While on the topic of ransomware...
-
@guyinpv said in While on the topic of ransomware...:
@DustinB3403 said in While on the topic of ransomware...:
@guyinpv said in While on the topic of ransomware...:
This is why I'm wondering, why couldn't there be a way to have a network drive, or even a local drive, that is simply a protected entity and only certain programs can unlock and access, such as the backup software?
Double-click drive "F" and up pops a login screen. Simple right? It would allow the user and backup tools to access but, presumably, would be much harder for malware to figure out.
AetherStore.
Nice tech.
Seems like it just creates what amounts to a "normal" drive though. Still vulnerable?
Only to a single system that would have the share mounted. So you'd simply have to protect that 1 system. But I'll let @Rob answer those questions.
-
I really think all that ransomware stuff only matters if a SOHO (or worse) Windows place with bad configuration is in place.
Just one simple scenario that cannot be affected by the ransomware I've seen as of today: the smallest physical server you can imagine (2 cores, 4 GB RAM), with a CentOS VM on top of Xen (remote exploits of Xen are VERY rare and immediately patched), using rsnapshot that PULLS the data to the local storage of the CentOS VM.
The CentOS VM can be made completely inaccessible from the network in ANY way, totally disabling ssh and blocking every connection with SELinux, iptables and TCP wrappers all together.
The same for the Xen dom0 (usually CentOS, too), so the only way to interact with the backup VM will be to console-login the physical server, then console-login to the VM from "xl console". If you know a ransomware that can deal with physical access, Xen, CentOS and at least two long random passwords (Xen AND CentOS VM), please tell me so.
All this stuff is free software, not a fancy or expensive anti-ransomware solution, just solid design and good software.
-
The idea of the backup software "pulling in" the backups is an interesting idea. No real inbound connection possible. The traditional "backup software", whatever that is, would just have to prepare the backup beforehand. Or the backup server would have to get full access to everything that needs backing up.
[In the context of this discussion, I'm really talking about backup solutions for plain old Windows boxes]
-
@guyinpv said in While on the topic of ransomware...:
@DustinB3403 said in While on the topic of ransomware...:
@guyinpv said in While on the topic of ransomware...:
This is why I'm wondering, why couldn't there be a way to have a network drive, or even a local drive, that is simply a protected entity and only certain programs can unlock and access, such as the backup software?
Double-click drive "F" and up pops a login screen. Simple right? It would allow the user and backup tools to access but, presumably, would be much harder for malware to figure out.
AetherStore.
Nice tech.
Seems like it just creates what amounts to a "normal" drive though. Still vulnerable?
Yes, you still have to secure it as well. The storage can't be read by the malware on the machines it infects but it can be encrypted.
-
@guyinpv said in While on the topic of ransomware...:
The idea of the backup software "pulling in" the backups is an interesting idea. No real inbound connection possible. The traditional "backup software", whatever that is, would just have to prepare the backup beforehand. Or the backup server would have to get full access to everything that needs backing up.
[In the context of this discussion, I'm really talking about backup solutions for plain old Windows boxes]
Right, so for Windows, for example, backup might be handled by a combination of Veeam Endpoint Protection (I'm at VeeamOn) and some PowerShell. Use Veeam to make a locally held backup. Then reach "in" with PowerShell or SSH and pull it out to someplace safe.
-
@Francesco-Provino said in While on the topic of ransomware...:
I really think all that ransomware stuff only matters if a SOHO (or worse) Windows place with bad configuration is in place.
Just one simple scenario that cannot be affected by the ransomware I've seen as of today: the smallest physical server you can imagine (2 cores, 4 GB RAM), with a CentOS VM on top of Xen (remote exploits of Xen are VERY rare and immediately patched), using rsnapshot that PULLS the data to the local storage of the CentOS VM.
The CentOS VM can be made completely inaccessible from the network in ANY way, totally disabling ssh and blocking every connection with SELinux, iptables and TCP wrappers all together.
The same for the Xen dom0 (usually CentOS, too), so the only way to interact with the backup VM will be to console-login the physical server, then console-login to the VM from "xl console". If you know a ransomware that can deal with physical access, Xen, CentOS and at least two long random passwords (Xen AND CentOS VM), please tell me so.
All this stuff is free software, not a fancy or expensive anti-ransomware solution, just solid design and good software.
Yes, modern system administration protects systems at the system level. It's LAN-based file sharing that is the key point of vulnerability if people keep that stuff.
-
@scottalanmiller said in While on the topic of ransomware...:
@guyinpv said in While on the topic of ransomware...:
The idea of the backup software "pulling in" the backups is an interesting idea. No real inbound connection possible. The traditional "backup software", whatever that is, would just have to prepare the backup beforehand. Or the backup server would have to get full access to everything that needs backing up.
[In the context of this discussion, I'm really talking about backup solutions for plain old Windows boxes]
Right, so for Windows, for example, backup might be handled by a combination of Veeam Endpoint Protection (I'm at VeeamOn) and some PowerShell. Use Veeam to make a locally held backup. Then reach "in" with PowerShell or SSH and pull it out to someplace safe.
What does the locally held backup look like? Is it generating something along the lines of a giant compressed, encrypted, single file?
How long would that take, to essentially "zip up" a large user profile into a single file? Let's say about 1TB. Are these incremental backups I would suspect?
-
@guyinpv said in While on the topic of ransomware...:
@scottalanmiller said in While on the topic of ransomware...:
@guyinpv said in While on the topic of ransomware...:
The idea of the backup software "pulling in" the backups is an interesting idea. No real inbound connection possible. The traditional "backup software", whatever that is, would just have to prepare the backup beforehand. Or the backup server would have to get full access to everything that needs backing up.
[In the context of this discussion, I'm really talking about backup solutions for plain old Windows boxes]
Right, so for Windows, for example, backup might be handled by a combination of Veeam Endpoint Protection (I'm at VeeamOn) and some PowerShell. Use Veeam to make a locally held backup. Then reach "in" with PowerShell or SSH and pull it out to someplace safe.
What does the locally held backup look like? Is it generating something along the lines of a giant compressed, encrypted, single file?
How long would that take, to essentially "zip up" a large user profile into a single file? Let's say about 1TB. Are these incremental backups I would suspect?
The same time it would take the application to push it out to a share.
So it does not matter.
-
@guyinpv said in While on the topic of ransomware...:
@scottalanmiller said in While on the topic of ransomware...:
@guyinpv said in While on the topic of ransomware...:
The idea of the backup software "pulling in" the backups is an interesting idea. No real inbound connection possible. The traditional "backup software", whatever that is, would just have to prepare the backup beforehand. Or the backup server would have to get full access to everything that needs backing up.
[In the context of this discussion, I'm really talking about backup solutions for plain old Windows boxes]
Right, so for Windows, for example, backup might be handled by a combination of Veeam Endpoint Protection (I'm at VeeamOn) and some PowerShell. Use Veeam to make a locally held backup. Then reach "in" with PowerShell or SSH and pull it out to someplace safe.
What does the locally held backup look like? Is it generating something along the lines of a giant compressed, encrypted, single file?
How long would that take, to essentially "zip up" a large user profile into a single file? Let's say about 1TB. Are these incremental backups I would suspect?
Basically yes. Just a large backup file that you could compress to your heart's content. Could be incremental or full, up to you.
-
@scottalanmiller said in While on the topic of ransomware...:
@guyinpv said in While on the topic of ransomware...:
@scottalanmiller said in While on the topic of ransomware...:
@guyinpv said in While on the topic of ransomware...:
The idea of the backup software "pulling in" the backups is an interesting idea. No real inbound connection possible. The traditional "backup software", whatever that is, would just have to prepare the backup beforehand. Or the backup server would have to get full access to everything that needs backing up.
[In the context of this discussion, I'm really talking about backup solutions for plain old Windows boxes]
Right, so for Windows, for example, backup might be handled by a combination of Veeam Endpoint Protection (I'm at VeeamOn) and some PowerShell. Use Veeam to make a locally held backup. Then reach "in" with PowerShell or SSH and pull it out to someplace safe.
What does the locally held backup look like? Is it generating something along the lines of a giant compressed, encrypted, single file?
How long would that take, to essentially "zip up" a large user profile into a single file? Let's say about 1TB. Are these incremental backups I would suspect?
Basically yes. Just a large backup file that you could compress to your heart's content. Could be incremental or full, up to you.
Not exactly. That is not how Veeam Endpoint Backup works.
It makes a Full backup on day 1.
It makes incrementals until it hits your set max retention value.
Then the next day it makes a new incremental and then merges the oldest incremental back into the full for a new full.
So daily (after the system finally hits the max incremental on local disk) you would be backing up this entire local folder over the wire.
-
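As an added illustration (not code from the thread, and not Veeam's own software), this Python simulation models the retention cycle described in the post above and shows what a nightly pull of the local backup folder has to copy once the chain reaches its retention limit. The file names, sizes and retention value are constructed for the example.

```python
"""Simulate a forward-incremental backup chain: full on day 1, one incremental
per day until the retention limit, then the oldest incremental is merged into
the full each day. Reports which files a nightly pull job would have to copy.
All names and sizes are constructed for illustration."""
from dataclasses import dataclass, field


@dataclass
class BackupChain:
    retention: int      # max incrementals kept on the local disk (constructed)
    full_size: int      # size of the full backup file, in constructed units
    inc_size: int       # size of each incremental file, in constructed units
    day: int = 0
    files: dict = field(default_factory=dict)   # file name -> size on disk

    def run_day(self):
        """Advance one day; return the names of files rewritten or created."""
        self.day += 1
        changed = []
        if self.day == 1:
            self.files["full.vbk"] = self.full_size     # day 1: full backup
            return ["full.vbk"]
        incs = sorted(n for n in self.files if n.endswith(".vib"))
        if len(incs) >= self.retention:
            # Retention hit: oldest incremental is folded into the full, so the
            # full is rewritten in place and must be copied again by the pull.
            del self.files[incs[0]]
            self.files["full.vbk"] = self.full_size
            changed.append("full.vbk")
        name = f"inc{self.day:03d}.vib"                 # today's incremental
        self.files[name] = self.inc_size
        changed.append(name)
        return changed


def simulate(days, retention=7, full_size=1_000_000, inc_size=20_000):
    """Return (day, files_to_copy, bytes_to_copy, files_on_disk) per day."""
    chain = BackupChain(retention, full_size, inc_size)
    report = []
    for _ in range(days):
        changed = chain.run_day()
        transfer = sum(chain.files[n] for n in changed)
        report.append((chain.day, changed, transfer, len(chain.files)))
    return report


if __name__ == "__main__":
    for day, changed, transfer, on_disk in simulate(10):
        print(f"day {day:2d}: copy {changed} ({transfer} units), {on_disk} files on disk")
```

Up to the retention limit the pull only moves one small incremental per night; from the first merge onward it moves the whole rewritten full plus the new incremental every night, which is the cost the post above is pointing at.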
I didn't see anyone talk about preventing Crypto virus from encrypting files. We used AppLocker and it resolved the issue for us; if you are not using an enterprise OS then you can use Software Restriction Policies.
-
@curious_mindz said in While on the topic of ransomware...:
I didn't see anyone talk about preventing Crypto virus from encrypting files. We used AppLocker and it resolved the issue for us; if you are not using an enterprise OS then you can use Software Restriction Policies.
Detaching your backups is how you protect your backups. Sure you could add things like AppLocker, but if you have properly separated systems then you have nothing to worry about.
-
@curious_mindz said in While on the topic of ransomware...:
I didn't see anyone talk about preventing Crypto virus from encrypting files. We used AppLocker and it resolved the issue for us; if you are not using an enterprise OS then you can use Software Restriction Policies.
This discussion is not on preventing crypto. This part of the discussion was on dealing with the backups in a way that they cannot become tainted.