[Plugin] Ransomware Protection - Deprecated


Squid


1 hour ago, squirrellydw said:

should all the squidbait shares be public or is it better to have them as Secure?

Better as public.  You want to make them as accessible as possible

 

1 hour ago, squirrellydw said:

My Disk shares say Read Only Mode, is that correct?  If not how do I fix it?  Thanks

I had a typo that was preventing the disk shares / comments from being properly restored.  Updating the plugin corrects the typo, and will also remove the existing comments (if you had done multiple test trips).  However, a reboot may be required after installing the update for unRaid to pickup the comment changes...

Link to comment
On 5/18/2017 at 6:46 PM, Squid said:

It's tailored to unRaid, and takes the approach of waiting for an attack to happen against certain files and when that happens stops all smb write access regardless of how inconvenient that may be to you.  IE:  It's your absolutely last line of defense, and should never be your first and/or only...

 

https://github.com/Squidly271/ransomware.bait/

 

Have you ever thought of making it a CLI tool and portable to other Linux distros? I know this is last line of defense material, but it's lightweight and excellent for what it does. I can easily see this becoming a tool businesses would love in their arsenal. Seriously man, you've got a winner here. I love unraid, but small/medium business and corporate use other distros. This could be a big deal!

Link to comment

@Darksurf How would you transition the shares to Read-Only mode on other Linux variants? Or do you mean to make it a passive-only that monitors then when it gets tripped to send a Notification? I suppose it could just have hook-files to be executed on tripped, then leave it up to others to get the nitty-gritty for their specific situations.

Link to comment
48 minutes ago, BRiT said:

@Darksurf How would you transition the shares to Read-Only mode on other Linux variants? Or do you mean to make it a passive-only that monitors then when it gets tripped to send a Notification? I suppose it could just have hook-files to be executed on tripped, then leave it up to others to get the nitty-gritty for their specific situations.

It would boil down to either editing the samba.conf file or even better, just stop the samba service 'systemctl stop samba.service' and send notifications and log problems.

Link to comment
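The two replies above sketch the portable version of the approach: watch a set of bait files, and when one changes, either rewrite the Samba config so every share is read-only or stop the service and notify. The following is an added example (not the plugin's code, which lives in the GitHub repo linked above) that implements that loop in Python: a content snapshot of the bait files, a re-check that reports any file changed or removed, and a transform that forces `read only = yes` into every share section of an smb.conf. File names, share names and the config text are constructed; reloading Samba afterwards (for instance with `smbcontrol all reload-config`) is left as a comment rather than executed.

```python
"""Added example: minimal bait-file monitor plus smb.conf lock-down.
Not the plugin's own code; paths, share names and config text are constructed."""
import hashlib
import os
import re
import tempfile
from typing import Dict, List, Optional


def fingerprint(path: str) -> Optional[str]:
    """SHA-256 of the file's content, or None if the file no longer exists."""
    try:
        with open(path, "rb") as fh:
            return hashlib.sha256(fh.read()).hexdigest()
    except FileNotFoundError:
        return None


def snapshot(bait_paths: List[str]) -> Dict[str, Optional[str]]:
    """Baseline taken when the bait is planted."""
    return {p: fingerprint(p) for p in bait_paths}


def check(baseline: Dict[str, Optional[str]]) -> List[str]:
    """Bait paths whose content changed, or which disappeared, since the baseline.
    Any non-empty result is a trip: bait files have no legitimate writer."""
    return [p for p, old in baseline.items() if fingerprint(p) != old]


SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")
# Keys that can grant write access and must not survive in a locked share section.
WRITE_KEYS = ("read only", "writable", "writeable", "write list")


def lock_down_smb_conf(conf_text: str) -> str:
    """Return smb.conf text with 'read only = yes' forced into every share section.
    Existing write-granting lines in share sections are dropped so they cannot
    override the lock; [global] is left untouched.  The caller writes the result
    over smb.conf and reloads Samba (assumption: `smbcontrol all reload-config`)."""
    out, in_share = [], False
    for line in conf_text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            in_share = m.group(1).strip().lower() != "global"
            out.append(line)
            if in_share:
                out.append("    read only = yes")
            continue
        key = line.split("=", 1)[0].strip().lower()
        if in_share and key in WRITE_KEYS:
            continue
        out.append(line)
    return "\n".join(out) + "\n"


def demo() -> List[str]:
    """Self-contained scenario: plant two bait files, snapshot, delete one, re-check.
    Returns the base names of the tripped bait files."""
    with tempfile.TemporaryDirectory() as d:
        paths = [os.path.join(d, n) for n in ("Invoice-2017.docx", "IMG_0042.jpg")]
        for p in paths:
            with open(p, "wb") as fh:
                fh.write(os.urandom(64))  # constructed bait content
        base = snapshot(paths)
        assert check(base) == []        # nothing touched yet
        os.remove(paths[0])             # simulate the bait being destroyed
        return [os.path.basename(p) for p in check(base)]


if __name__ == "__main__":
    tripped = demo()
    print("tripped:", tripped)
    if tripped:
        sample_conf = "[global]\n    workgroup = WG\n[media]\n    path = /mnt/user/media\n    read only = no\n"
        print(lock_down_smb_conf(sample_conf))
```

Polling a content hash is the portable, dependency-free version; on a real box you would drive `check()` from an inotify watch or a short cron interval, and the hook that rewrites smb.conf should run as root and reload Samba immediately so the window between detection and lock-down stays small.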

I just had to chime in. I'm loving this program. I've had two alarms. Seem false though. Something deleted

 

Time Of Attack:Sat, 27 May 2017 14:07:42 -0500

Attacked File: /mnt/user/YaBills\home2-conquered/

 

&

 

Time Of Attack:Sat, 27 May 2017 23:57:06 -0500

Attacked File: /mnt/user/crashed-Fame/.SquidBait-DO_NOT_DELETE.docx
 

Locked files:
Pid          Uid        DenyMode   Access      R/W        Oplock           SharePath   Name   Time
--------------------------------------------------------------------------------------------------
23926        1000       DENY_NONE  0x20081     RDONLY     NONE             /mnt/user/crashed-Fame   SquidBait-DO_NOT_DELETE.jpg   Sat May 27 23:56:54 2017
23926        1000       DENY_NONE  0x100081    RDONLY     NONE             /mnt/user/crashed-Fame   .   Sat May 27 23:56:53 2017

 

Even though it might be false, I still love the fact it's there. Plus it helps me learn how to protect myself and not get comfortable.

 

Backups are our friends. Thank you again for this plug-in and adding to unRaid

 

Link to comment
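The "Locked files" table in the post above is the open-file listing Samba prints (the format `smbstatus` uses), and it is the quickest way to triage an alarm: it tells you which process and UID had the bait file open and with what access mask. The snippet below is an added example, not part of the plugin, that parses that table and decodes the access mask so a responder can separate a read-only open (a backup job or indexer listing the share) from a handle that asked for write or delete rights. The sample input is constructed from the table in the post; the access-mask bit values are the standard Windows file access rights that Samba reports.

```python
"""Added example: parse Samba's 'Locked files' table and classify each handle.
Not the plugin's code; SAMPLE is constructed from the table pasted in the thread."""
import re
from typing import Dict, List

SAMPLE = """Locked files:
Pid          Uid        DenyMode   Access      R/W        Oplock           SharePath   Name   Time
--------------------------------------------------------------------------------------------------
23926        1000       DENY_NONE  0x20081     RDONLY     NONE             /mnt/user/crashed-Fame   SquidBait-DO_NOT_DELETE.jpg   Sat May 27 23:56:54 2017
23926        1000       DENY_NONE  0x100081    RDONLY     NONE             /mnt/user/crashed-Fame   .   Sat May 27 23:56:53 2017
"""

# One data row: pid uid denymode access rw oplock sharepath name time.
# Name may contain single spaces, so it is separated from Time by 2+ spaces.
ROW_RE = re.compile(
    r"^(\d+)\s+(\d+)\s+(\S+)\s+(0x[0-9a-fA-F]+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.+?)\s{2,}"
    r"(\w{3} \w{3} +\d+ [\d:]+ \d{4})\s*$"
)

# Standard Windows file access rights as reported in the Access column.
WRITE_MASK = (
    0x00000002   # FILE_WRITE_DATA
    | 0x00000004 # FILE_APPEND_DATA
    | 0x00000010 # FILE_WRITE_EA
    | 0x00000100 # FILE_WRITE_ATTRIBUTES
    | 0x00010000 # DELETE
    | 0x00040000 # WRITE_DAC
    | 0x00080000 # WRITE_OWNER
)


def parse_locked_files(text: str) -> List[Dict[str, object]]:
    """Turn the table into one dict per open handle; header/separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        pid, uid, deny, access, rw, oplock, share, name, when = m.groups()
        rows.append({
            "pid": int(pid), "uid": int(uid), "deny_mode": deny,
            "access": int(access, 16), "rw": rw, "oplock": oplock,
            "share_path": share, "name": name.strip(), "time": when,
        })
    return rows


def wants_write(access_mask: int) -> bool:
    """True if the handle requested any write, append, attribute, delete or ACL right."""
    return bool(access_mask & WRITE_MASK)


def bait_handles(rows: List[Dict[str, object]], marker: str = "SquidBait") -> List[Dict[str, object]]:
    """Handles that refer to a bait file (by the marker in the file name)."""
    return [r for r in rows if marker in str(r["name"])]


def triage(text: str, marker: str = "SquidBait") -> List[str]:
    """Human-readable one-liners for each bait handle: who had it open and how."""
    lines = []
    for r in bait_handles(parse_locked_files(text), marker):
        kind = "WRITE/DELETE" if wants_write(int(r["access"])) else "read-only"
        lines.append(f"pid {r['pid']} uid {r['uid']} opened {r['share_path']}/{r['name']} "
                     f"with access {r['access']:#x} ({kind}) at {r['time']}")
    return lines


if __name__ == "__main__":
    for line in triage(SAMPLE):
        print(line)
```

Run against the table from the post, the bait handle decodes as access `0x20081` (FILE_READ_DATA, FILE_READ_ATTRIBUTES, READ_CONTROL), i.e. a read-only open by PID 23926 under UID 1000. That does not prove the trip was false, since the delete may have come from a different, already closed handle, but it gives you the PID and UID to chase in the process list and the Samba log before assuming the worst.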
  • 3 weeks later...

I've installed this plugin but seem to keep having false positives, I'm not using any shares (they exist but nobody is using anything able to see the shares or accessing them)  I'm just setting up the actual unRaid and keep getting notifications about bait files triggered....

Edited by ceyo14
Link to comment
On 6/12/2017 at 11:57 PM, ceyo14 said:

I've installed this plugin but seem to keep having false positives, I'm not using any shares (they exist but nobody is using anything able to see the shares or accessing them)  I'm just setting up the actual unRaid and keep getting notifications about bait files triggered....

Hard to say.  Generally, something is modifying / deleting the file(s).

Link to comment
  • 3 weeks later...

Hey Squid,

 

Been reading a little about this and it sounds awesome. You are a very gifted person to design and implement something like this. I do have a few questions and don't think they have been asked but if they have please forgive me.

 

1) Is it better to have bait files or bait shares? I have about 15 shares SMB/NFS.

2) Will NFS be implemented on this? I have about 6 NFS shares. 

3) Since I have NFS shares, would the bait files or bait shares be created for those shares, as at this time NFS is implemented?

4) I have automatic backups going on for systems in my house. Would this trigger a false alarm?

5) What is the most secure way to implement this, using bait files or bait shares?

6) What are the odds of someone reading this and implementing ransomware to ignore your bait files or shares and go after every other file instead? 

7) Does this tell you the file or shares where items would be deleted?

7) Does this tell you the file or shares where items would be deleted?

 

So sorry for so many questions, and if they have been asked before I am sorry. Thanks for any help in advance and this does sound like an awesome plugin. 

Edited by kjoconis
Link to comment
1 hour ago, kjoconis said:

You are a very gifted person to design and implement something like this

@RobJ's ideas

 

1 hour ago, kjoconis said:

Is it better to have bait files or bait shares. I have about 15 shares SMB/NFS.

Bait Files are more secure, but more prone to inadvertent trips.  Bait Shares are more convenient and less prone to inadvertent trips

 

1 hour ago, kjoconis said:

Will NFS be implemented on this? I have about 6 NFS shares. 

Your #1 attack vector by far is via SMB.  NFS, a while ago I had asked for help on how to make an NFS share read-only in unRaid's implementation, but nobody could / would answer the question (short of modifying the permissions on the files, which I don't want to do)

1 hour ago, kjoconis said:

I automatic backups going on for systems in my house. Would this trigger a false alarm?

If the automatic backups delete any files in the destination share that don't exist on the source, and those files are bait files, then yes.  An attack is an attack.

1 hour ago, kjoconis said:

What are the most secure way to implement this, using bait files or bait shares?

Bait Files in all directories and Bait Shares.  Unless you're in 100% control of the files on the server though, Bait Files in the root only with Bait Shares.  If you don't have 100% control (other users regularly accessing / deleting their own files from folders, etc.), Bait Shares only are your best bet.  Myself, I use 20 Bait Shares (containing ~1,000,000 bait files) and bait files within root of shares only.

1 hour ago, kjoconis said:

what are the odds of someone reading this and implementing ransomware to ignore your bait files or shares and go after every other file instead? 

If a malware author was going to try and work around this implementation, it would be nothing for them to ignore the default naming of the Bait Files.  But, you can change those how you wish to avoid that problem.  But, you have the option to create and use your own Bait Files.

 

Bait Shares.  Anything is possible, but the file names are all randomized, and are named in a variety of different ways that IMHO simulate the naming of files that would be present in somebody's work computer.  

 

Would any of the authors go through the trouble of trying to get around this plugin?  Doubt it, but you never know.

1 hour ago, kjoconis said:

Does this tell you the file or shares where items would be deleted?

 

On an attack, there is an attack log that does specify which particular file was attacked.

 

 

 

Best that I can say is that of the 2 users that I know of in this forum that have been hit with a ransomware attack (wannacry), neither one of them were running this plugin.  I wish they were.

Edited by Squid
Link to comment

Squid:

 

I will chime in and give you a big 'thanks' for the plugin. Installed and seems to be working great on my rig.

 

One thing that would be nice - I would like to get an email whenever the system detects and sets the shares to read only. I see that there is the ability to run a custom script on detection.

 

Would you or anyone else out there be able to knock up a quick email script that would work with GMail? I do not have the Linux chops to pull this off in any reasonable time. I figured if I had to do this myself, email would be obsolete by the time I was able to make it work ;-)

 

I figured it would be pretty trivial for someone to throw a script together. I am OK to make modifications to a script, but would like to see a sample.

 

Cheers,

Brian (fellow Canuck, by the looks of your signature)

Link to comment
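Since the post above asks for a sample on-detection script that mails through Gmail, here is an added example (not the plugin's code, and not something Squid supplied). The thread does not say how the plugin hands details to a custom script, so this assumes the attack log, in the `Time Of Attack:` / `Attacked File:` format pasted earlier in the thread, is passed as the first argument. It parses that log, builds a plain-text e-mail, and submits it over STARTTLS to `smtp.gmail.com:587`. The environment variable names `RW_MAIL_USER`, `RW_MAIL_PASS` and `RW_MAIL_TO` are chosen here; Gmail expects an app password in `RW_MAIL_PASS`, not the account password. The sample log text is constructed.

```python
"""Added example: custom on-detection hook that e-mails the attack log via Gmail.
Not the plugin's code.  Assumes: attack log path in argv[1] (or SAMPLE_LOG when
run without arguments), credentials in RW_MAIL_USER / RW_MAIL_PASS (app password),
recipient in RW_MAIL_TO.  SAMPLE_LOG is constructed from the thread's log format."""
import os
import smtplib
import socket
import sys
from email.message import EmailMessage
from typing import Dict, List, Optional

SMTP_HOST, SMTP_PORT = "smtp.gmail.com", 587   # Gmail STARTTLS submission port

SAMPLE_LOG = """Time Of Attack:Sat, 27 May 2017 23:57:06 -0500
Attacked File: /mnt/user/crashed-Fame/.SquidBait-DO_NOT_DELETE.docx
"""


def parse_attack_log(text: str) -> List[Dict[str, str]]:
    """Group 'Time Of Attack:' / 'Attacked File:' lines into one dict per event.
    Other lines (blank separators, '&', the smbstatus table) are ignored."""
    events: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        if line.startswith("Time Of Attack:"):
            if current:
                events.append(current)
            current = {"time": line.split(":", 1)[1].strip()}
        elif line.startswith("Attacked File:"):
            current["file"] = line.split(":", 1)[1].strip()
    if current:
        events.append(current)
    return events


def build_message(events: List[Dict[str, str]], sender: str, recipient: str,
                  host: Optional[str] = None) -> EmailMessage:
    """Plain-text notification listing every event from the log."""
    host = host or socket.gethostname()
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = f"[{host}] Ransomware protection tripped: {len(events)} event(s)"
    body = [f"Bait file activity detected on {host}; SMB shares have been set read-only.", ""]
    for e in events:
        body.append(f"Time Of Attack: {e.get('time', '?')}")
        body.append(f"Attacked File:  {e.get('file', '?')}")
        body.append("")
    body.append("Check the attack log and smbstatus output before re-enabling writes.")
    msg.set_content("\n".join(body))
    return msg


def send_via_gmail(msg: EmailMessage, user: str, password: str) -> None:
    """Submit over STARTTLS; raises smtplib exceptions on auth or connection failure."""
    with smtplib.SMTP(SMTP_HOST, SMTP_PORT, timeout=30) as smtp:
        smtp.ehlo()
        smtp.starttls()
        smtp.login(user, password)
        smtp.send_message(msg)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOG
    events = parse_attack_log(text)
    user = os.environ.get("RW_MAIL_USER")
    password = os.environ.get("RW_MAIL_PASS")
    recipient = os.environ.get("RW_MAIL_TO", user or "admin@example.invalid")
    msg = build_message(events, user or "unraid@example.invalid", recipient)
    if user and password:
        send_via_gmail(msg, user, password)
    else:
        print(msg)  # no credentials configured: show what would have been sent
```

Keep the credentials in the environment or a root-only file rather than in the script itself, and note that if the notification path depends on the same server that just tripped, a separate channel (unRaid's own notification system, as Squid notes below) is worth keeping as well.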
11 minutes ago, bjmcintosh said:

One thing that would be nice - I would like to get an email whenever the system detects and sets the shares to read only. I see that there is the ability to run a custom script on detection.

Admittedly, I'm not in the "right frame of mind" at the moment, but I'm sure that it does that automatically without any option to disable.  Assuming of course that you have set up notifications properly in unRaid.

 

13 minutes ago, bjmcintosh said:

(fellow Canuck, by the looks of your signature)

 

Link to comment
2 hours ago, bjmcintosh said:

I am going to use unbalance to move some files around and make room for a new disk in my array. Would it be easiest to shut down ransomware protection, then recreate bait files as if it is a new install?

Stop the service, then delete the files, then move, then recreate

 

Link to comment
  • 2 weeks later...
  • 3 weeks later...
5 minutes ago, kjoconis said:

Hey Guys,

 

Finally installed this plugin and so far so great. Question: I have bait file placement in all folders and shares but I don't see the files. I even chose to not hide bait files but they are still hidden. I would rather not see them but I just wanted to know that they are there. Like I said, I have bait files not hidden but they are still not showing. Any thoughts? Thanks guys.

Is bait files enabled?  Does bait files show as running?  What does it state for number of bait files being monitored?

Link to comment
