[Plugin] Ransomware Protection - Deprecated


Squid


I was looking at fixing the compatibility yesterday, and decided it was just too much of a major redesign effort to get it to properly handle things in the event of an attack.

 

The plugin will detect properly.  The issue is that smb will not restart once stopped and redone for readonly access, which forces you to stop / start the array to get things back to normal.  If you can live with that, then there's no reason to uninstall.  

 

That, and since day one, I have always felt that this was a reactive approach vs a proactive approach, and your best line of defense is to stop everything at the source.  (And if you were observant, this plugin was never branded under the CA moniker)

 

To actually answer your question, it's doubtful.  Hard for me to get into something that I don't use.

 


The best approach imho is to shut off everything. Just bomb out the server.  Force stop everything if required.

 

It's an attack so I'd rather the server went offline than lose my data (although I have a 3-2-1 backup approach).

 

Is it possible to shut off all disks and terminate network connections to prevent a smart virus from attacking remote backup servers?

Edited by jj_uk
12 hours ago, BRiT said:

Anyone who is concerned about their data, if it's read-only patterns, should be using 'chattr +i' to make the data immutable.

Anyone using btrfs can also just setup regular snapshots, they can be read-only so a good protection against ransomware.

  • Upvote 1

Hello Squid,

 

I would really appreciate if you could update this plugin 

 

I would be fine with having to manually restart the array after a ransomware detection

 

if all it can take is visiting a site with a bad advert ...

https://blog.malwarebytes.com/threat-analysis/2015/04/booby-trapped-hugo-boss-advert-spreads-cryptowall-ransomware/

 

I spent several weeks years ago fighting with facebook over an advertising site they had in their ad rotation with a hijacked robots.txt file

It led to a website locking up your browser and claiming your computer was infected

... and their answer was cool you tracked down all the involved ip's and url's down ...

we could care less about protecting you from this

it's not our job and not our problem ... not our website ...

they suggested maybe I just put the url's in my hosts file as 127.0.0.1

I asked about all the users that might fall for that scam in question.

Facebook's stance on this issue may have changed since ... but at the time I was pretty angry.

 

Thanks for your time,

and putting up with my rant ...

Bobby

  • 4 weeks later...

Got hit with what I think was a false positive this morning at about 06:01:32. I think a bait file suddenly disappeared while unraid was running Community Applications appData Backup. It reported a possible attack on /mnt/user/BackupbyCABackup_usb/.SquidBanking-DO_NOT_DELETE.xlsx

 

When I look at the log, I noticed Community Applications appData Backup started running at about 0600 and this was in the log. The only line in the system log around that time referencing that folder is this:

 

Jul  7 06:01:31 Tower CA Backup/Restore: Using command: /usr/bin/rsync  -avXHq --delete  --log-file="/var/lib/docker/unraid/ca.backup2.datastore/appdata_backup.log" /boot/ "/mnt/user/BackupbyCABackup_usb/" > /dev/null 2>&1
 

I'm not 100% familiar with what is being done on this line, but after looking up the options for rsync it appears the destination folder has any extraneous files removed by the --delete option. So I assume what happened is the backup was removing the bait files in the folder when it backed up to that share, causing a report of ransomware. Odd that this action hasn't happened before, though the backup is set to run at 0600 on the 7th day of every month... so the program is expected to run. I just never had a ransomware attack notice before. Wondering if one of the programs was recently changed and caused the new notice with a change in something.

 

I'm adding the folder to the exclude from placing a bait file in the folders. Thought that was already set, but I guess I didn't.

 

Am I correct in what looks to be the cause of this notice?

Edited by tnorman
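The false positive described in the post above (a scheduled mirror job with --delete pruning the bait file from its destination share) is easy to reproduce with a small bait-file monitor that honours an exclusion list. The following is an added example written for this thread, not the plugin's own code: it plants one bait file per share, skips excluded shares, and reports bait files that go missing or whose contents change. Only the bait file name comes from the post; the share names, the flash-drive contents and the mirror_with_delete stand-in for rsync --delete are constructed for the example.

```python
"""Bait-file monitor with an exclusion list (constructed example, not the plugin's code)."""
import hashlib
import shutil
import tempfile
from pathlib import Path

# Bait file name as reported in the thread; the contents are constructed for this example.
BAIT_NAME = ".SquidBanking-DO_NOT_DELETE.xlsx"
BAIT_CONTENT = b"decoy spreadsheet: legitimate jobs never read or write this file\n"
BAIT_DIGEST = hashlib.sha256(BAIT_CONTENT).hexdigest()


def place_bait(shares_root, excluded):
    """Drop one bait file in each share under shares_root, skipping excluded share names."""
    placed = []
    for share in sorted(p for p in Path(shares_root).iterdir() if p.is_dir()):
        if share.name in excluded:
            continue
        bait = share / BAIT_NAME
        bait.write_bytes(BAIT_CONTENT)
        placed.append(bait)
    return placed


def check_bait(placed):
    """Return (path, reason) for each bait file that is missing or whose content changed.

    A missing file is what a backup job pruning its destination produces (the false
    positive from the post); a changed file is what an encrypting process leaves behind.
    """
    alerts = []
    for bait in placed:
        if not bait.exists():
            alerts.append((str(bait), "missing"))
        elif hashlib.sha256(bait.read_bytes()).hexdigest() != BAIT_DIGEST:
            alerts.append((str(bait), "modified"))
    return alerts


def mirror_with_delete(src, dst):
    """Constructed stand-in for 'rsync -a --delete src/ dst/': afterwards dst holds exactly
    what src holds, so any file that existed only in dst (such as a bait file) is gone."""
    dst = Path(dst)
    if dst.exists():
        shutil.rmtree(dst)
    shutil.copytree(src, dst)


def simulate(exclude_backup_target, tamper_documents=False):
    """Build a throwaway share tree, run the monitor around a mirror job, return alerts
    as (path relative to the shares root, reason)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        flash = root / "boot"                     # what the backup job copies (constructed)
        flash.mkdir()
        (flash / "config.txt").write_text("constructed flash drive contents\n")
        shares = root / "mnt_user"                # stand-in for /mnt/user (constructed)
        shares.mkdir()
        for name in ("Documents", "Media", "BackupbyCABackup_usb"):
            (shares / name).mkdir()

        excluded = {"BackupbyCABackup_usb"} if exclude_backup_target else set()
        placed = place_bait(shares, excluded)

        # The scheduled backup mirrors the flash drive into its destination share.
        mirror_with_delete(flash, shares / "BackupbyCABackup_usb")
        if tamper_documents:
            # Constructed stand-in for a process rewriting a file it has write access to.
            (shares / "Documents" / BAIT_NAME).write_bytes(b"not the original bytes\n")
        return [(Path(p).relative_to(shares).as_posix(), why) for p, why in check_bait(placed)]


if __name__ == "__main__":
    print("no exclusion  :", simulate(False))
    print("with exclusion:", simulate(True))
    print("tampered      :", simulate(True, tamper_documents=True))
```

Without the exclusion the monitor reports the backup destination's bait file as missing, exactly the notice in the post; with the destination excluded the mirror job runs silently, and a rewritten bait file elsewhere is still reported as modified.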

BTW the attack history shows this: (I've removed part of the IP address, which actually corresponds to my main computer. And I changed the username to tempuser. Not sure why it is reporting this user but it is the only one I regularly use for transferring via Samba.)

 

Time Of Attack:Sat, 07 Jul 2018 06:01:32 -0600
Attacked File: /mnt/user/BackupbyCABackup_usb/.SquidBanking-DO_NOT_DELETE.xlsx
Samba version 4.6.12
PID     Username     Group        Machine                                   Protocol Version  Encryption           Signing
----------------------------------------------------------------------------------------------------------------------------------------
2997    tempuser    users        192.168.*.*(ipv4:192.*.*:56861)    SMB3_11           -                    partial(AES-128-CMAC)

Service      pid     Machine       Connected at                     Encryption   Signing
---------------------------------------------------------------------------------------------
IPC$         2997    192.168.*.*  Fri Jul  6 17:13:32 2018 MDT     -            -

No locked files


So just got told by the Fix Common Problems plugin that newransomware.bait.plg is deprecated.

 

"This plugin has been deprecate and should no longer be used due to the following reason(s): While this plugin should still be functional, it is no recommended to continue to use it."

 

 


K. I didn't check the change log. Thank you for the info.

 

  • 3 weeks later...
On 7/10/2018 at 6:44 PM, tnorman said:

While this plugin should still be functional, it is no recommended to continue to use it."

 

@Squid sorry to ask, but exactly why are you marking it as not recommended? Does it not perform as you expected, or does it not 100% protect against ransomware and thus give a false sense of security? Sorry, looking at this remotely so I don't have access to CA or the changelog (can't see it in OP); interested in protecting myself a bit more against ransomware.

On 8/1/2018 at 4:54 AM, binhex said:

 

@Squid sorry to ask, but exactly why are you marking it as not recommended? Does it not perform as you expected, or does it not 100% protect against ransomware and thus give a false sense of security? Sorry, looking at this remotely so I don't have access to CA or the changelog (can't see it in OP); interested in protecting myself a bit more against ransomware.

The exact message is a generic "deprecated" message.

 

Basically, I don't use the plugin anymore, and don't believe that this is the correct approach.  A more pro-active system vs a reactive system like this is better IMHO.  Added to that, some of the features (namely switching to readonly instead of what it does now and simply stopping all access, period) no longer operate under 6.5, requiring a major rewrite.

  • Like 1
  • Upvote 1
14 hours ago, Squid said:

Basically, I don't use the plugin anymore, and don't believe that this is the correct approach.  A more pro-active system vs a reactive system like this is better IMHO.  

 

Can you elaborate on "a more pro-active system"?

 

While I was never a fan of the gigantic number of bait files, I certainly see advantage in relying on a system whose O/S is isolated from the rest of my network.  Otherwise, my server's overall safety is determined by the least secure machine (and user) in my house.  

6 minutes ago, johnny121b said:

a more pro-active system

Anti-virus is a plus.  Training your family to not click on links in an email is another.  Not executing a downloaded program without running it through a virus check.  chattr -i is probably the best for when you can use it.

 

Not mapping drives to a VM / barebones machine, and instead use IP addresses.  Won't stop it, but it does at least make it harder

Edited by Squid
17 minutes ago, Squid said:

Anti-virus is a plus.  Training your family to not click on links in an email is another.  Not executing a downloaded program without running it through a virus check.  chattr -i is probably the best for when you can use it.

 

Mmmmm....yeah.  That's not realistic....and not a better solution.  Malware is, by definition, proactive.  It's no longer enough to be suspicious of Nigerian Prince emails.  Bad things can arrive via ads that you don't even click on, via a webpage or popup....all without user interaction.  You can do everything right...and still become a victim.  Anyways...really sad to see it fall by the wayside after having its functionality torpedoed by UnRAID's advancement.  Thanks for the work you did on it all the same.

 

 

38 minutes ago, johnny121b said:

You can do everything right...and still become a victim

Which is why you need to keep everything (OS, browsers, software) up to date at all times.

 

39 minutes ago, johnny121b said:

really sad to see it fall by the wayside after having its functionality torpedoed by UnRAID's advancement

It's more than that.  Once I've completely lost interest in something, (and I no longer use it), when an unRaid change / enhancement winds up affecting functionality, I tend to deprecate the app or set it so that there's a maximum version that it will run on.  As @pluginCop will attest to, I'm hardest on myself in policing the app eco-system for unRaid.  unRaid's user base deserves the best applications / plugins.  Anything less than that is unacceptable.

 

In this case, I've deprecated it.  It still operates.  All the deprecation really does is make it a tad harder to install from scratch if you've never had it installed before, and let the user know that it'll be a miracle for any updates to happen to it.

 

 

15 minutes ago, BRiT said:

That's why you should be browsing the internet within a walled off VM Sandbox that doesn't have access to any of your data, if you want to truly protect it.

 

I AM probably the biggest risk on my network, but it isn't realistic to expect everyone in my house to live in a bubble.  I DO protect my data with backups, but restoring a large system would be a major task- a threat in-and-of-itself.  I'm not going to go nuts trying to lock down tablets and laptops, forbid PLEX, cripple my system's usability, and generally quadruple my workload while annoying everyone in the house (including myself), all for a dubious gain.  All-the-while, I have a server sitting there, 95% idle, that could be keeping a watchful eye on things, that isn't subject to the latest Windoze update, that isn't having things installed on it daily, that isn't surfing the internet, that has nothing more to do.....  I don't begrudge Squid for his choice, but that does not make offloading diligence to an 8-year old or a housewife....a better one.  

 

At the moment, this doesn't even affect me.  I'm stuck on 6.5.3 because of other issues.  I just pursued the point because I wanted to see IF there was something I wasn't aware of....as hinted by one of Squid's comments above.

 

11 minutes ago, johnny121b said:

At the moment, this doesn't even affect me.

Actually, it does.  The changes to make the plugin work on 6.5 also affect 6.3.5 (which is what I assume you meant) if you're running the last version of the plugin.

 

13 minutes ago, johnny121b said:

offloading diligence to an 8-year old or a housewife

Personally, I disagree there.  Not clicking random links in an email for example is something that has to be banged into everyone from birth.  None of the mobile devices in my house are connected to the same network as the rest of my equipment.  They're all on the guest network, as no one here ever uses mobile to actually access files except media in which case it runs through Plex anyways.

 

16 minutes ago, johnny121b said:

I'm not going to go nuts trying to lock down tablets and laptops

This plugin was the last security barrier.  And it could only protect your files that are stored on the array.  If you're subjected to an attack, sure, all of your movies would be safe.  But everything else on your network is now pooched.  The attack isn't coming through unRaid.  It's coming from another device on your network, and it will hit everything on the network.

 

You don't have to go nuts, or even be paranoid about all of this.  Basic precautions will suffice.  Even something as simple as forgoing public shares and only giving your son / wife RW access to the shares that they need it on will protect your files from the attack vector originating from their user.  Or giving Plex read-only access to your media (doesn't affect functionality at all).  

  • Upvote 1
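Squid's advice above (drop public shares, grant write access only where a user needs it, give Plex read-only access) can be checked mechanically against the share definitions in smb.conf. The following is an added example written for this thread, not part of the plugin or of Unraid: a small auditor that parses a constructed smb.conf and flags shares that guests can write to, or that every account with access can write to, alongside a hardened version that defaults each share to read only = yes and lists the accounts that need write access in write list. The share paths, user names and both configurations are constructed for the example; the Samba keys used (read only, writeable, guest ok, public, valid users, write list) are real.

```python
"""Audit smb.conf share definitions for over-broad write access (constructed example)."""
import configparser

# Constructed "before" configuration: a public writable media share and a documents
# share that every valid user can write to.
WEAK_SMB_CONF = """
[global]
workgroup = WORKGROUP
map to guest = Bad User

[Media]
path = /mnt/user/Media
public = yes
writeable = yes

[Documents]
path = /mnt/user/Documents
read only = no
valid users = son, wife, admin
"""

# Constructed "after" configuration: shares default to read-only and only the
# accounts that actually need to write are named in 'write list'.
HARDENED_SMB_CONF = """
[global]
workgroup = WORKGROUP

[Media]
path = /mnt/user/Media
read only = yes
valid users = plex, admin
write list = admin

[Documents]
path = /mnt/user/Documents
read only = yes
valid users = son, wife, admin
write list = son, wife
"""

TRUE_VALUES = ("yes", "true", "1", "on")   # spellings Samba accepts for a boolean


def _flag(section, *keys, default=False):
    """Look up the first of several synonymous Samba keys and parse it as a boolean."""
    for key in keys:
        if key in section:
            return section[key].strip().lower() in TRUE_VALUES
    return default


def share_writable(section):
    """'writable'/'writeable'/'write ok' are inverse synonyms of 'read only' (default yes)."""
    for key in ("writable", "writeable", "write ok"):
        if key in section:
            return _flag(section, key)
    return not _flag(section, "read only", default=True)


def audit_smb_conf(text):
    """Return (share, finding) pairs; an empty list means no over-broad share was found."""
    # [global] becomes the default section so its values apply to every share, as in Samba.
    cp = configparser.ConfigParser(strict=False, interpolation=None, default_section="global")
    cp.read_string(text)
    findings = []
    for share in cp.sections():
        sec = cp[share]
        guest = _flag(sec, "guest ok", "public")
        writable = share_writable(sec)
        if guest and writable:
            findings.append((share, "GUEST_WRITABLE"))      # no credentials needed to rewrite files
        elif guest:
            findings.append((share, "GUEST_READABLE"))
        if writable:
            # Every account that can reach the share can also rewrite everything on it;
            # 'read only = yes' plus a 'write list' limits that to the accounts named.
            findings.append((share, "ALL_USERS_WRITABLE"))
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_SMB_CONF), ("hardened", HARDENED_SMB_CONF)):
        print(label, audit_smb_conf(conf) or "no findings")
```

With read only = yes and a write list, an account that is compromised on a client machine can only damage the shares it was explicitly granted write access to; the Plex account in the hardened configuration can read media but cannot modify it.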

So I uninstalled the plugin before forgetting to cleanup all the squidbait files. I'm trying to search for it in the community applications to install again so I can remove all the files/folders generated by the plugin but I can't seem to find it anymore. What's the best way to remove all these files/folders?
