Ransomware and Mapped Drive

kalale (Active Member). Joined: Oct 16, 2008. Messages: 42. Reaction score: 0.
Hello,

I had a ransomware attack (.Locky) on one of the users and it also infected the mapped drives. Luckily for me, I had a working backup from the previous day. I would like to know if there's an alternative to having mapped drives that one can use to avoid them getting infected; I do my backups on external drives which are also mapped. I also assume that even a cloud-based backup would be infected if the infected files are backed up.

What would be the best backup solution to avoid attacks like this?
 
We use WebDAV shares ourselves with around 500+ users. It's proved for us to be the most powerful and we're currently in the final phases of testing with a large auditing firm.

With WebDAV and server-side magic you can do things like file versioning (each change generates a different version), you can have the files stored in git as a backend, one can also use AWS and AWS versioning as a backend if that blows your hair back. You could even run timed snapshots/deduplication/compression depending on the backend storage (zfs, lvm, btrfs).
 
Hi

A bit of bad news I'm afraid: Locky does not require mapped drives. If the user account has access to the share, the ransomware will in time scan it and start overwriting the files.

The easiest recovery is shadow copy, if you pick up on the infection quickly enough.
 
Hello,

I had a ransomware attack (.Locky) on one of the users and it also infected the mapped drives. Luckily for me, I had a working backup from the previous day. I would like to know if there's an alternative to having mapped drives that one can use to avoid them getting infected; I do my backups on external drives which are also mapped. I also assume that even a cloud-based backup would be infected if the infected files are backed up.

What would be the best backup solution to avoid attacks like this?

Tell the users to stop being stupid. Stop opening links and clicking on "yes" for everything. Also block all .zip and .rar attached emails, by using proper firewalls and last but not least, deploy a proper AV that allows you to block ransom/crypto ware.

Ransomware is not an "attack" situation, it is admin and user related.
 
I've found that having volume shadow copy running on ALL network shares can save hours, combined with an image-based backup (such as Macrium) running on the server. This has saved my bacon MANY times.
 
Tell the users to stop being stupid. Stop opening links and clicking on "yes" for everything. Also block all .zip and .rar attached emails, by using proper firewalls and last but not least, deploy a proper AV that allows you to block ransom/crypto ware.

Ransomware is not an "attack" situation, it is admin and user related.

Please advise of an AV that successfully blocks crypto/ransomware. We run ESET at all our clients with updates running daily. I've seen it get through Kaspersky and ESET. We are now running Cyberoam firewalls at our large clients with packet level AV scanning in an effort to also fight this crap.
Blocking zip and rars at an email level will help most people but what about users who need to receive them?
 
Please advise of an AV that successfully blocks crypto/ransomware. We run ESET at all our clients with updates running daily. I've seen it get through Kaspersky and ESET. We are now running Cyberoam firewalls at our large clients with packet level AV scanning in an effort to also fight this crap.
Blocking zip and rars at an email level will help most people but what about users who need to receive them?

We also run Cyberoam at some clients (who can afford it) as well Trend Micro Worry-Free Business Security Services Advanced.

No-one ever needs to receive ANY .zip or .rar files via email.
 
We also run Cyberoam at some clients (who can afford it) as well Trend Micro Worry-Free Business Security Services Advanced.

No-one ever needs to receive ANY .zip or .rar files via email.

Try convincing them of that :mad:

/listens to the sounds of bitching, pissing, moaning and squealing about the draconian IT department (until the fudge hits the fan then everyone disappears)
 
Try convincing them of that :mad:

/listens to the sounds of bitching, pissing, moaning and squealing about the draconian IT department (until the fudge hits the fan then everyone disappears)

We only convince one person...the CEO. The rest of the staff can go fuk themselves. Emailing .zip and .rar has become irrelevant. Sharing in the Cloud via Dropbox or O365, to name but a few, is what is happening now.
 
We also run Cyberoam at some clients (who can afford it) as well Trend Micro Worry-Free Business Security Services Advanced.

No-one ever needs to receive ANY .zip or .rar files via email.

I saw a chart a while back with all the antivirus programs: ESET, Symantec, Kaspersky, Panda, Avira, MSE etc., basically all of them. There were something like 20 on the list, and out of all of them only one antivirus managed to detect the given ransomware. Some unknown AV, can't even remember the name. But it goes to show you ransomware is a real threat at the moment with no real solution besides "Don't be stupid" :p
 
There are new versions of Locky going around now.
Basically every file extension except for system-dependent extensions/folders will be encrypted,
so having shadow copies could soon not help...

We have our shared folder replicated via NAS to NAS with multiple versions.
 
Hello,

I had a ransomware attack (.Locky) on one of the users and it also infected the mapped drives. Luckily for me, I had a working backup from the previous day. I would like to know if there's an alternative to having mapped drives that one can use to avoid them getting infected; I do my backups on external drives which are also mapped. I also assume that even a cloud-based backup would be infected if the infected files are backed up.

What would be the best backup solution to avoid attacks like this?

Have a look at my previous thread: https://www.linkedin.com/pulse/small-anti-ransomware-measures-frans-botes?trk=prof-post
 
Please advise of an AV that successfully blocks crypto/ransomware. We run ESET at all our clients with updates running daily. I've seen it get through Kaspersky and ESET. We are now running Cyberoam firewalls at our large clients with packet level AV scanning in an effort to also fight this crap.
Blocking zip and rars at an email level will help most people but what about users who need to receive them?

Trend blocked it at one of my clients
 
We also run Cyberoam at some clients (who can afford it) as well Trend Micro Worry-Free Business Security Services Advanced.
No-one ever needs to receive ANY .zip or .rar files via email.

Trend blocked it at one of my clients

Like I said: if administered correctly, with proper training and continuous guidance from TM, it does stop ransomware.
 
I saw a chart a while back with all the antivirus programs: ESET, Symantec, Kaspersky, Panda, Avira, MSE etc., basically all of them. There were something like 20 on the list, and out of all of them only one antivirus managed to detect the given ransomware. Some unknown AV, can't even remember the name. But it goes to show you ransomware is a real threat at the moment with no real solution besides "Don't be stupid" :p

So many services online that encrypt viruses so they're FUD.
 
Just from a home security point of view, would a FreeNAS server that is making regular snapshots be sufficient to save one's information should the network shares become encrypted?

I am basically paranoid about our photo collection and I have also backed up to OneDrive but I know that won't save me in the case of ransomware.

I will also start doing a cold storage backup soon with an external drive. I should have done so sooner, but I have been lazy.
 
Trend Micro's recently released Ransom/Crypto ware blocker works wonders.

Have not had one since installing the update
 
Just from a home security point of view, would a FreeNAS server that is making regular snapshots be sufficient to save one's information should the network shares become encrypted?
Yep. Snapshots can only be managed at an OS level.
So long as you make regular snapshots, you are safe.

Since snapshots in FreeNAS/ZFS are free, you can make them pretty often (e.g. every 30 minutes).
Personally, I would make one every 30 minutes and then delete them after a day (and replace them with a single snapshot for that day).
This way you have backups for every day and, for the given day, every 30 minutes.

ZFS makes a copy when you change something (called copy-on-write). Because of this, snapshots are pretty cheap (it only tracks the changes between every snapshot).
But if you have a lot of changes, it can become pretty expensive space-wise.

So you do need to experiment a bit with the best solution for you.

I am basically paranoid about our photo collection and I have also backed up to OneDrive but I know that won't save me in the case of ransomware.

I will also start doing a cold storage backup soon with an external drive. I should have done so sooner, but I have been lazy.
You should really do your research.
I currently use AWS S3 because FreeNAS supports it, and it is actually pretty cheap if you upload the files with Infrequent Access (I set up a rule to move it to Glacier, which costs $0.007 per gibibyte).

Not sure if it is the cheapest, but I have lots of experience setting it up to reduce costs.
My costs with Amazon are still only like $2 every month; to me that is nothing.
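As an added example that is not part of this thread, here is a POSIX shell script implementing the retention scheme described in the post above (a snapshot every 30 minutes for the current day, one snapshot per earlier day) on top of ZFS snapshots. The `auto-YYYY-MM-DD_HHMM` naming scheme and the `tank/share` dataset are assumptions, and the destroy step is written as a dry run.

```shell
#!/bin/sh
# Added example (not from the thread): keep every snapshot taken today and,
# for each earlier day, only that day's last snapshot. Assumes snapshots
# are named <dataset>@auto-YYYY-MM-DD_HHMM (naming scheme is an assumption)
# so that the date sorts lexicographically and no date parsing is needed.

# take_snapshot DATASET: creates one snapshot in the assumed naming scheme.
take_snapshot() {
  zfs snapshot "$1@auto-$(date +%F_%H%M)"
}

# prune_list TODAY: reads snapshot names on stdin (one per line) and prints
# the ones the policy says to destroy. Pure text processing, so it can be
# exercised without a ZFS pool.
prune_list() {
  sort | awk -v today="$1" '
    {
      # only touch snapshots made by take_snapshot; leave manual ones alone
      if (split($0, p, "@auto-") != 2) next
      day = substr(p[2], 1, 10)        # YYYY-MM-DD
      if (day == today) next           # keep all of today (every 30 min)
      key = p[1] "/" day               # one group per dataset and day
      # input is sorted, so an earlier snapshot in the same group is
      # superseded by this one and can be destroyed
      if (key == lastkey) print lastname
      lastkey = key; lastname = $0
    }'
}

# prune_zfs DATASET: the real thing, as a dry run. Replace the echo with
# zfs destroy "$snap" once the printed list looks right.
prune_zfs() {
  zfs list -H -o name -t snapshot -r "$1" | prune_list "$(date +%F)" |
    while read -r snap; do
      echo "would destroy: $snap"
    done
}
# Typical cron use: take_snapshot every 30 minutes, prune_zfs once a day.
```

Because a snapshot is read-only at the ZFS level, files encrypted on the share can be rolled back from the last snapshot taken before the infection, provided the snapshots were not themselves deleted by an account with ZFS administration rights.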
 