Battling Ransome/Crypto-ware: Drive Shares
-
So one of the protections would be to implement snapshots on those shared drives. It's fairly easy to do and, surprisingly, doesn't use that much disk space in modern Windows server versions.
Another, although it may or may not be viable, would be to move to some other type of storage method. NextCloud, Sharepoint, Alfresco, all of these have ample protection against Ransomware if they are used in the correct way.
-
@coliver said in Battling Ransome/Crypto-ware: Drive Shares:
So one of the protections would be to implement snapshots on those shared drives. It's fairly easy to do and, surprisingly, doesn't use that much disk space in modern Windows server versions.
Snapshots don't take up much space under normal operations. When the entire file changes, such as when it's encrypted, you're writing a lot of changes and usually it runs out of space so you can recover some stuff, but not all your stuff.
-
@mike-davis said in Battling Ransome/Crypto-ware: Drive Shares:
@coliver said in Battling Ransome/Crypto-ware: Drive Shares:
So one of the protections would be to implement snapshots on those shared drives. It's fairly easy to do and, surprisingly, doesn't use that much disk space in modern Windows server versions.
Snapshots don't take up much space under normal operations. When the entire file changes, such as when it's encrypted, you're writing a lot of changes and usually it runs out of space so you can recover some stuff, but not all your stuff.
Not sure how Snapshots would be unable to recover in this instance. Once the disk is full the encryption will fail to write to it.
-
@gjacobse said in Battling Ransome/Crypto-ware: Drive Shares:
There is a growing shift of practices to battle ransomware which looks for other drives to munch on, by not mapping network shares, the ransomware doesn't have anyplace to jump to, and therefore is isolated to the single computer it managed to get attached to - at least in theory and until they are written to start doing a blind search across the network for open ports / shares
But hasn't ransomware already been doing this for some time?
-
Not mapping drives is really just an attempt at security through obscurity. The actual technology hasn't changed, the access hasn't change. All that has changed is where the share is listed.
-
@mike-davis said in Battling Ransome/Crypto-ware: Drive Shares:
@coliver said in Battling Ransome/Crypto-ware: Drive Shares:
So one of the protections would be to implement snapshots on those shared drives. It's fairly easy to do and, surprisingly, doesn't use that much disk space in modern Windows server versions.
Snapshots don't take up much space under normal operations. When the entire file changes, such as when it's encrypted, you're writing a lot of changes and usually it runs out of space so you can recover some stuff, but not all your stuff.
In theory, what would fail in that case would be the snapshot of the encryption and the healthy recovery snapshots would still be there unaffected.
-
@coliver said in Battling Ransome/Crypto-ware: Drive Shares:
So one of the protections would be to implement snapshots on those shared drives. It's fairly easy to do and, surprisingly, doesn't use that much disk space in modern Windows server versions.
I haven't used Snaps in Windows - are you talking about Shadow copy? or VM style snaps?
-
@dashrender said in Battling Ransome/Crypto-ware: Drive Shares:
@coliver said in Battling Ransome/Crypto-ware: Drive Shares:
So one of the protections would be to implement snapshots on those shared drives. It's fairly easy to do and, surprisingly, doesn't use that much disk space in modern Windows server versions.
I haven't used Snaps in Windows - are you talking about Shadow copy? or VM style snaps?
They use the Shadow copy subsystem. They are called "Previous Versions" by Windows. IIRC they are very similar to LVM snapshots, because that's what they copied from, and do differential snaps on a file update.
-
Yeah I agree with @StrongBad, this article is a bit late. The malware is already seeking out non mapped network shares that the user account has access to.
Also, if you're going to change a user's workflow like this, why not go all the way and move to something like SharePoint or NextCloud as mentioned by @coliver. These solutions probably offer the single best defense outside of backups against cryptoware.
It's best when integrated directly inside the applications themselves, and not something provided by the OS. In other words, you can use WebDav to map a network drive to NextCloud (and probably SharePoint as well), but then you're just opening these solutions up exactly the same as a traditional network drive.
