All your files are belong to us
Try as they might, ransomware crooks can't hide their tells when playing hands
Common behaviors shared across all families of ransomware are helping security vendors better spot and isolate attacks. This according to a report from British security shop Sophos, whose breakdown (PDF) of 11 different malware infections, including WannaCry, Ryuk, and GandCrab, found that because ransomware attacks all have …
COMMENTS
-
Friday 15th November 2019 08:00 GMT KittenHuffer
What I want is a file system that keeps incremental copies of files, and flashes up a warning when it suddenly goes from 0.01% of files updated per day to 10% of files updated. As long as I have enough spare storage to handle the encrypted versions of the files until the alarm gets raised I should be able to wind the clock back to before the encryption phase of the infection started. And since the cost of storage is dropping faster than the size of the files I really want to keep is increasing I reckon it should be possible.
I'm sure this is where some other commentard is gonna tell me of just such a file system!
-
Friday 15th November 2019 09:05 GMT rmason
@kittenhuffer
Not a file system, but I can make suggestions.
Most of the new AV offerings from various vendors do pretty much this.
Things like Sophos Intercept X sit on your servers and learn what "normal" usage is. A baseline. Then once all trained and enabled it would do just as you describe. If a server is suddenly getting an unusual amount of file edits/writes then bam, it kills the services and stops the process. Loads of other vendors do it, but we have Sophos so that's the one I have experience of.
If your file shares are on Windows boxes, then look into FSRM: you can configure it to help with ransomware type scenarios too.
https://medium.com/savagesec/minimizing-ransomware-risk-with-fsrm-847d70f6212b
-
Friday 15th November 2019 09:35 GMT Kientha
100% this. If you haven't looked at the changes to Endpoint Protection over the past couple years, it's something I'd seriously recommend. The market has shifted (and is still shifting) quite significantly with the big players changing around and Microsoft ATP really shaking things up. Then you have newer players like Elastic (Previously Endgame) offering very different solutions both in pricing and offering that didn't even exist a couple years ago but have a real chance of knocking the long time players off the top spots in the market!
-
-
Friday 15th November 2019 15:51 GMT Doctor Syntax
"I'm sure this is where some other commentard is gonna tell me of just such a file system!"
Not such a file system but certainly such a system. Open/NextCloud keeps versioned files (it's the V in WebDAV) and there are a couple of server side apps that claim to detect such behaviour.
But that's a client-server system. Maybe what we need is a new architecture that fits that into one box. Your user-facing WP, spreadsheet or whatever doesn't directly read and write files but asks for such services from the server. Maybe two VMs would be enough to run client and server or, for the ~~truly paranoid~~ sensibly security minded, two separate processors. For added security the formats of the updated files could be checked before being saved.
-
Friday 15th November 2019 16:30 GMT Robert Helpmann??
What I want is a file system that keeps incremental copies of files, and flashes up a warning when it suddenly goes from 0.01% of files updated per day to 10% of files updated.
What you are looking for is a HIDS or HIPS application (or NIDS or NIPS if you are concerned with multiple systems). There are plenty of vendors that will be happy to take your money and even some free tools that will cover your stated goal.
-
Friday 15th November 2019 17:37 GMT Paul Crawford
"commentard is gonna tell me of just such a file system!"
Yes there is, any of the so-called "copy on write" file systems can do this - you can have snapshots at regular intervals with very little cost as the file system only fills up with changes and the cost of each snapshot is simply another FAT-equivalent block. So if someone tried to encrypt all your files you would see a massive decrease in the free space as the changed files have to be written to another location. Once you have stopped the crypto rampage you can go back in time to any of the snapshots and get the good files again.
The big problem with this is if the malware has admin privileges and can disable/delete snapshots, but if your files are on a NAS that the victim computer can't get such rights then you are OK. Take a look at FreeNAS which uses ZFS as the file system - it can have periodic snapshots enabled for just this sort of thing. And for any other fat-fingered mistake.
Other file systems I know of are not as readily available, such as IBM's GPFS or the NetApp system, and Linux's Btrfs is still a bit too new for my liking. I'm sure there are others as well...
-
Friday 15th November 2019 23:29 GMT J. Cook
Yep. One of the NetApp's redeeming features is that the snapshot system built into the WAFL filesystem* is read-only by default and design - you have to tell the filer to clone the snapshot (aka snapclone) in order to generate a writable copy.
That saved our bacon at least once. Microsoft's shadow copy (VSS) is good, but the problem is that it's a Windows box - if it's compromised, it's game over.
* explains why NetApp's documentation used to refer to the filer as 'toaster'. And now I have a hankering for waffles....
-
-
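Added example, not part of any comment above and not code from Sophos, NetApp or any other product mentioned: a sketch of the alarm the thread describes, comparing successive snapshot manifests (path to content digest), raising an alert when the daily change rate jumps far above its baseline, and naming the last snapshot to roll back to. The manifest format, the `factor` and `floor` thresholds and the sample data are assumptions made for illustration; in practice the manifests would be built from read-only snapshots held on a box the monitored machine cannot administer.

```python
from statistics import median

def changed_fraction(prev, curr):
    """Fraction of files in prev that were modified or are missing in curr.
    A rename (e.g. a new extension) counts as a change because the old path is gone."""
    if not prev:
        return 0.0
    changed = sum(1 for path, digest in prev.items() if curr.get(path) != digest)
    return changed / len(prev)

def find_rollback_point(snapshots, factor=50.0, floor=0.01, min_history=3):
    """snapshots: list of (label, manifest), oldest first.
    Returns (last_good_label, alarm_label, fraction) for the first interval whose
    change rate is at least `floor` and `factor` times the median of earlier
    intervals, or None if no interval qualifies. Thresholds are illustrative."""
    history = []
    for (prev_label, prev), (label, curr) in zip(snapshots, snapshots[1:]):
        frac = changed_fraction(prev, curr)
        if len(history) >= min_history:
            baseline = median(history)
            if frac >= max(floor, baseline * factor):
                return prev_label, label, frac
        history.append(frac)  # only normal-looking days feed the baseline
    return None

def build_sample(n_files=10_000, days=7, attack_day=6):
    """Constructed data: 1 of 10,000 files changes per day (0.01%),
    then 1,000 files change on attack_day (10%)."""
    manifest = {f"/share/doc{i:05d}.txt": f"v0-{i}" for i in range(n_files)}
    snaps = [("day0", dict(manifest))]
    for day in range(1, days + 1):
        touched = range(1000) if day == attack_day else [day]
        for i in touched:
            manifest[f"/share/doc{i:05d}.txt"] = f"v{day}-{i}"
        snaps.append((f"day{day}", dict(manifest)))
    return snaps

if __name__ == "__main__":
    hit = find_rollback_point(build_sample())
    if hit:
        good, bad, frac = hit
        print(f"ALERT: {frac:.2%} of files changed by {bad}; roll back to {good}")
```
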