Defeating CryptoLocker Attacks with ZFS

OpenZFS

Plextec is a Canadian managed services provider that uses FreeNAS exclusively to provide Windows and GNU/Linux virtual servers to over 200 companies using XenServer. I spoke with Plextec CTO Todd Ladouceur about how Plextec routinely defeats CryptoLocker ransomware attacks with ZFS and FreeNAS.

Michael: Todd, what are CryptoLocker attacks?

Todd: CryptoLocker attacks are a category of clever yet nefarious personal computer malware that infects a PC via a tantalizing email message or link and silently encrypts your local disks and any network shares you are connected to. When finished encrypting, the malware holds your data for ransom, giving you on average three days to make a decision between paying the ransom or having your data destroyed forever. Organizations of all sizes have been hit by these “ransomware” attacks, including police departments and hospitals, and an early estimate put the damages at $30 million. The worst situation we have seen was when a user got infected on a Friday afternoon while catching up on email and dreaming about the weekend. The CryptoLocker malware took hold and had all weekend to encrypt every network share their system was connected to plus their local drive, wreaking havoc across the organization.

Michael: Can you stop CryptoLocker attacks with antivirus software?

Todd: Just about every antivirus vendor has a fix for the various CryptoLocker attacks but they simply can’t keep up with how quickly CryptoLocker attacks evolve. The organizations behind them are obviously well-funded and because the malware uses encryption, removing it does nothing to restore your data. In fact, to remove the malware could result in the instant loss of all your data because it is the one known tool that can decrypt it. Unfortunately, many CryptoLocker attacks attempt to destroy your backups on services like DropBox or in Windows Shadow Copies.

Michael: What role does ZFS play in combating CryptoLocker attacks?

Todd: We share FreeNAS-backed virtual machine images to our XenServer hosts over NFS and snapshot each VM’s dataset on a 30-minute and hourly basis with a retention of one week for the 30-minute ones and one month for the hourly ones. We then replicate these snapshots to one or two additional FreeNAS servers. When a virtual machine is hit with CryptoLocker, we step through the snapshots on one of the replica systems until we find a point in time just before the attack. We clone the known-good snapshot and share it back to XenServer. We make sure the VM passes all of our quality checks and performs as expected, and then copy it back to the primary server through the XenCenter. We could just roll back the primary system but this strategy allows us to preserve the compromised VM for a few days for forensic purposes.

Michael: How long does the restoration process take?

Todd: On average we can get a Windows server back in production with full validation in under two hours. In a pinch we could simply roll back the primary server but we prefer to maintain that extra layer of accountability. With ZFS we know our replicas are bit-for-bit identical to the originals so we do not hesitate in relying on them. A recovery from tape or an online provider would cost a fortune in time, money or both, and would not provide the assurances that ZFS gives us.

Michael: Are CryptoLocker attacks common?

Todd: They are way too common. We have had over ten clients hit with CryptoLocker malware and some of them multiple times. Some would easily be out of business because of it and I hate to think what would happen to us as their IT provider. The threat is real and ever evolving. We constantly revise how we can recover from CryptoLocker attacks more quickly and also educate our clients about how to protect themselves from these and other attacks. We have read about blocking CryptoLocker attacks with group policies and administrative controls but there is no way these steps can keep up with the ever-evolving threat.

Michael: Do you think FreeNAS and TrueNAS are safe from CryptoLocker attacks?

Todd: Absolutely. CryptoLocker attacks work on the file level rather than the block level, keeping our virtual machine images immune as long as you snapshot them regularly and retain enough snapshots to return to a point in time before the attack. To be vulnerable you would have to share your whole VM store over NFS to a compromised Windows client but even then the snapshots would still bring you back to safety because they are at the block level.

Basically, CryptoLocker is a joke with ZFS.

Todd Ladouceur
CTO, Plextec
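The recovery step Todd describes (find the newest replica snapshot from before the infection, clone it, share the clone back to the XenServer hosts) as an added example; this is not Plextec's own tooling. It assumes FreeNAS-style `auto-YYYYMMDD.HHMM-<retention>` snapshot names, a constructed snapshot listing in place of real `zfs list` output, and it prints the `zfs` commands rather than running them so the operator can review the plan first.

```shell
#!/bin/sh
# Constructed sample of `zfs list -H -t snapshot -o name` output on a replica
# FreeNAS box: 30-minute snapshots kept 1 week (-1w), hourly kept 1 month (-1m),
# plus one manual snapshot that does not follow the auto-naming scheme.
SAMPLE_SNAPSHOTS='replica/vms/win-fs01@auto-20160311.1200-1m
replica/vms/win-fs01@pre-upgrade
replica/vms/win-fs01@auto-20160311.1430-1w
replica/vms/win-fs01@auto-20160311.1500-1w
replica/vms/win-fs01@auto-20160311.1530-1w
replica/vms/win-fs01@auto-20160311.1600-1m'

# snap_key NAME: reduce an auto-snapshot name to a sortable YYYYMMDDHHMM key.
# Prints nothing for names that are not periodic auto-snapshots.
snap_key() {
    printf '%s\n' "$1" |
        sed -n 's/^.*@auto-\([0-9]\{8\}\)\.\([0-9]\{4\}\)-.*$/\1\2/p'
}

# pick_snapshot CUTOFF: read snapshot names from stdin and print the newest one
# taken strictly before CUTOFF (YYYYMMDDHHMM, the time the infection began).
# Prints an empty line when no snapshot predates the cutoff, i.e. retention
# was too short to reach back before the attack.
pick_snapshot() {
    cutoff=$1
    best=""
    best_key=""
    while IFS= read -r snap; do
        key=$(snap_key "$snap")
        [ -n "$key" ] || continue                 # skip manual/non-auto snapshots
        [ "$key" -lt "$cutoff" ] || continue      # must predate the infection
        if [ -z "$best_key" ] || [ "$key" -gt "$best_key" ]; then
            best=$snap
            best_key=$key
        fi
    done
    printf '%s\n' "$best"
}

# restore_plan SNAPSHOT CLONE: print the commands that clone the known-good
# snapshot on the replica and export the clone over NFS for XenServer.
# The clone leaves the original snapshot and the compromised VM untouched for
# forensics; NFS export options (maproot, allowed networks) are site-specific.
restore_plan() {
    printf 'zfs clone %s %s\n' "$1" "$2"
    printf 'zfs set sharenfs=on %s\n' "$2"
}
```

Run `printf '%s\n' "$SAMPLE_SNAPSHOTS" | pick_snapshot 201603111515` to pick the 15:00 snapshot for an infection first seen at 15:15, then feed the result to `restore_plan` to see the clone and share commands before executing anything.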

For more information on FreeNAS Certified and TrueNAS storage systems, visit www.ixsystems.com/truenas or call 1-855-GREP-4-IX.