Jump to content
Squid

[Plugin] Ransomware Protection - Deprecated

429 posts in this topic Last Reply

Recommended Posts

biglock.png

Ransomware Protection

 

This plugin is a specialized type of anti-virus designed to detect if a ransomware malware attack is happening on your server, and upon detection either take the server offline, or make all of your user shares read-only.

 

It operates by using "bait files".  These bait files can either be located within you normal user shares, or within specialized bait shares.  Once an attack happens on one of the bait files, (either the contents are changed (ie: encrypted) or deleted (ie: renamed and encrypted), the plugin will take whatever action you specify.

 

Response time is approximately 1/10th of a second.  Full details on the setup and operation of the plugin are contained within the "Help" tab on the plugin's settings page

 

You can install this plugin via Community Applications (the Apps tab) within the Plugins section (or just search for ransonware).  This plugin requires unRaid 6.2+

 

Untitled_zps6c0k0etk.png

 

Untitled_zpssdrms2cc.png

 

Untitled_zpsy5wj8sfl.png

 

Untitled_zpsawzvxbfk.png

Edited by Squid
  • Upvote 4

Share this post


Link to post

- Reserved for Reaction -

Don't be too harsh on me... Went the entire weekend without a beer doing this...

Share this post


Link to post

Wouldn't be better to modify permissions to read only instead of

 

- Stop SMB (optional) *

- Stop AFP (optional) *

- Stop NFS (optional) *

 

I don't know if a plugin has enough permissions to make such a change, though.

 

EDIT:

 

Forgot to say thank you :)

 

  • Upvote 1

Share this post


Link to post

Wouldn't be better to modify permissions to read only instead of

 

- Stop SMB (optional) *

- Stop AFP (optional) *

- Stop NFS (optional) *

 

I don't know if a plugin has enough permissions to make such a change, though.

 

EDIT:

 

Forgot to say thank you :)

Takes time.  But that actually have me a similar idea .

 

Sent from my LG-D852 using Tapatalk

 

 

Share this post


Link to post

Wouldn't be better to modify permissions to read only instead of

 

- Stop SMB (optional) *

- Stop AFP (optional) *

- Stop NFS (optional) *

 

I don't know if a plugin has enough permissions to make such a change, though.

 

EDIT:

 

Forgot to say thank you :)

Takes time.  But that actually have me a similar idea .

 

Sent from my LG-D852 using Tapatalk

How about...

Stop SMB/AFP/NFS

unmount drives

remount readonly

Start SMB/AFP/NFS

Share this post


Link to post

Wouldn't be better to modify permissions to read only instead of

 

- Stop SMB (optional) *

- Stop AFP (optional) *

- Stop NFS (optional) *

 

I don't know if a plugin has enough permissions to make such a change, though.

 

EDIT:

 

Forgot to say thank you :)

Takes time.  But that actually have me a similar idea .

 

Sent from my LG-D852 using Tapatalk

How about...

Stop SMB/AFP/NFS

unmount drives

remount readonly

Start SMB/AFP/NFS

Basically.  Stop and restart smb etc after modifying smb config for read only.

 

Sent from my LG-D852 using Tapatalk

 

 

Share this post


Link to post

This has to be considered the most disastrous event that can happen to your server, worse than a hard crash, worse even than multiple drive failures and loss of parity.  So I don't think you want to minimize the effect on the server, by trying to continue any streaming or transfers.  A movie or music stoppage might be a terrific and instant 'notification' of imminent disaster.  Perhaps it would be better to block all access, and put up a "Ransomware attack detected!  Resume read-only access? (Y/N)" dialog, on the current unRAID screen (plus send all notifications of course).  Then if they decide to, they can restart SMB access, resume the movie...  But I suspect they will have more important matters to attend to!  Like saving the server and figuring out which desktop is infected and now already encrypted!

 

The first step has to be blocking access.  I'd almost prefer a way to effectively take the server offline, "cut the network cable", but if stopping SMB, AFP, and NFS (and FTP?) effectively does that, and does it very quickly, then that's fine.  The next step would be to reconfigure the server, all access and permission changes, and stopping unnecessary or risky services.  I personally think the default action should be stopping the array, as it stops everything (except access to the flash disk(!), especially if the boot disk is exported read/write).  I originally thought stopping the array should be the first action, but it takes too long spinning up the drives, so stopping server access has to be first.  Then once the server is reconfigured to a safe state, send the notifications.  Just thinking out loud how I think it should go, you may already have it doing all or most of that.

