Ransomware?


thepregnantgod

Question

Drashna, got an academic question for you.

 

Was reading the news about that newest ransomware thing going around and thought...crap.  If my media pool (100TB) got encrypted entirely, I'd be screwed.  You just can't back up 100TB anywhere.

 

In fact, I went Drivepool with duplication so I didn't have to worry about backup since if a drive fails, I have duplicates on the pool.

 

My question is, let's assume all files in a particular directory were encrypted by a ransomware.

 

1. Would drivepool duplicate that encryption?  Meaning, would both copies of a movie now be encrypted?

2. If not, how would I go through, painfully, and find all the unencrypted duplicates?  The only time I see the hidden "copytemp" is when my overclock fails and it gets interrupted.

3. If drivepool is susceptible to this - it might be a neat feature to add in (if possible) - this ransomware stuff is getting out of hand.

 

 

4 answers to this question

This topic comes up every so often. Namely, when there has been a round of malware/ransomware like this. 

 

And I totally understand.  I have a 130TB pool, so I totally understand. 

 

And it depends on the specific malware.  However, most of the malware encrypts each file individually.  It looks for certain extensions usually (docs, pdfs, txt files, etc), and then encrypts each file.  

 

This unfortunately means that yes, this would affect the pool, and encrypt your files.   And yes, they'd be encrypted on the underlying disks.  

 

Worse yet, many of these malware strains will also purge VSS snapshots, so you couldn't even use Previous Versions to restore the files. :( 

 

 

As for decrypting, you do so on the pool. That would decrypt both copies, as you're modifying the files on the pool. 

 

 

And as for protecting the files ... yeah, this is absolutely something on our mind. However, not JUST for the pool. :)

Specifically, this is something that we plan on looking into (if not outright implementing) in StableBit FileVault. The product is still in the "Planning" stage, so there are no confirmed features as of yet. 

 

 

 

 

 

In the meanwhile, there are a number of things you can do to help mitigate this sort of issue. 

  • Use a least privileged account.
    If you don't need write access to the pool, then don't grant it.  Period.  
    For media software, run it in an account that only has read access.  Etc. 
    Never use an administrative account. 
  • Make sure that all of your software is up to date. Windows, Antivirus, etc. 
  • Use some sort of "cryptolocker prevention".  ThirdTier has a good guide, but I think it's paid now. 
    There is software such as this: https://www.foolishit.com/cryptoprevent-malware-prevention/
    It locks down a lot of the files and folders on the system, which helps prevent a lot of malware like this from even running.   However, it can break a lot of software, as it runs by doing the same stuff (Chrome, for instance, runs out of the AppData folder, which is a big no-no). 
  • If you're using a Server version of Windows, you can install the FSRM role and use the "file screening" feature to block access to files. 
    This is much more complicated, so I won't post links here.  
     
  • And the most obvious one: backup. Store the data offsite. 
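As an added illustration of two of the mitigations above (the read-only account and FSRM file screening), not code from the original post or from StableBit, the PowerShell below creates a least-privilege local account that can only read the pool and an active FSRM file screen that refuses and logs writes of files with ransomware-style extensions. The pool drive letter P:, the account name MediaReader and the extension patterns are assumptions; whether FSRM will accept DrivePool's virtual volume as a screen path, or only the underlying NTFS disks, is not confirmed by the post, so verify on a test folder first.

```powershell
# Added example: least-privilege reader account plus an FSRM file screen.
# Assumptions: pool mounted at P:\, account name MediaReader, extension
# patterns are constructed placeholders; run elevated on Windows Server 2016+.

# 1. Least privilege: a local account that can only read the pool.
$Password = Read-Host -AsSecureString "Password for MediaReader"
New-LocalUser -Name "MediaReader" -Password $Password -PasswordNeverExpires
# (OI)(CI)RX = read and execute, inherited by sub-folders and files; no write.
icacls "P:\Media" /grant "MediaReader:(OI)(CI)RX"
# Run media players / indexers as MediaReader so a compromise of that
# software cannot modify anything on the pool.

# 2. File screening: install the FSRM role (Server editions only).
Install-WindowsFeature FS-Resource-Manager -IncludeManagementTools

# File group of extensions ransomware typically appends. The names below are
# constructed examples only; maintain the list from a current source.
$Patterns = @("*.locked", "*.encrypted", "*.crypt", "*HOW_TO_DECRYPT*.txt")
New-FsrmFileGroup -Name "Ransomware-Extensions" -IncludePattern $Patterns

# Log a warning to the Application event log whenever the screen fires;
# this is a cheap detection signal to alert on. Bracketed names are FSRM's
# own message variables.
$Alert = New-FsrmAction -Type Event -EventType Warning `
    -Body "Ransomware screen hit on [File Screen Path] by [Source Io Owner]: [Source File Path]"

# Active screen: the write is refused, not merely reported.
New-FsrmFileScreen -Path "P:\" -IncludeGroup "Ransomware-Extensions" `
    -Active -Notification $Alert

# Verify the screen is in place and active.
Get-FsrmFileScreen -Path "P:\" | Format-List Path, IncludeGroup, Active
```

A screen only catches extensions it knows about, so treat it as one layer beside the least-privilege account and offsite backups, not as a replacement for them.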


I was wondering whether the new Pool-of-Pool functionality could bring some relief. My thinking is:

1. Define two unduplicated Pools

2. Create a duplicated MOAP (Mother Of All Pools).

3. After duplication - Detach one of the Pools

 

Normally this would, I think, put the MOAP in read-only mode, but this need not be a bad thing if it is for media that is not written to often? Periodically, you could attach the 2nd Pool, write to the MOAP whatever needs to be written, let DP do its thing and detach Pool #1 again.

 

Moreover, I wonder whether you could not still write to Pool #1, as that one would not be in read-only mode. If you would use that as the source for media players as well, then Pool #2 is really a local 'kinda sorta' backup. The only downside is that you would have to write directly to the folders within the second or nested poolpart folder. But perhaps DP could allow, for a duplicated MOAP, the read-only mode to be suspended temporarily?

 

Just thinking (I might consider going x3 duplication even if something like this was easily manageable exactly for this reason)...
