Defeating CryptoLocker Attacks with ZFS

OpenZFS

Plextec is a Canadian managed services provider that uses FreeNAS exclusively to provide Windows and GNU/Linux virtual servers to over 200 companies using XenServer. I spoke with Plextec CTO Todd Ladouceur about how Plextec routinely defeats CryptoLocker ransomware attacks with ZFS and FreeNAS.

Michael: Todd, what are CryptoLocker attacks?

Todd: CryptoLocker attacks are a category of clever yet nefarious personal computer malware that infects a PC via a tantalizing email message or link and silently encrypts your local disks and any network shares you are connected to. When finished encrypting, the malware holds your data for ransom, giving you on average three days to make a decision between paying the ransom or having your data destroyed forever. Organizations of all sizes have been hit by these “ransomware” attacks including police departments and hospitals and an early estimate put the damages at $30 million. The worst situation we have seen was when a user got infected on a Friday afternoon while catching up on email and dreaming about the weekend. The CryptoLocker malware took hold and had all weekend to encrypt every network share their system was connected to plus their local drive, wreaking havoc across the organization.

Michael: Can you stop CryptoLocker attacks with antivirus software?

Todd: Just about every antivirus vendor has a fix for the various CryptoLocker attacks but they simply can’t keep up with how quickly CryptoLocker attacks evolve. The organizations behind them are obviously well-funded and because the malware uses encryption, removing it does nothing to restore your data. In fact, to remove the malware could result in the instant loss of all your data because it is the one known tool that can decrypt it. Unfortunately, many CryptoLocker attacks attempt to destroy your backups on services like Dropbox or in Windows Shadow Copies.

Michael: What role does ZFS play in combating CryptoLocker attacks?

Todd: We share FreeNAS-backed virtual machine images to our XenServer hosts over NFS and snapshot each VM’s dataset on a 30-minute and hourly basis with a retention of one week for the 30-minute ones and one month for the hourly ones. We then replicate these snapshots to one or two additional FreeNAS servers. When a virtual machine is hit with CryptoLocker, we step through the snapshots on one of the replica systems until we find a point in time just before the attack. We clone the known-good snapshot and share it back to XenServer. We make sure the VM passes all of our quality checks and performs as expected, and then copy it back to the primary server through XenCenter. We could just roll back the primary system but this strategy allows us to preserve the compromised VM for a few days for forensic purposes.

Michael: How long does the restoration process take?

Todd: On average we can get a Windows server back in production with full validation in under two hours. In a pinch we could simply roll back the primary server but we prefer to maintain that extra layer of accountability. With ZFS we know our replicas are bit-for-bit identical to the originals so we do not hesitate in relying on them. A recovery from tape or an online provider would cost a fortune in time, money or both, and would not provide the assurances that ZFS gives us.

Michael: Are CryptoLocker attacks common?

Todd: They are way too common. We have had over ten clients hit with CryptoLocker malware and some of them multiple times. Some would easily be out of business because of it and I hate to think what would happen to us as their IT provider. The threat is real and ever evolving. We constantly revise how we can recover from CryptoLocker attacks more quickly and also educate our clients about how to protect themselves from these and other attacks. We have read about blocking CryptoLocker attacks with group policies and administrative controls but there is no way these steps can keep up with the ever-evolving threat.

Michael: Do you think FreeNAS and TrueNAS are safe from CryptoLocker attacks?

Todd: Absolutely. CryptoLocker attacks work on the file level rather than the block level, keeping our virtual machine images immune as long as you snapshot them regularly and retain enough snapshots to return to a point in time before the attack. To be vulnerable you would have to share your whole VM store over NFS to a compromised Windows client but even then the snapshots would still bring you back to safety because they are at the block level.

Basically, CryptoLocker is a joke with ZFS.

Todd Ladouceur
CTO, Plextec

For more information on FreeNAS Certified and TrueNAS storage systems, visit www.ixsystems.com/truenas or call 1-855-GREP-4-IX.
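The snapshot, replicate and clone-from-replica steps Todd describes above, written out as plain zfs(8) commands. This is an added example, not Plextec’s or iXsystems’ code, and every name in it is an assumption: pool tank, VM dataset tree tank/vms, replica host replica.example.net receiving into backup/vms, a backup/restore dataset that holds clones, the 10.0.0.0/24 hypervisor network, and snapshot names of the form auto-YYYYMMDD.HHMM-1w or -1m in the style of FreeNAS 9’s periodic snapshot task. The piece worth keeping is last_good_snapshot, which picks the newest periodic snapshot taken strictly before the time you believe the infection started, and refuses to pick anything if no such snapshot exists.

```shell
#!/bin/sh
# Added example (not Plextec's or iXsystems' code): snapshot / replicate /
# clone-from-replica workflow from the interview as zfs(8) commands.
# All names are hypothetical: pool "tank", VM tree "tank/vms", replica host
# "replica.example.net" receiving into "backup/vms", clones under
# "backup/restore", snapshot names auto-YYYYMMDD.HHMM-<retention> in the
# style of FreeNAS 9 (auto-20160311.1430-1w = 30-minute task, 1-week retention).
# Set ZFS=echo / SSH=echo to print the commands instead of running them.
ZFS=${ZFS:-zfs}
SSH=${SSH:-ssh}

# Recursive snapshot of every VM dataset; $1 is the retention tag (1w or 1m).
snapshot_vms() {
    stamp=$(date +%Y%m%d.%H%M)
    $ZFS snapshot -r "tank/vms@auto-$stamp-$1"
}

# Incremental replication: send every snapshot between the newest one the
# replica already has ($1, e.g. @auto-20160311.1400-1w) and the newest local
# one ($2). -R carries the whole tree; -F makes the replica match the sender.
replicate_vms() {
    $ZFS send -R -I "$1" "tank/vms@$2" | $SSH replica.example.net "zfs receive -F backup/vms"
}

# Read "dataset@snapshot" names on stdin (as printed by
# "zfs list -H -o name -t snapshot -r backup/vms/<vm>") and print the newest
# periodic snapshot taken strictly before $1, a YYYYMMDD.HHMM cutoff: the last
# moment you are sure the VM was still clean. Returns 1 if none qualifies.
last_good_snapshot() {
    cutoff=$(printf '%s' "$1" | tr -d .)     # 20160311.1415 -> 201603111415
    best=""
    best_ts=0
    while IFS= read -r snap; do
        case $snap in
            *@auto-[0-9]*) ;;                # periodic snapshot
            *) continue ;;                   # manual or other snapshot: skip
        esac
        ts=${snap#*@auto-}                   # 20160311.1400-1m
        ts=${ts%-*}                          # 20160311.1400
        ts=$(printf '%s' "$ts" | tr -d .)    # 201603111400
        # Zero-padded, most-significant-first stamps compare as integers.
        if [ "$ts" -lt "$cutoff" ] && [ "$ts" -gt "$best_ts" ]; then
            best=$snap
            best_ts=$ts
        fi
    done
    [ -n "$best" ] || return 1
    printf '%s\n' "$best"
}

# Clone the known-good snapshot on the replica (writable, no data copied) and
# export it over NFS so the XenServer host can boot it for validation. The
# compromised dataset on the primary is never touched, which keeps it for
# forensics. The clone lives outside the replicated tree so the next
# "zfs receive -F" does not destroy it. The sharenfs value is exports(5)
# syntax as FreeBSD's zfs(8) takes it; on FreeNAS you would add the share in
# the UI instead.
restore_clone() {
    snap=$1                                  # backup/vms/win-fs01@auto-20160311.1400-1m
    ds=${snap%@*}                            # backup/vms/win-fs01
    clone=backup/restore/${ds##*/}           # backup/restore/win-fs01
    $ZFS clone "$snap" "$clone"
    $ZFS set sharenfs="-maproot=root -network 10.0.0.0/24" "$clone"
    printf '%s\n' "$clone"
}

# Usage on the primary, every 30 minutes from cron:
#   snapshot_vms 1w
#   replicate_vms @auto-20160311.1400-1w auto-20160311.1430-1w
# Recovery on the replica, once you know roughly when the infection began:
#   good=$(zfs list -H -o name -t snapshot -r backup/vms/win-fs01 | last_good_snapshot 20160311.1415)
#   restore_clone "$good"
```

Once the clone boots and passes validation it can be copied back to the primary, as Todd describes; the original dataset and all its snapshots stay intact on both systems in the meantime. The cutoff is deliberately compared with "strictly before": a snapshot taken at the very minute the user opened the attachment may already contain encrypted files, so the one before it is the safer starting point.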

5 Comments

  1. TrevorX

    Calling this “Defeating CryptoLocker with ZFS” is rather disingenuous. What you’re really doing is ensuring you have sufficient granularity of backups that you can go pretty much within a half hour window of when an attack commenced and reliably roll back to that point, because of VM snapshots. Sure, the NAS is obviously an important part of the equation, but running a virtualised environment is the main strength here. ZFS is really not doing anything special beyond what it usually does – provide 100% confidence in data reliability. But it is a huge stretch to say it is the crux of the solution; it simply isn’t, and pretty much exactly the same recovery safeguard could be implemented without it.

    • Michael Dexter

      Because the CryptoLocker attacks are constantly evolving and do not require administrative privileges, there is no guaranteed means of preventing such attacks, but there is a proven remedy. This remedy extends beyond VM snapshots to file shares and, given how many CryptoLocker-style attacks go after backups such as those on Dropbox, this is still one of the best options available.

    • Carlos

      ZFS is as important to the equation as the VM:

      “ZFS is really not doing anything special beyond what it usually does – provide 100% confidence in data reliability”

      should be:

      ZFS is really not doing anything special beyond what it usually does – provide 100% confidence in data reliability and SNAPSHOTS

      The key being that CryptoLocker attacks work at the file system level and not on the block level (which is how ZFS stores its snapshots)

  2. Reese Frier

    Looking to learn more about ZFS and how it can help our business.

    • Michael Dexter

      Feel free to contact sales@ixsystems.com and the Michael Lucas and Allan Jude webinar describes quite a few other benefits.

