This is really an excuse to install and play around with TrueNAS® CORE 12.0.
I had a few “self assigned homework exercises” I have to do this weekend. I was planning to do a video webcast with an EFSS vendor soon, and the theme should be around ransomware. Then one of the iXsystems™ resellers, unrelated to the first exercise, was talking about this ransomware messaging yesterday after we did a technical training with them. And this weekend is coming on a bit light as well. So I thought I could bring all these things, including checking out the TrueNAS® CORE 12.0, together in a video (using Free Cam), of which I would do for the first time as well. WOW! I can kill 4 birds with one stone! All together in one blog!
It could be Adam Brown 89 or worse
Trust me. You do not want AdamBrown89 as your friend. Or his thousands of ransomware friends.
When (not if) you are infected by ransomware, you get a friendly message like this in the screenshot below. I got this from a local company who asked for my help a few months ago.
I have written about this before. NAS (Network Attached Storage) has become a gold mine for ransomware attackers, and many entry level NAS products are heavily inflicted with security flaws and vulnerabilities. Here are a few notable articles in year 2020 alone.
- [ October 2020 ] QNAP® warns of attacks on NAS operating system
- [ July 2020 ] CISA says 62,000 QNAP® NAS Devices have been infected with QSnatch malware.
- [ September 2020 ] AgeLocker ransomware targets QNAP® NAS devices, steals data
- [ June 2020 ] Ongoing eCh0raix ransomware campaign targets QNAP® NAS devices.
- [ October 2020 ] QNAP® warns of Windows Zerologon flaw affecting some NAS devices
- [ August 2020 ] Hackers are backdooring QNAP® NAS devices with 3-year old RCE bug
- [ October 2020 ] QNAP® fixes critical flaws that could lead to device takeover
- [ December 2020 ] QNAP® high security flaws plague NAS systems
- [ December 2020 ] QNAP® fixes even more serious security flaws on its NAS devices
- [ January 2021 ] QNAP® warns users of dangerous new Dovecat malware
- [ March 2021 ] Researchers unearth links between SunCrypt and QNAPCrypt Ransomware
How ZFS snapshot recovery is done
The Windows network drive from the TrueNAS® CORE share must have snapshots configured. It can be a periodic snapshot (auto) or a manual one and in my experiment, I had both configured as shown below.
My mapped drive on Windows has encrypted files simulating a ransomware infection. The files with the green lock cannot be opened unless I have the decryption key.
The Windows File Explorer “Previous Versions” is a feature that allows the user to select different restore points of saved copies. This feature is integrated with the TrueNAS® CORE snapshots seamlessly without any configuration.
In the ransomware recovery procedures, right-click on the mapped Z: drive (as shown) from the TrueNAS® CORE Windows share and choose “Restore Previous Versions”.
Choose the version to restore. Click “Restore”
A pop-up appears. “Restore” to continue.
Depending on the size to recover and the network bandwidth, the files in the simulated ransomware infected network drive were reverted back to a clean state before the attack in a jiffy. A pop-up confirms that the files and folders have been restored back to the previous version you have selected.
The 2:17 minute video
For the fun of it, I made a screen capture video. Here is the video.
Small medium businesses are easy targets
NAS is the workhorse of many small medium businesses. Unfortunately, many are uninformed of the cybersecurity risks and often opt for a cheap NAS solution without doing their research and homework. And many felt invincible saying that it won’t happen to me. The lackadaisical attitude of these small medium businesses dilutes the value of strong security and cyber-resiliency of a good NAS solution.
For the many NAS solutions I known over 28+ years, the one with the best technology and value for money is TrueNAS® CORE. I am not saying this because I work for iXsystems™, but because I spend a lot time passionately devouring many storage vendors’ technologies and worked with many enterprise storage vendors in my career.
Just as I have shown in the past about a great Disaster Recovery solution with ZFS Replication, I have shown in this blog that ZFS snapshots are equally resilient against the ransomware scourge. This technology gives small medium businesses an equal standing combatting their cybersecurity risks.