Can snapshots really save your data from ransomware?

Captions
Barely a week goes by without a story in the news about an organization which has suffered a ransomware attack. Whilst there's plenty of steps a sysadmin can take to try and prevent an attack, none are foolproof, so it's vital to have a means of recovering data should the worst happen. But unless your data resiliency has been designed with ransomware specifically in mind, it might be providing a false sense of security that will crumble during a real attack.

Hi there, I'm Andy, and in this video we'll be looking at the right and wrong way of configuring backups and snapshots to give your data the best chance of surviving a ransomware attack.

This video was inspired by an unlucky home labber who shared a story on Reddit of their Windows workstation falling victim to a ransomware attack. This malware, like most others like it, crypto-locked the files not just on the workstation itself but also any files accessible by Windows file sharing, which in this case was everything on the poor victim's network attached storage, and without a backup the data was gone. In the ensuing conversation on the possible steps to prevent a reoccurrence, the topic of snapshots came up, and whether they really provide much in the way of data protection in this scenario. The answer is: it depends.

But before we dig into the specifics, let's take a quick recap on what exactly snapshots are. The content of a file is stored across one or more blocks on a disk. The file system maintains a lookup table which is used to locate the relevant blocks when a file needs to be read or modified. A snapshot takes a copy of this lookup table so that if a file is deleted or overwritten in the live file system, the snapshot still provides a link to the original blocks so that data can be recovered. The precise mechanics vary depending on the file system and technology stack in use. One of the simplest is through the Linux tool rsnapshot, which uses a combination of file system hard links and rsync copies. The configuration file here will snapshot the contents of the home folder to the snapshots directory. It also defines multiple tiers of snapshots: hourly snapshots are taken once an hour, with the most recent 24 being kept, providing the ability to dial back the file system to any point in the past day. Similarly, daily snapshots are taken just after midnight and kept for a week, and weekly snapshots are kept for a year. Because snapshots work at the block level, not the file level, they only consume disk space where there's a change between the live file system and the snapshot. This means that it's economical to take so many snapshots and keep them for so long.

So with all that in mind, some of you are probably thinking snapshots are a great way to help protect data against ransomware: if data gets crypto-locked you can always just revert back to a previous snapshot, right? Others amongst you may have spotted a possible flaw in this otherwise brilliant plan: what stops ransomware from also encrypting the snapshots themselves? The key here is understanding the relative privileges between the snapshots and the malware. The malware itself needs somewhere to be executed, and in most cases, such as that of our unfortunate home labber, that's a Windows client machine. This is a different location to where the snapshots are being taken, typically a Linux server or NAS. The only link between the two is normally the Windows file sharing protocol, which can only read and write files. So quite simply, if the snapshot location is not exposed via a file share, it can't be overwritten with encrypted data. We can see that in action here, where this user's home folder is shared over the network, providing access to the contents. This PowerShell script acts as a simple cryptolocker, overwriting all the files in this location. Once run, the previously accessible files are now just full of junk. However, an administrator can copy the contents of the last hourly snapshot back to the home folder, recovering the original content of the files and making them accessible once again.

But what if the snapshot destination folder has also been shared? After all, it's kind of handy to be able to directly access snapshots to recover a file without having to wait for an administrator or switch to an admin interface. In this situation there's two factors which contribute to whether snapshots are at risk or not. Firstly, the snapshot technology must support writing to an existing snapshot. Most don't, due to either technical limitations or design constraints; after all, it's usually undesirable to be able to modify a snapshot after it's been taken. A simple Linux block-level file copy like that performed by rsnapshot has no such limitation, however. Secondly, access permissions must permit write access by the victim user account. In the example here, the snapshot share is configured on the server to be read-only, so any attempt by the cryptolocker to modify these files is rejected. Only if we explicitly allow read-write access on the share can the cryptolocker perform its evil actions. If both the permissions allow and the snapshot technology allows, snapshots can indeed be overwritten, but we've had to really go out of the way here to explicitly configure such a vulnerable configuration. Snapshots should be immutable, and most snapshot technologies enforce this, and in the few cases where that's not the case it's an easy fix: just be sure to set file and share permissions to read-only.

Okay, so snapshots can help so long as the system is configured in a sensible way. But we've made a big assumption so far: that the malware is running on a separate workstation and can only interface via the file sharing protocol. What happens if the ransomware runs on the NAS or server instead? Lateral movement from a workstation to a NAS is quite a leap, requiring the malware to spread over some sort of remote administration connection to the server, probably using a separate set of credentials, not to mention potentially having to deploy code for different operating systems. A far more likely route is direct infection via an insecure administration interface such as SSH with a weak or default password. But either way, malware executing on a NAS or server with administrator privileges will probably be game over for your snapshots.

So you might now be wondering if all that effort is really worth it. After all, snapshots won't help if the server itself is compromised, nor in the event of a hardware failure or physical disaster such as a fire or flood, so you'll always need to implement an offsite backup for these situations. Why not depend on the offsite backup to work in the event of ransomware? Well, again, it all depends on the specific configuration. How often is data copied to an offsite location? Typically this time window, the RPO or recovery point objective, is minimized so that in the event of an incident the smallest amount of data is lost. This can be reduced to almost zero by implementing a real-time transfer every time a file is changed. This sounds great for saving data in the event of a hardware failure, but can be terrible in the event of ransomware. After all, the backup system has no way of distinguishing between a file being modified by a genuine user versus being modified by malware, so in the event of an attack the backup routine will dutifully overwrite its destination data with crypto-locked files as quickly as it can. So a simple single-destination backup or file sync is unlikely to provide much in the way of data protection from a ransomware attack, unless it's spotted immediately and a sysadmin intervenes quickly enough to deactivate the next backup run. The solution is to combine both snapshots and remote backup. This provides the best of both worlds: data is moved offsite to guard against physical hardware threats, whilst retaining the ability to rewind data to a specific point in time. But that's not to say there's no value in still taking snapshots locally. Assuming they're sufficiently protected, they can provide a vastly quicker route to data recovery, as the data just needs copying between locations on a single physical device rather than having to be fetched over a much slower remote link.

But that's pretty much it for this video. Let me know in the comments what combination of backup and snapshotting strategy you find works best for you, or if you have any other good data resiliency tips to share, or if you just have any questions. If you found this video useful please do click that like button and consider subscribing if you want to see more content like this. I'll see you next time.
Info
Channel: Attack Detect Defend
Views: 2,093
Id: ajYkTwZxk5w
Length: 9min 27sec (567 seconds)
Published: Tue Sep 14 2021