 

You may want to spend more time with that CryptoDrop paper.  There were a number of important points made from their studies of ransomware in the wild.  One being that certain file types were attacked first by many of the attackers.  As I recall, pdf's were possibly the first thing encrypted, and other similar high value doc types.  I originally suggested jpg's because that's what we hear about most from anecdotal sources, but this paper says differently.  Another important finding was that they tend to go for the smallest files first, presumably so they can encrypt more of them faster.  Another very important finding was that many of them use randomized search strategies, ignoring the root folders, probably trying to avoid easy detections.  This makes it a much harder target for you, and means the bait has to be pretty well everywhere.

Share this post


Link to post

This has to be considered the most disastrous event that can happen to your server, worse than a hard crash, worse even than multiple drive failures and loss of parity.  So I don't think you want to minimize the effect on the server, by trying to continue any streaming or transfers.  A movie or music stoppage might be a terrific and instant 'notification' of imminent disaster.  Perhaps it would be better to block all access, and put up a "Ransomware attack detected!  Resume read-only access? (Y/N)" dialog, on the current unRAID screen (plus send all notifications of course).  Then if they decide to, they can restart SMB access, resume the movie...  But I suspect they will have more important matters to attend to!  Like saving the server and figuring out which desktop is infected and now already encrypted!

 

The first step has to be blocking access.  I'd almost prefer a way to effectively take the server offline, "cut the network cable", but if stopping SMB, AFP, and NFS (and FTP?) effectively does that, and does it very quickly, then that's fine.  The next step would be to reconfigure the server, all access and permission changes, and stopping unnecessary or risky services.  I personally think the default action should be stopping the array, as it stops everything (except access to the flash disk(!), especially if the boot disk is exported read/write).  I originally thought stopping the array should be the first action, but it takes too long spinning up the drives, so stopping server access has to be first.  Then once the server is reconfigured to a safe state, send the notifications.  Just thinking out loud how I think it should go, you may already have it doing all or most of that.

 

You may want to spend more time with that CryptoDrop paper.  There were a number of important points made from their studies of ransomware in the wild.  One being that certain file types were attacked first by many of the attackers.  As I recall, pdf's were possibly the first thing encrypted, and other similar high value doc types.  I originally suggested jpg's because that's what we hear about most from anecdotal sources, but this paper says differently.  Another important finding was that they tend to go for the smallest files first, presumably so they can encrypt more of them faster.  Another very important finding was that many of them use randomized search strategies, ignoring the root folders, probably trying to avoid easy detections.  This makes it a much harder target for you, and means the bait has to be pretty well everywhere.

Which is why the bait has the option to go everywhere.  Downsides is that it also increases the chances of innocent modifcation.  Excluded folders are today / tomorrow which after I released I realized is a must have.  Appdata gets automatically excluded because it'll give inotify a heart attack having that many subfolders to handle (my plex has 200,000 +) 

 

Pdf I just skimmed the paper but it's nothing to add another bait file included (and the user has the option to override and use whatever they want)

 

Yes or no confirmations on what to do in event of an attack I just don't see that as being an option.  Take the system down and deal with the aftermath.

 

Notifications are the last thing done after an action is taken, as that takes some time for dynamix to figure it out, send the email, etc.

 

Stopping SMB et al is my personal preference, but as I noted above, unRaid restarts the service every minute if its not running.  Still hoping Tom / Eric can help me out on that one, but as it stands it at least interrupts the attack and hopefully winds up cancelling it, and since unRaid stops the network services rather late in the stopping array procedure, its something that's got to be done anyways.

 

Upshot is that the framework for everything is done which is the hardest part of the plugin.  Adding extra actions etc is a cakewalk. 

 

Sent from my LG-D852 using Tapatalk

 

 

Share this post


Link to post

Yes or no confirmations on what to do in event of an attack I just don't see that as being an option.  Take the system down and deal with the aftermath.

