• We’re currently investigating an issue related to the forum theme and styling that is impacting page layout and visual formatting. The problem has been identified, and we are actively working on a resolution. There is no impact to user data or functionality, this is strictly a front-end display issue. We’ll post an update once the fix has been deployed. Thanks for your patience while we get this sorted.

NAS and Ransomware

Pghpooh

Pghpooh

Senior member
Read a few articles about ransom ware taking over computers. Another thing I read is ransom ware can get into any attached drives. I have a desktop with the C drive and a second 1 tb drive for storage. Supposedly ransom ware can affect that other drive.

What about a NAS drive???? Since a NAS is attached to the router, can ransom ware attack and get into the NAS??
 
Sure it can if you have write access directly to shares and its on the network. Depends on the virus.

Ransomeware is a pita. You have to stop it at the perimeter via a decent IPS. Url filtering, email scanning, blocking executables from email attachments, etc... Training users is the first step to not open unknown attachments. Using regular AVS and scanning for and finding it on desktops means it is probably too late.
 
Yeah, it can spread to your has pretty easily. Had that happen at work once - IT wiped pretty much everything and restored from backups.
 
I suppose you could make a read only NAS, and that would protect it.
Then you would need to log in as an admin to add files.
 
Elixer said:
I suppose you could make a read only NAS, and that would protect it.
Then you would need to log in as an admin to add files.
Click to expand...

I read some suggestion about this very problem the other day. Some one suggested making a special backup user with write access to the backup disks. Then stripping write access from everyone else. Then you run all backups through the backup user. I'm sure it could be defeated but I'd imagine most ransomware isn't that sophisticated.
 
Pghpooh said:
What about a NAS drive???? Since a NAS is attached to the router, can ransom ware attack and get into the NAS??
Click to expand...
It may be possible some "network aware" ransomware could start to do that. In reality though the common sense advice still stands : NAS by itself is not a "backup" despite many treating it as such. And RAID is about redundancy of uptime, not hack-proof security of data. Anyone with a NAS setup should still have at least one additional "offline" external drive unplugged 99% of the time to safeguard critical data against not just malware / ransomware but other threats. I knew someone who lost his NAS + all 4 drives from an indirect lightning strike related electrical surge. Went straight though a UPS and fried all the controllers at once. Likewise, you could mirror 4x drives in RAID1 and enjoy the security that having 4x copies of the same thing does vs HDD failure. But if someone breaks in and walks off with the NAS and all 4x drives inside, you're screwed unless you have just 1x extra copy stored elsewhere, even if it's something simple like a USB stick or BD-RE tucked away safely.
 
Every local disk and any network share where you have access, even on administrative c$ shares can be affected/encrypted.

You have only two options for a NAS:

- offline backup, but this may be a problem if you detect the problem too late
you need several backup disks then

- a versioning filesystem with snapshost that are readonly in a way that even an admin cannot modify/delete/encrypt them
ZFS is such a solutions as ZFS snaps are readonly and they cannot be destroyed from a SMB share. Even thosands of snaps are possible and the needed space is only the amount of modified datablocks to the former snap.
 
I haven't seen a variant yet that sniffs shares and encrypts through UNC paths but mapped drives will get it first in the later variants. One user at an office that relies on mapped drives caught CryptoWall 3.0 and it started destroying files on the mapped drives before modifying anything on the local disk, making the identification of the offending machine take a bit longer to complete because in the past, the instructions for bitcoin payment (HELP_DECRYPT.JPG) are plopped first into the profile's Documents folder. For this reason, I would be very choosy as to what is mapped and only use UNC shortcuts the rest of the time. Unfortunately a lot of third party apps require shares to be mapped so there is no way around it but to ensure that backups are solid.
 
Some ransomware has even specifically targeted NAS. They are often open to the Internet and Synology had a security hole that was targeted a few years back.

Michael
 
I always have offline backups, I use a virtual machine running linux for web surfing, mail etc. it is on a seperate vlan which is configured on my cisco switch and its a dmz lower security level on my asa 5506x

For the nas i do keep some mapped drives as readonly since there is no need to modifiy those files.
 
So when you guys set your NAS as read only, how do you approach adding data to it?

As I'm planning on building a NAS with ZFS, I figure I'll have a majority of my storage as specifically for media server purposes, but I'm definitely interested in setting aside some for an iSCSI zvol to use as a mount point for a local AD domain, mostly for lab-type work but also for practical purposes. But also, I do want to use OwnCloud to play around with that.

So I'm just trying to get things figured out in my mind as to how I can get the kind of access I want, but maintain thorough security. All of this will be behind a Sophos XG router/firewall, and I will definitely need to do a ton of research to ensure I get that configured correctly.
 
A simple way is lets say you have 40gb of data you do not delete or modify, ie pictures etc.. Make that folder read only and map it as its own drive.

You can setup a second folder as your working folder ie adding images etc.. But at the end of the day,week etc.. You move those to the read only folder
 
Hugo Drax said:
A simple way is lets say you have 40gb of data you do not delete or modify, ie pictures etc.. Make that folder read only and map it as its own drive.

You can setup a second folder as your working folder ie adding images etc.. But at the end of the day,week etc.. You move those to the read only folder
Click to expand...

So, for best practices, do you just change permissions for transfer, or do you create an account with a strong password with write access to utilize for that transfer? Or a combination, where you set an account for that purpose but disable it when not actively needed?
 
HI
Thanks for the info!!!
I think I am going to use some of my income tax refund to buy 2 or 3 external drives and use those drives to back up my computers. Once the backup is done,,, disconnect the external drives and lock them is a safe!!! LOL
Thanks again!!!!
 
