Battling Ransome/Crypto-ware: Drive Shares



  • There is a growing shift of practices to battle ransomware which looks for other drives to munch on, by not mapping network shares, the ransomware doesn't have anyplace to jump to, and therefore is isolated to the single computer it managed to get attached to - at least in theory and until they are written to start doing a blind search across the network for open ports / shares

    But the 'norm' for years - decades has been - you need access to this - you map it, Likely the user's home drive is H:, software is S:, public is P: and so on.

    Shortcuts are rather easy to generate - they are basically just a sticky-note pointing to some place either local or remote. People - Users and IT people alike are accustom to hitting 'MY COMPUTER' or 'EXPLORER' and dropping into the share or drive they need to function.

    In order to move to a shortcut 'mentality' you have to ignore years of use and 'training' to not use 'MY COMPUTER' or "EXPLORER' and use some shortcut on their desktop / local documents folder. Is it even practical? And for some of those I work with on a daily basis - how much more productivity time is the computer now 'stealing' away from them?

    Can shortcuts still be managed by script or better still GPO? - yes, and no reason not to. But it again comes down to the end point - how much time / frustration will it be? Applications are not built to look at shortcuts to fine file locations - they are built to look at drive letters. So when saving files,.. it's another long-somewhat confusing- fraught with issues task.

    This is likely something that will get push back from end users... as it'll take more time from Candy Crunching.


  • Service Provider

    It's not worth it to get ride of drive mappings for two reasons. The first is that many crypto infections are run by humans that gain access to a system and then start encrypting it. This is the worst case because they will knock out your backups if they have access and then start encrypting stuff. The second reason is that new variations of crypto locker seek out network shares and don't rely on drive mappings.

    The not mapping network drives thing was a short term fix that lasted until the hackers read about it and changed their code.



  • Evolution of things was bound to happen the move from just hitting mapped drives to searching for open shares on any and all devices.

    There is only so much you can do to lock down a system / network. At a certain point data has to come in and go out. Even if you locked down the work station and just used a high security RDS client - it's going to happen at some point because there is something open to all for information transferring. And it goes back to the addage - if they want it bad enough,... they'll do quite a lot to gain access... (insert Mission Impossible Theme)

    So it's back to continuing on as 'normal' but ensure security using Anti-Virus/Mal/Ransom ware... Maybe as it should be..



  • So one of the protections would be to implement snapshots on those shared drives. It's fairly easy to do and, surprisingly, doesn't use that much disk space in modern Windows server versions.

    Another, although it may or may not be viable, would be to move to some other type of storage method. NextCloud, Sharepoint, Alfresco, all of these have ample protection against Ransomware if they are used in the correct way.


  • Service Provider

    @coliver said in Battling Ransome/Crypto-ware: Drive Shares:

    So one of the protections would be to implement snapshots on those shared drives. It's fairly easy to do and, surprisingly, doesn't use that much disk space in modern Windows server versions.

    Snapshots don't take up much space under normal operations. When the entire file changes, such as when it's encrypted, you're writing a lot of changes and usually it runs out of space so you can recover some stuff, but not all your stuff.



  • @mike-davis said in Battling Ransome/Crypto-ware: Drive Shares:

    @coliver said in Battling Ransome/Crypto-ware: Drive Shares:

    So one of the protections would be to implement snapshots on those shared drives. It's fairly easy to do and, surprisingly, doesn't use that much disk space in modern Windows server versions.

    Snapshots don't take up much space under normal operations. When the entire file changes, such as when it's encrypted, you're writing a lot of changes and usually it runs out of space so you can recover some stuff, but not all your stuff.

    Not sure how Snapshots would be unable to recover in this instance. Once the disk is full the encryption will fail to write to it.



  • @gjacobse said in Battling Ransome/Crypto-ware: Drive Shares:

    There is a growing shift of practices to battle ransomware which looks for other drives to munch on, by not mapping network shares, the ransomware doesn't have anyplace to jump to, and therefore is isolated to the single computer it managed to get attached to - at least in theory and until they are written to start doing a blind search across the network for open ports / shares

    But hasn't ransomware already been doing this for some time?



  • Not mapping drives is really just an attempt at security through obscurity. The actual technology hasn't changed, the access hasn't change. All that has changed is where the share is listed.



  • @mike-davis said in Battling Ransome/Crypto-ware: Drive Shares:

    @coliver said in Battling Ransome/Crypto-ware: Drive Shares:

    So one of the protections would be to implement snapshots on those shared drives. It's fairly easy to do and, surprisingly, doesn't use that much disk space in modern Windows server versions.

    Snapshots don't take up much space under normal operations. When the entire file changes, such as when it's encrypted, you're writing a lot of changes and usually it runs out of space so you can recover some stuff, but not all your stuff.

    In theory, what would fail in that case would be the snapshot of the encryption and the healthy recovery snapshots would still be there unaffected.



  • @coliver said in Battling Ransome/Crypto-ware: Drive Shares:

    So one of the protections would be to implement snapshots on those shared drives. It's fairly easy to do and, surprisingly, doesn't use that much disk space in modern Windows server versions.

    I haven't used Snaps in Windows - are you talking about Shadow copy? or VM style snaps?



