    Battling Ransome/Crypto-ware: Drive Shares

    IT Discussion
    Tags: malware, ransonware, security, secure access, drive mapping, cryptoware
    18 Posts 7 Posters 2.6k Views
    StrongBad:

      Not mapping drives is really just an attempt at security through obscurity. The actual technology hasn't changed, the access hasn't changed. All that has changed is where the share is listed.
      StrongBad (replying to Mike Davis):

        @mike-davis said in Battling Ransome/Crypto-ware: Drive Shares:

        @coliver said in Battling Ransome/Crypto-ware: Drive Shares:

        So one of the protections would be to implement snapshots on those shared drives. It's fairly easy to do and, surprisingly, doesn't use that much disk space in modern Windows server versions.

        Snapshots don't take up much space under normal operations. When the entire file changes, such as when it's encrypted, you're writing a lot of changes and usually it runs out of space so you can recover some stuff, but not all your stuff.

        In theory, what would fail in that case would be the snapshot of the encryption and the healthy recovery snapshots would still be there unaffected.

        Dashrender (replying to coliver):

          @coliver said in Battling Ransome/Crypto-ware: Drive Shares:

          So one of the protections would be to implement snapshots on those shared drives. It's fairly easy to do and, surprisingly, doesn't use that much disk space in modern Windows server versions.

          I haven't used Snaps in Windows - are you talking about Shadow copy? or VM style snaps?

          coliver (replying to Dashrender):

            @dashrender said in Battling Ransome/Crypto-ware: Drive Shares:

            @coliver said in Battling Ransome/Crypto-ware: Drive Shares:

            So one of the protections would be to implement snapshots on those shared drives. It's fairly easy to do and, surprisingly, doesn't use that much disk space in modern Windows server versions.

            I haven't used Snaps in Windows - are you talking about Shadow copy? or VM style snaps?

            They use the Shadow copy subsystem. They are called "Previous Versions" by Windows. IIRC they are very similar to LVM snapshots, because that's what they copied from, and do differential snaps on a file update.

            Dashrender:

              Yeah I agree with @StrongBad, this article is a bit late. The malware is already seeking out non mapped network shares that the user account has access to.

              Also, if you're going to change a user's workflow like this, why not go all the way and move to something like SharePoint or NextCloud as mentioned by @coliver. These solutions probably offer the single best defense outside of backups against cryptoware.

              It's best when integrated directly inside the applications themselves, and not something provided by the OS. In other words, you can use WebDav to map a network drive to NextCloud (and probably SharePoint as well), but then you're just opening these solutions up exactly the same as a traditional network drive.

              But, if you integrate the storage directly into Word/Excel/Outlook, etc, like SharePoint does, then the malware has to learn how to work through these applications to do their work.

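StrongBad's point above (the share is reachable whether or not a drive letter is mapped) and Dashrender's (the malware already walks non-mapped shares the account can reach) can be checked directly. The following is an added example written for this page, not code from any poster: it runs on a workstation as the logged-on user with no admin rights under Windows PowerShell 5.1, asks each file server for its share list the same way an encryptor would, and records which shares the current token can read and write. The server names FS01 and FS02 are placeholders; the probe file name is my own choice.

```powershell
# Added example (editor's code, not from the thread): what a share-enumerating
# process sees from a workstation when NO drive letter is mapped. Runs as the
# logged-on user with no admin rights; Windows PowerShell 5.1.
# ASSUMPTION: FS01 and FS02 are placeholder file server names.
param([string[]]$Servers = @('FS01', 'FS02'))

function Test-ShareWrite {
    # Creates and removes a throwaway probe file to test effective write access.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $probe = Join-Path $Path ('probe-' + [guid]::NewGuid().ToString('N') + '.tmp')
    try {
        New-Item -ItemType File -Path $probe -ErrorAction Stop | Out-Null
        Remove-Item -LiteralPath $probe -Force
        $true
    } catch { $false }
}

function Get-ReachableShares {
    # 'net view' asks the server itself for its share list (the NetShareEnum
    # RPC); the result does not depend on anything mapped on this client.
    param([string]$Server)
    $lines = net view "\\$Server" /all 2>$null
    foreach ($line in $lines) {
        # Rows look like:  Finance    Disk     Finance documents
        if ($line -match '^(?<name>\S+)\s+Disk\b') {
            $path = "\\$Server\$($Matches.name)"
            [pscustomobject]@{
                Path     = $path
                Readable = Test-Path -LiteralPath $path
                Writable = Test-ShareWrite -Path $path
            }
        }
    }
}

# Every row with Writable = True is in scope for an encryptor running under
# this user, mapped or not.
$Servers | ForEach-Object { Get-ReachableShares -Server $_ } | Format-Table -AutoSize

# For comparison, the only thing "not mapping" changed: the client-side mapping list.
Get-SmbMapping | Select-Object LocalPath, RemotePath, Status
```

The blast radius is whatever the share and NTFS ACLs grant the user, so the structural fix is trimming write access, not hiding the share: access-based enumeration hides names the user cannot open but does not change what they can write. A WebDAV mapping to NextCloud or SharePoint, as Dashrender notes, puts those stores back on exactly this list, under the same token.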
              Dashrender (replying to coliver):

                @coliver said in Battling Ransome/Crypto-ware: Drive Shares:

                They use the Shadow copy subsystem. They are called "Previous Versions" by Windows. IIRC they are very similar to LVM snapshots, because that's what they copied from, and do differential snaps on a file update.

                OK, I haven't used these very much - though the last time I did, they were time based, not change based (is that still the case?) I'm not sure if an initial snap is taken after a file is added or not, so that's another thing to be concerned about.

                coliver (replying to Dashrender):

                  @dashrender said in Battling Ransome/Crypto-ware: Drive Shares:

                  OK, I haven't used these very much - though the last time I did, they were time based, not change based (is that still the case?) I'm not sure if an initial snap is taken after a file is added or not, so that's another thing to be concerned about.

                  I'd have to look again. It may very well be time based, could have sworn they had an on-modify switch.

                  scottalanmiller (replying to Dashrender):

                    @dashrender said in Battling Ransome/Crypto-ware: Drive Shares:

                    @coliver said in Battling Ransome/Crypto-ware: Drive Shares:

                    So one of the protections would be to implement snapshots on those shared drives. It's fairly easy to do and, surprisingly, doesn't use that much disk space in modern Windows server versions.

                    I haven't used Snaps in Windows - are you talking about Shadow copy? or VM style snaps?

                    ShadowCopy is the only one in Windows. VM snaps are just platform aware block storage snaps and cannot be done from an OS.

                    Dashrender (replying to scottalanmiller):

                      @scottalanmiller said in Battling Ransome/Crypto-ware: Drive Shares:

                      ShadowCopy is the only one in Windows. VM snaps are just platform aware block storage snaps and cannot be done from an OS.

                      Cool - I just wasn't sure if Server 2016 for example had introduced a VM style snap of their volumes.
                      Thanks.

                      scottalanmiller (replying to Dashrender):

                        @dashrender said in Battling Ransome/Crypto-ware: Drive Shares:

                        Cool - I just wasn't sure if Server 2016 for example had introduced a VM style snap of their volumes.
                        Thanks.

                        Not that I am aware of.

                        Reid Cooper:

                          Pretty sure that ShadowCopy is still time only.

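The shadow-copy thread above raises three operational questions: how much diff-area space the snapshots get (coliver and Mike Davis), whether they are time-based or change-based (Dashrender, coliver, Reid Cooper), and how a user actually gets a "Previous Version" back. The block below is an added example written for this page, not a poster's code: run elevated on the file server under Windows PowerShell 5.1, it sizes the shadow storage, takes a snapshot through the same WMI class the Shadow Copies dialog uses, schedules one every hour (time-based, which is the only trigger VSS offers), and then builds the SMB paths under which each snapshot is visible to clients. The volume D:, share name Data, 25% storage cap and hourly interval are assumptions to replace with your own.

```powershell
# Added example (editor's code, not from the thread): sizing and scheduling
# Shadow Copies of Shared Folders on a Windows file server, then reading a
# previous version over SMB the way a client would. Run elevated on the file
# server under Windows PowerShell 5.1.
# ASSUMPTIONS (replace for your environment): shared data lives on D:, the
# share is named 'Data', snapshots run hourly, the diff area gets 25%.
$Volume = 'D:'
$Share  = 'Data'
$Server = $env:COMPUTERNAME

# 1. Diff area. VSS discards the OLDEST shadow copies when this fills up, so a
#    mass rewrite (an encryption run) evicts the clean copies first. Size it
#    for a full rewrite of the volume's live data, not for normal churn.
vssadmin list shadowstorage /for=$Volume
vssadmin resize shadowstorage /for=$Volume /on=$Volume /maxsize=25%

# 2. Take a snapshot now. Win32_ShadowCopy.Create works on client and server
#    SKUs; 'ClientAccessible' is the context that appears as Previous Versions.
function New-ShareSnapshot {
    param([string]$VolumeRoot = "$Volume\")
    $r = ([wmiclass]'root\cimv2:Win32_ShadowCopy').Create($VolumeRoot, 'ClientAccessible')
    if ($r.ReturnValue -ne 0) { throw "Shadow copy failed, return code $($r.ReturnValue)" }
    Get-WmiObject Win32_ShadowCopy -Filter "ID='$($r.ShadowID)'"
}

# 3. Schedule it. VSS has no on-modify trigger; the interval IS the recovery
#    point objective. Hourly here, versus the 7:00 and 12:00 weekday default
#    the Shadow Copies dialog configures.
$action = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument (
    "-NoProfile -Command `"([wmiclass]'root\cimv2:Win32_ShadowCopy').Create('$Volume\','ClientAccessible')`"")
$trigger = New-ScheduledTaskTrigger -Once -At (Get-Date).Date `
    -RepetitionInterval (New-TimeSpan -Hours 1) -RepetitionDuration ([TimeSpan]::MaxValue)
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -RunLevel Highest
Register-ScheduledTask -TaskName "ShadowCopy $Volume hourly" -Action $action `
    -Trigger $trigger -Principal $principal -Force | Out-Null

# 4. What a client sees. Each ClientAccessible snapshot of the share's volume
#    is reachable under the share as an @GMT-yyyy.MM.dd-HH.mm.ss pseudo-folder
#    (UTC), which is what the Previous Versions tab reads.
function Get-PreviousVersionPaths {
    param([string]$ServerName = $Server, [string]$ShareName = $Share, [string]$DriveLetter = $Volume)
    $vol = Get-WmiObject Win32_Volume -Filter "DriveLetter='$DriveLetter'"
    Get-WmiObject Win32_ShadowCopy |
        Where-Object { $_.VolumeName -eq $vol.DeviceID -and $_.ClientAccessible } |
        ForEach-Object {
            $t = [Management.ManagementDateTimeConverter]::ToDateTime($_.InstallDate).ToUniversalTime()
            "\\$ServerName\$ShareName\@GMT-$($t.ToString('yyyy.MM.dd-HH.mm.ss'))"
        }
}

New-ShareSnapshot | Select-Object ID, InstallDate
Get-PreviousVersionPaths | ForEach-Object {
    # A pre-infection path that still lists the original files is the recovery point.
    [pscustomobject]@{ Snapshot = $_; Reachable = Test-Path -LiteralPath $_ }
}
```

Two caveats for using this against cryptoware. First, because eviction is oldest-first, an undersized diff area means the encryption run itself can push the clean snapshots out, which is the partial-recovery situation Mike Davis describes; the storage cap, not the schedule, decides that. Second, the snapshots live on the file server, so an infected workstation acting as a share user cannot remove them, but anything with administrator rights on the server can with one `vssadmin delete shadows /all` (a routine step in current ransomware), so keep admin-level accounts off day-to-day logons and treat shadow copies as a convenience layer in front of real, offline backups rather than a substitute for them.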