 

I understand.  I felt I needed to make the point though, because the efforts above to restart SMB were concerning to me.  I could see users watching a movie, notice a brief pause, then settle back as the movie resumed, and only check for notifications hours later, while the ransomware continues merrily encrypting other stuff it can find on the network.  It really seems safer to bring everything to a halt, until an unRAID administrator makes the decision that it's safe to continue.

Share this post


Link to post

Yes or no confirmations on what to do in event of an attack I just don't see that as being an option.  Take the system down and deal with the aftermath.

 

I understand.  I felt I needed to make the point though, because the efforts above to restart SMB were concerning to me.  I could see users watching a movie, notice a brief pause, then settle back as the movie resumed, and only check for notifications hours later, while the ransomware continues merrily encrypting other stuff it can find on the network.  It really seems safer to bring everything to a halt, until an unRAID administrator makes the decision that it's safe to continue.

The effort that I'm going to investigate on restarting smb will be in read-only mode but if I can't get it bullet proof it won't be included

 

Sent from my LG-D852 using Tapatalk

 

 

Share this post


Link to post

This sounds incredible Squid!

 

Before stopping SMB/AFS/NFS, can the plugin capture anything about who is connected and what IP they are connected from?  That would help diagnose which client computer is responsible for triggering the bait.

 

Along these lines, is there a way to log when any file is added/changed/deleted via SMB/AFS/NFS?  Once the bait is triggered, a log like this would be invaluable in tracking down what was affected.

 

I really like the idea of restarting network services in read-only mode, particularly due to the risk of users deleting a bait file because they don't know what it is.  A DOS due to a false positive is going to be pretty disruptive for a small business; read-only mode would allow them to limp along until they get help.

 

Share this post


Link to post

Subscribed and watching.  This will be quite useful for a few clients I'm getting ready to setup with unRAID servers.

 

I'll be looking forward to the polished & tested version.

Share this post


Link to post

How about...

Stop SMB/AFP/NFS

unmount drives

remount readonly

Start SMB/AFP/NFS

Initial tests:

 

Remounting SMB as read-only:  No issues... works perfectly from the command line.  Will be added tomorrow.

 

AFP/NFS.  Since I don't run those particular protocols (and have no real way of running them anyways), I can't really check it out properly.  Maybe one of the real linux / Apple guys here can help me out on this one.

 

(and FTP?)

Problem with FTP is that there are multiple ways of running a server (built-in, plugins, numerous dockers)  How do you detect and stop them all?  FTP will remain on the backburner for a while.

Before stopping SMB/AFS/NFS, can the plugin capture anything about who is connected and what IP they are connected from?  That would help diagnose which client computer is responsible for triggering the bait.

Added in automatic logging of smbstatus prior to taking down smb which should help in some diagnosis of this. 

Once again, since I don't use AFP/NFS not quite sure if there's an equivalent command.  And, any command issued to determine status has to return results fast as any delays means potentially more files get encrypted.

 

Share this post


Link to post

Love it.  Some ideas

1 - top banner button,  Ransomware shield on (when active,  all shares in read only,  otherwise use share permissions)

2 -  depth/share.  How many levels down to place bait files.  Default 1.

3 -  when Ransomware shield triggered,  and active streams / open files is installed,  log who triggered and what file was being read.

Share this post


Link to post

- Reserved for Reaction -

Don't be too harsh on me... Went the entire weekend without a beer doing this...

 

https://xkcd.com/323/

Always knew it...  Development on CA definitely followed that curve

Share this post


Link to post

This plugin is preventing my array from starting on 6.3.0-rc1

 

Or possibly, it is stopping my array due to some sort of false-positive before I can even load the webUI.

 

After upgrading to unRAID 6.3.0-rc1, I was surprised to see that my array wasn't started. So I tried to start it manually, but it wouldn't. Then I tried booting in SAFE mode, and it booted up fine with the array started.

 

Then I happened to check my email and had some alerts from this plugin. So I removed the plugin, booted in normal mode, and it booted up with the array started.

 

So something going on with this plugin and unRAID 6.3.0-rc1

Share this post


Link to post

This plugin is preventing my array from starting on 6.3.0-rc1

 

Or possibly, it is stopping my array due to some sort of false-positive before I can even load the webUI.

