Ransomware recovery with TrueNAS ZFS snapshots

This is really an excuse to install and play around with TrueNAS® CORE 12.0.

I had a few “self assigned homework exercises” I have to do this weekend. I was planning to do a video webcast with an EFSS vendor soon, and the theme should be around ransomware. Then one of the iXsystems™ resellers, unrelated to the first exercise, was talking about this ransomware messaging yesterday after we did a technical training with them. And this weekend is coming on a bit light as well. So I thought I could bring all these things, including checking out the TrueNAS® CORE 12.0, together in a video (using Free Cam), of which I would do for the first time as well. WOW! I can kill 4 birds with one stone! All together in one blog!

It could be Adam Brown 89 or worse

Trust me. You do not want AdamBrown89 as your friend. Or his thousands of ransomware friends.

When (not if) you are infected by ransomware, you get a friendly message like this in the screenshot below. I got this from a local company who asked for my help a few months ago.

AdamBrown89 ransomware message

I have written about this before. NAS (Network Attached Storage) has become a gold mine for ransomware attackers, and many entry level NAS products are heavily inflicted with security flaws and vulnerabilities. Here are a few notable articles in year 2020 alone. [ Note: This has been my journal of the security flaws of NAS devices from 2020 onwards ]

• [ October 2020 ] QNAP® warns of attacks on NAS operating system
• [ July 2020 ] CISA says 62,000 QNAP® NAS Devices have been infected with QSnatch malware.
• [ September 2020 ] AgeLocker ransomware targets QNAP® NAS devices, steals data
• [ June 2020 ] Ongoing eCh0raix ransomware campaign targets QNAP® NAS devices.
• [ October 2020 ] QNAP® warns of Windows Zerologon flaw affecting some NAS devices
• [ August 2020 ] Hackers are backdooring QNAP® NAS devices with 3-year old RCE bug
• [ October 2020 ] QNAP® fixes critical flaws that could lead to device takeover
• [ December 2020 ] QNAP® high security flaws plague NAS systems
• [ December 2020 ] QNAP® fixes even more serious security flaws on its NAS devices
• [ January 2021 ] QNAP® warns users of dangerous new Dovecat malware
• [ March 2021 ] Researchers unearth links between SunCrypt and QNAPCrypt Ransomware
• [ March 2021 ] Crypto-miner campaign targets unpatched QNAP® NAS devices
• [ March 2021 ] QNAP® warns of ongoing brute-force attacks against NAS devices
• [ April 2021 ] Legacy QNAP® NAS Devices vulnerable to Zero-Day attack
• [ April 2021 ] QNAP® caught napping as disclosure delay expires; critical NAS bugs revealed 
• [ April 2021 ] Massive Qlocker ransomware attack uses 7zip to encrypt QNAP® devices
• [ May 2021 ] QNAP® warns of eCh0raix ransomware attacks, Roon Server zero-day
• [ May 2021 ] QNAP® confirms Qlocker ransomware used HBS backdoor account
• [ May 2021 ] Critical vulnerabilities patched in QNAP® Music Station, Malware Remover apps
• [ June 2021 ] Security Update: Attackers could run their own commands on QNAP® NAS.
• [ June 2021 ] Exposing a NAS security issue
• [ July 2021 ] QNAP® fixes critical bug in NAS backup, disaster recovery app 
• [ July 2021 ] Security updates: An attacker could take control of QNAP® NAS
• [ August 2021 ] eCh0raix ransomware variant targets QNAP®, Synology NAS® devices
• [ August 2021 ] NAS devices under attack: How to keep them safe? 240,000 QNAP® NAS devices exposed
• [ August 2021 ] QNAP® works on patches for OpenSSL bugs impacting its NAS devices
• [ September 2021 ] QNAP® closes critical malicious code gaps in NAS models
• [ September 2021 ] QNAP® fixes critical bugs in QVR video surveillance solution
• [ September 2021 ] QNAP® fixes bug that let attackers that runs malicious commands remotely
• [ October 2021 ] CVE-2021-34362 Detail
• [ November 2021 ] QNAP® publishes NAS updates and deactivates an app for security reasons
• [ November 2021 ] An attacker could gain control of QNAP® video surveillance systems
• [ December 2021 ] Cryptojackers target QNAP®’s NAS products once again
• [ December 2021 ] QNAP® NAS devices hit in surge ech0raix ransomware attacks
• [ January 2022 ] QNAP®: Get NAS devices off the Internet now
• [ January 2022 ] QLocker ransomware returns to target QNAP® NAS devices worldwide
• [ January 2022 ]  QNAP® warns of new DeadBolt ransomware encrypting NAS devices 
• [ January 2022 ] The Qnapping of QNAP® devices – Censys found over 130,000 QNAP® NAS devices as potential targets. 4,988 showed signs of DeadBolt infections.
• [ March 2022 ] QNAP® warns severe Linux bug affects most of its NAS devices
• [ March 2022 ] DeadBolt ransomware resurfaces to hit QNAP® again
• [ March 2022 ] QNAP® warns severe OpenSSL bug affects most of its NAS devices
• [ April 2022 ] Legacy QNAP® NAS Devices vulnerable to Zero-Day attack
• [ April 2022 ] QNAP® asks users to mitigate critical Apache HTTP Server bugs
• [ April 2022 ] QNAP® warns of new bugs in its Network Attached Storage devices
• [ April 2022 ] QNAP® warns users to disable AFP until it fixes critical bugs
• [ May 2022 ] QNAP® asks NAS users to apply updates immediately due to Deadbolt Ransomware
• [ June 2022 ] CISA Alert: People’s Republic of China state-sponsored cyber actors exploit network provides and devices. QNAP® listed with the most vulnerabilities.
• [ June 2022 ] QNAP® investigating new Deadbolt ransomware campaign
  • [ Related – June 2022 ] Deadbolt ransomware takes another shot at QNAP® storage – 4th campaign by Deadbolt gang in 2022 (so far) – in January, March, May and June
• [ June 2022 ] QNAP® NAS devices targeted by surge of eCh0raix ransomware attacks
• [ June 2022 ] Critical PHP flaw exposes  QNAP® NAS devices to RCE attacks
• [ July 2022 ] QNAP® warns of new Checkmate ransomware targeting NAS devices
• [ July 2022 ] ‘Raspberry Robin’ Windows worm abuses QNAP® devices
• [ September 2022 ] DeadBolt is hitting QNAP® NAS devices via zero-day bug; what to do?
• [ October 2022 ] Raspberry Robin (aka QNAP® Worm) operators selling cybercriminals access to thousands of endpoints
• [ November 2022 ] Joint advisory on the distribution of ransomware “Deadbolt” targeting QNAP® NAS devices
• [ January 2023 ] Raspberry Robin Worm Hatches a Highly Complex Upgrade – now known as QNAP® Worm
• [ January 2023 ] QNAP® fixes critical bug letting hackers inject malicious code – SQL Injection hack
• [ February 2023 ] Up to 29,000 unpatched QNAP® storage devices are sitting ducks to ransomware
• [ March 2023 ] QNAP® warns customers to patch Linux sudo flaw in NAS devices
• [ April 2023 ] QNAP® Zero-Days leave 80K devices vulnerable to cyberattack.
• [ November 2023 ] QNAP® warns of critical command injection flaws in QTS OS, apps.
• [ January 2024 ] Alert: New vulnerabilities discovered in QNAP® and Kyocera Device Manager.
• [ February 2024 ] QNAP® patches high-severity bugs in QTS, QSync Central
• [ February 2024 ] QNAP® vulnerability disclosure ends up an utter shambles. – “In just this year alone, less than two months in, 15 different security advisories have been released to disclose 12 different command injection vulnerabilities impacting various devices.”
• [ March 2024 ] QNAP® warns of critical auth bypass flaw in its NAS devices.
• [ April 2024 ] Multiple QNAP® vulnerabilities let hackers hijack your NAS.
• [ May 2024 ] QNAP® QTS zero-day in Share feature get public RCE exploit.
• [ May 2024 ] Researchers call out QNAP® for dragging its heels on patch management.
• [ October 2024 ] QNAP®, Synology®, Lexmark devices hacked on Pwn2Own Day 3.
• [ October 2024 ] QNAP® patches second zero-day exploited at Pwn2Own to get root – second zero-day hack at Pwn2Own 2024

Western Digital specific:

• [ June 2021 ] A mysterious cyberattack is completely erasing Western Digital MyBook Live drives
• [ July 2021 ] Western Digital users face another RCE
• [ November 2021 ] Western Digital to end support for prior generations of My Cloud OS
• [ December 2021 ] Western Digital warns customers to update their My Cloud devices
• [ March 2023 ] Western Digital Cloud Network has been down for 5 days

Synology® specific:

• [ August 2021 ] Synology® warns NAS owners botnet-creating Stealthworker malware
• [ August 2021 ] eCh0raix ransomware now targets both QNAP® and Synology® NAS devices
• [ August 2021 ] NAS devices under attack: How to keep them safe? 3,500 Synology® NAS devices exposed
• [ August 2021 ] NAS maker Synology® reveals new remote code execution vulnerabilities
• [ February 2022 ] Vulnerability in Synology® DSM allows execution of arbitrary commands
• [ April 2022 ] Synology® warns of critical Netatalk bugs in multiple products
• [ April 2022 ] Synology® warns NAS users over multiple critical vulnerabilities
• [ September 2022 ] Noberus ransomware: Darkside and BlackMatter successor continues to evolve its tactics
• [ December 2022 ] PWN2OWN Toronto 2022 – Day One results: Synology® NAS Diskstation DS920+ exploit
• [ July 2023 ] btrfs deprecating its integrity checker tool
• [ September 2023 ] DSM 7.2.1 with 1.0.0-0017 completely ditched S.M.A.R.T.
• [ October 2023 ] – New admin takeover vulnerability exposed in Synology’s Diskstation Manager
• [ April 2024 ] Synology® NAS attacked. (DiskStation security ransomware)
• [ November 2024 ] Millions of Synology® NAS devices vulnerable to zero-click attacks (CVE-2024-10443).

ASUStor specific:

• [ February 2022 ] Deadbolt ransomware target ASUStor NAS

How ZFS snapshot recovery is done

The Windows network drive from the TrueNAS® CORE share must have snapshots configured. It can be a periodic snapshot (auto) or a manual one and in my experiment, I had both configured as shown below.

TrueNAS CORE snapshot table showing both auto and manual snapshots

My mapped drive on Windows has encrypted files simulating a ransomware infection. The files with the green lock cannot be opened unless I have the decryption key.

Z: Drive with encrypted files simulating a ransomware infection

The Windows File Explorer “Previous Versions” is a feature that allows the user to select different restore points of saved copies. This feature is integrated with the TrueNAS® CORE snapshots seamlessly without any configuration.

In the ransomware recovery procedures, right-click on the mapped Z: drive (as shown) from the TrueNAS® CORE Windows share and choose “Restore Previous Versions”.

Right-click Network Drive to Restore Previous Versions

Choose the version to restore. Click “Restore”

Restore Previous Versions

A pop-up appears. “Restore” to continue.

Restore pop-up

Depending on the size to recover and the network bandwidth, the files in the simulated ransomware infected network drive were reverted back to a clean state before the attack in a jiffy. A pop-up confirms that the files and folders have been restored back to the previous version you have selected.

Restore previous version successful

The 2:17 minute video

For the fun of it, I made a screen capture video. Here is the video.

Small medium businesses are easy targets

NAS is the workhorse of many small medium businesses. Unfortunately, many are uninformed of the cybersecurity risks and often opt for a cheap NAS solution without doing their research and homework. And many felt invincible saying that it won’t happen to me. The lackadaisical attitude of these small medium businesses dilutes the value of strong security and cyber-resiliency of a good NAS solution.

For the many NAS solutions I known over 28+ years, the one with the best technology and value for money is TrueNAS® CORE. I am not saying this because I work for iXsystems™, but because I spend a lot time passionately devouring many storage vendors’ technologies and worked with many enterprise storage vendors in my career.

Just as I have shown in the past about a great Disaster Recovery solution with ZFS Replication, I have shown in this blog that ZFS snapshots are equally resilient against the ransomware scourge.  This technology gives small medium businesses an equal standing combatting their cybersecurity risks.