is ZFS protected against "CRYPTO-WALL/LOCKER" ransomware virus infections?

Status
Not open for further replies.

Borja Marcos

Contributor
Joined
Nov 24, 2014
Messages
125
I'd say that isolated network security zones are best-practice rather than paranoia. :D

Depends on the amount of complexity you are ready to handle. Anyway, a backup/storage strategy outside of the control of the victim computer's OS, hence inaccessible to the user, is an effective measure. Backups to an attached hard disk which can be obviously corrupted/destroyed by software running on the victim computer are not. That's one of the main points of FreeNAS as an effective protection.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,553
Depends on the amount of complexity you are ready to handle. Anyway, a backup/storage strategy outside of the control of the victim computer's OS, hence inaccessible to the user, is an effective measure. Backups to an attached hard disk which can be obviously corrupted/destroyed by software running on the victim computer are not. That's one of the main points of FreeNAS as an effective protection.

One of the reasons why crypto-malware has become such a common issue is because it is a quick and easy way to monetize a security incident. I'd be very hesitant to tell anyone that FreeNAS is an effective protection against this type of malware because it will probably lead to complacency. Recently a user on the forums had the following situation:

1) Public-facing server was compromised and that server had SSH keys to account in FreeNAS jail.
2) Contents of FreeNAS jail was encrypted.
3) Jail had nullfs mount of dataset Tank/foo/bar
4) Snapshots were set for Tank/foo, but user neglected to check the "recursive" box.

All it takes is one small slip-up in your configuration (or an out of date snapshot). My perspective is that the best way of mitigating this sort of risk in a traditional small / medium business environment is through client hardening, and designing the network architecture and management procedures so that compromise of one part of the network can be detected and does not directly lead to compromise of other parts of the network. Or in other words, do security.

As far as home users (windows environment with a few samba shares), I'd still do the following:
  • Enable snapshots [difficulty - easy]
  • Keep an offline backup [difficulty - easy]
  • Use professional versions of windows (because of access to the local group policy editor and other features) [difficulty - easy, but costs some extra money]
  • Create and use a separate non-administrator account for everyday tasks [difficulty - easy]
  • Install EMET [difficulty - easy]
  • Configure a software restriction policy whitelisting for non-administrative users [difficulty - moderate]
  • Download admx templates for version of MS Office you're using, copy them to %systemroot%\PolicyDefinitions, then use gpedit.msc to harden MS Office install [difficulty - moderate]
  • Harden adobe reader install. [difficulty - moderate]
  • Once you have your system configured, image it using a utility such as clonezilla and store a copy of it on your NAS. [difficulty - easy]
 
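An added check for the slip-up in point 4 of the story above (this is not code from the post or from FreeNAS): given the output of `zfs list` for filesystems and for snapshots, it prints every dataset that has no snapshot of its own, so a child dataset left out of a non-recursive snapshot task is visible before it is needed. The two lists are constructed to mirror the Tank/foo case; the `zfs list` invocations in the comments are the assumed way to obtain them on a live system.

```shell
#!/bin/sh
# Added example: find datasets that have no snapshot of their own, so a
# non-recursive periodic snapshot task on the parent does not go unnoticed.
# The two lists below are CONSTRUCTED to mirror the Tank/foo case; on a live
# system they would come from (assumed invocations):
#   zfs list -H -o name -t filesystem -r Tank
#   zfs list -H -o name -t snapshot   -r Tank
DATASETS='Tank
Tank/foo
Tank/foo/bar
Tank/foo/baz'

SNAPSHOTS='Tank/foo@auto-20160301.0000-2w
Tank/foo@auto-20160302.0000-2w
Tank/foo/baz@manual-20160115'

# unsnapshotted DATASETS SNAPSHOTS
# Prints, one per line, every dataset name that never appears left of the
# '@' in the snapshot list. Output order follows the dataset list.
unsnapshotted() {
    printf '%s\n%s\n' "$1" "$2" | awk '
        /@/ { sub(/@.*/, ""); seen[$0] = 1; next }   # snapshot: mark its dataset
        NF  { ds[n++] = $0 }                          # plain dataset name
        END { for (i = 0; i < n; i++) if (!(ds[i] in seen)) print ds[i] }'
}

# Tank/foo/bar, the nullfs-mounted dataset from the story, shows up here
# together with the pool root:
unsnapshotted "$DATASETS" "$SNAPSHOTS"
```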

Borja Marcos

Contributor
Joined
Nov 24, 2014
Messages
125
You are absolutely right regarding the non-existence of silver bullets and the requirement to configure your network and servers properly. I wasn't giving a full guide to mitigate the problem, but pointing out the reason why, in case it happens, FreeNAS (or a similar system) is such an effective measurement.

However

My perspective is that the best way of mitigating this sort of risk is in a traditional small / medium business environment is through client hardening,
I am sorry, but I can't disagree more with this phrase. Client hardening with a poorly designed operating system is bad enough. But client hardening when social engineering is the main way to execute the malicious software is utterly useless. It's the user who will run the software, so all of his/her files will be vulnerable.

Of course you can limit the programs that a user can run, etc, but there are plenty of political and technical reasons for it not to be applicable in many cases. Client hardening would be effective if workstation operating systems were redesigned so that the privileges of a user wouldn't be an all or nothing matter. Imagine the multi-user approach turned into what I call "multi-application". Think of it as the extensive use of sandboxing, but as one of the design principles of the operating system rather than a clever add-on. But I digress.

Protection in such a case is not only a matter of preventing it from happening, but assuming that it will sooner or later and making sure that the damage will be really minimal.

Again, a backup system whose integrity can't be compromised by the user or his/her computer is the key. And a properly configured FreeNAS system (again, properly configured, together with a properly set up network) is an example of such a system.

For example, Mac OS X has a nice backup mechanism out of the box: Time Machine. However, storing the backups on an attached hard disk doesn't make them secure. Using a FreeNAS system with a good snapshotting policy, however, is an entirely different matter.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,553
I am sorry, but I can't disagree more with this phrase. Client hardening with a poorly designed operating system is bad enough. But client hardening when social engineering is the main way to execute the malicious software is utterly useless. It's the user who will run the software, so all of his/her files will be vulnerable.
My baseline SRP whitelist contains the following path rules, and applies to as many filetypes as possible:
Code:
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\SystemRoot% - Unrestricted
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)% - Unrestricted
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir% - Unrestricted
[Various disallowed subdirectories that I won't bother listing under %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\SystemRoot% ]
\\DOMAIN\Sysvol\ - Unrestricted


Default security level is Disallowed. The rest is fine-tuned based on environment (event log aggregation and looking for SRP errors is a good way of figuring this out fairly quickly). Software is deployed by GPO. Users lack admin rights.

Typically locky downloads to and executes from %TEMP%. This behavior is caught by the above SRP. Of course, the same (or better) could be achieved through applocker. Additionally, I have used GPO to disable or restrict Office macros.

The trick is to know your environment. In addition to the obvious stuff, this means going around and constantly engaging employees to understand their workflow and having a good relationship with management.
There are good security tools for windows. The problem is that very few people use them (especially in the small business world). Client / server hardening does work. There's a reason why the CIS Critical Security Controls consistently list it in the top 6.

Crimeware was a part of the 2016 Verizon DBIR. The recommended controls were:
"Recommended controls
Where be me eye patch, matey?

We know that malware droppers, in many cases, succeed by exploiting known
vulnerabilities, so utilize those patches that your vendors release for your OS,
applications (cough, browsers, cough) and security tools.

Exes, stop calling!
Defending against malicious executables ranges from not allowing programs
to run scripts/macros (e.g., document-based programs) to having your email
server strip/remove executables or other file extensions as attachments in
emails. Less is more in this scenario, as you will be reducing the attack surface.

Don’t monkey around.
Don’t be like the three wise monkeys here. See, listen and discuss. As
suggested in last year’s report, capture malware analysis data in your own
environment; actually look into the different families of malware in your own
organization and, if at all possible, the entry point."
 
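As an added illustration of how the default-Disallowed whitelist above decides on a given executable (this is not anodos's policy export or any Microsoft tool): a small evaluator in POSIX shell that applies SRP's rule that the most specific matching path rule wins and falls back to the default level otherwise. It assumes the registry variables in the post expand to their usual C:\ locations and uses C:\Windows\Temp as a constructed stand-in for one of the unlisted disallowed subdirectories under SystemRoot.

```shell
#!/bin/sh
# Added example: evaluate a path against SRP-style path rules.
# SRP applies the MOST SPECIFIC (longest) matching path rule; with no match
# the default security level applies (Disallowed in the policy above).
# RULES are ASSUMED expansions of the registry variables in the post, plus
# C:\Windows\Temp as a constructed stand-in for a disallowed subdirectory.
RULES='C:\Windows|Unrestricted
C:\Windows\Temp|Disallowed
C:\Program Files|Unrestricted
C:\Program Files (x86)|Unrestricted
\\DOMAIN\Sysvol\|Unrestricted'

# srp_level PATH RULES  -> prints Unrestricted or Disallowed
# Matching is case-insensitive and on whole path components, so the rule
# "C:\Program Files" does not cover "C:\Program FilesX\...".
srp_level() {
    # The target goes through the environment: awk -v would treat the
    # backslashes of a Windows path as escape sequences.
    printf '%s\n' "$2" | SRP_TARGET="$1" awk -F'|' '
        BEGIN { t = tolower(ENVIRON["SRP_TARGET"]); best = 0 }
        NF == 2 {
            p = tolower($1); n = length(p)
            if (substr(t, 1, n) != p) next
            # component boundary: rule ends in "\" or the target continues with "\"
            if (substr(p, n) != "\\" && length(t) > n && substr(t, n + 1, 1) != "\\") next
            if (n > best) { best = n; level = $2 }
        }
        END { print (best ? level : "Disallowed") }'
}

# A download executed from the user profile %TEMP%: no rule matches -> default.
srp_level 'C:\Users\bob\AppData\Local\Temp\unknown.exe' "$RULES"          # Disallowed
# Installed software under Program Files runs.
srp_level 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe' "$RULES"   # Unrestricted
# The narrower Disallowed rule beats the broad SystemRoot rule.
srp_level 'C:\Windows\Temp\dropper.exe' "$RULES"                          # Disallowed
srp_level 'C:\Windows\System32\notepad.exe' "$RULES"                      # Unrestricted
```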