
Massive ransomware attack? You mean I have to type zfs rollback? Oh the horror!


Ericloewe

Not-very-passive-but-aggressive
Moderator
Joined
Feb 15, 2014
Messages
16,252

m0nkey_

Dedicated Sage
Joined
Oct 27, 2015
Messages
2,732
It makes me smile every time I see an organization hit by ransomware. Something like this, while inconvenient, can easily be mitigated by keeping backups (and testing them regularly) and using snapshots, or even, in Windows, file history (previous versions). Considering snapshots on ZFS and file history in Windows are easy to set up on a server, there is no excuse not to do it.

If you haven't already done so, enable snapshots on your FreeNAS box. It may help you avoid this crap in the future.

http://doc.freenas.org/9.10/storage.html#periodic-snapshot-tasks
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
6,315
It makes me smile every time I see an organization hit by ransomware. Something like this, while inconvenient, can easily be mitigated by keeping backups (and testing them regularly) and using snapshots, or even, in Windows, file history (previous versions). Considering snapshots on ZFS and file history in Windows are easy to set up on a server, there is no excuse not to do it.

If you haven't already done so, enable snapshots on your FreeNAS box. It may help you avoid this crap in the future.

http://doc.freenas.org/9.10/storage.html#periodic-snapshot-tasks
Depending on the scale of the systems affected, ZFS snapshots wouldn't be a magic silver bullet. The proper mitigation would have been to apply patches, and do proper systems hardening. The old practice of sitting on updates indefinitely is a huge liability in the present world. I patch immediately then fix problems as they arise. If you go more than 24 hours in a business environment, you're bordering on malpractice... well, that's a little bit of an overstatement. That said, most hospitals aren't in a position to do this. This is probably what it feels like to work IT there:
<stop hitting yourself.gif>

For home users on the other hand, snapshots are an extremely effective risk mitigation strategy.
 

IceBoosteR

Senior Member
Joined
Sep 27, 2016
Messages
503
I agree. Enabling snapshots is a good idea; nevertheless, back up your data frequently and enable snapshots there too, if possible.
 

Ericloewe

Not-very-passive-but-aggressive
Moderator
Joined
Feb 15, 2014
Messages
16,252
This is probably what it feels like to work IT there:
In my experience, they tend to be absolute morons of the kind who will run XP for years after support ends, with no XP patch contract. Either that, or absolute morons of the kind who prevent users from changing monitor options on their laptops, making something as simple as setting up an external monitor require a support call.
 

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,345
making something as simple as setting up an external monitor require a support call.
So you've worked for a government agency before. o_O

NOTHING is user adjustable on our computers.
 

FreeNASftw

Member
Joined
Mar 1, 2015
Messages
107
I'm in the point and laugh camp when it comes to Crypto... the tools to completely mitigate the data loss are free, and of the highly complex tasks that sysadmins are capable of, snapshots and backups can be set up by someone in middle school.
The funny thing for home users is that most of them actually have restore points/file history enabled and working anyway, they just don't know it or how to use it. Of the many individuals I've "recovered" from crypto, I think only twice have I had to do anything even remotely technical.
 

Robert Trevellyan

Pony Wrangler
Joined
May 16, 2014
Messages
3,778
Interesting, I thought ransomware went after file history and restore points too.
 

FreeNASftw

Member
Joined
Mar 1, 2015
Messages
107
Interesting, I thought ransomware went after file history and restore points too.
Depends on the strain; I've only found two cases where the restore points had also been removed and therefore it actually required work to recover. Admittedly, I'm a one-man band; I'm sure bigger shops with much more exposure have different observations.
 

joeschmuck

Old Man
Moderator
Joined
May 28, 2011
Messages
8,275
One of my workers caught some ransomware last year. He could have had an easy recovery with minimal loss if he had been making routine backups, but he wasn't. Now he does. And I'm just a bit surprised that my company IT folks couldn't prevent this from happening in the first place. They shrugged it off and we restored a backup that was almost a year old. Ever since then, besides backing up to a local server, I also back up all my data to a company server. If one gets destroyed, hopefully the other doesn't. Plus, the company server does keep snapshots, so I can go back and pick a date to restore files. My local copy is just a full Acronis backup; I don't have the capacity to keep a lot of backups. The point of this local backup is hard drive failure, so we can easily restore when needed.
 

DrKK

FreeNAS Generalissimo
Joined
Oct 15, 2013
Messages
3,630
It makes me smile every time I see an organization hit by ransomware. Something like this, while inconvenient, can easily be mitigated by keeping backups (and testing them regularly) and using snapshots, or even, in Windows, file history (previous versions). Considering snapshots on ZFS and file history in Windows are easy to set up on a server, there is no excuse not to do it.
I like how you think @m0nkey_ ; you are effectively arguing that this is a bit of technodarwinism in the open marketplace, and that when businesses devote insufficient resources to, or choose badly, their technical employees, then the ransomware h4xors are actually, somewhat unexpectedly, inadvertently performing a service---a prophylaxis, as it were.

I like how you think.
 

Ericloewe

Not-very-passive-but-aggressive
Moderator
Joined
Feb 15, 2014
Messages
16,252
Interesting, I thought ransomware went after file history and restore points too.
Probably, but ZFS snapshots on a FreeBSD server connected via SMB are safe, unless they manage to propagate to the server or otherwise establish a root SSH session to it, which is in the realm of a targeted operation, not some script kiddie wielding ransomware.
 
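The recovery the thread title alludes to (zfs rollback), building on m0nkey_'s periodic-snapshot advice and Ericloewe's point that server-side snapshots stay out of a client-side infection's reach, as an added example that is not from this thread or from FreeNAS: a POSIX sh helper that picks the newest snapshot taken before the infection's onset time and prints the recovery commands for an operator to review. The dataset names, snapshot names and timestamps are constructed sample data, not real output.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeNAS. Finds the newest ZFS
# snapshot taken before a ransomware onset time and prints the recovery steps.
# Real input comes from `zfs list -H -p -t snapshot -d 1 -o name,creation DATASET`
# (one "name creation_epoch" pair per line); the listing below is constructed.

SAMPLE_SNAPSHOTS='tank/shares/finance@auto-2017-05-12_00-00 1494547200
tank/shares/finance@auto-2017-05-12_06-00 1494568800
tank/shares/finance@auto-2017-05-12_12-00 1494590400
tank/shares/finance@auto-2017-05-12_18-00 1494612000
tank/shares/media@auto-2017-05-12_00-00 1494547200'

# last_clean_snapshot DATASET ONSET_EPOCH [LISTING]
# Echoes the newest snapshot of exactly DATASET (not of child datasets) created
# strictly before ONSET_EPOCH; exits 1 when none qualifies. Without LISTING it
# queries the live zfs command.
last_clean_snapshot() {
    dataset=$1
    onset=$2
    listing=${3:-$(zfs list -H -p -t snapshot -d 1 -o name,creation "$dataset")}
    printf '%s\n' "$listing" | awk -v prefix="${dataset}@" -v onset="$onset" '
        index($1, prefix) == 1 && $2 + 0 < onset + 0 && $2 + 0 > best {
            best = $2 + 0; name = $1
        }
        END { if (name == "") exit 1; print name }'
}

# rollback_plan SNAPSHOT
# Prints the commands for an operator to check and run by hand: zfs diff shows
# what changed since the clean snapshot (encrypted files, ransom notes), and
# zfs rollback -r returns the dataset to that state, discarding newer snapshots.
rollback_plan() {
    snap=$1
    printf 'zfs diff %s %s\n' "$snap" "${snap%@*}"
    printf 'zfs rollback -r %s\n' "$snap"
}

# Demo on the constructed listing: infection noticed at 2017-05-12 14:40 UTC.
if snap=$(last_clean_snapshot tank/shares/finance 1494600000 "$SAMPLE_SNAPSHOTS"); then
    rollback_plan "$snap"
fi
```

Because `zfs rollback -r` destroys the snapshots newer than the target, take a copy of the infected state (for example with `zfs send` of the newest snapshot) before running it if forensics may be needed.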

Arwen

Neophyte Sage
Joined
May 17, 2014
Messages
1,162
On the more serious side, since this latest attack affected hospitals, we have to consider some new things.

Going back in history, the Enron Scandal caused millions of people to be affected, including ones in California. Since it was a felony crime, any deaths could have the felony murder rule applied against the instigators. I think we should have gone after the criminals harder, if deaths occurred. Like jail without bail, and potentially serial killing charges, (if enough people died).

Now today we have ransomware impacting hospitals and patient records. With it being a felony, (based on the amount of extortion), any deaths can have any locally applicable felony murder rules applied. I seriously doubt that any distributors of the ransomware expected to have murder charges against them. But, I would be willing to have my law enforcement agencies go after them pretty hard, IF ANY SINGLE PERSON DIED.
 

danb35

Wizened Sage
Joined
Aug 16, 2011
Messages
11,297
Of course, the felony murder rule varies from jurisdiction to jurisdiction. In most U.S. jurisdictions, it only applies with the commission of a violent felony, not with any felony at all. In the UK, it's been abolished entirely.
 

Arwen

Neophyte Sage
Joined
May 17, 2014
Messages
1,162
Of course, the felony murder rule varies from jurisdiction to jurisdiction. In most U.S. jurisdictions, it only applies with the commission of a violent felony, not with any felony at all. In the UK, it's been abolished entirely.
Thanks for the reminder. Though perhaps in those cases, manslaughter charges could be applied as a second choice.

I am just tired of these massive get-rich schemes that affect millions of people, like the Enron Scandal and this ransomware attack. Step on the people responsible hard enough, and it may reduce the people willing to risk life imprisonment without the possibility of parole. And if warranted, (like violent foreigners), confinement in the Florence SuperMax.
 

FreeNASftw

Member
Joined
Mar 1, 2015
Messages
107
Thanks for the reminder. Though perhaps in those cases, manslaughter charges could be applied as a second choice.

I am just tired of these massive get-rich schemes that affect millions of people, like the Enron Scandal and this ransomware attack.
People are idiots, you're never going to fix that, and you're never going to stop people taking advantage of said idiots.

Step on the people responsible hard enough, and it may reduce the people willing to risk life imprisonment without the possibility of parole.
And what about manslaughter charges for the criminal negligence of allowing such attacks to happen?

I'd be more worried about ingrained fundamental system problems like those that caused the GFC.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
6,315
In my experience, they tend to be absolute morons of the kind who will run XP for years after support ends, with no XP patch contract. Either that, or absolute morons of the kind who prevent users from changing monitor options on their laptops, making something as simple as setting up an external monitor require a support call.
Well, one could view the government / medical IT as inherently having a selective pressure where only the incompetent survive.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
6,315
It's probably worth noting that samba servers are not vulnerable to the "ETERNALBLUE" exploit that is being used to spread the malware, and so there is nothing special that we need to do other than general protection against ransomware.
 