Bains
Nov 08, 2013Guide
Permissions and CryptoLocker
ReadyNAS 312 systems deployed in various locations. Most workstations are accessing NAS hosted data via mapped drives in a peer networking environment. Everyone around here is clucking about Cry...
Bains
Nov 10, 2013Guide
SMB access is essential for most task-oriented functions. Disabling SMB access is not practical with task-oriented workers with low technology knowledge and rudimentary skills. The firm needs to keep making and selling their widgets. This stuff is to be a tool to help, not an impediment.
******** Below is a short discussion of the issue and a possible work-around **************
CryptoLocker and ReadyNAS Setup
CryptoLocker malware is currently causing substantial issues with client/server configurations. Generally speaking, CryptoLocker
• Currently only infects Windows based systems with CIFS type networks.
• Runs the ‘chain’ of available drives, both local and mapped drives, looking for documents that it then encrypts using an RSA 256 bit algorithm.
• Because the use of mapped drives is often the only practical manner of sharing information on a network most networks are vulnerable to this attack.
• All popular documents are encrypted based on their respective file extension – music, pictures, Office documents (Word, Excel, PowerPoint, etc.), most any document that contains user-created content.
• Apparently the malware process avoids unknown document types in an attempt to make the system appear functional until most/all of the user documents are encrypted.
• The system still boots and has web access – that is how the user is able to pay the ransom.
• After sufficient numbers of documents have been encrypted the user is informed that the event has occurred via prominent screen display and they can either pay a ransom for the RSA key to unencrypt them or leave them encrypted.
• Early versions of the malware gave an absolute 72 hour deadline prior to destroying the key so that no documents could be recovered. Recent anecdotal discussions have indicated that there is more flexibility in the timeframe, but the cost of the recovery key after the initial 72 hour timeframe is escalated approximately six-fold.
• Actual removal of the malware is fairly straight-forward and most AV tools in use can do it readily. The issue is how to recover the encrypted data.
By all standards this is very disruptive, but from the standpoint of the malware-infecting organization it is effective, as the only recourse is to pay them or lose documents.
If the user has a good backup then the high probability is that that backup will remain unencrypted. That said, it is only a matter of time before the malware recognizes these document types and in turn encrypts them.
If the backup was removed from the environment, either physically or logically, then its contents are safe from encryption.
Following up on that alternative is the idea to ‘hide’ the backup files such that the malware cannot locate them.
The ReadyNAS device allows the creation of a share in the traditional manner using RAIDar, but if the CIFS “Hide this share when a user browses the ReadyNAS for available shares” option box is checked then the data is essentially hidden from the Windows environment. Quoting from the option description: “If enabled, users will not see the share unless they explicitly specify the share name in the browse path. Please note that enabling this option will disable access to the share from other file protocols.”
• This is about as good as it gets from the perspective of the CryptoLocker defense. The malware must know the ReadyNAS device name and also know the specific directory name containing the data that is being hidden.
• There is no mapped drive to lead the malware to the data.
• The data can remain mounted online and available for the knowledgeable individual to access.
• Drive mapping from the Windows environment is restricted; those individuals who have access to and need to know about the backup data location use UNC naming conventions.
• Most backup software is able to deal with UNC naming conventions for the purposes of data storage and retrieval.
Depending on the capability of the backup software used, it may be possible to set permission-level authority on the actual process doing the backup in addition to other types of restrictions. The Windows security model has adequate capabilities; it is a function of the backup software to use those capabilities.
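The work-around above (a hidden ReadyNAS share reached only by UNC path, with the backup running under its own account rather than through a mapped drive) as an added PowerShell example; this is not code from the post or from NETGEAR. The NAS name `readynas`, share name `hiddenbackup`, source folder `D:\Shared` and account `BACKUPSVC` are placeholders.

```powershell
# Added example: back up to a hidden ReadyNAS share over UNC with a dedicated credential,
# after checking that nothing on this workstation would lead malware to the share.
$NasHost   = 'readynas'       # placeholder: ReadyNAS host name
$ShareName = 'hiddenbackup'   # placeholder: share with "Hide this share..." enabled on the NAS
$Source    = 'D:\Shared'      # placeholder: data to protect
$Unc       = "\\$NasHost\$ShareName"

# Check 1: the hidden share must not appear when the NAS is browsed.
$browse = net view "\\$NasHost" 2>$null
if ($browse -match "^\s*$ShareName\s") {
    throw "Share '$ShareName' is visible in the browse list; enable the hide option on the NAS."
}

# Check 2: no drive letter on this workstation may be mapped to the hidden share,
# since a mapped drive is exactly the path the malware walks.
$mapped = Get-SmbMapping -ErrorAction SilentlyContinue | Where-Object { $_.RemotePath -like "$Unc*" }
if ($mapped) {
    throw "Hidden share is mapped as $($mapped.LocalPath -join ', '); remove the mapping first."
}

# Connect as the dedicated backup account (hypothetical 'BACKUPSVC') only for this job.
# Deliberately no -Persist: that would create the mapped drive we are trying to avoid.
$cred = Get-Credential -UserName "$NasHost\BACKUPSVC" -Message 'Backup account password'
New-PSDrive -Name BK -PSProvider FileSystem -Root $Unc -Credential $cred -ErrorAction Stop | Out-Null
try {
    # Copy into a dated folder instead of mirroring in place, so a run that happens to
    # copy already-encrypted files cannot overwrite the previous good copy.
    $dest = Join-Path $Unc (Get-Date -Format 'yyyy-MM-dd')
    $log  = Join-Path $env:TEMP 'hiddenbackup.log'
    robocopy $Source $dest /E /COPY:DAT /R:1 /W:1 /NP /LOG+:$log | Out-Null
    # robocopy exit codes 0-7 are success variants; 8 and above mean some files failed to copy.
    if ($LASTEXITCODE -ge 8) { throw "robocopy reported failures (exit $LASTEXITCODE); see $log" }
}
finally {
    # Drop the SMB session so the share is not reachable from this workstation afterwards.
    Remove-PSDrive -Name BK -Force
}
```

Run it from a scheduled task under the backup account so interactive users never hold a session to the share; on the NAS, give only that account write access to the hidden share.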