While on the topic of ransomware...



  • One of the ways these encryption malware thingies work is by essentially attacking all the "drive letters" attached to the system.

    One of the ways to be able to recover from encryption attack is to have your backup on a "disconnected" backup service, something that isn't a "drive" on your computer.
    The most common of this is going to be a simple cloud backup tool. Something like CrashPlan, BackBlaze, SpiderOak, Carbonite, etc.

    But there are some cases where it's not very practical to use cloud backup. Perhaps there is too much data, the files are too large, the bandwidth isn't available, etc.

    This leaves the average person with a couple options, something like, connecting and disconnected USB drives or whatever, leaving them detached for the most part.

    What is the best local type of backup that is immune to an encryption attack yet doesn't require manual intervention such as connection/disconnecting USB?

    The attack this weekend worked over SMB, attacking the entire network, so I don't think having a network drive (to avoid a local drive letter) is an adequate solution any more.

    So what are all the options for backups that can be done on a local network and be immune to an encryption attack?



  • @guyinpv said in While on the topic of ransomware...:

    Dont backup over smb. Many Hypervisor backups dont. For example Unitrends does not use smb at all when backing up vms on a hypervisor, at least mine doesnt. My XS is setup only with lvmoiscsi and local storage. The backup target is an lvmoiscsi disk on a storage server.
    This helps backups stay safe, but obviously we use smb for drive maps, and all we can do there is educate users, SRP, good access controls, etc.


  • Service Provider

    Without manual intervention, there has to be something on your system that contains the information about how to reach (and encrypt) your backups. You can minimize this with enterprise approaches like tape libraries that have robots, WORM drives or "reach in" backup methods. But casual home users can't do that stuff.


  • Service Provider

    @momurda said in While on the topic of ransomware...:

    @guyinpv said in While on the topic of ransomware...:

    Dont backup over smb. Many Hypervisor backups dont. For example Unitrends does not use smb at all when backing up vms on a hypervisor, at least mine doesnt. My XS is setup only with lvmoiscsi and local storage. The backup target is an lvmoiscsi disk on a storage server.

    Although all of those methods can be attacked just like SMB. Less commonly are, but nothing technologically limiting there.


  • Service Provider

    @guyinpv said in While on the topic of ransomware...:

    The attack this weekend worked over SMB, attacking the entire network, so I don't think having a network drive (to avoid a local drive letter) is an adequate solution any more.

    Hasn't been for a long time. The first attack of ransomware we've been talking about how this was the death knell for the LAN.

    https://mangolassi.it/topic/11257/scott-alan-miller-the-brave-new-lanless-future


  • Service Provider

    Most ransomware attacks "casual home users" or businesses that act like them in ways that are really only fixed by no longer being casual home users.



  • But what is the technique?
    No local drives or drive letters.
    No LAN connections.

    The malware needs access to the files as a drive. it has to directly access them and fiddle with them "in place".

    A tech like FTP would work, simply because it cannot actively "work on" a file in place. It would have to download the file, encrypt it, and upload it, replacing the previous version. But without the FTP credentials, or even knowing such a connection were possible or saved somewhere, it would stay safe.
    Thus a backup program which makes an FTP connection (or -insert any other FTP-like connection-) is a pretty safe bet assuming the credentials are stored and used safely.
    But again, I'm talking about local high-speed backup options.

    This is why I'm wondering, why couldn't there be a way to have a network drive, or even a local drive, that is simply a protected entity and only certain programs can unlock and access, such as the backup software?
    Double-click drive "F" and up pops a login screen. Simple right? It would allow the user and backup tools to access but, presumably, would be much harder for malware to figure out.



  • @guyinpv said in While on the topic of ransomware...:

    But what is the technique?
    No local drives or drive letters.
    No LAN connections.

    The malware needs access to the files as a drive. it has to directly access them and fiddle with them "in place".

