Crypto ransomware has been getting worse and worse over time (see e.g. this article from Ars), and it's spreading to OS X and Linux as well (although the very early attempts aren't as polished yet as the Windows stuff, just give it a few more release cycles and they'll be just as devastating).
The scary thing about this stuff is that it also affects backups, so you're just as screwed if you regularly back up your data as if you don't. In fact regularly backing up makes things worse, since it increases the chance of replacing the non-locked backup data with locked data.
This is something that Nas4Free could help with. To do this, you designate a few random files as canary files that should never be modified. If Nas4Free detects that a modified version of the file is being uploaded (i.e. one that's been locked by ransomware), it could perform actions like alerting the user and diverting new backups to a quarantine directory until the all-clear is given.
Does anyone have any thoughts on this? I'd toyed with the idea of adding a script to manage this, but the minimal playing I've done has ended up as a bit of a hack (GUI integration in particular is something that looks complex if you're an outsider), and if it was a standard Nas4Free feature it would help other users as well.
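The canary check proposed in this post could work as follows; this is an added example, not part of the original post and not Nas4Free code. The function names, the `QUARANTINE_ACTIVE` latch file and the directory layout are assumptions, and the sample data is constructed.

```python
import hashlib, json, tempfile
from pathlib import Path

LATCH = "QUARANTINE_ACTIVE"  # hypothetical marker file name


def sha256_of(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()  # canaries are small files


def record_baseline(root, canaries, store):
    """Hash each canary (path relative to root) once, while the data is known good.
    Keep `store` on the NAS, outside any share the clients can write to."""
    store.write_text(json.dumps({c: sha256_of(root / c) for c in canaries}))


def tampered(incoming, store):
    """Canaries that changed or vanished (a renamed canary counts as missing)."""
    baseline = json.loads(store.read_text())
    return sorted(rel for rel, digest in baseline.items()
                  if not (incoming / rel).is_file()
                  or sha256_of(incoming / rel) != digest)


def choose_destination(incoming, store, normal, quarantine):
    """Return (directory for this backup run, tampered canaries to alert on).
    Once tripped, the latch diverts every run until all_clear() is called."""
    bad = tampered(incoming, store)
    latch = quarantine / LATCH
    if bad:
        quarantine.mkdir(parents=True, exist_ok=True)
        latch.write_text("\n".join(bad) + "\n")
    return (quarantine if latch.exists() else normal), bad


def all_clear(quarantine):
    (quarantine / LATCH).unlink(missing_ok=True)


if __name__ == "__main__":
    tmp = Path(tempfile.mkdtemp())  # constructed sample data
    incoming, store = tmp / "incoming", tmp / "baseline.json"
    incoming.mkdir()
    (incoming / "canary.docx").write_bytes(b"constructed canary contents")
    record_baseline(incoming, ["canary.docx"], store)
    (incoming / "canary.docx").write_bytes(b"ciphertext")  # simulated change
    print(choose_destination(incoming, store, tmp / "backups", tmp / "quarantine"))
```

The latch keeps later runs in quarantine even if the canaries look intact again, so clean backup generations are not overwritten until someone calls `all_clear()`.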
This is the old XigmaNAS forum in read-only mode;
it will be taken offline by the end of March 2021!
I would like to ask Users and Admins to rewrite/take over important posts from here into the new fresh main forum!
It's not possible for us to export from here and import it to the main forum!
Using Nas4Free to deal with ransomware
-
hastdotwhat
- Starter

- Posts: 45
- Joined: 17 Jul 2013 09:39
- Status: Offline
- b0ssman
- Forum Moderator

- Posts: 2438
- Joined: 14 Feb 2013 08:34
- Location: Munich, Germany
- Status: Offline
Re: Using Nas4Free to deal with ransomware
Just use ZFS snapshots.
If the file was modified, you get the real file from the snapshot.
But same problem as with backups, so it's an inherent problem.
Nas4Free 11.1.0.4.4517. Supermicro X10SLL-F, 16gb ECC, i3 4130, IBM M1015 with IT firmware. 4x 3tb WD Red, 4x 2TB Samsung F4, both GEOM AES 256 encrypted.
-
hastdotwhat
- Starter

- Posts: 45
- Joined: 17 Jul 2013 09:39
- Status: Offline
Re: Using Nas4Free to deal with ransomware
Hmm, that assumes you're running ZFS (i.e. you've got a fairly serious NAS), and that you're keeping snapshots that go back an arbitrarily long way in order to allow rollback (which in turn means you've got a ton of storage to dedicate to storing multiple generations of data). I was targeting this more at protecting things set up for friends and family (the sort of people that are more likely to get hit by this kind of malware), repurposed older PCs that help them in the event of a crash, but nothing like the sort of thing in your sig for example.
- raulfg3
- Site Admin

- Posts: 4865
- Joined: 22 Jun 2012 22:13
- Location: Madrid (ESPAÑA)
- Contact:
- Status: Offline
Re: Using Nas4Free to deal with ransomware
hastdotwhat wrote: (which in turn means you've got a ton of storage to dedicate to storing multiple generations of data).
Error, snapshots do not cost in data terms. (Do not duplicate data)
https://en.wikipedia.org/wiki/ZFS#Snapshots_and_clones
Please read more about how snapshots work on ZFS.
12.1.0.4 - Ingva (revision 7743) on SUPERMICRO X8SIL-F 8GB of ECC RAM, 11x3TB disk in 1 vdev = Vpool = 32TB Raw size , so 29TB usable size (I Have other NAS as Backup)
Wiki
Last changes
HP T510
-
hastdotwhat
- Starter

- Posts: 45
- Joined: 17 Jul 2013 09:39
- Status: Offline
Re: Using Nas4Free to deal with ransomware
raulfg3 wrote:
hastdotwhat wrote: (which in turn means you've got a ton of storage to dedicate to storing multiple generations of data).
Error, snapshots do not cost in data terms. (Do not duplicate data)

Snapshots (well, ZFS ones) are COW, not magic-on-write. If your data has been encrypted by ransomware then 100% of your data has changed, so at a minimum you've doubled your storage requirements just from that. In addition, as your data changes during normal use, you need to store the changed data as well.