attacking the entire network, so I don't think having a network drive (to avoid a local drive letter) is an adequate solution any more.
Hasn't been for a long time. The first attack of ransomware we've been talking about how this was the death knell for the LAN.
https://mangolassi.it/topic/11257/scott-alan-miller-the-brave-new-lanless-future
-
Most ransomware attacks "casual home users" or businesses that act like them in ways that are really only fixed by no longer being casual home users.
-
But what is the technique?
No local drives or drive letters.
No LAN connections.The malware needs access to the files as a drive. it has to directly access them and fiddle with them "in place".
A tech like FTP would work, simply because it cannot actively "work on" a file in place. It would have to download the file, encrypt it, and upload it, replacing the previous version. But without the FTP credentials, or even knowing such a connection were possible or saved somewhere, it would stay safe.
Thus a backup program which makes an FTP connection (or -insert any other FTP-like connection-) is a pretty safe bet assuming the credentials are stored and used safely.
But again, I'm talking about local high-speed backup options.This is why I'm wondering, why couldn't there be a way to have a network drive, or even a local drive, that is simply a protected entity and only certain programs can unlock and access, such as the backup software?
Double-click drive "F" and up pops a login screen. Simple right? It would allow the user and backup tools to access but, presumably, would be much harder for malware to figure out. -
@guyinpv said in While on the topic of ransomware...:
But what is the technique?
No local drives or drive letters.
No LAN connections.The malware needs access to the files as a drive. it has to directly access them and fiddle with them "in place".
A tech like FTP would work, simply because it cannot actively "work on" a file in place. It would have to download the file, encrypt it, and upload it, replacing the previous version. But without the FTP credentials, or even knowing such a connection were possible or saved somewhere, it would stay safe.
Thus a backup program which makes an FTP connection (or -insert any other FTP-like connection-) is a pretty safe bet assuming the credentials are stored and used safely.
But again, I'm talking about local high-speed backup options.This is why I'm wondering, why couldn't there be a way to have a network drive, or even a local drive, that is simply a protected entity and only certain programs can unlock and access, such as the backup software?
Double-click drive "F" and up pops a login screen. Simple right? It would allow the user and backup tools to access but, presumably, would be much harder for malware to figure out.The issue with this type of malware is that it goes out hunting for shares that the infected user has access to. This is why I would set up any app like Veeam that can back up to an SMB share to run as its own user, and configure the network share so that it is only accessible by the backup user. The standard user wouldn't need to have read or write access to that network share since it's all handled by the backup application.
Of course, that is not fool proof, but it would make it that much more difficult for the malware to get in and damage your backups.
-
@guyinpv said in While on the topic of ransomware...:
This is why I'm wondering, why couldn't there be a way to have a network drive, or even a local drive, that is simply a protected entity and only certain programs can unlock and access, such as the backup software?
Double-click drive "F" and up pops a login screen. Simple right? It would allow the user and backup tools to access but, presumably, would be much harder for malware to figure out.AetherStore.
-
@DustinB3403 said in While on the topic of ransomware...:
@guyinpv said in While on the topic of ransomware...:
This is why I'm wondering, why couldn't there be a way to have a network drive, or even a local drive, that is simply a protected entity and only certain programs can unlock and access, such as the backup software?
Double-click drive "F" and up pops a login screen. Simple right? It would allow the user and backup tools to access but, presumably, would be much harder for malware to figure out.AetherStore.
Nice tech.
Seems like it just creates what amounts to a "normal" drive though. Still vulnerable?
-
@guyinpv said in While on the topic of ransomware...:
@DustinB3403 said in While on the topic of ransomware...:
@guyinpv said in While on the topic of ransomware...:
This is why I'm wondering, why couldn't there be a way to have a network drive, or even a local drive, that is simply a protected entity and only certain programs can unlock and access, such as the backup software?
Double-click drive "F" and up pops a login screen. Simple right? It would allow the user and backup tools to access but, presumably, would be much harder for malware to figure out.AetherStore.
Nice tech.
Seems like it just creates what amounts to a "normal" drive though. Still vulnerable?
Only to a single system that would have the share mounted. So you'd simply have to protect that 1 system. But I'll let @Rob answer those questions.
-
I really think all that ransomware stuff only matter if a SOHO (or worst) windows place with bad configuration is in place.
