NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.
Forum Discussion
Solved
Ransomware Protection Idea
It's all in the news lately and things are only going to get worse. Ransomware. But for ReadyNAS owners, I have an idea for a protection scheme. I'd like to get some feedback on its viability/rel...
We don't recommend taking snapshots on iSCSI targets or using bit-rot protection with them (we link enabling/disabling bit-rot protection to enabling/disabling CoW) due to the fragmentation that can result.
However for ordinary SMB shares this idea could work well. You would need to allow space for the encrypted files (best to keep volume usage excluding snapshots under 50%) and you should have multiple copies of your data on multiple devices.CoW works better with some use cases than others. So if you are making a huge number of writes in place to files you are better to rely solely on backups rather than complement it with the use of snapshots.
Snapshots are useful for a range of things but I wouldn't rely on them as my sole defence against ransomware or other possible problems. There's no replacement for backing up your data. Backing up your data and using snapshots on both the primary and backup NAS can work well.
It's possible ransomware could evolve so that if it directly compromised a NAS (e.g. if you enabled SSH with password authentication and left the default password set) snapshots would be an ineffective defence. It's more likely that a Windows PC would be compromised e.g. due to a user opening an attachment they shouldn't.
We don't recommend taking snapshots on iSCSI targets or using bit-rot protection with them (we link enabling/disabling bit-rot protection to enabling/disabling CoW) due to the fragmentation that can result.
However for ordinary SMB shares this idea could work well. You would need to allow space for the encrypted files (best to keep volume usage excluding snapshots under 50%) and you should have multiple copies of your data on multiple devices.
CoW works better with some use cases than others. So if you are making a huge number of writes in place to files you are better to rely solely on backups rather than complement it with the use of snapshots.
Snapshots are useful for a range of things but I wouldn't rely on them as my sole defence against ransomware or other possible problems. There's no replacement for backing up your data. Backing up your data and using snapshots on both the primary and backup NAS can work well.
It's possible ransomware could evolve so that if it directly compromised a NAS (e.g. if you enabled SSH with password authentication and left the default password set) snapshots would be an ineffective defence. It's more likely that a Windows PC would be compromised e.g. due to a user opening an attachment they shouldn't.
I admit I didn't think it through to the point of standard SMB shares, but I guess you're right. That makes things even easier!
But I would caution anyone against selecting the Allow Snapshot Access checkbox when configuring the snapshot feature. Unless I'm mistaken, this would leave the snapshot data vulnerable to the rogue encryption of the ransomware and would thereby defeat the purpose.
I've had SSH turned on, as I've needed to get checksum data for individual files on an ad-hoc and automated basis. However, due to the risk you've highlighted here—and the risk of being denied support—I've decided to implement the idea as an add-on instead (stay tuned). So in the meantime I've turned SSH off. I'll do without that capability for the time being.
Thanks,
Jeff Bowman
Fairbanks, AlaskaWith allow snapshot access enabled the snapshot would still be read-only.
If we suspect the app has caused problems that may similar support implications to using SSH especially if the app hasn't been qualified by us.> With allow snapshot access enabled the snapshot would still be read-only.
Well very good, then. That's even better :-)
> If we suspect the app has caused problems that may similar support implications to using SSH especially if the app hasn't been qualified by us.
Yes, I understand. My plan is to put it up on GitHub and submit it for inclusion at the store.
The basic idea behind it: it'll be a PHP app that listens on a port for a request that contains the full path to file to check, as well as the type of checksum (MD5 or SHA1). It'll then run the appropriate command and return the result. Pretty simple, really.
I need this so I can check the accuracy of backups after they run. But if NetGear wants to add it as a built-in feature I sure won't complain ;-)
Thanks,
Jeff Bowman
Fairbanks, Alaska
NETGEAR Academy
Boost your skills with the Netgear Academy - Get trained, certified and stay ahead with the latest Netgear technology!
Join Us!