PliotronX said:
I haven't seen a variant yet that sniffs shares and encrypts through UNC paths but mapped drives will get it first in the later variants. One user at an office that relies on mapped drives caught CryptoWall 3.0 and it started destroying files on the mapped drives before modifying anything on the local disk, making the identification of the offending machine take a bit longer to complete because in the past, the instructions for bitcoin payment (HELP_DECRYPT.JPG) are plopped first into the profile's Documents folder. For this reason, I would be very choosy as to what is mapped and only use UNC shortcuts the rest of the time. Unfortunately a lot of third party apps require shares to be mapped so there is no way around it but to ensure that backups are solid.
Click to expand...

This bad boy:

http://www.bleepingcomputer.com/new...ypts-local-files-and-unmapped-network-shares/

We got hit with it last week.

"When Locky is started it will create and assign a unique 16 hexadecimal number to the victim and will look like F67091F1D24A922B. Locky will then scan all local drives and unmapped network shares for data files to encrypt. When encrypting files it will use the AES encryption algorithm and only encrypt those files that match the following extensions:"

We have backups, restored, and called it a day. Any time we get hit with it, the only real thing we can do is wait for a user(s) to complain, we have since installed kaspersky, it is supposed to know when a user changes a lot of files quickly, so that might help in the future.
 
Last edited:
ViviTheMage said:
This bad boy:

http://www.bleepingcomputer.com/new...ypts-local-files-and-unmapped-network-shares/

We got hit with it last week.

"When Locky is started it will create and assign a unique 16 hexadecimal number to the victim and will look like F67091F1D24A922B. Locky will then scan all local drives and unmapped network shares for data files to encrypt. When encrypting files it will use the AES encryption algorithm and only encrypt those files that match the following extensions:"

We have backups, restored, and called it a day. Any time we get hit with it, the only real thing we can do is wait for a user(s) to complain, we have since installed kaspersky, it is supposed to know when a user changes a lot of files quickly, so that might help in the future.
Click to expand...
*sigh*
BleepingComputer Article said:
Once a victim enables the macros...
Click to expand...

I guess for those of us in-the-know, a random Word file that shows up and asks you to enable macros might as well just skip the pretense and use a filename of "Please run this virus.exe."
 
Last edited:
PliotronX said:
I haven't seen a variant yet that sniffs shares and encrypts through UNC paths but mapped drives will get it first in the later variants. One user at an office that relies on mapped drives caught CryptoWall 3.0 and it started destroying files on the mapped drives before modifying anything on the local disk, making the identification of the offending machine take a bit longer to complete because in the past, the instructions for bitcoin payment (HELP_DECRYPT.JPG) are plopped first into the profile's Documents folder. For this reason, I would be very choosy as to what is mapped and only use UNC shortcuts the rest of the time. Unfortunately a lot of third party apps require shares to be mapped so there is no way around it but to ensure that backups are solid.
Click to expand...

Unfortunately, Windows "caches credentials", once you enter a password, even if you manually un-map a shared drive letter, which means that with the requisite programming, malware could still access those authenticated UNC paths.

Linux Mint's SMB support offers the option to forget the password, once you disconnect from the share, but I'm not aware of that option on Windows, unless there's a group-policy setting for not caching credentials during a login session. But then, that wouldn't help Win7 Home users much.
 
Jeff7 said:
*sigh*


I guess for those of us in-the-know, a random Word file that shows up and asks you to enable macros might as well just skip the pretense and use a filename of "Please run this virus.exe."
Click to expand...

Unfortunately, most users are not in the know. The best thing one can do is try your damnedest to prevent such things from ever reaching the user.

They get crafty. A company I temped at for a short stint had got what was at least a simpler virus through a false resume. Those are the worst, invoices you can try to figure out before opening; but what if you ever entertain accepting unsolicited resumes? Not at all a rare thing, and I have no idea how companies even accept resumes sent as email attachments - corporate IT must not get a say in that! lol ... or they really trust their defenses and perhaps HR-specific email training?

But yes, thankfully the strongest defense against a lot of this crap is simply having risk awareness and knowing best practices for handling suspicious attachments, downloads, and links. As you say, for us in the know, it's a hell of a lot easier to see the risks. But unfortunately, that's not enough these days: with all the web-based vulnerabilities, unless you run with the most stringent noscript and ad-blocking approaches on every single website, the zero-day threats are everywhere. I do when I know I'm about to head to a site that I believe questionable, loading it in Firefox with all my blocking tools, but that's truly not enough as even the best sites can suddenly get crap (even this site, unfortunately) if an ad network becomes a victim or numerous other possibilities.

I hope when I build my server that I can create a strong configuration in Sophos XG to add a strong protection layer to my browsing habits.
 
Jeff7 said:
*sigh*


I guess for those of us in-the-know, a random Word file that shows up and asks you to enable macros might as well just skip the pretense and use a filename of "Please run this virus.exe."
Click to expand...

I would have thought the same, but we had a user do all of the above :s
 
dave_the_nerd said:
It's yet another dialog box that the user interprets as "Dumb thing, nonsense, click here to continue doing what you want to do."
Click to expand...

Yup, not the first time. Luckily when we see the files start to encrypt, it shows how is doing it, because the owner changes. We block the MAC on the network, and call them to send in the computer so we can wipe it.
 
In general, opening attachments on my iphone is the safest way I know to avoid the risk of malware and I am smart enough not to open the random invoices and such I am sent.

Michael
 
Last edited:
You must log in or register to reply here.

TRENDING THREADS

Back
Top