Skip to content
View in the app

A better way to browse. Learn more.

Unraid

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

[Plugin] Ransomware Protection - Deprecated

Featured Replies

  • Author

I haven't had a chance to play with this as of yet, but I'm really intrigued now.

I know on trigger it sets things to ReadOnly. Is there a way to "Return to Previous" State. Some of my Drives I have different settings depending on users, Disk Shares, User Shares

 

Would be nice to simply return to whatever settings I had on that particular drive/Share so I don't have to figure out what was changed and how it was before.

Yes there's a button to restore the settings

 

Sent from my LG-D852 using Tapatalk

 

 

  • Replies 449
  • Views 115.4k
  • Created
  • Last Reply

Top Posters In This Topic

Most Popular Posts

  • @Squid Fingers crossed he doesn't delete the thread to destroy the evidence..... 

  • I know this thread is positively ancient, but I'm one of the apparently rare few still running this plugin on both my Unraid boxes running v6.11...and just testing it again now due to all the people s

  • It's tailored to unRaid, and takes the approach of waiting for an attack to happen against certain files and when that happens stops all smb write access regardless of how inconvenient that may be to

Posted Images

  • Author

Since you changed it to set SMB to Read Only upon detection, is their still value in stopping the array?

 

~Spritz

Depends upon your level of paranoia

 

Sent from my SM-T560NU using Tapatalk

One possibility is that if you have some rogue software somewhere on your network, not only might it modify / encrypt your files, but it could also be sending information "back home".  My view would be that I would want the server to have share access blocked until I had a chance to get control of things.

That's actually how the beeps are handled.  Through a user set stop script.  Next update should be this weekend

 

Sent from my LG-D852 using Tapatalk

 

Just got around to installing this....

 

Now I see your ugly mug/Chode in the root of every one of my shares....  Like a frigging virus!  ;D

 

o0sVku8.jpg

 

Having said that, I'm impressed, deleted a file and it did what it says on the tin.  Awesome work mate....

 

Now about that picture, do you not think something like this would be a bit more palatable?

 

seuMImp.png

  • Author

Just got around to installing this....

 

Now I see your ugly mug/Chode in the root of every one of my shares....  Like a frigging virus!  ;D

 

o0sVku8.jpg

 

Having said that, I'm impressed, deleted a file and it did what it says on the tin.  Awesome work mate....

 

Now about that picture, do you not think something like this would be a bit more palatable?

 

seuMImp.png

The key is what does your wife think?

 

Sent from my LG-D852 using Tapatalk

 

 

 

The key is what does your wife think?

 

Sent from my LG-D852 using Tapatalk

 

She says she's never gone for good looking men....

 

I'm sure there should have been a before in the sentence at some point she must have just forgot it...  ::)

  • Author

 

The key is what does your wife think?

 

Sent from my LG-D852 using Tapatalk

 

She says she's never gone for good looking men....

 

I'm sure there should have been a before in the sentence at some point she must have just forgot it...  ::)

My wife runs off her ideal man every once in a while and I think to myself, why did you marry me?

 

But right now, I'm testing out the dedicated bait shares and have 20 test shares operational containing approximately 1,000,000 pictures of myself in the hopes that I can brainwash her somehow    ;)

 

You do realize though that you can change that picture yourself

You do realize though that you can change that picture yourself

Thanks for this fantastic plugin! Does exactly what it says and helps me feel a bit more secure :-). Just a couple of questions :

 

If the bait is already set, and then we add the bait folder with custom files, does it replace the existing ones?

 

Also, if we change our mind from all folders to just root, do the extra bait files get deleted?

 

Thanks again!

  • Author

The published version deletes all the bait at every start so yes to all the questions.  Next rev on the weekend that will be optional but with a button to manually delete everything

 

Sent from my LG-D852 using Tapatalk

 

 

Since you changed it to set SMB to Read Only upon detection, is their still value in stopping the array?

 

I would say yes, as it's more likely to cause the major disruption that's appropriate for the potential disaster that's happening!  Do you really want to allow something to possibly continue destroying files on networked machines, so long as it doesn't interrupt your movie?  If you aren't well backed up elsewhere, then this is comparable to a small fire in the house, or the sound of a thief with your jewelry and valuables.

How about having the ability to have a custom script run when it's triggered?

This way folks could have extra/special things happen without having to have it hardcoded into the plugin..

 

I think this is a good idea.  It lets anyone customize the response as they wish, and add extra warnings and special notifications, beyond the standard ones.  And perhaps start file integrity tools running to begin identifying what's changed.

And perhaps start file integrity tools running to begin identifying what's changed.

This...

 

More importantly, STOP the file integrity tools from blindly calculating new checksums on the newly minted files, and go into check only mode.

How about having the ability to have a custom script run when it's triggered?

This way folks could have extra/special things happen without having to have it hardcoded into the plugin..

 

I think this is a good idea.  It lets anyone customize the response as they wish, and add extra warnings and special notifications, beyond the standard ones.  And perhaps start file integrity tools running to begin identifying what's changed.

 

Yes, thats what I had in mind.. for me it could tell my router to cut off access to the net for the unraid server so it doesnt "leak" any info..

  • Author

And perhaps start file integrity tools running to begin identifying what's changed.

This...

 

More importantly, STOP the file integrity tools from blindly calculating new checksums on the newly minted files, and go into check only mode.

Why do I have the sneaking suspicion that my deprecated Checksum Tools is going to make a revival in the next year?