 

After upgrading to unRAID 6.3.0-rc1, I was surprised to see that my array wasn't started. So I tried to start it manually, but it wouldn't. Then I tried booting in SAFE mode, and it booted up fine with the array started.

 

Then I happened to check my email and had some alerts from this plugin. So I removed the plugin, booted in normal mode, and it booted up with the array started.

 

So something going on with this plugin and unRAID 6.3.0-rc1

Trying it now with rc1.

 

But if you haven't rebooted, can you give me your diagnostics.  Just about everything is logged on this plg.

Share this post


Link to post

This plugin is preventing my array from starting on 6.3.0-rc1

 

Or possibly, it is stopping my array due to some sort of false-positive before I can even load the webUI.

 

After upgrading to unRAID 6.3.0-rc1, I was surprised to see that my array wasn't started. So I tried to start it manually, but it wouldn't. Then I tried booting in SAFE mode, and it booted up fine with the array started.

 

Then I happened to check my email and had some alerts from this plugin. So I removed the plugin, booted in normal mode, and it booted up with the array started.

 

So something going on with this plugin and unRAID 6.3.0-rc1

Nevermind about the diagnostics.  You're correct.  However the problem actually isn't with this plugin per se.  Nerd Pack isn't working properly on 6.3.0-rc1

 

Going to the ransomware settings states that inotifytools isn't installed, and going to Nerd Pack settings just sits there on retrieving plugin information.  Now this is a case that I have to handle, where inotify was installed, but no longer is, so kudos for finding that bug...  But I think that dmascias also has something to do here...

Share this post


Link to post

This plugin is preventing my array from starting on 6.3.0-rc1

 

Or possibly, it is stopping my array due to some sort of false-positive before I can even load the webUI.

 

After upgrading to unRAID 6.3.0-rc1, I was surprised to see that my array wasn't started. So I tried to start it manually, but it wouldn't. Then I tried booting in SAFE mode, and it booted up fine with the array started.

 

Then I happened to check my email and had some alerts from this plugin. So I removed the plugin, booted in normal mode, and it booted up with the array started.

 

So something going on with this plugin and unRAID 6.3.0-rc1

Nevermind about the diagnostics.  You're correct.  However the problem actually isn't with this plugin per se.  Nerd Pack isn't working properly on 6.3.0-rc1

 

Going to the ransomware settings states that inotifytools isn't installed, and going to Nerd Pack settings just sits there on retrieving plugin information.  Now this is a case that I have to handle, where inotify was installed, but no longer is, so kudos for finding that bug...  But I think that dmascias also has something to do here...

Now that you mention it I did notice something about inotifytools in my syslog and should have made the connection. So I guess that means I will have to regenerate my .hash files again also. Still using your "deprecated" Checksum Suite after all this time.

Share this post


Link to post

So I guess that means I will have to regenerate my .hash files again also. Still using your "deprecated" Checksum Suite after all this time.

I still use it too.  I just have it run a generation on a weekly schedule just in case inotify missed anything.  But, dmacias is on it anyways...

Share this post


Link to post

Just a little status update here,

 

- SMB read-only mode works bang on.  Keeps everything running (but any active streams at the time of an attack will get dropped while SMB is reconfigured)

- Also added in a button to manually pop the server over to read-only mode quickly

- SMB status in logs looks like it'll give sufficient info on where an attack is coming from (or put another way, you'll at least know where an attack is NOT coming from)

- Since no one has come forward with AFP/NFS assistance as of yet, I'm going to be taking those options out of the settings. (But in the case of a stop array settings, it will still stop those services to break any extremely unlikely attacks coming through those vectors -> (We all use Windows and SMB don't we?)

- Since unRaid insists on restarting all services whenever they get stopped, on a stop Array setting, SMB is switched over to read-only mode because to completely stop the attack from continuing if unRaid restarts SMB on us before the unRaid gets to the stopping services part of stopping the array.

- Numerous little bug fixes.

 

Was trying to get this out tonight, but just plain ran out of time on the QC before I've got to go to bed...

 

Share this post


Link to post

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now