Just one simple scenario that cannot be affected by the ransomware I've seen as of today: the smallest physical server you can imagine (2 cores, 4Gb ram), with a Centos VM on top of Xen (remote exploits of Xen are VERY rare and immediately patched), using rsnapshot that PULL the data to the local storage of the Centos VM.
The Centos VM can be made completely unaccessible from the network in ANY way, totally disabling ssh and blocking every connection with SELINUX, iptables and tcp wrapper all together.
The same for the Xen dom0 (usually is Centos, too), so the only way to interact with the backup VM will be to console-login the physical server, then console-login to the VM from "xl console"…If you know a ransomware that can deal with physical access, Xen, Centos and at least two long random password (Xen AND Centos VM), please tell me so.
All this stuff is free software, not a fancy or expensive anti-ransomware solution, just solid design and good software. -
The idea of the backup software "pulling in" the backups is an interesting idea. No real inbound connection possible. The traditional "backup software", whatever that is, would just have to prepare the backup before hand. Or the backup server would have to get full access to everything that needs backing up.
[In the context of this discussion, I'm really talking about backup solutions for plain old Windows boxes]
-
@guyinpv said in While on the topic of ransomware...:
@DustinB3403 said in While on the topic of ransomware...:
@guyinpv said in While on the topic of ransomware...:
This is why I'm wondering, why couldn't there be a way to have a network drive, or even a local drive, that is simply a protected entity and only certain programs can unlock and access, such as the backup software?
Double-click drive "F" and up pops a login screen. Simple right? It would allow the user and backup tools to access but, presumably, would be much harder for malware to figure out.AetherStore.
Nice tech.
Seems like it just creates what amounts to a "normal" drive though. Still vulnerable?
Yes, you still have to secure it as well. The storage can't be read by the malware on the machines it infects but it can be encrypted.
-
@guyinpv said in While on the topic of ransomware...:
The idea of the backup software "pulling in" the backups is an interesting idea. No real inbound connection possible. The traditional "backup software", whatever that is, would just have to prepare the backup before hand. Or the backup server would have to get full access to everything that needs backing up.
[In the context of this discussion, I'm really talking about backup solutions for plain old Windows boxes]
Right, so for Windows, for example, backup might be handled by a combination of Veeam Endpoint Protection (I'm at VeeamOn) and some PowerShell. Use Veeam to make a locally held backup. Then reach "in" with PowerShell or SSH and pull it out to someplace safe.
-
@Francesco-Provino said in While on the topic of ransomware...:
I really think all that ransomware stuff only matter if a SOHO (or worst) windows place with bad configuration is in place.
Just one simple scenario that cannot be affected by the ransomware I've seen as of today: the smallest physical server you can imagine (2 cores, 4Gb ram), with a Centos VM on top of Xen (remote exploits of Xen are VERY rare and immediately patched), using rsnapshot that PULL the data to the local storage of the Centos VM.
The Centos VM can be made completely unaccessible from the network in ANY way, totally disabling ssh and blocking every connection with SELINUX, iptables and tcp wrapper all together.
The same for the Xen dom0 (usually is Centos, too), so the only way to interact with the backup VM will be to console-login the physical server, then console-login to the VM from "xl console"…If you know a ransomware that can deal with physical access, Xen, Centos and at least two long random password (Xen AND Centos VM), please tell me so.
All this stuff is free software, not a fancy or expensive anti-ransomware solution, just solid design and good software.Yes, modern system administration protects systems at the system level. It's LAN base file sharing that is the key point of vulnerability if people keep that stuff.
-
@scottalanmiller said in While on the topic of ransomware...:
@guyinpv said in While on the topic of ransomware...:
The idea of the backup software "pulling in" the backups is an interesting idea. No real inbound connection possible. The traditional "backup software", whatever that is, would just have to prepare the backup before hand. Or the backup server would have to get full access to everything that needs backing up.
[In the context of this discussion, I'm really talking about backup solutions for plain old Windows boxes]
Right, so for Windows, for example, backup might be handled by a combination of Veeam Endpoint Protection (I'm at VeeamOn) and some PowerShell. Use Veeam to make a locally held backup. Then reach "in" with PowerShell or SSH and pull it out to someplace safe.
What does the locally held backup look like? Is it generating something along the lines of a giant compressed, encrypted, single file?
How long would that take, to essentially "zip up" a large user profile into a single file? Let's say about 1TB. Are these incremental backups I would suspect?
