Skip to content
View in the app

A better way to browse. Learn more.

Unraid

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

[Plugin] Ransomware Protection - Deprecated

Featured Replies

  • Author

Are you going to add protection of shares on unassigned devices?

Yes.  Once all the file system checks are finished then the plg will be released..
  • Replies 449
  • Views 115.3k
  • Created
  • Last Reply

Top Posters In This Topic

Most Popular Posts

  • @Squid Fingers crossed he doesn't delete the thread to destroy the evidence..... 

  • I know this thread is positively ancient, but I'm one of the apparently rare few still running this plugin on both my Unraid boxes running v6.11...and just testing it again now due to all the people s

  • It's tailored to unRaid, and takes the approach of waiting for an attack to happen against certain files and when that happens stops all smb write access regardless of how inconvenient that may be to

Posted Images

  • Author

width=300https://s3.amazonaws.com/lowres.cartoonstock.com/computers-email-virus-e_mail-attachment-computer_virus-bfrn373_low.jpg[/img]

 

- Major Update to the UI

- Lost track of the number of little issues that got fixed

- Added in specialized baitshares

- 6.2.1+ ONLY

- Still working on the manual (and the unassigned devices read-only got missed in this release)

 

YOU MUST UNINSTALL ANY PREVIOUS VERSIONS OF THIS PLUGIN PRIOR TO UPDATING

- Ideally, to prevent any inadvertent tripping of the old plugin, go to ransomware settings, disable the service, REBOOT, uninstall the plugin, and then REBOOT again.  This will guarantee that no traces of the old version are running to ensure a smooth upgrade procedure.  (Yes I know I'm a PITA  ;) )

 

UI Updates:

Tabbed / Non Tabbed depending upon Dynamix Display Settings.

Status vs Bait File vs Bait Shares vs Actions now separated from each other (with their own individual Apply Buttons)

Big additions to the UI are easy viewing of the logs, and seeing what file creation errors happened.  Most of the time, file creation errors will be the result of a file name collision (ie: the file that it tried to save as a bait file already existed on the array).  Filename collisions you will have to manually delete those files if they are orphaned due to a bug or what not on earlier versions of this plugin.

 

Bait Files

This is the same as before, with the named bait files going into either the Root of shares or all folders of shares (still have the ability to exclude shares -> note that specific bait shares are automatically excluded)

 

Bait Shares

If enabled, the plugin will create a number of specialized bait shares which should draw the attention of any ransomware attack to them instead of your data files.

 

Each bait share contains approximately 50,000 bait files (mixture of pdf, docx, xlsx, jpg) randomly named in english within randomly named folders in something that kinda resembles a naming convention that a business might use (ie: sometimes there's dates after the file name, word separators of spaces, periods, dashes, etc)

 

You will set the "Prefix" of the bait share, (Defaults to Squidbait), and a random word will get appended to each share so that it'll be easy for you (and those with legitimate access to the server) to avoid going into them.  The default is to append the random name after the prefix (which will wind up grouping all of the shares together on a list.  You also have the option to put the random name in front of the prefix, which will wind up scattering  the shares alphabetically amongst your normal shares.

 

The 50,000 odd bait files take up minimal space of on your array (because they are actually all hardlinks  Here is the disk usage for using 20 bait shares:

 

unRaid 6.2.2: averaging 380 bait created per second, btrfs disk usage: (~1.09GB usage immediately after format) (6.3RC3 averages 6000 per second)

Untitled_zpsz9e7plao.png

 

unRaid 6.2.2: averaging 410 bait created per second, reiserfs disk usage: (~40meg usage immediately after format) (6.3RC3 averages 4600 per second)

Untitled_zpsdimtgakw.png

 

unRaid 6.2.2: averaging 380 bait created per second, xfs disk usage (~1.1 GB usage immediately after format)(6.3RC3 averages 4800 per second)

Untitled_zpsza8satgi.png

 

(As an aside, during my file system tests, I hit 69 million bait files on XFS before I ran out of disk space on a 5gig Virtual Hard Drive)

 

The number of bait files within each share is not adjustable, and is well within the file system limitations (couldn't determine an upper limit for XFS hardlinks.  BTRFS is 65,535, and reiserfs is 64,535)

 

Also note the huge speed increase with bait file generation when utilizing 6.3+  This is entirely due to the upgrade to PHP7 in those releases, and drops the generation time for 20 shares down to a minute or two from around an hour+ in 6.2.2 

 

Note that the one thing you do not want to do is adjust the share settings for the created bait shares.  You *want* them to be as easily accessible as possible.  Setting them to be hidden via the GUI is basically going to negate the whole point of them since a ransomware attack will not see those shares.