    A tech like FTP would work, simply because it cannot actively "work on" a file in place. It would have to download the file, encrypt it, and upload it, replacing the previous version. But without the FTP credentials, or even knowing such a connection were possible or saved somewhere, it would stay safe.
    Thus a backup program which makes an FTP connection (or -insert any other FTP-like connection-) is a pretty safe bet assuming the credentials are stored and used safely.
    But again, I'm talking about local high-speed backup options.

    This is why I'm wondering, why couldn't there be a way to have a network drive, or even a local drive, that is simply a protected entity and only certain programs can unlock and access, such as the backup software?
    Double-click drive "F" and up pops a login screen. Simple right? It would allow the user and backup tools to access but, presumably, would be much harder for malware to figure out.

    The issue with this type of malware is that it goes out hunting for shares that the infected user has access to. This is why I would set up any app like Veeam that can back up to an SMB share to run as its own user, and configure the network share so that it is only accessible by the backup user. The standard user wouldn't need to have read or write access to that network share since it's all handled by the backup application.

    Of course, that is not fool proof, but it would make it that much more difficult for the malware to get in and damage your backups.



  • @guyinpv said in While on the topic of ransomware...:

    This is why I'm wondering, why couldn't there be a way to have a network drive, or even a local drive, that is simply a protected entity and only certain programs can unlock and access, such as the backup software?
    Double-click drive "F" and up pops a login screen. Simple right? It would allow the user and backup tools to access but, presumably, would be much harder for malware to figure out.

    AetherStore.



  • @DustinB3403 said in While on the topic of ransomware...:

    @guyinpv said in While on the topic of ransomware...:

    This is why I'm wondering, why couldn't there be a way to have a network drive, or even a local drive, that is simply a protected entity and only certain programs can unlock and access, such as the backup software?
    Double-click drive "F" and up pops a login screen. Simple right? It would allow the user and backup tools to access but, presumably, would be much harder for malware to figure out.

    AetherStore.

    Nice tech.

    Seems like it just creates what amounts to a "normal" drive though. Still vulnerable?



  • @guyinpv said in While on the topic of ransomware...:

    @DustinB3403 said in While on the topic of ransomware...:

    @guyinpv said in While on the topic of ransomware...:

    This is why I'm wondering, why couldn't there be a way to have a network drive, or even a local drive, that is simply a protected entity and only certain programs can unlock and access, such as the backup software?
    Double-click drive "F" and up pops a login screen. Simple right? It would allow the user and backup tools to access but, presumably, would be much harder for malware to figure out.

    AetherStore.

    Nice tech.

    Seems like it just creates what amounts to a "normal" drive though. Still vulnerable?

    Only to a single system that would have the share mounted. So you'd simply have to protect that 1 system. But I'll let @Rob answer those questions.



  • I really think all that ransomware stuff only matter if a SOHO (or worst) windows place with bad configuration is in place.

    Just one simple scenario that cannot be affected by the ransomware I've seen as of today: the smallest physical server you can imagine (2 cores, 4Gb ram), with a Centos VM on top of Xen (remote exploits of Xen are VERY rare and immediately patched), using rsnapshot that PULL the data to the local storage of the Centos VM.

    The Centos VM can be made completely unaccessible from the network in ANY way, totally disabling ssh and blocking every connection with SELINUX, iptables and tcp wrapper all together.
    The same for the Xen dom0 (usually is Centos, too), so the only way to interact with the backup VM will be to console-login the physical server, then console-login to the VM from "xl console"…

    If you know a ransomware that can deal with physical access, Xen, Centos and at least two long random password (Xen AND Centos VM), please tell me so.
    All this stuff is free software, not a fancy or expensive anti-ransomware solution, just solid design and good software.



  • The idea of the backup software "pulling in" the backups is an interesting idea. No real inbound connection possible. The traditional "backup software", whatever that is, would just have to prepare the backup before hand. Or the backup server would have to get full access to everything that needs backing up.