  • @dashrender said in Battling Ransome/Crypto-ware: Drive Shares:

    @coliver said in Battling Ransome/Crypto-ware: Drive Shares:

    So one of the protections would be to implement snapshots on those shared drives. It's fairly easy to do and, surprisingly, doesn't use that much disk space in modern Windows server versions.

    I haven't used Snaps in Windows - are you talking about Shadow copy? or VM style snaps?

    They use the Shadow copy subsystem. They are called "Previous Versions" by Windows. IIRC they are very similar to LVM snapshots, because that's what they copied from, and do differential snaps on a file update.



  • Yeah I agree with @StrongBad, this article is a bit late. The malware is already seeking out non mapped network shares that the user account has access to.

    Also, if you're going to change a user's workflow like this, why not go all the way and move to something like SharePoint or NextCloud as mentioned by @coliver. These solutions probably offer the single best defense outside of backups against cryptoware.

    It's best when integrated directly inside the applications themselves, and not something provided by the OS. In other words, you can use WebDav to map a network drive to NextCloud (and probably SharePoint as well), but then you're just opening these solutions up exactly the same as a traditional network drive.

    But, if you integrate the storage directly into Word/Excel/Outlook, etc, like SharePoint does, then the malware has to learn how to work through these applications to do their work.



  • @coliver said in Battling Ransome/Crypto-ware: Drive Shares:

    @dashrender said in Battling Ransome/Crypto-ware: Drive Shares:

    @coliver said in Battling Ransome/Crypto-ware: Drive Shares:

    So one of the protections would be to implement snapshots on those shared drives. It's fairly easy to do and, surprisingly, doesn't use that much disk space in modern Windows server versions.

    I haven't used Snaps in Windows - are you talking about Shadow copy? or VM style snaps?

    They use the Shadow copy subsystem. They are called "Previous Versions" by Windows. IIRC they are very similar to LVM snapshots, because that's what they copied from, and do differential snaps on a file update.

    OK, I haven't used these very much - though the last time I did, they were time based, not change based (is that still the case?) I'm not sure if an initial snap is taken after a file is added or not, so that's another thing to be concerned about.



  • @dashrender said in Battling Ransome/Crypto-ware: Drive Shares:

    @coliver said in Battling Ransome/Crypto-ware: Drive Shares:

    @dashrender said in Battling Ransome/Crypto-ware: Drive Shares:

    @coliver said in Battling Ransome/Crypto-ware: Drive Shares:

    So one of the protections would be to implement snapshots on those shared drives. It's fairly easy to do and, surprisingly, doesn't use that much disk space in modern Windows server versions.

    I haven't used Snaps in Windows - are you talking about Shadow copy? or VM style snaps?

    They use the Shadow copy subsystem. They are called "Previous Versions" by Windows. IIRC they are very similar to LVM snapshots, because that's what they copied from, and do differential snaps on a file update.

    OK, I haven't used these very much - though the last time I did, they were time based, not change based (is that still the case?) I'm not sure if an initial snap is taken after a file is added or not, so that's another thing to be concerned about.

    I'd have to look again. It may very well be time based, could of sworn they had a on-modify switch.


  • Service Provider

    @dashrender said in Battling Ransome/Crypto-ware: Drive Shares:

    @coliver said in Battling Ransome/Crypto-ware: Drive Shares:

    So one of the protections would be to implement snapshots on those shared drives. It's fairly easy to do and, surprisingly, doesn't use that much disk space in modern Windows server versions.

    I haven't used Snaps in Windows - are you talking about Shadow copy? or VM style snaps?

    ShadowCopy is the only one in Windows. VM snaps are just platform aware block storage snaps and cannot be done from an OS.



  • @scottalanmiller said in Battling Ransome/Crypto-ware: Drive Shares:

    @dashrender said in Battling Ransome/Crypto-ware: Drive Shares:

    @coliver said in Battling Ransome/Crypto-ware: Drive Shares:

    So one of the protections would be to implement snapshots on those shared drives. It's fairly easy to do and, surprisingly, doesn't use that much disk space in modern Windows server versions.

    I haven't used Snaps in Windows - are you talking about Shadow copy? or VM style snaps?

    ShadowCopy is the only one in Windows. VM snaps are just platform aware block storage snaps and cannot be done from an OS.

    Cool - I just wasn't sure if Server 2016 for example had introduced a VM style snap of their volumes.
    Thanks.


  • Service Provider

    @dashrender said in Battling Ransome/Crypto-ware: Drive Shares:

    @scottalanmiller said in Battling Ransome/Crypto-ware: Drive Shares:

    @dashrender said in Battling Ransome/Crypto-ware: Drive Shares:

    @coliver said in Battling Ransome/Crypto-ware: Drive Shares:

    So one of the protections would be to implement snapshots on those shared drives. It's fairly easy to do and, surprisingly, doesn't use that much disk space in modern Windows server versions.

    I haven't used Snaps in Windows - are you talking about Shadow copy? or VM style snaps?

    ShadowCopy is the only one in Windows. VM snaps are just platform aware block storage snaps and cannot be done from an OS.

    Cool - I just wasn't sure if Server 2016 for example had introduced a VM style snap of their volumes.
    Thanks.

    Not that I am aware of.



  • Pretty sure that ShadowCopy is still time only.



Looks like your connection to MangoLassi was lost, please wait while we try to reconnect.