-
@guyinpv said in While on the topic of ransomware...:
@scottalanmiller said in While on the topic of ransomware...:
@guyinpv said in While on the topic of ransomware...:
The idea of the backup software "pulling in" the backups is an interesting idea. No real inbound connection possible. The traditional "backup software", whatever that is, would just have to prepare the backup before hand. Or the backup server would have to get full access to everything that needs backing up.
[In the context of this discussion, I'm really talking about backup solutions for plain old Windows boxes]
Right, so for Windows, for example, backup might be handled by a combination of Veeam Endpoint Protection (I'm at VeeamOn) and some PowerShell. Use Veeam to make a locally held backup. Then reach "in" with PowerShell or SSH and pull it out to someplace safe.
What does the locally held backup look like? Is it generating something along the lines of a giant compressed, encrypted, single file?
How long would that take, to essentially "zip up" a large user profile into a single file? Let's say about 1TB. Are these incremental backups I would suspect?
The same time it would take the application to push it out to a share.
So it does not matter.
-
@guyinpv said in While on the topic of ransomware...:
@scottalanmiller said in While on the topic of ransomware...:
@guyinpv said in While on the topic of ransomware...:
The idea of the backup software "pulling in" the backups is an interesting idea. No real inbound connection possible. The traditional "backup software", whatever that is, would just have to prepare the backup before hand. Or the backup server would have to get full access to everything that needs backing up.
[In the context of this discussion, I'm really talking about backup solutions for plain old Windows boxes]
Right, so for Windows, for example, backup might be handled by a combination of Veeam Endpoint Protection (I'm at VeeamOn) and some PowerShell. Use Veeam to make a locally held backup. Then reach "in" with PowerShell or SSH and pull it out to someplace safe.
What does the locally held backup look like? Is it generating something along the lines of a giant compressed, encrypted, single file?
How long would that take, to essentially "zip up" a large user profile into a single file? Let's say about 1TB. Are these incremental backups I would suspect?
Basically yes. Just a large backup file that you could compress to your heart's content. Could be incremental or full, up to you.
-
@scottalanmiller said in While on the topic of ransomware...:
@guyinpv said in While on the topic of ransomware...:
@scottalanmiller said in While on the topic of ransomware...:
@guyinpv said in While on the topic of ransomware...:
The idea of the backup software "pulling in" the backups is an interesting idea. No real inbound connection possible. The traditional "backup software", whatever that is, would just have to prepare the backup before hand. Or the backup server would have to get full access to everything that needs backing up.
[In the context of this discussion, I'm really talking about backup solutions for plain old Windows boxes]
Right, so for Windows, for example, backup might be handled by a combination of Veeam Endpoint Protection (I'm at VeeamOn) and some PowerShell. Use Veeam to make a locally held backup. Then reach "in" with PowerShell or SSH and pull it out to someplace safe.
What does the locally held backup look like? Is it generating something along the lines of a giant compressed, encrypted, single file?
How long would that take, to essentially "zip up" a large user profile into a single file? Let's say about 1TB. Are these incremental backups I would suspect?
Basically yes. Just a large backup file that you could compress to your heart's content. Could be incremental or full, up to you.
Not exactly. That is not how Veeam Endpoint Backup works.
It makes a Full backup on day 1.
It makes incrementals until it hits your set max retention value.
Then the next day it makes a new incremental and then merges the oldest incremental back into the full for a new full.
So daily (after the system finally hits the max incremental on local disk) you would be backing up this entire local folder over the wire. -
I didnt see anyone talk about preventing Crypto virus from encrypting files. We used AppLocker and it resolved the issue for us, if you are not using an enterprise OS then you can use Software Restriction Plicies.
-
@curious_mindz said in While on the topic of ransomware...:
I didnt see anyone talk about preventing Crypto virus from encrypting files. We used AppLocker and it resolved the issue for us, if you are not using an enterprise OS then you can use Software Restriction Plicies.
Detaching your backups is how you protect your backups. Sure you could add things like AppLocker, but if you have properly separated systems then you have nothing to worry about.
-
@curious_mindz said in While on the topic of ransomware...:
I didnt see anyone talk about preventing Crypto virus from encrypting files. We used AppLocker and it resolved the issue for us, if you are not using an enterprise OS then you can use Software Restriction Plicies.
This discussion is not on preventing cypto. this part of the discussion was on dealing with the backups in a way that they cannot become tainted.