    [In the context of this discussion, I'm really talking about backup solutions for plain old Windows boxes]


  • Service Provider

    @guyinpv said in While on the topic of ransomware...:

    @DustinB3403 said in While on the topic of ransomware...:

    @guyinpv said in While on the topic of ransomware...:

    This is why I'm wondering, why couldn't there be a way to have a network drive, or even a local drive, that is simply a protected entity and only certain programs can unlock and access, such as the backup software?
    Double-click drive "F" and up pops a login screen. Simple right? It would allow the user and backup tools to access but, presumably, would be much harder for malware to figure out.

    AetherStore.

    Nice tech.

    Seems like it just creates what amounts to a "normal" drive though. Still vulnerable?

    Yes, you still have to secure it as well. The storage can't be read by the malware on the machines it infects but it can be encrypted.


  • Service Provider

    @guyinpv said in While on the topic of ransomware...:

    The idea of the backup software "pulling in" the backups is an interesting idea. No real inbound connection possible. The traditional "backup software", whatever that is, would just have to prepare the backup before hand. Or the backup server would have to get full access to everything that needs backing up.

    [In the context of this discussion, I'm really talking about backup solutions for plain old Windows boxes]

    Right, so for Windows, for example, backup might be handled by a combination of Veeam Endpoint Protection (I'm at VeeamOn) and some PowerShell. Use Veeam to make a locally held backup. Then reach "in" with PowerShell or SSH and pull it out to someplace safe.


  • Service Provider

    @Francesco-Provino said in While on the topic of ransomware...:

    I really think all that ransomware stuff only matter if a SOHO (or worst) windows place with bad configuration is in place.

    Just one simple scenario that cannot be affected by the ransomware I've seen as of today: the smallest physical server you can imagine (2 cores, 4Gb ram), with a Centos VM on top of Xen (remote exploits of Xen are VERY rare and immediately patched), using rsnapshot that PULL the data to the local storage of the Centos VM.

    The Centos VM can be made completely unaccessible from the network in ANY way, totally disabling ssh and blocking every connection with SELINUX, iptables and tcp wrapper all together.
    The same for the Xen dom0 (usually is Centos, too), so the only way to interact with the backup VM will be to console-login the physical server, then console-login to the VM from "xl console"…

    If you know a ransomware that can deal with physical access, Xen, Centos and at least two long random password (Xen AND Centos VM), please tell me so.
    All this stuff is free software, not a fancy or expensive anti-ransomware solution, just solid design and good software.

    Yes, modern system administration protects systems at the system level. It's LAN base file sharing that is the key point of vulnerability if people keep that stuff.



  • @scottalanmiller said in While on the topic of ransomware...:

    @guyinpv said in While on the topic of ransomware...:

    The idea of the backup software "pulling in" the backups is an interesting idea. No real inbound connection possible. The traditional "backup software", whatever that is, would just have to prepare the backup before hand. Or the backup server would have to get full access to everything that needs backing up.

    [In the context of this discussion, I'm really talking about backup solutions for plain old Windows boxes]

    Right, so for Windows, for example, backup might be handled by a combination of Veeam Endpoint Protection (I'm at VeeamOn) and some PowerShell. Use Veeam to make a locally held backup. Then reach "in" with PowerShell or SSH and pull it out to someplace safe.

    What does the locally held backup look like? Is it generating something along the lines of a giant compressed, encrypted, single file?

    How long would that take, to essentially "zip up" a large user profile into a single file? Let's say about 1TB. Are these incremental backups I would suspect?


  • Service Provider

    @guyinpv said in While on the topic of ransomware...:

    @scottalanmiller said in While on the topic of ransomware...:

    @guyinpv said in While on the topic of ransomware...:

    The idea of the backup software "pulling in" the backups is an interesting idea. No real inbound connection possible. The traditional "backup software", whatever that is, would just have to prepare the backup before hand. Or the backup server would have to get full access to everything that needs backing up.

    [In the context of this discussion, I'm really talking about backup solutions for plain old Windows boxes]

    Right, so for Windows, for example, backup might be handled by a combination of Veeam Endpoint Protection (I'm at VeeamOn) and some PowerShell. Use Veeam to make a locally held backup. Then reach "in" with PowerShell or SSH and pull it out to someplace safe.

