Skip to content
View in the app

A better way to browse. Learn more.

Unraid

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

[Plugin] Ransomware Protection - Deprecated

Featured Replies

  • Author
1 hour ago, squirrellydw said:

should all the squidbait shares be public or is it better to have them as Secure?

Better as public.  You want to make them as accessible as possible

 

1 hour ago, squirrellydw said:

My Disk shares say Read Only Mode, is that correct?  If not how do I fix it?  Thanks

I had a typo that was preventing the disk shares / comments from being properly restored.  Updating the plugin corrects the typo, and will also remove the existing comments (if you had done multiple test trips).  However, a reboot may be required after installing the update for unRaid to pickup the comment changes...

  • Replies 449
  • Views 114.9k
  • Created
  • Last Reply

Top Posters In This Topic

Most Popular Posts

  • @Squid Fingers crossed he doesn't delete the thread to destroy the evidence..... 

  • I know this thread is positively ancient, but I'm one of the apparently rare few still running this plugin on both my Unraid boxes running v6.11...and just testing it again now due to all the people s

  • It's tailored to unRaid, and takes the approach of waiting for an attack to happen against certain files and when that happens stops all smb write access regardless of how inconvenient that may be to

Posted Images

@Squid  Thanks update and reboot fixed it.  Cache drive still says Read Only Mode.

  • Author
3 hours ago, squirrellydw said:

@Squid  Thanks update and reboot fixed it.  Cache drive still says Read Only Mode.

oops.  Go to Main, Cache Devices, Click on Cache, and you can manually edit the comment out...

thanks that worked

On 5/18/2017 at 6:46 PM, Squid said:

It's tailored to unRaid, and takes the approach of waiting for an attack to happen against certain files and when that happens stops all smb write access regardless of how inconvenient that may be to you.  IE:  It's your absolutely last line of defense, and should never be your first and/or only...

 

https://github.com/Squidly271/ransomware.bait/

 

Have you ever though of making it a CLI tool and portable to other Linux distros? I know this is last line of defense material, but its lightweight and excellent for what it does. I can easily see this becoming a tool businesses would love in their arsenal. Seriously man, you've got a winner here. I love unraid, but small medium business and corporate uses other distro's. This could be a big deal!

@Darksurf How would you transition the shares to Read-Only mode on other Linux variants? Or do you mean to make it a passive-only that monitors then when it gets tripped to send a Notification? I suppose it could just have hook-files to be executed on tripped, then leave it up to others to get the nitty-gritty for their specific situations.

48 minutes ago, BRiT said:

@Darksurf How would you transition the shares to Read-Only mode on other Linux variants? Or do you mean to make it a passive-only that monitors then when it gets tripped to send a Notification? I suppose it could just have hook-files to be executed on tripped, then leave it up to others to get the nitty-gritty for their specific situations.

It would boil down to either editing the samba.conf file or even better, just stop the samba service 'systemctl stop samba.service' and send notifications and log problems.

I just had to chime in. I'm loving this program. I'v had two alarms. Seem false thou.  something deleted 

 

Time Of Attack:Sat, 27 May 2017 14:07:42 -0500

Attacked File: /mnt/user/YaBills\home2-conquered/

 

&

 

Time Of Attack:Sat, 27 May 2017 23:57:06 -0500

Attacked File: /mnt/user/crashed-Fame/.SquidBait-DO_NOT_DELETE.docx
 

Locked files:
Pid          Uid        DenyMode   Access      R/W        Oplock           SharePath   Name   Time
--------------------------------------------------------------------------------------------------
23926        1000       DENY_NONE  0x20081     RDONLY     NONE             /mnt/user/crashed-Fame   SquidBait-DO_NOT_DELETE.jpg   Sat May 27 23:56:54 2017
23926        1000       DENY_NONE  0x100081    RDONLY     NONE             /mnt/user/crashed-Fame   .   Sat May 27 23:56:53 2017

 

Even thou it might be false. I still love the fact it there. Plus it help me learn how to protect myself and not get comfortable. 

 

Backup are our friends. Thank you again for this plug-in and adding to unRaid

 

  • 3 weeks later...

I've installed this plugin but seem to keep having false positives, I'm not using any shares (they exist but nobody is using anything able to see the shares or accessing them)  I'm just setting up the actual unRaid and keep getting notifications about bait files triggered....

Edited by ceyo14

  • Author
On 6/12/2017 at 11:57 PM, ceyo14 said:

I've installed this plugin but seem to keep having false positives, I'm not using any shares (they exist but nobody is using anything able to see the shares or accessing them)  I'm just setting up the actual unRaid and keep getting notifications about bait files triggered....

Hard to say.  Generally, something is modifying / deleting the file(s).

  • 3 weeks later...

Hey Squid,

 

Been reading a little about this and it sounds awesome. You are a very gifted person to design and implement something like this. I do have a few questions and don't think they have been asked but if they have please forgive me.

 

1) Is it better to have bait files or bait shares. I have about 15 shares SMB/NFS.

2) Will NFS be implemented on this? I have about 6 NFS shares. 

3) Being i have NFS Shares would the bait files or bait shares be created for those shares as at this time NFS is implemented.

4) I automatic backups going on for systems in my house. Would this trigger a false alarm?

5) What are the most secure way to implement this, using bait files or bait shares?

6) what are the odds of someone reading this and implementing ransomware to ignore your bait files or shares and go after every other file instead? 

7) Does this tell you the file or shares where items would be deleted?

