[Plugin] Ransomware Protection - Deprecated


Squid


This sounded like an awesome plugin to use, but each time I have tried to fire it up it activates almost right away. This is what it's saying:

 

Time Of Attack:Tue, 11 Apr 2017 18:03:07 -0400

Attacked File: /mnt/user/BoxsterBait-about/



Samba version 4.5.7
PID     Username     Group        Machine                                   Protocol Version  Encryption           Signing
----------------------------------------------------------------------------------------------------------------------------------------
25974   nobody       users        10.0.1.28 (ipv4:10.0.1.28:50237)          SMB3_02           -                    -
8034    rharvey      users        10.0.1.18 (ipv4:10.0.1.18:62150)          SMB3_02           -                    AES-128-CMAC
31605   nobody       users        10.0.1.20 (ipv4:10.0.1.20:49671)          SMB3_11           -                    -
31605   nobody       users        10.0.1.20 (ipv4:10.0.1.20:49671)          SMB3_11           -                    -

Service      pid     Machine       Connected at                     Encryption   Signing
---------------------------------------------------------------------------------------------
Movies       8034    10.0.1.18     Mon Apr 10 10:21:39 2017 EDT     -            AES-128-CMAC
BlueIris     31605   10.0.1.20     Fri Apr  7 09:30:25 2017 EDT     -            -
Blue Iris Data on SSD 31605   10.0.1.20     Fri Apr  7 09:30:25 2017 EDT     -            -
BI           31605   10.0.1.20     Tue Apr 11 16:00:33 2017 EDT     -            -
VMBackups    8034    10.0.1.18     Mon Apr 10 10:21:39 2017 EDT     -            AES-128-CMAC
cache        8034    10.0.1.18     Mon Apr 10 10:21:39 2017 EDT     -            AES-128-CMAC
flash        25974   10.0.1.28     Fri Apr  7 09:24:29 2017 EDT     -            -
Downloads    8034    10.0.1.18     Mon Apr 10 10:21:39 2017 EDT     -            AES-128-CMAC

Locked files:
Pid          Uid        DenyMode   Access      R/W        Oplock           SharePath   Name   Time
--------------------------------------------------------------------------------------------------
31605        99         DENY_WRITE 0x12019f    RDWR       LEASE(RWH)       /mnt/user/BI   Barn.20170411_161316.bvr   Tue Apr 11 16:13:19 2017
31605        99         DENY_NONE  0x100080    RDONLY     NONE             /mnt/user/BlueIris   .   Fri Apr  7 09:31:00 2017
31605        99         DENY_WRITE 0x12019f    RDWR       LEASE(RWH)       /mnt/user/BI   Family.20170411_160826.bvr   Tue Apr 11 16:08:29 2017
31605        99         DENY_WRITE 0x12019f    RDWR       LEASE(RWH)       /mnt/user/BI   Pool.20170411_161217.bvr   Tue Apr 11 16:12:20 2017
8034         1000       DENY_NONE  0x100081    RDONLY     NONE             /mnt/cache   BI   Mon Apr 10 10:22:40 2017
25974        99         DENY_NONE  0x100081    RDONLY     NONE             /boot   .   Fri Apr  7 11:53:12 2017
31605        99         DENY_WRITE 0x12019f    RDWR       LEASE(RWH)       /mnt/user/BI   Third.20170411_161335.bvr   Tue Apr 11 16:13:38 2017
31605        99         DENY_WRITE 0x12019f    RDWR       LEASE(RWH)       /mnt/user/BI   Front.20170411_160859.bvr   Tue Apr 11 16:09:01 2017
8034         1000       DENY_NONE  0x100081    RDONLY     NONE             /mnt/user/VMBackups   vmsettings/_11_Apr_2017/xml   Tue Apr 11 08:35:26 2017
31605        99         DENY_WRITE 0x12019f    RDWR       LEASE(RWH)       /mnt/user/BI   Living.20170411_160031.bvr   Tue Apr 11 16:00:33 2017
8034         1000       DENY_NONE  0x100081    RDONLY     NONE             /mnt/user/Movies   Aftermath   Mon Apr 10 10:22:40 2017
31605        99         DENY_NONE  0x100080    RDONLY     NONE             /mnt/user/Blue Iris Data on SSD   .   Fri Apr  7 09:31:00 2017
31605        99         DENY_WRITE 0x12019f    RDWR       LEASE(RWH)       /mnt/user/BI   Garage.20170411_160936.bvr   Tue Apr 11 16:09:39 2017
8034         1000       DENY_NONE  0x100081    RDONLY     NONE             /mnt/user/VMBackups   vmsettings/_07_Apr_2017/nvram   Mon Apr 10 10:22:40 2017
8034         1000       DENY_NONE  0x100081    RDONLY     NONE             /mnt/cache   Blue Iris Data on SSD   Mon Apr 10 10:22:40 2017
8034         1000       DENY_NONE  0x100081    RDONLY     NONE             /mnt/user/VMBackups   vmsettings/_11_Apr_2017/nvram   Tue Apr 11 08:35:29 2017
8034         1000       DENY_NONE  0x100081    RDONLY     NONE             /mnt/user/VMBackups   vmsettings/_07_Apr_2017/xml   Mon Apr 10 10:22:40 2017

******************************************************************************************

Time Of Attack:Wed, 12 Apr 2017 09:03:51 -0400

Attacked File: /mnt/user/BoxsterBait-blossom/



Samba version 4.5.7
PID     Username     Group        Machine                                   Protocol Version  Encryption           Signing
----------------------------------------------------------------------------------------------------------------------------------------
8077    rharvey      users        10.0.1.18 (ipv4:10.0.1.18:61365)          SMB3_02           -                    AES-128-CMAC
8078    nobody       users        10.0.1.28 (ipv4:10.0.1.28:63522)          SMB3_02           -                    -
8678    nobody       users        10.0.1.20 (ipv4:10.0.1.20:58030)          SMB3_11           -                    -
8678    nobody       users        10.0.1.20 (ipv4:10.0.1.20:58030)          SMB3_11           -                    -

Service      pid     Machine       Connected at                     Encryption   Signing
---------------------------------------------------------------------------------------------
Movies       8077    10.0.1.18     Tue Apr 11 18:09:34 2017 EDT     -            AES-128-CMAC
cache        8077    10.0.1.18     Tue Apr 11 18:09:34 2017 EDT     -            AES-128-CMAC
BI           8678    10.0.1.20     Wed Apr 12 08:21:48 2017 EDT     -            -
flash        8078    10.0.1.28     Tue Apr 11 18:09:25 2017 EDT     -            -
Blue Iris Data on SSD 8678    10.0.1.20     Tue Apr 11 18:25:14 2017 EDT     -            -
BlueIris     8678    10.0.1.20     Tue Apr 11 18:25:14 2017 EDT     -            -
VMBackups    8077    10.0.1.18     Tue Apr 11 18:09:34 2017 EDT     -            AES-128-CMAC
Downloads    8077    10.0.1.18     Tue Apr 11 18:09:34 2017 EDT     -            AES-128-CMAC

Locked files:
Pid          Uid        DenyMode   Access      R/W        Oplock           SharePath   Name   Time
--------------------------------------------------------------------------------------------------
8678         99         DENY_NONE  0x100080    RDONLY     NONE             /mnt/user/BlueIris   .   Tue Apr 11 18:25:14 2017
8077         1000       DENY_NONE  0x100081    RDONLY     NONE             /mnt/cache   BI   Tue Apr 11 18:11:02 2017
8678         99         DENY_WRITE 0x12019f    RDWR       LEASE(RWH)       /mnt/user/BI   Front.20170412_090026.bvr   Wed Apr 12 09:00:30 2017
8077         1000       DENY_NONE  0x100081    RDONLY     NONE             /mnt/user/VMBackups   vmsettings/_11_Apr_2017/xml   Tue Apr 11 18:11:02 2017
8077         1000       DENY_NONE  0x100081    RDONLY     NONE             /mnt/user/Movies   Aftermath   Tue Apr 11 18:10:32 2017
8678         99         DENY_WRITE 0x12019f    RDWR       LEASE(RWH)       /mnt/user/BI   Living.20170412_082144.bvr   Wed Apr 12 08:21:48 2017
8077         1000       DENY_NONE  0x100081    RDONLY     NONE             /mnt/user/VMBackups   vmsettings/_11_Apr_2017/nvram   Tue Apr 11 18:11:02 2017
8678         99         DENY_NONE  0x100080    RDONLY     NONE             /mnt/user/Blue Iris Data on SSD   .   Tue Apr 11 18:25:14 2017
8077         1000       DENY_NONE  0x100081    RDONLY     NONE             /mnt/user/VMBackups   vmsettings/_07_Apr_2017/nvram   Tue Apr 11 18:10:32 2017
8077         1000       DENY_NONE  0x100081    RDONLY     NONE             /mnt/cache   Blue Iris Data on SSD   Tue Apr 11 18:11:02 2017
8678         99         DENY_WRITE 0x12019f    RDWR       LEASE(RWH)       /mnt/user/BI   Family.20170412_090011.bvr   Wed Apr 12 09:00:15 2017
8077         1000       DENY_NONE  0x100081    RDONLY     NONE             /mnt/user/VMBackups   vmsettings/_07_Apr_2017/xml   Tue Apr 11 18:10:32 2017
 


Finally got to update unRAID and reinstall this plugin. I'm using bait shares and have them set to be hidden, but when I connect to the server via smb the bait shares are still visible. Not sure if I'm misunderstanding the settings or if there's something else required?

Edited by wgstarks

You can only hide the files within, not the shares.  If the shares were hidden, any attack vector would need to know the exact share name in order to attack it (which is beyond unlikely).  Hidden files on the other hand are visible to any attack....  I name my bait shares zzz-SquidBait so that they are nicely out of the way and not in my face....


I don't think this is RP's fault, but it was my first thought...

 

I'm trying to write some files to a directory on my server and it's reporting that it can't because it's a "read-only file system". Of course RP was my immediate thought; however, RP is showing the lock icon with the text "Click The Lock To Immediately Set SMB/AFP to Be Read-Only" immediately under it, so it doesn't look like it's been triggered. There is nothing at all in the Ransomware Log, and the Attack History shows the one accidental "attack" I did on myself back in January. (Proved the system works! :D)

 

Every single one of my shares, except flash, seems to be locked, but I don't know why. I don't see anything in the share settings or SMB settings that would have disabled this.

 

As I said, it doesn't look like it's RP's fault, but I figured you'd have a good idea what may have happened. I'm happy to post this as a general support issue if you'd prefer, Squid.

 

Diagnostics attached.

nas-diagnostics-20170422-1541.zip

8 minutes ago, trurl said:

Check filesytem on cache disk

Ding! Ding! Ding! You win the prize, Cache drive says "Read Only Mode.  Restore normal settings via <a href='/Settings/Ransomware'>Ransomware Protection Settings</a>"

 

However, I don't see anything in RP to enable it. I tried disabling RP then re-enabling, but the cache share is still RO. I guess I could try locking then unlocking via RP, but, if I recall correctly, unlock resets things to the way they were, not the way I want them to be.

 

ACTUALLY, all the disks are mounted RO, not the shares.

Edited by FreeMan

Hello, I am a brand new Unraid user and I was glad to see an anti-ransomware plugin. A few years ago my wife was attacked and we lost all her photos. We had never heard of this attack before, it was before it became well known, so I deleted everything and never saw a payment request. Anyway, one of the reasons I built this system is to safeguard the at-home data.

 

My question is, in Windows 10 I have my Unraid server set up with a few mapped drive letters for the big folders. I now see 15 Squidbait shares there and I must admit it is sort of too much for me to keep. I like a cleanish folder structure and these just make it so hard to find the few shares I do need to access. Is there a way to completely hide the Squidbait shares from Windows, I assume SMB access? If I disable the bait shares and keep the bait files would this lower my security? I know I can hide them but I read in a post here by hiding them they become invisible to an attacker and therefore useless. I also have the selection for Hide Bait Files to Yes but they are not hidden anywhere.

 

I just saw you sort of answered my question up thread just a few days ago but I won't edit this if it asks a different question.

Thank you.

Edited by billium28
10 hours ago, billium28 said:

in Windows 10 I have my Unraid server set up with a few mapped drive letters for the big folders.

Not really pertinent to this thread or your question, but mapping drives is a security risk itself, and for more than just ransomware. Malware doesn't even have to be network aware to attack mapped drives.

 

Most applications can browse the network these days. I never map drives but can easily open and use files on the network.

11 hours ago, billium28 said:

Hello, I am a brand new Unraid user and I was glad to see an anti-ransomware plugin. A few years ago my wife was attacked and we lost all her photos. We had never heard of this attack before, it was before it became well known, so I deleted everything and never saw a payment request. Anyway, one of the reasons I built this system is to safeguard the at-home data.

 

My question is, in Windows 10 I have my Unraid server set up with a few mapped drive letters for the big folders. I now see 15 Squidbait shares there and I must admit it is sort of too much for me to keep. I like a cleanish folder structure and these just make it so hard to find the few shares I do need to access. Is there a way to completely hide the Squidbait shares from Windows, I assume SMB access? If I disable the bait shares and keep the bait files would this lower my security? I know I can hide them but I read in a post here by hiding them they become invisible to an attacker and therefore useless. I also have the selection for Hide Bait Files to Yes but they are not hidden anywhere.

 

I just saw you sort of answered my question up thread just a few days ago but I won't edit this if it asks a different question.

Thank you.

Using both bait shares and the bait files is ideal. However, when using the bait files (within your existing shares), the odds of false trips increase significantly. (Personally, I only use the bait shares. But I've set the system to call them zzz-SquidBait so that they're at the bottom of any list and for the most part I don't even notice that they are there.)

 

Hidden Bait Files won't lower the security.  However, hidden bait shares will effectively disable them, so I don't allow you to do that (at least easily)

On 4/28/2017 at 9:24 AM, Squid said:

Using both bait shares and the bait files is ideal. However, when using the bait files (within your existing shares), the odds of false trips increase significantly. (Personally, I only use the bait shares. But I've set the system to call them zzz-SquidBait so that they're at the bottom of any list and for the most part I don't even notice that they are there.)

 

Hidden Bait Files won't lower the security.  However, hidden bait shares will effectively disable them, so I don't allow you to do that (at least easily)

Thank you for your reply, I will try renaming them and see how it looks. I will keep the bait files as precaution.

On 4/28/2017 at 9:09 AM, trurl said:

Not really pertinent to this thread or your question, but mapping drives is a security risk itself, and for more than just ransomware. Malware doesn't even have to be network aware to attack mapped drives.

 

Most applications can browse the network these days. I never map drives but can easily open and use files on the network.

I never thought of that so that works great as an alternative. I want this to be very secure so I will reset the drives now, thanks.

On 2017-4-18 at 1:31 PM, Squid said:

You can only hide the files within, not the shares.  If the shares were hidden, any attack vector would need to know the exact share name in order to attack it (which is beyond unlikely).  Hidden files on the other hand are visible to any attack....  I name my bait shares zzz-SquidBait so that they are nicely out of the way and not in my face....

 

Just so I'm completely understanding things: Does this not negate the benefit of having them randomly dispersed throughout your array? If they're at the end, is the ransomware not more likely to hit legit files first, assuming a-z progression?

 

Also: Massive thanks in general for creating this, especially given that worm that's on the loose at the moment. This one is Windows-only, but you never know.

 
Just so I'm completely understanding things: Does this not negate the benefit of having them randomly dispersed throughout your array? If they're at the end, is the ransomware not more likely to hit legit files first, assuming a-z progression?
 
Also: Massive thanks in general for creating this, especially given that worm that's on the loose at the moment. This one is Windows-only, but you never know.

Depends. Unless you're willing to purposely infect yourself to see what order it tries to infect (but the paper I read said it was random), the bait shares concept tries to overwhelm the attack by giving it a million possible targets versus the couple thousand legit files you may have.

Any security system is a trade-off between convenience and security. For myself, not including the regular shares is a trade-off I'm willing to make for the increased convenience.


Point taken. But if infection is random, surely you'd be better served by simply upping the number of bait shares, or increasing the number of files per share, to give the same protection as randomly naming shares?

 

Eg, on a 10 share system:

50 zz-prefixed shares would offer better protection vs. 30 randomly named ones.


True enough, but I was also hitting file system limits during development on how many links per file I could do. And I needed to use links to keep the actual disk usage down to ~1Meg. The chosen # of shares and files within won't return an error on any filesystem that unRaid supports, and I didn't want to get myself into a support nightmare with "why doesn't this work on my system" (and unRaid's fuse filesystem further complicates things, since a linked file may or may not be on the same filesystem as the original).

Edited by Squid
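An added illustration of the mechanism Squid describes above (many bait names hard-linked to one payload so they cost almost no disk space, and a trip whenever any bait is altered); this is constructed example code, not the plugin's own, and the share names, file counts, payload size and the two tampering styles in `demo()` are assumptions made here.

```python
import hashlib
import os
import tempfile

PAYLOAD_BYTES = 4096  # constructed; the plugin keeps its whole bait tree near ~1 MB via links

def create_bait_tree(root, shares=3, files_per_share=4):
    """Create bait shares whose files are all hard links to one payload,
    so N bait files cost the disk space of one (st_nlink counts the names)."""
    os.makedirs(root, exist_ok=True)
    payload = os.path.join(root, ".bait_payload")
    with open(payload, "wb") as fh:
        fh.write(os.urandom(PAYLOAD_BYTES))
    baits = []
    for s in range(shares):
        share = os.path.join(root, "zzz-SquidBait-%02d" % s)  # out-of-the-way name, as in the thread
        os.makedirs(share, exist_ok=True)
        for f in range(files_per_share):
            name = os.path.join(share, "bait_%03d.docx" % f)
            os.link(payload, name)  # hard link: same inode, no extra data blocks
            baits.append(name)
    return payload, baits

def sha256_of(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def fingerprint(paths):
    """Baseline digest per bait path, taken right after creation."""
    return {p: sha256_of(p) for p in paths}

def tripped(baseline, paths):
    """Return [(path, 'missing' | 'modified')] for every bait that no longer matches."""
    hits = []
    for p in paths:
        if not os.path.exists(p):
            hits.append((p, "missing"))
        elif sha256_of(p) != baseline[p]:
            hits.append((p, "modified"))
    return hits

def demo():
    """Constructed run in a temp dir: clean baseline, then two tampering styles."""
    root = tempfile.mkdtemp(prefix="baitdemo-")
    payload, baits = create_bait_tree(root)
    base = fingerprint(baits)
    clean = tripped(base, baits)                  # nothing touched yet -> []
    os.rename(baits[0], baits[0] + ".locked")     # encrypt-to-new-name style: that one bait vanishes
    after_rename = tripped(base, baits)
    with open(baits[1], "r+b") as fh:             # in-place overwrite style: every link shares
        fh.write(b"CONSTRUCTED-OVERWRITE")        # the inode, so all remaining baits trip at once
    after_overwrite = tripped(base, baits)
    return len(baits), os.stat(payload).st_nlink, clean, after_rename, after_overwrite
```

Because every bait shares one inode, an in-place overwrite trips all of them at once while a rename-and-delete trips only the name that vanished; as Squid notes, on a FUSE-backed share a link may land on a different filesystem, so the baseline must be retaken whenever the tree is recreated.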
29 minutes ago, squirrellydw said:

@Squid can you tell me how I should set this up, what options I should use?  

 

Thanks

Myself, I only use bait shares. Set up with a prefix of zzz-Squidbait, placed all together in the list. And I don't recreate on stop / start.

