
Idea for new feature: cryptolocker defender.


glfp

Question

Hi,

Yesterday I helped a friend of mine to recover his PCs from a Cryptolocker attack (all files encrypted and renamed as .encripted). Here in Italy, this period is like a total war with thousands of casualties...

I really, really fear a cryptolocker on my pool... :wacko:

Could it be a good idea to intercept any attempt to create a .encrypted (or similar suffix) file? I suppose Cryptolocker first tries to create the encrypted one, then deletes the original...

Could it be a possible (optional) new feature?

Many thanks!

Gian Luca

Torino, Italy


12 answers to this question


You should check out this thread:

http://community.covecube.com/index.php?/topic/1846-best-practices-securing-the-file-server-from-ransomware/&do=findComment&comment=12939

I don't think any storage subsystem is the right place to do this. If you are in a work environment, look for guidance on CryptoLocker FSRM policies for your Windows file servers.

 

Yes and no.

Specifically, there is a specialized type of driver called "file system filters". These sit on top of the file system and intercept every operation involving the file system. This is how antivirus programs function (the real-time protection), some disk encryption software, pre-emptive defragmentation, data deduplication in Windows Server, as well as various other related features.

 

So it is possible to create a filter that could in essence "lock down" folders or files from modification.

But that may be more of a stop-gap effort, as it's relatively trivial to bypass the file system filters (this is what DrivePool does for the pooled disks).

But adding this into StableBit DrivePool (or even StableBit Scanner)? No, it doesn't really fit with what the software does. However, I've flagged the request for Alex, though this is something that we have been thinking about already.

New variations of ransomware encrypt unmapped network shares, so I suggest NOT sharing the whole pool and using FTP to back up your files instead. I locked down my pool, put antivirus on the DrivePool server and the virtual machines, and opened up only folders that are temporary (torrent downloads, temp, etc.); duplicated stuff is out of reach on the network and is accessed only through FTP. Also, CrashPlan is a nice choice to back up your client PCs, since it doesn't use shares or FTP but its own secure protocol.

Be strict and proactive and your pool will be safe.

 

 

http://www.bleepingcomputer.com/news/security/dma-locker-ransomware-targets-unmapped-network-shares/


Well, there are a few additional things to help here:

  • Never, EVER use an administrative account, or use credentials for an admin account on another system. Windows Server and Windows Pro create administrative shares by default and (as far as I remember) they cannot be disabled. This means that each drive letter has a shared folder, including the system drive (e.g., c$, d$, e$, etc.), and these shares default to "everyone" for permission and fall back onto NTFS permissions. Meaning an admin has full access here.

    Meaning that an administrative login will give full access to other systems, and can spread the malware with ease.

    For Windows Server Essentials, it means that you should NEVER use the domain admin account for normal usage. (You can set a normal domain user as a local admin per computer, so there isn't a need to use a domain admin account.)

  • Always use restrictive permissions. E.g., do not give write or modify permissions on folders or shares to groups. Give them to specific users, and only users that need these permissions. Everything else should be read, execute and list permissions only.

  • Don't download from untrusted sources. And if you must, quarantine the files (e.g., use a virtual machine to test and scan first).

  • Always use a virus scanner on systems that directly download data from the internet, and keep it up to date.

  • Back up data to an "off site" solution. One that isn't easily accessible.

Also, something else that helps is a good hardware firewall. Personally, I use Sophos UTM, and it scans most of the downloads on the network, as well as doing web scanning. This means that things are much less likely to make it onto my network. pfSense has some web filter options (but they are very complicated to set up, IMO); Untangle has paid options here as well. And there are other solutions, also.

Additionally, most modern virus scanners have a firewall/web filter option as well.

For instance, BitDefender does, but doesn't advertise it, and scans all traffic, including HTTPS, without real consent. ESET's Smart Security product does also (but they have NOD32, which is just a virus scanner). Etc.


 

But adding this into StableBit DrivePool (or even StableBit Scanner)? No, it doesn't really fit with what the software does. However, I've flagged the request for Alex, though this is something that we have been thinking about already.

Why not?

For sure, I understand that DrivePool is not an antivirus, but I think it could be quite simple to implement an optional feature that could block any process (inside the NAS or external through the shares) that tries to create a .encrypted file (suffixes taken from a configurable list...). By blocking this process, DrivePool would block any attempt to manipulate the original file (supposing it FIRST creates the encrypted one, then deletes the original).

About the rest of the comments: I'm quite confused... when I was on Windows Home Server, all the suggestions were to NOT use an antivirus on the NAS, leaving this control to the PC (client) that uses the files inside the NAS. Now you say to install antivirus, firewall, etc. OK, that's a good suggestion, but until today I thought "differently"...

TIP: about antivirus, in the end Windows Defender intercepted the cryptolocker on the PC (of my friend), but after some time... so only about 10% of total files were encrypted...

Thank you for your comments (and sorry for my poor English...)
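The FSRM file-screen approach pointed to earlier in the thread, applied to the configurable suffix list proposed in this post, as an added PowerShell example that is not from the thread, StableBit or Sophos. It assumes the File Server Resource Manager role is installed, a placeholder share root of D:\Shares, and a suffix list you maintain yourself; FSRM screening applies to writes arriving over SMB and to local processes alike.

```powershell
# Added example (not from the thread): deny creation of files with ransomware-style
# suffixes on a Windows file server via FSRM active file screening, and log a
# Warning event for each refused write. Assumes the FSRM role is present:
#   Install-WindowsFeature FS-Resource-Manager -IncludeManagementTools
Import-Module FileServerResourceManager

# Configurable suffix list, as the post proposes. "*.encrypted" is the suffix
# from the thread; "*.PLACEHOLDER-EXT" marks where you add others you observe.
$Patterns  = @('*.encrypted', '*.PLACEHOLDER-EXT')
$GroupName = 'Ransomware suffixes'
$ShareRoot = 'D:\Shares'   # placeholder: the share or pool root to protect

# Create the file group holding the patterns, or refresh it if it already exists.
if (Get-FsrmFileGroup -Name $GroupName -ErrorAction SilentlyContinue) {
    Set-FsrmFileGroup -Name $GroupName -IncludePattern $Patterns
} else {
    New-FsrmFileGroup -Name $GroupName -IncludePattern $Patterns
}

# Notification action: write a Warning to the Application log naming the user,
# the path and the matched group, using FSRM's own substitution variables.
$Action = New-FsrmAction -Type Event -EventType Warning -Body (
    'Ransomware suffix blocked on [Server]: [Source Io Owner] tried to write ' +
    '[Source File Path] (matched group: [Violated File Group])')

# Active screening: matching creates and renames are refused, not merely logged.
if (-not (Get-FsrmFileScreen -Path $ShareRoot -ErrorAction SilentlyContinue)) {
    New-FsrmFileScreen -Path $ShareRoot -IncludeGroup $GroupName `
        -Notification $Action -Active -Description 'Deny known ransomware suffixes'
}

# Confirm the screen is active on the protected root.
Get-FsrmFileScreen -Path $ShareRoot | Format-List Path, Active, IncludeGroup
```

The screen matches file names only, so, as the thread notes for filters generally, malware that overwrites files in place or uses a suffix not on the list is not stopped; treat the logged event as a detection signal that the host or share in question needs isolating, not as complete protection.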


It's not from a virus scanner perspective, but because of how to implement it.

Specifically, the less that the kernel driver for the pool has to do, the better. Checking for extensions for each file that is accessed is not insignificant overhead. Especially when dealing with file modifications.

 

 

As for antivirus on the server, it absolutely depends. Any antivirus not designed for it can cause issues. For instance, the client backup database is raw data, and likely to trigger false positives, just based on probability. Additionally, it can interfere with the access and corrupt the database.

Additionally, because it is a server OS, a lot of software will just outright refuse to install, requiring you to purchase a license for a server variant of their product.

But generally, you want antivirus software installed on any system that is accessing content from the internet, to prevent any malicious programs from running on that system.

And to clarify, while this isn't something specifically we've considered already, the principle for it is. It doesn't really fit cleanly into StableBit DrivePool, and more so, we don't want to squeeze a bunch of things into StableBit DrivePool, especially if nobody will ever end up using them.

That said, it is more in line with something else that we'd like to do as a separate product.


OK, tried setting up Sophos UTM in a VM under Hyper-V on my Windows 10 file server but couldn't make it work; got 2 cards set up as external WAN and internal LAN but could not connect to the WebGUI to set it up. I think I need a new box exclusively for virtual machines and leave the StableBit file server alone. What are your thoughts on it? File server with Hyper-V, or dedicated Hyper-V box?


OK, tried setting up Sophos UTM in a VM under Hyper-V on my Windows 10 file server but couldn't make it work; got 2 cards set up as external WAN and internal LAN but could not connect to the WebGUI to set it up. I think I need a new box exclusively for virtual machines and leave the StableBit file server alone. What are your thoughts on it? File server with Hyper-V, or dedicated Hyper-V box?

After the initial installation, you need to manually specify an IP address to connect to the box, as it doesn't have the DHCP role installed/configured. It does set that up as part of the installation wizard, but until then....

Check out this link for details: https://drashna.net/blog/2014/09/installing-sophos-utm/

And yeah, if you're using virtualization a lot, a dedicated box is a better idea for it. That way, if something goes wrong, it doesn't affect anything else. Also, it means that you don't have to split the CPU and memory between the VMs *and* the file server.

Also, that said, you should definitely have multiple NICs. Honestly, I'd recommend 3 minimum: 2 to dedicate to the VMs (especially as you'll basically need to do this with Sophos) and 1 NIC to manage the host system.


Thanks Christopher, I did manually set up a manual IP on the internal network LAN card to connect to the Sophos VM from the Windows 10 host, as found in the user guides and your guide, but I couldn't connect with either Microsoft Edge or Chrome from the same box; tried multiple times without success and rolled back. The best solution now, as you suggested and I agree, is a dedicated VM box with 3 adapters; keeping the file server and the VM host separate and tidy is the best way to do it.

Found the microATX case for the Hyper-V box; isn't it a beauty?

 

http://www.chieftec.eu/en/chassis/mini-tower/xt-01b.html


If that's the case, then it may have been the wrong NIC. It can be confusing how it's set up. I know I had issues with that... and have issues every time I set up the OS....

At least on Hyper-V, it should be dead simple to switch which NIC goes where. :)

And yeah, that's a very nice case. Though, I'm a fan of Mini-ITX and rackmount cases. :)
