Ransomware - about the attack, protection methods and best practices

July 2, 2021

I've been noticing a flurry of news lately about this type of attack, sometimes with corporate victims. Let's remember Garmin, Colonial Pipeline and recently even a hospital in Romania.

Ransomware is an attack in which files are encrypted, so access to the data is blocked until the key to decrypt the files is obtained, usually by paying a sum of money to the attackers. Payment is demanded in Bitcoin or another crypto-currency because it is harder to trace; crypto-currencies have made this type of attack easier to carry out.

Most of the time this attack is possible because systems lack updates, the antivirus is not active or not updated, and best practices are not implemented.

The methods to counteract this type of attack presuppose well-established, functional backup and disaster recovery systems. I've been using FreeNAS for over 10 years; in the meantime it has become TrueNAS. It is based on FreeBSD and uses ZFS, which is a mix between a file system and a volume manager. ZFS combines the advantages of RAID (protection against hardware failure) with protection against data corruption.

There are other players trying to offer similar solutions. Synology offers NAS devices based on btrfs (Butter FS), but it is not yet mature enough to compete with ZFS. QNAP offers NAS devices with ZFS, but there are security issues in the software or some ZFS options are missing.

Working in IT, I am often asked by friends and acquaintances about problems they have, or for ideas about a solution they need. The following list contains some examples I've come across:

  • Office 2013 in 2021
  • Windows XP or Windows 7 - I don't like how Windows 10 looks and I don't see why I need to change if this works too
  • Windows updates disabled - I don't want it to track me, and the PC will run more slowly
  • it won't happen to me
  • I have back-up, look, on this external hard drive
  • look, we have this NAS (usually an entry-level device that itself has security issues)
  • I keep my files on the D partition, I'm protected

Commercial NAS devices that boast all kinds of features offer protection in case a drive fails but... RAID IS NOT A BACKUP

Recommendations and protection methods:

  • take advantage of the options provided by Microsoft: keep Windows and Office updates up to date
  • Windows Defender must be active and updated
  • use OneDrive as your first line of defense to store the documents and files you need
  • if possible, invest in a storage solution that offers a wide range of protection; I use FreeNAS / TrueNAS. ZFS offers features that protect data and make restoring possible in case of need, for example protection against bit rot and ZFS snapshots
  • consider off-site storage of backups; a network folder on an entry-level NAS offers no protection, as I'll show below

Demo:

* DO NOT TRY WHAT YOU WILL SEE BELOW IF YOU DO NOT KNOW EXACTLY WHAT YOU ARE DOING. I DID THE TESTS ON AN ISOLATED VIRTUAL MACHINE *

Samples and malware are available for testing on theZoo and tutorialjinni.com

For the demo below I set up a virtual machine (in TrueNAS - not the best option for VMs but it does the job) following the most common scenarios:

  • documents on Desktop/My Documents - locally on the C drive
  • documents stored on the D partition
  • documents stored on a network folder using SMB

I decided to use Conti because it is commonly used, affects all versions of Windows, attacks VSS (Volume Shadow Copy Service) and also attacks SMB (network folders).

On the virtual machine I enabled VSS for both drives (C and D) and File History as the primary protection methods. VSS is normally only available on Windows Server but can be enabled with the command:

wmic shadowcopy call create Volume=c:\

Drive D is mounted as a Zvol in TrueNAS and periodic snapshots are active.

The network folder is an SMB share of a Dataset in TrueNAS with periodic snapshots active.

Periodic snapshots of a Dataset with an SMB share are similar to VSS in Windows; both offer the option to "restore previous versions". The difference is that VSS is stored on the local drive and is vulnerable to attack, while the snapshot in TrueNAS is exposed read-only to clients and as such is not vulnerable to attack.

* Remember: RAID provides hardware redundancy and protects against data loss caused by hardware failure. It does not protect against deletion/corruption of stored data.

To stand in for user documents I created 4 files: an Excel, a Word, a PowerPoint and an Access file. All files are stored on the Desktop, the D drive and the network folder.

* to be able to run the Conti ransomware I had to disable Windows Defender. Without this step the attack is impossible, which brings us to one of the protection methods: an updated Windows plus an active and updated antivirus.

When I ran Conti.exe, apparently nothing happened. It runs in the background and starts encrypting any files it finds.
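To show what "restore previous versions" from a read-only snapshot amounts to after a run like this, here is an added example in Python (not code from the original post): it diffs the live share against the snapshot directory that ZFS exposes under .zfs/snapshot/<name>, then copies the clean versions back. The file names, the snapshot name and the simulated damage are constructed for the demo.

```python
import filecmp
import shutil
import tempfile
from pathlib import Path

def snapshot_dir(mountpoint: Path, name: str) -> Path:
    """ZFS exposes each snapshot read-only under <mountpoint>/.zfs/snapshot/<name>."""
    return mountpoint / ".zfs" / "snapshot" / name

def find_damaged(live: Path, snapshot: Path) -> dict:
    """Snapshot files now missing/altered on the live side, plus live files with no clean counterpart."""
    missing, changed, added = [], [], []
    for f in snapshot.rglob("*"):
        if f.is_file():
            rel = f.relative_to(snapshot)
            if not (live / rel).is_file():
                missing.append(str(rel))
            elif not filecmp.cmp(live / rel, f, shallow=False):
                changed.append(str(rel))
    for f in live.rglob("*"):
        rel = f.relative_to(live)
        if f.is_file() and rel.parts[0] != ".zfs" and not (snapshot / rel).exists():
            added.append(str(rel))
    return {"missing": sorted(missing), "changed": sorted(changed), "added": sorted(added)}

def restore(live: Path, snapshot: Path, rels: list) -> int:
    """Copy the clean snapshot version of each file back over the live share."""
    for rel in rels:
        (live / rel).parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(snapshot / rel, live / rel)
    return len(rels)

def demo() -> dict:
    """Constructed scenario: four office files on the share, then a simulated ransomware run."""
    share = Path(tempfile.mkdtemp())
    snap = snapshot_dir(share, "auto-2021-07-02")   # constructed snapshot name
    snap.mkdir(parents=True)
    docs = {"budget.xlsx": b"excel", "report.docx": b"word",
            "slides.pptx": b"ppt", "contacts.accdb": b"access"}
    for name, body in docs.items():
        (snap / name).write_bytes(body)   # the snapshot copy is immutable to clients
        (share / name).write_bytes(body)  # the live copy is what gets attacked
    (share / "budget.xlsx").write_bytes(b"\x00encrypted")        # overwritten in place
    (share / "report.docx").rename(share / "report.docx.locked")  # renamed by the malware
    (share / "RESTORE_FILES.txt").write_bytes(b"ransom note")     # dropped by the malware
    before = find_damaged(share, snap)
    n = restore(share, snap, before["missing"] + before["changed"])
    return {"before": before, "restored": n, "after": find_damaged(share, snap)}
```

Files reported as added (the renamed copy and the ransom note) have no clean counterpart in the snapshot and are left for manual review; on a real TrueNAS dataset, zfs rollback or the Windows "Previous Versions" tab does the same job for the whole share.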