 

So sorry for so many questions and if they have been asked before i am sorry. Thanks for any help in advance and this does sound like an awesome plugin. 

Edited by kjoconis

  • Author
1 hour ago, kjoconis said:

You are a very gifted person to design and implement something like this

@RobJ's ideas

 

1 hour ago, kjoconis said:

Is it better to have bait files or bait shares. I have about 15 shares SMB/NFS.

Bait Files are more secure, but more prone to inadvertent trips.  Bait Shares are more convenient and less prone to inadvertent trips

 

1 hour ago, kjoconis said:

Will NFS be implemented on this? I have about 6 NFS shares. 

Your #1 attack vector by far is via SMB.  NFS, a while ago I had asked for help on how to make a NFS share read-only in unRaid's implementation, but nobody could / would answer the question (short of modifying the permissions on the files which I don't want to do)

1 hour ago, kjoconis said:

I automatic backups going on for systems in my house. Would this trigger a false alarm?

If the automatic backups delete any files in the destination share that doesn't exist on the source, and those files are bait files, then yes.  An attack is an attack.

1 hour ago, kjoconis said:

What are the most secure way to implement this, using bait files or bait shares?

Bait Files in all directories and Bait Shares.  Unless you're in 100% control of the files on the server though, Bait Files in the root only with Bait Shares.  If you don't have 100% control (other users regularly accessing / deleting their own files from folders, etc, Bait Shares only are your best bet).  My self, I use 20 Bait Shares (containing ~1,000,000 bait files) and bait files within root of shares only.

1 hour ago, kjoconis said:

what are the odds of someone reading this and implementing ransomware to ignore your bait files or shares and go after every other file instead? 

If a malware author was going to try and work around this implementation, it would be nothing for them to ignore the default naming of the Bait Files.  But, you can change those how you wish to avoid that problem.  But, you have the option to create and use your own Bait Files.

 

Bait Shares.  Anything is possible, but the file names are all randomized, and are named in a variety of different ways that IMHO simulate the naming of files that would be present in somebody's work computer.  

 

Would any of the authors go through the trouble of trying to get around this plugin?  Doubt it, but you never know.

1 hour ago, kjoconis said:

Does this tell you the file or shares where items would be deleted?

 

On an attack, there is an attack log that does specify which particular file was attacked.

 

 

 

Best that I can say is that of the 2 users that I know of in this forum that have been hit with a ransomware attack (wannacry), neither one of them were running this plugin.  I wish they were.

Edited by Squid

Squid:

 

I will chime in and give you a big 'thanks' for the plugin. Installed and seems to be working great on my rig.

 

One thing that would be nice - I would like to get an email whenever the system detects and sets the shared to read only. I see that there is the ability to run a custom script on detection.

 

Would you or anyone else out there be able to knock up a quick email script that would work with GMail? I do not have the Linux chops to pull this off in any reasonable time. I figured if I had to do this myself, email would be obsolete by the time I was able to make it work ;-)

 

I figured it would be pretty trivial for someone to throw a script together. I am OK to make modifications to a script, but would like to see a sample.

 

Cheers,

Brian (fellow Canuk, by the looks of you signature)

  • Author
11 minutes ago, bjmcintosh said:

One thing that would be nice - I would like to get an email whenever the system detects and sets the shared to read only. I see that there is the ability to run a custom script on detection.

Admittedly, I'm not in the "right frame of mind" at the moment, but I'm sure that sure that it does that automatically without any option to disable.  Assuming of course that you have set up notifications properly in unRaid.

 

13 minutes ago, bjmcintosh said:

(fellow Canuk, by the looks of you signature)

 

39 minutes ago, bjmcintosh said:

I would like to get an email whenever the system detects

Do you not have unRAID Notifications setup? You really should and for a lot more reasons than just this plugin.

Trurl - thanks for the reminder. Duh - did not have notifications set up at all.

 

I will play with a ransomware file and, when triggered, I should see a notification.

 

Thx,

Brian

 

PS: Squid - thanks for the Canada rant!

I am going to use unbalance to move some files around and make room for a new disk in my array. Would it be easiest to shut down ransomware protection, then recreate bait files as if it is a new install?

  • Author
2 hours ago, bjmcintosh said:

I am going to use unbalance to move some files around and make room for a new disk in my array. Would it be easiest to shut down ransomware protection, then recreate bait files as if it is a new install?

Stop the service, then delete the files, then move, then recreate

 

Thanks - I figured this was the way to go. Thanks for the confirmation.

 

Brian

  • 2 weeks later...

Hi all,

 

When I stop the services I find the plugin is back on after reboot. How do I turn it off a little more permanently (other than uninstalling)?

 

Cheers, Deeks

  • Author

Disable both the use shares and use bait files.

Sent from my LG-D852 using Tapatalk

Thanks for pointing this out, probably would not have found out to disable both options straight away.

  • 3 weeks later...
  • Author
5 minutes ago, kjoconis said:

Hey Guys,

 

Finally installed this plugin and so far so great..Question..I have bait file placement in all folders and shares but i don't see the files..I even choose to not hide bait files but they are still hidden. I would rather not see them but i just wanted to know that they are their. Like i said i have bait files not hidden but they are still not showing....any thoughts...thanks guys..

Is bait files enabled?  Does bait files show as running?  What does it state for number of bait files being monitored?

2 minutes ago, kjoconis said:

what commands?? Sorry for newbi question..

I think you posted this in the wrong thread.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

Account

Navigation

Search

Search

Configure browser push notifications

Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.