But, if you integrate the storage directly into Word/Excel/Outlook, etc, like SharePoint does, then the malware has to learn how to work through these applications to do their work.
-
@coliver said in Battling Ransome/Crypto-ware: Drive Shares:
@dashrender said in Battling Ransome/Crypto-ware: Drive Shares:
@coliver said in Battling Ransome/Crypto-ware: Drive Shares:
So one of the protections would be to implement snapshots on those shared drives. It's fairly easy to do and, surprisingly, doesn't use that much disk space in modern Windows server versions.
I haven't used Snaps in Windows - are you talking about Shadow copy? or VM style snaps?
They use the Shadow copy subsystem. They are called "Previous Versions" by Windows. IIRC they are very similar to LVM snapshots, because that's what they copied from, and do differential snaps on a file update.
OK, I haven't used these very much - though the last time I did, they were time based, not change based (is that still the case?) I'm not sure if an initial snap is taken after a file is added or not, so that's another thing to be concerned about.
-
@dashrender said in Battling Ransome/Crypto-ware: Drive Shares:
@coliver said in Battling Ransome/Crypto-ware: Drive Shares:
@dashrender said in Battling Ransome/Crypto-ware: Drive Shares:
@coliver said in Battling Ransome/Crypto-ware: Drive Shares:
So one of the protections would be to implement snapshots on those shared drives. It's fairly easy to do and, surprisingly, doesn't use that much disk space in modern Windows server versions.
I haven't used Snaps in Windows - are you talking about Shadow copy? or VM style snaps?
They use the Shadow copy subsystem. They are called "Previous Versions" by Windows. IIRC they are very similar to LVM snapshots, because that's what they copied from, and do differential snaps on a file update.
OK, I haven't used these very much - though the last time I did, they were time based, not change based (is that still the case?) I'm not sure if an initial snap is taken after a file is added or not, so that's another thing to be concerned about.
I'd have to look again. It may very well be time based, could of sworn they had a on-modify switch.
-
@dashrender said in Battling Ransome/Crypto-ware: Drive Shares:
@coliver said in Battling Ransome/Crypto-ware: Drive Shares:
So one of the protections would be to implement snapshots on those shared drives. It's fairly easy to do and, surprisingly, doesn't use that much disk space in modern Windows server versions.
I haven't used Snaps in Windows - are you talking about Shadow copy? or VM style snaps?
ShadowCopy is the only one in Windows. VM snaps are just platform aware block storage snaps and cannot be done from an OS.
-
@scottalanmiller said in Battling Ransome/Crypto-ware: Drive Shares:
@dashrender said in Battling Ransome/Crypto-ware: Drive Shares:
@coliver said in Battling Ransome/Crypto-ware: Drive Shares:
So one of the protections would be to implement snapshots on those shared drives. It's fairly easy to do and, surprisingly, doesn't use that much disk space in modern Windows server versions.
I haven't used Snaps in Windows - are you talking about Shadow copy? or VM style snaps?
ShadowCopy is the only one in Windows. VM snaps are just platform aware block storage snaps and cannot be done from an OS.
Cool - I just wasn't sure if Server 2016 for example had introduced a VM style snap of their volumes.
Thanks. -
@dashrender said in Battling Ransome/Crypto-ware: Drive Shares:
@scottalanmiller said in Battling Ransome/Crypto-ware: Drive Shares:
@dashrender said in Battling Ransome/Crypto-ware: Drive Shares:
@coliver said in Battling Ransome/Crypto-ware: Drive Shares:
So one of the protections would be to implement snapshots on those shared drives. It's fairly easy to do and, surprisingly, doesn't use that much disk space in modern Windows server versions.
I haven't used Snaps in Windows - are you talking about Shadow copy? or VM style snaps?
ShadowCopy is the only one in Windows. VM snaps are just platform aware block storage snaps and cannot be done from an OS.
Cool - I just wasn't sure if Server 2016 for example had introduced a VM style snap of their volumes.
Thanks.Not that I am aware of.
-
Pretty sure that ShadowCopy is still time only.