There is a particularly devious type of malicious software that locks users out of their own computer systems until an individual agrees to pay a ransom to the hackers. In these cases, the FBI has surprisingly suggested just ponying up the dough.
It's not the type of advice one would typically expected from the FBI, but that's exactly what was recommended by Joseph Bonavolonta, the assistant special agent in charge of the FBI's CYBER and Counterintelligence Program Boston office.
"The ransomware is that good," said Bonavolonta at the 2015 Cyber Security Summit in Boston, as quoted by Security Ledger. "To be honest, we often advise people just to pay the ransom."
Yeah, it's RT, but I did a search, and that or similar headlines popped up on dozens of news sites. I clicked a couple of them, and the stories match. Try this one,
https://thehackernews.com/2015/10/fbi-ransomware-malware.html
Personally, I can almost certainly afford to nuke and reinstall, unless they get my RAID array. Then - I'd have to think hard.
(Score: 2) by Hyperturtle on Friday October 30 2015, @01:55AM
I am not sure what you are saying. Are you saying that because a file was in use and someone noticed something was wrong and they killed power to her workstation, and as such it prevented her machine from eventually reaching the NAS? You said "started encrypting what it could on the network drives" and then "restored the network filesystems". I do not understand the difference between these two things. I do understand the difference between a SAN and NAS, but you said NAS, so that to me is "file share on the network", no different than any other mapped drive.
What kind of NAS protects against this if her machine had write access to it for the image to be stored? Did the NAS itself actually consist of a backup server of some kind, that then pulled data with a different account that was unrelated in any way to hers, so that if a virus like this hit it, it would not have access to it because it didnt have an account with permissions to exploit with since it couldn't use hers?
RAID is not backup. NAS is not backup. NAS is just a file share on the network that might be a single SD card, a USB stick, a disk drive, or a fancy case with multiple drives running some sort of OS to manage it that... serves files and has file system access, like a vulnerable windows share or linux share. NAS is often just "non-microsoft tax file share for network accessible storage".
Having file storage on the network and calling it NAS instead of "Not even a raid" or "yeah its a raid but" still is not a backup, and if the user can write to it, then so can the virus.
But I agree that offline backups are the best type.
I do realize that you said this was a company you knew (FoAF in other words), so you may not have much detail, but you had enough detail to describe it as NAS with a ZFS file system. What I am getting at is that if a user can access it to write to it, it could be pencil and paper and they can still spill ink on it. The paper and pencil have nothing to do with the user managing to screw it up.
Sorry if I come across as harsh, but I have known clever people to defeat safeguards in products to make things more convenient and easy and then still repeat the claims on the tin even though the tin has something else in it.
(Score: 2) by VanderDecken on Friday October 30 2015, @06:44AM
Ok, let me try this again.
If it's providing a network filesystem, I'm calling it a NAS. If it's providing a block device over the network, I'm calling it a SAN. Terms can get muddy, especially when marketing steps in, but let's go with those definitions. (In reality, most modern boxes can provide either. Whether it's ethernet, fibrechannel, or whatever doesn't matter at a high level.)
In this case, the server was exporting a CIFS share backed by a ZFS filesystem, and ZFS was set to take automatic snapshots every 5 minutes or so. From the client machine perspective, yes it looks like a disk. When the malware hit, it was in the process of encrypting those portions of the CIFS share accessible to the admin assistant. The fact that someone else noticed the problem before the malware was done is irrelevent; it could have finished encrypting the whole thing and it wouldn't have mattered.
So the recover procedure was:
No, a NAS by itself is not a backup, and RAID is not a backup, but exporting a log structured filesystem (and with snapshots enabled) on a RAID means that you can do most recovery operations without going to traditional backups. You still need the traditional backups for archival and disaster recovery scenarios, though, including the case of losing more disks than your RAID has redundancy (at whatever level).
Does that help?
The two most common elements in the universe are hydrogen and stupidity.
(Score: 2) by Hyperturtle on Friday October 30 2015, @05:19PM
Yes indeedy!
My goal really was to provide for posterity a description from someone like you (and me) that having a network share to store backups on doesn't mean it's a backup -- it means its another copy.
People mistake raid for backups, and copies for backups, and indeed a raid can host copies of backups, and you can backup copies onto a raid, and if you have a raid 10, you have a parity copy hardware backup of those drives in raid 0 and... I didn't think you made the mistake.
I had a day of dealing with stupid, so please pardon if I stooped to an uninformative level. I would mod your reply informative, but I wanted to let you know that I see you answered my question and it is informative.
Lots of people out there, despite all the drum beating, do not get it, and other people still beat the drum at the whiff of others not getting it.
(my replying again doesn't win us points, though, but at least I am happy, right? well if that's not so good--think of all the posterity you helped!)