Stories
Slash Boxes
Comments

SoylentNews is people

posted by martyb on Thursday October 29 2015, @10:41AM   Printer-friendly
from the backups-just-do-it dept.

There is a particularly devious type of malicious software that locks users out of their own computer systems until an individual agrees to pay a ransom to the hackers. In these cases, the FBI has surprisingly suggested just ponying up the dough.

It's not the type of advice one would typically expected from the FBI, but that's exactly what was recommended by Joseph Bonavolonta, the assistant special agent in charge of the FBI's CYBER and Counterintelligence Program Boston office.

"The ransomware is that good," said Bonavolonta at the 2015 Cyber Security Summit in Boston, as quoted by Security Ledger. "To be honest, we often advise people just to pay the ransom."

https://www.rt.com/usa/319913-fbi-pay-ransomware-hackers/?utm_source=rss&utm_medium=rss&utm_campaign=RSS

Yeah, it's RT, but I did a search, and that or similar headlines popped up on dozens of news sites. I clicked a couple of them, and the stories match. Try this one,
https://thehackernews.com/2015/10/fbi-ransomware-malware.html

Personally, I can almost certainly afford to nuke and reinstall, unless they get my RAID array. Then - I'd have to think hard.


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 2) by Hyperturtle on Friday October 30 2015, @01:55AM

    by Hyperturtle (2824) on Friday October 30 2015, @01:55AM (#256312)

    I am not sure what you are saying. Are you saying that because a file was in use and someone noticed something was wrong and they killed power to her workstation, and as such it prevented her machine from eventually reaching the NAS? You said "started encrypting what it could on the network drives" and then "restored the network filesystems". I do not understand the difference between these two things. I do understand the difference between a SAN and NAS, but you said NAS, so that to me is "file share on the network", no different than any other mapped drive.

    What kind of NAS protects against this if her machine had write access to it for the image to be stored? Did the NAS itself actually consist of a backup server of some kind, that then pulled data with a different account that was unrelated in any way to hers, so that if a virus like this hit it, it would not have access to it because it didnt have an account with permissions to exploit with since it couldn't use hers?

    RAID is not backup. NAS is not backup. NAS is just a file share on the network that might be a single SD card, a USB stick, a disk drive, or a fancy case with multiple drives running some sort of OS to manage it that... serves files and has file system access, like a vulnerable windows share or linux share. NAS is often just "non-microsoft tax file share for network accessible storage".

    Having file storage on the network and calling it NAS instead of "Not even a raid" or "yeah its a raid but" still is not a backup, and if the user can write to it, then so can the virus.

    But I agree that offline backups are the best type.

    I do realize that you said this was a company you knew (FoAF in other words), so you may not have much detail, but you had enough detail to describe it as NAS with a ZFS file system. What I am getting at is that if a user can access it to write to it, it could be pencil and paper and they can still spill ink on it. The paper and pencil have nothing to do with the user managing to screw it up.

    Sorry if I come across as harsh, but I have known clever people to defeat safeguards in products to make things more convenient and easy and then still repeat the claims on the tin even though the tin has something else in it.

    Starting Score:    1  point
    Karma-Bonus Modifier   +1  

    Total Score:   2  
  • (Score: 2) by VanderDecken on Friday October 30 2015, @06:44AM

    by VanderDecken (5216) on Friday October 30 2015, @06:44AM (#256359)

    Ok, let me try this again.

    If it's providing a network filesystem, I'm calling it a NAS. If it's providing a block device over the network, I'm calling it a SAN. Terms can get muddy, especially when marketing steps in, but let's go with those definitions. (In reality, most modern boxes can provide either. Whether it's ethernet, fibrechannel, or whatever doesn't matter at a high level.)

    In this case, the server was exporting a CIFS share backed by a ZFS filesystem, and ZFS was set to take automatic snapshots every 5 minutes or so. From the client machine perspective, yes it looks like a disk. When the malware hit, it was in the process of encrypting those portions of the CIFS share accessible to the admin assistant. The fact that someone else noticed the problem before the malware was done is irrelevent; it could have finished encrypting the whole thing and it wouldn't have mattered.

    So the recover procedure was:

    1. Shut down the workstation
    2. Shut down the CIFS share
    3. Revert network storage to the latest snapshot that wasn't encrypted (this is provided natively by ZFS; it is not restoring from traditional backups)
    4. Reenable the CIFS share (everyone else is up and running at this point), and
    5. Reimage the infected workstation

    No, a NAS by itself is not a backup, and RAID is not a backup, but exporting a log structured filesystem (and with snapshots enabled) on a RAID means that you can do most recovery operations without going to traditional backups. You still need the traditional backups for archival and disaster recovery scenarios, though, including the case of losing more disks than your RAID has redundancy (at whatever level).

    Does that help?

    --
    The two most common elements in the universe are hydrogen and stupidity.
    • (Score: 2) by Hyperturtle on Friday October 30 2015, @05:19PM

      by Hyperturtle (2824) on Friday October 30 2015, @05:19PM (#256552)

      Yes indeedy!

      My goal really was to provide for posterity a description from someone like you (and me) that having a network share to store backups on doesn't mean it's a backup -- it means its another copy.

      People mistake raid for backups, and copies for backups, and indeed a raid can host copies of backups, and you can backup copies onto a raid, and if you have a raid 10, you have a parity copy hardware backup of those drives in raid 0 and... I didn't think you made the mistake.

      I had a day of dealing with stupid, so please pardon if I stooped to an uninformative level. I would mod your reply informative, but I wanted to let you know that I see you answered my question and it is informative.

      Lots of people out there, despite all the drum beating, do not get it, and other people still beat the drum at the whiff of others not getting it.

      (my replying again doesn't win us points, though, but at least I am happy, right? well if that's not so good--think of all the posterity you helped!)