Blog Combating Ransomware with TrueNAS

JoshDW19

Community Hall of Fame
Joined
May 16, 2016
Messages
1,077
Ransomware is making headlines globally but is not receiving a coordinated response from world leaders or the IT industry. Malicious groups ranging from online street thugs to full-blown state-sponsored military operations are infecting computers and holding them for ransom using encryption with little regard for who might be impacted. It’s often not even clear if a successful ransom payment will result in the timely return of the victim’s data.

Governments cannot be expected to solve this problem, and in fact may penalize you for paying a ransom to “terrorists”. IT decision makers must urgently look outside of their standard toolkit because hackers are always looking for new attack vectors to compromise systems. iXsystems TrueNAS offers a robust approach to combating ransomware that embraces mainstream IT solutions while providing additional layers of security that can be integrated into any organization’s ransomware protection strategy.

The Nuts and Bolts of Ransomware

A large portion of systems that fall victim to ransomware are running Microsoft Windows and rely on Windows technologies such as Group Policy and the Volume Shadow Copy Service (VSS) to keep intruders at bay and mitigate the damage they do. While this approach will prevent some attacks, these approaches often miss the most common yet nefarious ransomware attack vector: a privileged user downloading unintentional malware that infects and encrypts every resource that they have access to. The more privileged the user, the more damage they can inadvertently cause — up to full and total destruction performed with Administrative access.

In addition to user workstations, consumer-grade NAS systems such as QNAP, Synology, and WD CloudNAS have also fallen victim to high-profile and widespread ransomware attacks. NAS systems like these that are Internet accessible are particularly vulnerable. Where built-in applications and services have root access to the system, each application enabled makes the whole system more vulnerable. Extreme care should be taken before exposing any storage service to the Internet, and if it is required, it should be done using a variety of techniques such as incorporating VPNs, encryption, and two-factor authentication (2FA).

Additionally, many high-profile targets are compromised and analyzed months in advance before a ransomware attack. Adversaries perform reconnaissance to identify and target backup strategies and identify anything that provides an advantage when launching their attack. If necessary, reinforce your network security tools and procedures as they are often the first defense for your storage security.

Ransomware Payments Should be Your Last Resort, Not Your First

The true secret to combating ransomware is to treat it like any other threat to your data and build a robust storage infrastructure that can provide end-to-end data integrity with rapid restoration capabilities. This is where TrueNAS with its OpenZFS file system helps safeguard exabytes of data across the globe from not only ransomware but also the traditional threats that a good data protection strategy is designed to address. From user error to bit rot, you should be ready for anything, and TrueNAS provides key capabilities that give you an upper hand against all risks to your data, including:

  • Bitrot protection, thanks to continuous filesystem checksumming
  • Redundancy, thanks to flexible volume configuration
  • Protection from disrupted writes thanks to a “copy-on-write” design
  • Instant point-in-time, immutable backups thanks to snapshots
  • Fully-validated bit-level backup thanks to snapshot-based replication
  • Optional dataset or full-disk encryption for privacy and compliance
  • Optional high-availability for robust service delivery
  • Cloud backup integration with all leading providers
  • Replication and backup to non-TrueNAS hosts via rsync
  • Windows malware immunity thanks to Unix operating systems
  • SMB share protection with WORM profile options

TrueNAS Goes the Extra Mile for Data Security

In practice, a network of TrueNAS systems delivers industry-standard sharing protocols including SMB, NFS, iSCSI, AFP, and FTP to servers and workstations, with the key difference being that essential data protection operations are invisible to users and out of reach of known ransomware. Should a connected system be infected, the administrator can selectively roll back the impacted storage and optionally clone the infected state for forensic analysis. Backup operations also take place transparently to users and are online for continuous inspection, with optional air-gapping. This infrastructure can be further secured with:
  • Tightly restricted Internet access with OpenVPN options for remote access
  • Third party Application protections via industry standard containerization technologies
  • Role-based Access Control (RBAC) and auditing with TrueCommand
  • End-to-end encrypted administrative access
  • Least-privileged Active Directory joining authority
  • Optional two-factor authentication for administrative access, including UI and SSH
Isn’t Open Source a Security Disadvantage?

Quite the contrary. Having source code open and available provides significant benefits to security that closed-source products can’t provide. TrueNAS is backed by one of the largest Open Source communities today, the TrueNAS Community, who actively help with specifying requirements, development, validation, and field testing of the software. TrueNAS software is also completely open for transparency and external review to avoid the types of hacks that have become the norm for many closed-source pieces of software.

Time to Take Preventative Action with TrueNAS

Ransomware is a pervasive and evolving threat, but it does not change the fundamental rules and responsibilities of data protection. The TrueNAS family by iXsystems offers flexible storage solutions ranging in size from a few terabytes to many petabytes, with a comprehensive set of security tools, a unified user experience, and up to 24/7 technical support. For up-to-date TrueNAS security information, users should visit security.truenas.com.

Whether you are using TrueNAS CORE, Enterprise, or SCALE, TrueNAS provides the tools needed for data security. The TrueNAS Community Forum is an excellent place to discuss any concerns or ask questions of other experienced users. Contact iXsystems when you are ready for professional support to build secure data infrastructure for your organization.

The post Combating Ransomware with TrueNAS appeared first on iXsystems, Inc. - Enterprise Storage & Servers.


glauco

Guru
Joined
Jan 30, 2017
Messages
524
Timely post indeed...
On August 1, IT systems of Italy's Lazio region (where I live) were attacked by ransomware, and what's worse, backups were compromised. Strangely enough, regional government officials say no ransom demand was received yet. Perhaps because it's too hard to admit we have no choice but to pay the ransom? It's still very unclear how we can recover from such a disaster...
Latest press release (in Italian).
 

hulleyrob

Cadet
Joined
Aug 29, 2021
Messages
2
Excellent. I was just looking for some information on this after seeing "TrueNAS is a Network Attached Storage (NAS) software that shares and protects data from modern-day threats like ransomware and malware." on the main page.

Are there any tutorials on what should be done to combat these? I was thinking daily snapshots for the last 7 days or something like that etc

Will be building my first TrueNAS system in the next few weeks when everything aligns.

Thanks in advance
 

Arwen

MVP
Joined
May 17, 2014
Messages
3,600
@hulleyrob Combating ransomware depends on your infrastructure, NAS use and how much protection you want, (and what you are willing to pay for).

What I mean by pay for, is if your NAS use has enough file churn that any snapshots take a noticeable amount of space, you have to plan and pay for that additional space. It does not come free. ZFS snapshots start taking space when real side files are updated or erased.

So, daily snapshots, kept for 7 days can work. That allows you to go back in time between 6 and 6.9 days, depending on when your snapshot occurs and when you look at your snapshot data.
 

hulleyrob

Cadet
Joined
Aug 29, 2021
Messages
2
Hi Thanks for replying. With my use case I will usually be adding files but rarely deleting.

Is there any way to monitor the number of files being changed, as would happen in a ransomware scenario? Like give me an alert that the snapshots are increasing, which may be a sign, or something like that? Open to any ideas really.
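Added illustration of the kind of check asked about here (not code from any poster or from TrueNAS): it builds on the point above that snapshots consume space as live files are rewritten or erased, but uses the ZFS `written` property (bytes written between a snapshot and its predecessor) rather than `used`, because `written` is attributed to a single snapshot even when several older snapshots share the original blocks. The snapshot listing is a constructed sample of `zfs list -H -p -t snapshot -o name,written,creation` output; dataset names, sizes and thresholds are made up for the example.

```python
"""Flag ZFS snapshots whose 'written' delta is far above the dataset's recent norm.
Real use:  zfs list -H -p -t snapshot -o name,written,creation | python3 snapdelta.py"""
import sys
from statistics import median

# Constructed sample output (tab separated: name, written bytes, creation epoch).
# tank/docs: six ordinary days of churn, then one snapshot where nearly every file
# was rewritten, which is what an encryption pass looks like to ZFS.
# tank/photos: the append-mostly pattern with little written per day.
SAMPLE = """\
tank/docs@auto-2021-08-25\t52428800\t1629849600
tank/docs@auto-2021-08-26\t73400320\t1629936000
tank/docs@auto-2021-08-27\t41943040\t1630022400
tank/docs@auto-2021-08-28\t62914560\t1630108800
tank/docs@auto-2021-08-29\t58720256\t1630195200
tank/docs@auto-2021-08-30\t47185920\t1630281600
tank/docs@auto-2021-08-31\t32212254720\t1630368000
tank/photos@auto-2021-08-30\t1048576\t1630281600
tank/photos@auto-2021-08-31\t2097152\t1630368000
"""

def parse_snapshots(text):
    """Return {dataset: [(creation, snapshot_name, written_bytes), ...]} sorted by creation."""
    by_dataset = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, written, creation = line.split("\t")
        dataset = name.split("@", 1)[0]
        by_dataset.setdefault(dataset, []).append((int(creation), name, int(written)))
    for snaps in by_dataset.values():
        snaps.sort()
    return by_dataset

def find_churn_spikes(by_dataset, factor=10, min_bytes=1 << 30, history=5):
    """Return [(snapshot, written, baseline)] for each dataset whose newest snapshot
    wrote more than factor x the median of the previous `history` deltas and > min_bytes."""
    spikes = []
    for snaps in by_dataset.values():
        if len(snaps) < 3:  # not enough history to call anything abnormal
            continue
        *older, (_, newest, written) = snaps
        baseline = median(w for _, _, w in older[-history:])
        if written >= min_bytes and written > factor * max(baseline, 1):
            spikes.append((newest, written, baseline))
    return spikes

if __name__ == "__main__":
    data = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for snap, written, baseline in find_churn_spikes(parse_snapshots(data)):
        print(f"ALERT {snap}: {written / 2**30:.1f} GiB written since previous snapshot "
              f"(recent median {baseline / 2**20:.0f} MiB)")
```

Wired into a periodic task that exits non-zero on any alert, this gives the "snapshots are growing unusually" signal; the thresholds need tuning to each dataset's normal churn so that a legitimate bulk import is not mistaken for encryption.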
 

awasb

Patron
Joined
Jan 11, 2021
Messages
403
You won't be safe per se. Usually when "incidents" occur, the infrastructure under attack is monitored. Sometimes over weeks, sometimes over months. The "professional" evil guys check, before they act. And they'll steal, before they encrypt.

And even if you wouldn't mind that data gets stolen: You'll need some ro _long_ term archive with _source-monitored_ _pull_ backups. Otherwise your backups could get poisoned.

Over here the pre-backup-checks/monitoring is done by tripwire:
