rockstor / rockstor-core

Linux/BTRFS based Network Attached Storage(NAS)
http://rockstor.com/docs/contribute_section.html
GNU General Public License v3.0

[Major Feature] Anti Ransomware system #1518

Open MFlyer opened 7 years ago

MFlyer commented 7 years ago

Rockstor users already have a good protection against ransomware via Btrfs snapshots, but I firmly believe we can improve it. How? Adding some ad hoc ransomware hooks!

How does ransomware code work? Basically, it lists folders looking for well-known document files (documents, images, etc.) and encrypts them. Having had direct experience ( :scream: ) with a ransomware, I found out that the folder listing is usually ls (nix) / dir (windows) like, so alphabetically ordered, with numbers before a, before b, before c, etc., and all . elements (dot = hidden) before alphanumerics: having some fake hidden folders/files in a share should prevent ransomware.

Do you agree on implementing this in Rockstor?

Mirko

phillxnet commented 7 years ago

@MFlyer Sorry, I don't seem to understand this. How would having some .files in a share trip up ransomware? You state they are to be fake, but surely they can only be legitimate if they are not to also break regular fs functions, and how can they appear in an fs listing if not legitimate?

I'm probably missing the point entirely here.

MFlyer commented 7 years ago

Hi @phillxnet, let's have an example: you have your share /mnt2/myshare and you enable our ransomware hooks feature, so what happens?

So the main part of this is the incrontab system

M.

phillxnet commented 7 years ago

@MFlyer OK, nice explanation. I get it now thanks.

You are proposing we setup and monitor 'canary in coal mine' sacrificial files as triggers. Kind of like an auto honey pot by virtue of list order. Curious.

Fragile but I think there's something to this.

Not sure of the inotify and consequent incrontab load here though; presumably you are proposing some kind of checksum trigger or the like?
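The "canary in coal mine" idea from the two comments above, as an added example that is not code from the Rockstor project or from either commenter: sacrificial dot-files are dropped into a share so they sort ahead of real data, a SHA-256 baseline is recorded, and a check reports any canary whose content changed or that disappeared (the "checksum trigger" asked about). The canary names, their content, the temporary share directory and the handler path in the incrontab line are all constructed assumptions for the demo.

```python
import hashlib
import os
import tempfile

# Constructed canary names: a leading dot hides them, "00" sorts them first.
CANARY_NAMES = (".00_canary.docx", ".00_canary.jpg", ".00_canary.pdf")
CANARY_CONTENT = b"rockstor canary - do not modify\n"


def deploy_canaries(share):
    """Write the canary files into `share` and return {name: sha256 hex}."""
    baseline = {}
    for name in CANARY_NAMES:
        with open(os.path.join(share, name), "wb") as fh:
            fh.write(CANARY_CONTENT)
        baseline[name] = hashlib.sha256(CANARY_CONTENT).hexdigest()
    return baseline


def canaries_sort_first(share):
    """True if a plain sorted listing puts every canary before real files."""
    listing = sorted(os.listdir(share))
    return listing[: len(CANARY_NAMES)] == sorted(CANARY_NAMES)


def check_canaries(share, baseline):
    """Return the names of canaries that are missing or whose hash changed."""
    tampered = []
    for name, expected in baseline.items():
        path = os.path.join(share, name)
        if not os.path.exists(path):
            tampered.append(name)
            continue
        with open(path, "rb") as fh:
            digest = hashlib.sha256(fh.read()).hexdigest()
        if digest != expected:
            tampered.append(name)
    return tampered


def incrontab_line(share, handler="/usr/local/bin/canary_alert.sh"):
    """Build an incrontab entry that calls `handler` (hypothetical path) on
    writes, deletes or moves inside `share`; $@ = watched dir, $# = file name,
    $% = event flags (incron's own wildcards)."""
    return f"{share} IN_CLOSE_WRITE,IN_DELETE,IN_MOVED_FROM {handler} $@/$# $%"


def demo():
    """Set up a throwaway share, then simulate one unexpected write to a canary."""
    share = tempfile.mkdtemp(prefix="myshare_")
    with open(os.path.join(share, "report.docx"), "wb") as fh:
        fh.write(b"real user data\n")  # constructed "real" file
    baseline = deploy_canaries(share)
    before = check_canaries(share, baseline)  # expected: []
    # Constructed tampering: overwrite one canary, as any unexpected writer would.
    with open(os.path.join(share, CANARY_NAMES[0]), "wb") as fh:
        fh.write(b"changed\n")
    after = check_canaries(share, baseline)  # expected: [".00_canary.docx"]
    return canaries_sort_first(share), before, after


if __name__ == "__main__":
    print(demo())
    print(incrontab_line("/mnt2/myshare"))
```

The hash check is what a handler script behind the incrontab entry would run: an inotify event on a canary is a strong signal on its own, and comparing the content against the recorded baseline rules out benign events such as a backup tool reading the file.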

MFlyer commented 7 years ago

@phillxnet Did some googling -> on 64-bit, every watch = 1kB RAM :)

Hack to reduce RAM usage: add watches on a files/folders group and add symlinks to shares :D

tomtom13 commented 7 years ago

I would say that if somebody making ransomware finds out about that, they will code around it; still, if we can get a feature that enriches the experience, not limits it, there will be more people that can benefit from that, so it's worth the hassle. In this small group and without money for development we usually concentrate on features that serve us... so any extra input is always good.

Go for it!

tastyratz commented 7 years ago

This is a good idea, similar to FSRM functionality on Windows. Considering we don't even have an official AV rock-on or similar, I don't know if I see it at the top of the list right now.

Honeypots are very common for servers these days. I wouldn't say it's something they would code around per se, unless you do something like label the share "honeypot". Ransomware just starts encrypting and dumping to any open share it can populate.

If this existed, I would use it.