[Plugin] Ransomware Protection - Deprecated


Squid


Sorry.  I tested that the day after your post.  And on both of my systems with Hide Dot Files enabled, Windows doesn't show the files unless I have it display hidden files.  Not quite sure whether it's your Windows messing up or something in your smb-extra.cfg / smb.cfg files.

Link to comment
On 10/12/2017 at 5:37 AM, Squid said:

Sorry.  I tested that the day after your post.  And on both of my systems with Hide Dot Files enabled, Windows doesn't show the files unless I have it display hidden files.  Not quite sure whether it's your Windows messing up or something in your smb-extra.cfg / smb.cfg files.

Thanks for checking. My smb-extra.cfg is empty. I cannot seem to locate smb.cfg anywhere under /boot. 

Link to comment
  • 2 months later...

I installed this plugin a few days ago and I'm having tons of what appear to be false positives. I can't quite understand why and hope someone can help. Last night for example I had more than a dozen attacks with the following or similar log:

 

Jan 1 03:18:09 Tower root: ransomware protection:
Jan 1 03:18:09 Tower root: ransomware protection:Service pid Machine Connected at Encryption Signing
Jan 1 03:18:09 Tower root: ransomware protection:---------------------------------------------------------------------------------------------
Jan 1 03:18:09 Tower root: ransomware protection:
Jan 1 03:18:09 Tower root: ransomware protection:No locked files
Jan 1 03:18:09 Tower root: ransomware protection:
Jan 1 03:18:09 Tower root: ransomware protection:Gathering Inventory Of Old Bait Files
Jan 1 03:18:09 Tower root: ransomware protection:Found 40 previous bait files.
Jan 1 03:18:09 Tower root: ransomware protection:Starting Background Monitoring Of Bait Files
Jan 1 03:18:49 Tower root: ransomware protection:Deleted 29 bait shares
Jan 1 03:18:49 Tower root: ransomware protection:Creating Folder Structure
Jan 1 03:18:49 Tower root: ransomware protection:Double attack detected. Possible misconfigured settings allowing a share (downloads?) to be deleted locally
Jan 1 03:18:49 Tower root: ransomware protection:..
Jan 1 03:18:49 Tower root: ransomware protection:Possible Ransomware attack detected on file /mnt/user/suppose-Squidbait/.SquidBait-DO_NOT_DELETE.docx
Jan 1 03:18:49 Tower root: ransomware protection:SMB Status:
Jan 1 03:18:49 Tower root: ransomware protection:
Jan 1 03:18:49 Tower root: ransomware protection:Samba version 4.5.10
Jan 1 03:18:49 Tower root: ransomware protection:PID Username Group Machine Protocol Version Encryption Signing

 

I'm confident there is no malware on my machine, or network, so I'm not sure how to identify what is the trigger here or what settings to change to avoid these false positives. Can anyone help

Link to comment
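As an added example that is not part of this thread or of the plugin itself, here is a small Python parser for the plugin's syslog lines, so an excerpt like the one above can be triaged quickly: which bait file tripped the alert, whether a "double attack" was flagged, how many bait files the plugin inventoried, and how many seconds passed between that inventory and the alert. The sample lines are copied from the excerpt above; the event names and field names are my own choice.

```python
import re
from collections import Counter
from datetime import datetime

# Sample lines copied from the syslog excerpt in the post above (hostname "Tower").
SAMPLE_LOG = """\
Jan 1 03:18:09 Tower root: ransomware protection:Found 40 previous bait files.
Jan 1 03:18:09 Tower root: ransomware protection:Starting Background Monitoring Of Bait Files
Jan 1 03:18:49 Tower root: ransomware protection:Deleted 29 bait shares
Jan 1 03:18:49 Tower root: ransomware protection:Double attack detected. Possible misconfigured settings allowing a share (downloads?) to be deleted locally
Jan 1 03:18:49 Tower root: ransomware protection:Possible Ransomware attack detected on file /mnt/user/suppose-Squidbait/.SquidBait-DO_NOT_DELETE.docx
Jan 1 03:18:49 Tower root: ransomware protection:SMB Status:
Jan 1 03:18:49 Tower root: ransomware protection:Samba version 4.5.10
"""

# One syslog line from the plugin: timestamp, host, then the plugin's own message.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) root: "
    r"ransomware protection:(?P<msg>.*)$"
)

# Message shapes seen in the excerpt, each mapped to an event name (names are mine).
MSG_PATTERNS = [
    ("attack", re.compile(r"^Possible Ransomware attack detected on file (?P<path>.+)$")),
    ("double_attack", re.compile(r"^Double attack detected")),
    ("bait_inventory", re.compile(r"^Found (?P<count>\d+) previous bait files")),
    ("bait_shares_deleted", re.compile(r"^Deleted (?P<count>\d+) bait shares")),
]


def parse_line(line):
    """Return a dict describing one plugin log line, or None for unrelated lines."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    event = {"ts": m["ts"], "host": m["host"], "event": "other", "msg": m["msg"].strip()}
    for name, pattern in MSG_PATTERNS:
        pm = pattern.match(event["msg"])
        if pm:
            event["event"] = name
            event.update(pm.groupdict())
            break
    return event


def _to_time(ts):
    # Syslog timestamps carry no year; strptime defaults to 1900, which is fine for deltas.
    return datetime.strptime(ts, "%b %d %H:%M:%S")


def summarize(log_text):
    """Condense a run of plugin log lines into the facts needed to triage an alert."""
    events = [e for e in (parse_line(line) for line in log_text.splitlines()) if e]
    counts = Counter(e["event"] for e in events)
    inventories = [e for e in events if e["event"] == "bait_inventory"]
    attacks = [e for e in events if e["event"] == "attack"]
    gap = None
    if inventories and attacks:
        gap = (_to_time(attacks[0]["ts"]) - _to_time(inventories[0]["ts"])).total_seconds()
    return {
        "counts": dict(counts),
        "attack_files": [e["path"] for e in attacks],
        "double_attack": counts["double_attack"] > 0,
        "bait_files_found": [int(e["count"]) for e in inventories],
        "seconds_from_inventory_to_alert": gap,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the sample, the summary shows one alert on a SquidBait file, a "double attack" flag, 40 bait files inventoried and 29 bait shares deleted in the 40 seconds before the alert fired, which is the kind of timeline worth checking before assuming an intruder: the plugin's own bait housekeeping, or a scheduled job such as mover, may be the thing touching the bait.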

Odd. You can go to the plugin settings, stop the service and click delete all bait, and start the service so it can generate new bait. See if that fixes your issue. The only way there should be false positives is if the bait is going missing. I also don't use bait shares, just bait files.

Link to comment
14 minutes ago, be4con said:

dozen attacks

Something on your network is modifying/deleting those file(s)

 

In the actual attack history, there may be clues as to what IP address is triggering it.  It is a "double attack", which means that many mods happened in very quick succession, so it's probably benign and could very well be a misconfigured app on your server or something like that.

 

Question though.  Is mover running when that took place?

  • Like 1
Link to comment

What is mover? I guess as I'm asking that question the answer is no :)

 

I think the issue is to do with incomplete deletion of previous bait files, if that's possible.

 

I originally had the plugin set to place bait files in all folders but found that was causing me issues. So I deleted previous bait files and then set to place in root only. It looks like the deletion of existing bait files didn't complete before a server reboot, and then it looks like it picked up again on restart and that triggered the attack warnings. Does that sound possible?

 

After ensuring all files had finished deleting it seems the false positive stopped.

 

I do have another problem though. Suddenly many of my files have changed permissions and I am being denied the access to delete or modify them. This seems to have happened since I installed the plugin. Any idea how I get my permissions back for 'nobody'?

 

EDIT - it looks like this Ransomware plugin is misbehaving. After posting above, I ran fix permissions (docker safe) and still couldn't modify the files. So, I checked my shares (which I should have done previously I guess) and Unraid reports that all my shares are in read only mode due to the Ransomware plugin:

 


However when I go to the plugin settings it reports that the SMB is not in read only mode. So I'm stuck with files in read only due to this plugin but can't correct that because the plugin claims they aren't.

 


Help!

 

If I uninstall the plugin will my files return to RW? Is there anything else I can do?

Edited by be4con
Link to comment

When you write files and have a cache drive, the machine will offload those writes to the SSD because it's faster; then the mover will force those files off the SSD/cache drive onto the HDD storage. The mover runs on a cron job, IIRC, to automatically move files from cache to long term storage.

 

Sometimes the system will just add a label to the HDD or the share that they are read only; sadly, if you fix the problem and it goes back to R/W, that label can still remain. You can manually go into the settings of the drive or share and remove that label. It's only meant for you to notice in case of a problem. I use the plugin and I have no issues. I've been using it for a long time now. Plugin works like a boss. Make sure something or someone isn't "organizing" your files by deleting or moving ANY bait files, even if they are visible. This will trigger the plugin to go on lockdown.

Link to comment
On 1/6/2018 at 6:06 AM, Darksurf said:

When you write files and have a cache drive, the machine will offload those writes to the SSD because it's faster; then the mover will force those files off the SSD/cache drive onto the HDD storage. The mover runs on a cron job, IIRC, to automatically move files from cache to long term storage.

 

Sometimes the system will just add a label to the HDD or the share that they are read only; sadly, if you fix the problem and it goes back to R/W, that label can still remain. You can manually go into the settings of the drive or share and remove that label. It's only meant for you to notice in case of a problem. I use the plugin and I have no issues. I've been using it for a long time now. Plugin works like a boss. Make sure something or someone isn't "organizing" your files by deleting or moving ANY bait files, even if they are visible. This will trigger the plugin to go on lockdown.

Thanks, but that isn't what happened. Whilst I was waiting for a response I did work out that I could manually set each share back to R/W, so I shouldn't have panicked, but the plugin had both left the comment and set all the shares to read only. That persisted regardless of what I did with the plugin.

 

I resolved it by setting the shares manually back to R/W and deleting the comments. I then uninstalled the plugin. There is no question that, in this respect, it wasn't behaving as it should do on my server. I have also found that if you set the plugin to recreate bait files/shares on restart then that seems to trigger false +ves - it is the plugin deleting the previous shares that seems to trigger the alerts. Again, I doubt this is what is supposed to happen so it may just be me who is seeing this. If I change the option to use existing shares/files then those false +ves stop.

 

In addition to this issue with persistent 'read only' status, it is also not hiding the bait shares or bait files despite both being selected. That's not a biggie, but it does make the network tree look a mess in Windows with all the bait shares showing. How do others deal with that?

 

I really want to love this plugin, and I totally appreciate the effort that went into creating it. I have just reinstalled it so we will see if it behaves better on my server this time.

Link to comment
6 hours ago, Ryonez said:

Also the plugin says it requires the inotify plugin from nerd tools. Nerd tools doesn't have this available to install.

inotify has been included in unRaid for a bit now

 

The images being like that are because of changes that photobucket made ~ 6 months ago.  You'll see images like that scattered across the web 

Link to comment
Quote

The images being like that are because of changes that photobucket made ~ 6 months ago.  You'll see images like that scattered across the web 

 

I know, I do see images like that around. Which is why my initial impression is this plugin is out of date. Especially with it asking for things it doesn't need if it doesn't really need them.

Will you be updating the plugin at any point? Does it still work?

By the way I've been using a few of your plugins, you've done some damn fine work. Thank you for your work!

Link to comment
  • 1 month later...

I have been reading about how this plugin works, and I have an alternative method that might work as well (rumor has it that @Squid likes feature creep). Hopefully I didn't miss a post in this thread where someone already talked about this method; I tried to read through the whole thing before posting.

 

I have some experience detecting ransomware in Windows environments, and we use a slightly different method to detect it on file shares that could be appealing to some here. Instead of using bait files we just monitor files against a list of known extensions and file-names used by ransomware, and use a white-list to override it for application specific extensions that we might have in our environment.


The pros:
- You know when a file gets modified without relying on the ransomware to pick your bait files/shares first

- You don't have bait files/shares

The cons:

- One of your actual files has to be encrypted before you know it's happening (though if a bait file is not picked first, you may still be in the same boat or worse)

- You are relying on a list to be kept up-to-date

 

I would love to now offer you some code and a more concrete explanation of how I think this could be implemented, but it has been some time since I had to do anything beyond the most basic scripting in Linux. I'm also assuming that this is possible, and not a burden on the system; I just don't have enough experience to guess at this point.

Windows reference materials (the first link maintains a list of known bad files/extensions here):
https://fsrm.experiant.ca/

https://community.spiceworks.com/how_to/100368-cryptolocker-canary-detect-it-early

 


Another alternative is some kind of behavior monitoring (i.e. watching for encryption), but I suspect that is far more difficult to implement. (We use this as well, but pay handsomely for the feature.)

Regardless, thank you for the plugin (and all the others).

-JTok

Quick Edit: Forgot to mention that I've seen fail2ban used for something similar by reviewing samba logs. The original is in German, so here is the google translate link and the original. Not sure it makes sense to use in this case, but hey, I'm told that knowledge is power.
Translated:
https://translate.google.com/translate?sl=auto&tl=en&js=y&prev=_t&hl=en&ie=UTF-8&u=http%3A%2F%2Fwww.heise.de%2Fsecurity%2Fartikel%2FErpressungs-Trojaner-wie-Locky-aussperren-3120956.html&edit-text

Original:
https://www.heise.de/security/artikel/Erpressungs-Trojaner-wie-Locky-aussperren-3120956.html

Edited by JTok
forgot to include fail2ban method
Link to comment
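The extension/file-name approach JTok describes above, as an added example that is not part of this thread, the plugin, or the linked FSRM list: a Python scanner that walks a share, matches each file name case-insensitively against a list of known-bad patterns (ransomware-appended extensions and ransom-note names), and lets a path-based allow-list override a hit for application-specific extensions. The pattern lists below are a constructed subset for illustration, not the maintained list, and the sample share layout is built in a temporary directory so the script runs offline.

```python
import fnmatch
import os
import tempfile

# Constructed subset of the kind of patterns a maintained list carries: extensions
# ransomware appends to encrypted files and the names of dropped ransom notes.
# Matched case-insensitively against the bare file name, since Windows clients
# do not distinguish case.
BAD_NAME_PATTERNS = [
    "*.locky",
    "*.zepto",
    "*.crypt",
    "*.encrypted",
    "_help_instructions.html",
    "*help_decrypt*",
]

# Allow-list matched against the share-relative path. A match here overrides a hit
# above, which is how application-specific extensions are tolerated (constructed example).
ALLOW_PATH_PATTERNS = [
    "appdata/vault/*.crypt",
]


def classify(rel_path, bad=BAD_NAME_PATTERNS, allow=ALLOW_PATH_PATTERNS):
    """Return the bad-name pattern matching rel_path, or None if clean or allow-listed."""
    rel = rel_path.replace(os.sep, "/").lower()
    name = rel.rsplit("/", 1)[-1]
    for pattern in bad:
        if fnmatch.fnmatchcase(name, pattern):
            if any(fnmatch.fnmatchcase(rel, a) for a in allow):
                return None
            return pattern
    return None


def scan_tree(root, bad=BAD_NAME_PATTERNS, allow=ALLOW_PATH_PATTERNS):
    """Walk a share and return sorted (share-relative path, matched pattern) pairs."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            rel = os.path.relpath(os.path.join(dirpath, fname), root).replace(os.sep, "/")
            reason = classify(rel, bad, allow)
            if reason is not None:
                hits.append((rel, reason))
    return sorted(hits)


def build_sample_share():
    """Create a constructed share layout in a temp dir and return its root path."""
    root = tempfile.mkdtemp(prefix="sample-share-")
    sample_files = [
        "docs/report.docx",              # clean
        "docs/report.docx.locky",        # encrypted copy, should be flagged
        "docs/_HELP_instructions.html",  # ransom note, should be flagged
        "downloads/movie.crypt",         # matches *.crypt and is not allow-listed
        "appdata/vault/store.crypt",     # matches *.crypt but is allow-listed
    ]
    for rel in sample_files:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("sample content\n")
    return root


if __name__ == "__main__":
    for rel, pattern in scan_tree(build_sample_share()):
        print(f"{rel}  <-  {pattern}")
```

Because the bad patterns apply to the file name and the allow-list to the full relative path, a legitimate application can be exempted narrowly (one directory, one extension) without silencing the same extension elsewhere on the share. On a periodic scan the same `classify` check can be applied to just the files modified since the last run, which keeps the cost proportional to change rather than share size.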

Having a minor issue. I was tidying up one of my shares of some junk files and in a mass delete set off the ransomware protection. Now all is fine that way... worked as advertised, but I can't access the server at all from my PC now. I have no issue getting into it from my phone, but even after resetting the SMB from read only I can't access it at all. Prob something simple but I just couldn't see it.

 

EDIT

 

A server reboot solved it. Can disregard.

Edited by tazire
Link to comment

Have you tried the instructions from the users manual?

settings>Ransomware Protection (scroll to the bottom).



The Lock Icon
 

At any time, if you click the lock icon, your server will immediately go into read-only mode where all network shares through either SMB or AFP will be set to read-only mode. Useful if you want to manually trigger read-only for one reason or another. After read-only has been set either through clicking the icon, or via detected ransomware attack, the lock will be replaced by a different link which will allow you to restore read/write access.

Link to comment
  • 3 weeks later...

Just updated to Unraid 6.5 and the web gui has started timing out after a successful update and restart.

 

I am getting a number of these messages in my log and wondered if the plugin is busy doing something that is causing the gui to timeout?
 

Quote

 

Mar 15 12:56:28 Tower root: ransomware protection:Waiting For deletion of bait files to complete
Mar 15 12:56:58 Tower root: ransomware protection:Waiting For deletion of bait files to complete
Mar 15 12:57:28 Tower root: ransomware protection:Waiting For deletion of bait files to complete

 

 

Is this normal and I should just leave it to complete, or is the plugin misbehaving?

 

I am guessing there are a dozen of so of these messages ..

Edited by local.bin
Link to comment
36 minutes ago, local.bin said:

 

Ok sure.

 

It's been going for nearly an hour now and it's a Xeon system, so no slouch..

Maybe you're having disk I/O problems. Anything else in the syslog?

Or maybe you have a ridiculous number of bait files? Did you have it putting bait in plex appdata or something?

Link to comment
1 minute ago, trurl said:

Maybe you're having disk I/O problems. Anything else in the syslog?

Or maybe you have a ridiculous number of bait files? Did you have it putting bait in plex appdata or something?

 

Nothing in the logs, no, and I am not sure about plex; I don't think so, but I have gotten back to the gui, but things are sluggish, so I have selected a stop to try and reboot.

 

If I can get the gui back fully I can check further, I guess.

Link to comment
  • 4 weeks later...
On 2/26/2018 at 2:48 AM, Squid said:

Just discovered that not everything is working 100% correct on 6.4.  Working through it.  A reboot will probably fix the can't access shares after trigger thing.  Or alternatively, settings - SMB settings, disable then re-enable it

 

This issue seems to persist on 6.5 too.  Once I trigger a false alarm with the plugin by deleting a file in the monitored shares, the server shuts SMB down and resetting the plugin does not reset the SMB access.  It is totally gone and only a stop of the array and a restart of the array restores access.  I seem to recall the SMB shares would go to read only before on 6.3.  They didn't completely go off-line.  I am only using bait shares and not using bait files.

Link to comment
  • 4 weeks later...

Has anyone figured out why it triggers an attack while copying files over to the shares? This just started to happen about end of Feb and to fix you have to reboot the server. I was having no issue with it before then and it has worked great up until then. No major changes that I know on my part unless an update changed it. Just curious I love the plugin but if it keeps doing this I am going to have to disable it since I load stuff to it from SMB connect often. Thanks ahead if someone has figured it out.

Link to comment
  • 1 month later...

Fix common problems is telling me that this plugin is no longer compatible and needs to be uninstalled. Plugin v2018.01.09.

 

Quote

newransomware.bait.plg Not Compatible with unRaid version 6.5.2

 

The author (or moderators of Community Applications) of the plugin template (https://raw.githubusercontent.com/Squidly271/ransomware.bait/master/plugins/newransomware.bait.plg) has specified that this plugin is incompatible with your version of unRaid (6.5.2).

 

You should uninstall the plugin here: Minimum OS Version: 6.2.1 Maximum OS Version: 6.4.1

 

Link to comment