Still To Come

Still have to add in Unassigned Devices handling to read-only

A complete manual / help text to describe the various options, etc

- Just kept on running out of time and wanted to get this out there.

This is looking awesome, Squid!

 

Is there any way to preserve the date/time stamp in the directory structure when you write the bait files? I often sort by date/time because I'm looking for the newest directories that have been added by SB or CP, and at the moment, almost all of my directories have a 10/16 date stamp (the last time I launched the plugin).

I've found a bug.

 

 

I've got a mixture of cache-only, array-only, private and public shares.  I accidently triggered the plugin  by moving some files.  What went wrong is that after re-enabling SMB, my Private Array-only shares didn't restore user permissions to Read-write, they were stuck on read.

 

 

The more annoying problem, was for those shares my comments were lost and the "Read Only Mode. Restore normal settings via Ransomware Protection Settings" was still there.

 

 

I think I have another bug.  I have bait share enabled and recreate bait files (the share option) to 'No' - for some reason it's deleting all my bait shares at the moment, when I was expecting them to stay where there were after the initial creation.

  • Author

I've found a bug.

 

 

I've got a mixture of cache-only, array-only, private and public shares.  I accidently triggered the plugin  by moving some files.  What went wrong is that after re-enabling SMB, my Private Array-only shares didn't restore user permissions to Read-write, they were stuck on read.

 

 

The more annoying problem, was for those shares my comments were lost and the "Read Only Mode. Restore normal settings via Ransomware Protection Settings" was still there.

 

 

I think I have another bug.  I have bait share enabled and recreate bait files (the share option) to 'No' - for some reason it's deleting all my bait shares at the moment, when I was expecting them to stay where there were after the initial creation.

I'll check it out after work.  Are the backup copies of the share cfg files on the flash drive (/config/plugins/ransomware.bait/can'tRemember)

 

Sent from my LG-D852 using Tapatalk

 

 

I'll check it out after work.  Are the backup copies of the share cfg files on the flash drive (/config/plugins/ransomware.bait/can'tRemember)

 

Sent from my LG-D852 using Tapatalk

 

 

Sorry, not sure - I took the plugin off as it kept triggering alarms when it was deleting the bait shares.

  • Author

...as it kept triggering alarms when it was deleting the bait shares.

This is the key thing here, and I know what's going on.  Gotta further increase the safeguards to prevent this situation.  (Its also why I had that messed up upgrade routine)
  • Author

Is there any way to preserve the date/time stamp in the directory structure when you write the bait files? I often sort by date/time because I'm looking for the newest directories that have been added by SB or CP, and at the moment, almost all of my directories have a 10/16 date stamp (the last time I launched the plugin).

Won't help you now, but going forward, this weekend's update will have this in there (optional, defaults to preserving the date/time of the folder)  (Actually an awesome idea as I work with my shares the same way, and it never really popped into my head)

Is there any way to preserve the date/time stamp in the directory structure when you write the bait files? I often sort by date/time because I'm looking for the newest directories that have been added by SB or CP, and at the moment, almost all of my directories have a 10/16 date stamp (the last time I launched the plugin).

Won't help you now, but going forward, this weekend's update will have this in there (optional, defaults to preserving the date/time of the folder)  (Actually an awesome idea as I work with my shares the same way, and it never really popped into my head)

 

Sweet!  Looking forward to it!

  • Author

width=200http://www.relatably.com/q/img/funny-quotes-about-life-getting-better/1375690139173477_tall.jpg[/img]

 

- Improvements in stop services

- Fixed: Depending upon settings, an attack on user shares could trigger multiple attacks on bait shares

- Added: Optional preserving of folder modification time when creating bait files

- No longer log smb status if smb wasn't enabled

- Set UD mounted shares to be read-only in case of attack

 

Well I was going to write about how cool it was to have 1 million bait files :) but then I started updating other plugins.  Turns out there is a conflict with the 10.29 version of Ransomware Protect and the 10.29c version of Dynamix Bleeding Edge:

 

Fatal error: Cannot redeclare my_parse_ini_file() (previously declared in /usr/local/emhttp/plugins/dynamix/include/Helpers.php:243) in /usr/local/emhttp/plugins/ransomware.bait/include/helpers.php on line 88

 

Also see https://github.com/limetech/webgui/commit/ca7c521ca25804df46c5e309913b7a2f33f7450c

  • Author

Well I was going to write about how cool it was to have 1 million bait files :) but then I started updating other plugins.  Turns out there is a conflict with the 10.29 version of Ransomware Protect and the 10.29c version of Dynamix Bleeding Edge:

 

Fatal error: Cannot redeclare my_parse_ini_file() (previously declared in /usr/local/emhttp/plugins/dynamix/include/Helpers.php:243) in /usr/local/emhttp/plugins/ransomware.bait/include/helpers.php on line 88

 

Also see https://github.com/limetech/webgui/commit/ca7c521ca25804df46c5e309913b7a2f33f7450c

But I was first with that update to handle the potential issue!