And perhaps start file integrity tools running to begin identifying what's changed.

This...

 

More importantly, STOP the file integrity tools from blindly calculating new checksums on the newly minted files, and go into check only mode.

Why do I have the sneaking suspicion that my deprecated Checksum Tools is going to make a revival in the next year?

 

Funny you say that, I thought the same thing, but I decided, for once, not to taunt you....  ;D

  • Author

And perhaps start file integrity tools running to begin identifying what's changed.

This...

 

More importantly, STOP the file integrity tools from blindly calculating new checksums on the newly minted files, and go into check only mode.

Why do I have the sneaking suspicion that my deprecated Checksum Tools is going to make a revival in the next year?

 

Funny you say that, I thought the same thing, but I decided, for once, not to taunt you....  ;D

Are you sick or dying or something?

Are you sick or dying or something?

 

Hey, I'm your friend remember, now if I'd been your arch nemesis.....

 

I'm not going to say a word about the daily update to CA though....

  • Author

Anyone using Dynamix File Integrity?  (I don't... Still use the checksum plugin -> sorry bonienl)

 

If so, can I get you to do the following and post the output after forcing File Integrity to create the hashes for the file created.

 

mkdir /mnt/user/test
echo "test" > /mnt/user/test/test
inotifywait -m @ /mnt/user/test/test

 

Need to know if I have to add a note to exclude the specific bait share folders from File Integrity (pretty sure I'm going to have to)

@Squid

This plugin is working great for me. SMB and AFP. Was doing a little testing and I get the attack warning screen (and selected shutdowns) when I delete one of the bait files, but this screen and the following reset screen only reference SMB. There's no mention of restoring the AFP server even though both get restored when I push the button. Just a suggestion.

  • Author

@Squid

This plugin is working great for me. SMB and AFP. Was doing a little testing and I get the attack warning screen (and selected shutdowns) when I delete one of the bait files, but this screen and the following reset screen only reference SMB. There's no mention of restoring the AFP server even though both get restored when I push the button. Just a suggestion.

Next rev states that...  Just a little behind schedule due to real life

Hello Squid

 

I currently have the Ransomware Bait File Placement set to "root only of shares" and Stop Array on Detection set to "Yes"

 

With these settings every works as wanted and gives me greatly needed protection

Thank you very much for this plugin

 

 

I was curious about excluding more directories ...

 

I have "two" giving me some consternation

 

one is of the form /mnt/user/*share*/.Recycle.Bin

and another is /mnt/user/music/iTunes/iTunes Media/Automatically Add to iTunes/

 

When I empty the .Recycle.Bin manually the Ransomware Plugin can trigger ...

(so I should stop it before and restart after)

as well as when iTunes tries to automatically add the files in it's automatically add directory.

 

But I want to splatter my arrays directories with way more Bait files and wasn't sure how hard this would be to change / add?

 

Thanks for your time,

Bobby

 

 

 

 

  • Author

Problem with extra bait files within normal shares is that it dramatically increases the odds of inadvertent tripping.  You can always use the custom bait folder and toss as many files in there as you like.

 

Next rev (couple days behind schedule) I'm using 200,000 bait files in specialized shares just for that purpose and leaving everything else with the stock 4 shares

 

After the next rev I'm planning on switching the bait in normal shares from files to instead hardlinks which will let you instead run multiple copies without taking up an extra space (and might also speed up the response time by a milisecond or two)

 

Sent from my LG-D852 using Tapatalk

 

 

A few observations:

 

1. Love the plugin! Thanks again for creating it! :)

 

2. Can't wait for the manual removal button, as I uninstalled the plugin before letting it remove all the Squid-y files and now have 50 million "Don't Touch my Super Secret Squid" Files strewn about my file structure! I plan on using custom named bait files (in case ransomware developers learn about this little beauty) and maybe only in the top level folders.

 

3. A nice-to-have feature might be some sort of persistent progress update on the seeding and deleting of Squid-y files... "X out of Y", or "10% seeded/deleted" or even just "X seeded/deleted" so we can see that it is still working.

 

Thanks Again!

  • Author

2. Can't wait for the manual removal button, as I uninstalled the plugin before letting it remove all the Squid-y files and now have 50 million "Don't Touch my Super Secret Squid" Files strewn about my file structure! I plan on using custom named bait files (in case ransomware developers learn about this little beauty) and maybe only in the top level folders.

It should have removed the monitored files during uninstallation.  *But*, it was possible for abandoned / orphaned bait files to have been created depending upon what was going on at the time.  This should be fixed already on next rev.  (Just tidying up some loose ends).    The syslog when creating the files would actually have listed the orphaned files.  Unfortunately not much you can do other than doing a search in Explorer for the file name and then deleting them there. 

3. A nice-to-have feature might be some sort of persistent progress update on the seeding and deleting of Squid-y files... "X out of Y", or "10% seeded/deleted" or even just "X seeded/deleted" so we can see that it is still working.

Ahead of you there:  (The Running section does change to indicate current status of creation / deletion)

 

Untitled_zpszwxqc13n.png

Unfortunately not much you can do other than doing a search in Explorer for the file name and then deleting them there. 

No biggie. I'll do that.

Ahead of you there:  (The Running section does change to indicate current status of creation / deletion)

 

Untitled_zpszwxqc13n.png

 

Fantastic! Can't wait for the new version! :)

Are you going to add protection of shares on unassigned devices?

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

Account

Navigation

Search

Search

Configure browser push notifications

Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.