InteXX
Luminary
Apr 06, 2016
Solved

Ransomware Protection Idea

It's all in the news lately and things are only going to get worse. Ransomware.

 

But for ReadyNAS owners, I have an idea for a protection scheme. I'd like to get some feedback on its viability/reliability.

 

This setup assumes use of the device for backup purposes only, and that all files on it are copies of other files that reside elsewhere on the always-connected network.

 

It's pretty simple, really...

 

  1. Turn off all SMB access to the ReadyNAS
  2. Create an iSCSI/LUN
  3. Enable daily snapshots for the LUN (or your preferred interval)
  4. Create an iSCSI connection to the LUN from your computer
  5. Configure your computer's backup utility to target the LUN (as a drive letter)

This all is in tandem with running a capable AV solution, of course.

 

In the event of an attack:

 

  1. Reinstall the OS
  2. Destroy the encrypted files
  3. Restore from the newest unaffected snapshot

 

My theory is that this will be reliable because the attack can only see what's inside the LUN—it can't get to the snapshots. ReadyNAS uses CoW for snapshots, yes? Then there shouldn't be too much data usage, given a reasonable snapshot frequency.

 

This approach also has the advantage that the device is able to stay network-connected all the time. All other RW protection schemes I've encountered require manually connecting only at commencement and for the duration of the backup—a cumbersome option at best, greatly increasing the risk of human error. After all, the basic purpose of a computer is to perform two functions (outside of gaming)—1) record keeping and 2) automation of tedious menial tasks. Take away #2 and you're crippling yourself of half the machine's intended benefit.

 

Your opinion, please. Is this a scheme you'd consider putting into place on your own system? What weaknesses do you see?

 

Thanks,
Jeff Bowman
Fairbanks, Alaska
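
The last recovery step above depends on knowing which snapshot is the newest unaffected one. The following is an added example, not part of the original post: it compares consecutive snapshot trees by checksum and flags the first one where most files changed at once into high-entropy content. It assumes each snapshot is readable as a plain directory tree; the function names, thresholds and sample trees are constructed for illustration.

```python
import hashlib, math, os, tempfile
from collections import Counter

def entropy(data):
    """Shannon entropy in bits per byte; encrypted data sits close to 8.0."""
    return -sum(c / len(data) * math.log2(c / len(data)) for c in Counter(data).values())

def manifest(snapshot_dir):
    """Map relative path -> (sha256 hex, entropy of first 64 KiB) for one snapshot tree."""
    out = {}
    for root, _dirs, files in os.walk(snapshot_dir):
        for name in files:
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                data = fh.read()  # whole-file read keeps the example short
            key = os.path.relpath(path, snapshot_dir)
            out[key] = (hashlib.sha256(data).hexdigest(), entropy(data[:65536]))
    return out

def is_suspect(prev, cur, ratio=0.5, high_entropy=7.5):
    """Most of prev's files changed or vanished AND the replacement content looks random."""
    lost = [p for p, (h, _) in prev.items() if cur.get(p, (None,))[0] != h]
    known = {h for h, _ in prev.values()}
    fresh = [e for h, e in cur.values() if h not in known]  # content not seen before
    if not prev or len(lost) / len(prev) < ratio or not fresh:
        return False  # few changes, or files were only moved or deleted
    return sum(e >= high_entropy for e in fresh) / len(fresh) >= ratio  # media is high-entropy too, hence both tests

def newest_unaffected(snapshot_dirs):
    """snapshot_dirs ordered oldest first; the oldest is assumed clean (baseline)."""
    manifests = [manifest(s) for s in snapshot_dirs]
    for i in range(1, len(manifests)):
        if is_suspect(manifests[i - 1], manifests[i]):
            return snapshot_dirs[i - 1]
    return snapshot_dirs[-1] if snapshot_dirs else None

def build_demo(base):
    """Constructed sample: day1 clean, day2 one edit, day3 random bytes in every file."""
    docs = {f"doc{i}.txt": (f"backup file {i}\n" * 300).encode() for i in range(4)}
    trees = {"day1": docs, "day2": {**docs, "doc0.txt": docs["doc0.txt"] + b"edit\n"},
             "day3": {name: os.urandom(4096) for name in docs}}
    for label, files in trees.items():
        os.makedirs(os.path.join(base, label))
        for name, data in files.items():
            with open(os.path.join(base, label, name), "wb") as fh:
                fh.write(data)
    return [os.path.join(base, label) for label in trees]

if __name__ == "__main__":
    print(newest_unaffected(build_demo(tempfile.mkdtemp())))
```
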

 

 

 

 


4 Replies

  • mdgm-ntgr
    NETGEAR Employee Retired

    We don't recommend taking snapshots on iSCSI targets or using bit-rot protection with them (we link enabling/disabling bit-rot protection to enabling/disabling CoW) due to the fragmentation that can result.

    However for ordinary SMB shares this idea could work well. You would need to allow space for the encrypted files (best to keep volume usage excluding snapshots under 50%) and you should have multiple copies of your data on multiple devices.

     

    CoW works better with some use cases than others. So if you are making a huge number of writes in place to files you are better to rely solely on backups rather than complement it with the use of snapshots.

     

    Snapshots are useful for a range of things but I wouldn't rely on them as my sole defence against ransomware or other possible problems. There's no replacement for backing up your data. Backing up your data and using snapshots on both the primary and backup NAS can work well.

    It's possible ransomware could evolve so that if it directly compromised a NAS (e.g. if you enabled SSH with password authentication and left the default password set) snapshots would be an ineffective defence. It's more likely that a Windows PC would be compromised e.g. due to a user opening an attachment they shouldn't.

    • InteXX
      Luminary

      I admit I didn't think it through to the point of standard SMB shares, but I guess you're right. That makes things even easier!

       

      But I would caution anyone against selecting the Allow Snapshot Access checkbox when configuring the snapshot feature. Unless I'm mistaken, this would leave the snapshot data vulnerable to the rogue encryption of the ransomware and would thereby defeat the purpose.

       

      I've had SSH turned on, as I've needed to get checksum data for individual files on an ad-hoc and automated basis. However, due to the risk you've highlighted here—and the risk of being denied support—I've decided to implement the idea as an add-on instead (stay tuned). So in the meantime I've turned SSH off. I'll do without that capability for the time being.

       

      Thanks,
      Jeff Bowman
      Fairbanks, Alaska

       

      • mdgm-ntgr
        NETGEAR Employee Retired

        With allow snapshot access enabled the snapshot would still be read-only.

        If we suspect the app has caused problems, that may have similar support implications to using SSH, especially if the app hasn't been qualified by us.