 

But, no problems... I'll change the name of the function I'm using within the .page file.  Working on the manual for this right now anyways

 

Should have gone with squids_parse_ini_file... anyone can have my_parse_ini, only you can have squids :)

  • Author

Should have gone with squids_parse_ini_file... anyone can have my_parse_ini, only you can have squids :)

Fix is in RP to check for that function before declaring it now.  But really glad you posted that github link, as there is a major issue with the code as posted...  Once I finish the manual, I'll update RP

I feel like if it is triggered it should send a "wuphf" http://theoffice.wikia.com/wiki/WUPHF.com_(Website)

A 404 error?

 

Sent from my LG-D852 using Tapatalk

lol. I kinda have that now via texts, email, smartthings notifications & pushbullet. Someone comes to the door (motion detection) you would think some alarm system had gone off lol.

Should have gone with squids_parse_ini_file... anyone can have my_parse_ini, only you can have squids :)

Fix is in RP to check for that function before declaring it now.  But really glad you posted that github link, as there is a major issue with the code as posted...  Once I finish the manual, I'll update RP

 

You were looking at the first incarnation, meanwhile code is corrected.

 

You are always free of course to introduce your own code, but remember unRAID has a lot "my_..." functions (don't want to claim the name though).

 

- Fixed compatibility with Dynamix Bleeding Edge (but since I was first with the my_parse_ini_file fix, shouldn't Bleeding Edge have to fix compatibility with RP and CA since it also had the fix prior to Bleeding Edge??)

 

Sorry Squid. Too late  ;D

 

Bleeding Edge changes will come in next rc of unRAID, solution is simple: RP and CA can use the built-in functions.

 

  • Author

You are always free of course to introduce your own code, but remember unRAID has a lot "my_..." functions (don't want to claim the name though).

Yeah, I think eschultz thinks I'm on glue because I was commenting on the commit that clearly showed incorrect code and he's looking at something else.

 

And I also use a ton of the my_ functions.  Easy to remember and handle.  Easier to put in a conditional declaration rather than rename everything, since ultimately both your's and mine do the same thing (although I prefer mine  ;)  )

 

(And the conditional allows me to maintain compatibility with previous versions of unRaid)

 

Just joking around about blaming Dynamix for my very minor little woes 

You are always free of course to introduce your own code, but remember unRAID has a lot "my_..." functions (don't want to claim the name though).

Yeah, I think eschultz thinks I'm on glue because I was commenting on the commit that clearly showed incorrect code and he's looking at something else.

 

And I also use a ton of the my_ functions.  Easy to remember and handle.  Easier to put in a conditional declaration rather than rename everything, since ultimately both your's and mine do the same thing (although I prefer mine  ;)  )

 

(And the conditional allows me to maintain compatibility with previous versions of unRaid)

 

Just joking around about blaming Dynamix for my very minor little woes

 

You can always blame ME  ;)

 

  • Author

You are always free of course to introduce your own code, but remember unRAID has a lot "my_..." functions (don't want to claim the name though).

Yeah, I think eschultz thinks I'm on glue because I was commenting on the commit that clearly showed incorrect code and he's looking at something else.

 

And I also use a ton of the my_ functions.  Easy to remember and handle.  Easier to put in a conditional declaration rather than rename everything, since ultimately both your's and mine do the same thing (although I prefer mine  ;)  )

 

(And the conditional allows me to maintain compatibility with previous versions of unRaid)

 

Just joking around about blaming Dynamix for my very minor little woes

 

You can always blame ME  ;)

Nah.  I assume that dynamix is like RP and CA and has a mind and will of its own and pretty much does what it wants on its own accord during development

 

Sent from my LG-D852 using Tapatalk

 

 

How do I exclude a folder with a space in the name?

  • Author

How do I exclude a folder with a space in the name?

Nothing special required.  Just include the space in the name eg: /mnt/user/Movies/BluRay Movies,/mnt/user/Downloads

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

Account

Navigation

Search

Search

Configure browser push notifications

Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.