    What does the locally held backup look like? Is it generating something along the lines of a giant compressed, encrypted, single file?

    How long would that take, to essentially "zip up" a large user profile into a single file? Let's say about 1TB. Are these incremental backups I would suspect?

    The same time it would take the application to push it out to a share.

    So it does not matter.


  • Service Provider

    @guyinpv said in While on the topic of ransomware...:

    @scottalanmiller said in While on the topic of ransomware...:

    @guyinpv said in While on the topic of ransomware...:

    The idea of the backup software "pulling in" the backups is an interesting idea. No real inbound connection possible. The traditional "backup software", whatever that is, would just have to prepare the backup before hand. Or the backup server would have to get full access to everything that needs backing up.

    [In the context of this discussion, I'm really talking about backup solutions for plain old Windows boxes]

    Right, so for Windows, for example, backup might be handled by a combination of Veeam Endpoint Protection (I'm at VeeamOn) and some PowerShell. Use Veeam to make a locally held backup. Then reach "in" with PowerShell or SSH and pull it out to someplace safe.

    What does the locally held backup look like? Is it generating something along the lines of a giant compressed, encrypted, single file?

    How long would that take, to essentially "zip up" a large user profile into a single file? Let's say about 1TB. Are these incremental backups I would suspect?

    Basically yes. Just a large backup file that you could compress to your heart's content. Could be incremental or full, up to you.


  • Service Provider

    @scottalanmiller said in While on the topic of ransomware...:

    @guyinpv said in While on the topic of ransomware...:

    @scottalanmiller said in While on the topic of ransomware...:

    @guyinpv said in While on the topic of ransomware...:

    The idea of the backup software "pulling in" the backups is an interesting idea. No real inbound connection possible. The traditional "backup software", whatever that is, would just have to prepare the backup before hand. Or the backup server would have to get full access to everything that needs backing up.

    [In the context of this discussion, I'm really talking about backup solutions for plain old Windows boxes]

    Right, so for Windows, for example, backup might be handled by a combination of Veeam Endpoint Protection (I'm at VeeamOn) and some PowerShell. Use Veeam to make a locally held backup. Then reach "in" with PowerShell or SSH and pull it out to someplace safe.

    What does the locally held backup look like? Is it generating something along the lines of a giant compressed, encrypted, single file?

    How long would that take, to essentially "zip up" a large user profile into a single file? Let's say about 1TB. Are these incremental backups I would suspect?

    Basically yes. Just a large backup file that you could compress to your heart's content. Could be incremental or full, up to you.

    Not exactly. That is not how Veeam Endpoint Backup works.

    It makes a Full backup on day 1.
    It makes incrementals until it hits your set max retention value.
    Then the next day it makes a new incremental and then merges the oldest incremental back into the full for a new full.
    So daily (after the system finally hits the max incremental on local disk) you would be backing up this entire local folder over the wire.



  • I didnt see anyone talk about preventing Crypto virus from encrypting files. We used AppLocker and it resolved the issue for us, if you are not using an enterprise OS then you can use Software Restriction Plicies.



  • @curious_mindz said in While on the topic of ransomware...:

    I didnt see anyone talk about preventing Crypto virus from encrypting files. We used AppLocker and it resolved the issue for us, if you are not using an enterprise OS then you can use Software Restriction Plicies.

    Detaching your backups is how you protect your backups. Sure you could add things like AppLocker, but if you have properly separated systems then you have nothing to worry about.


  • Service Provider

    @curious_mindz said in While on the topic of ransomware...:

    I didnt see anyone talk about preventing Crypto virus from encrypting files. We used AppLocker and it resolved the issue for us, if you are not using an enterprise OS then you can use Software Restriction Plicies.

    This discussion is not on preventing cypto. this part of the discussion was on dealing with the backups in a way that they cannot become tainted.


Log in to reply
 

Looks like your connection to MangoLassi was lost, please wait while we try to reconnect.