Ransomware recovery with TrueNAS ZFS snapshots

This is really an excuse to install and play around with TrueNAS® CORE 12.0.

I had a few “self-assigned homework exercises” to do this weekend. I was planning to do a video webcast with an EFSS vendor soon, and the theme was to be ransomware. Then one of the iXsystems™ resellers, unrelated to the first exercise, brought up this ransomware messaging yesterday after we did a technical training with them. And this weekend was looking a bit light as well. So I thought I could bring all these things, including checking out TrueNAS® CORE 12.0, together in a video (using Free Cam), which I would also be doing for the first time. WOW! I can kill 4 birds with one stone, all in one blog!

It could be AdamBrown89 or worse

Trust me. You do not want AdamBrown89 as your friend. Or his thousands of ransomware friends.

When (not if) you are infected by ransomware, you get a “friendly” message like the one in the screenshot below. I got this from a local company that asked for my help a few months ago.

AdamBrown89 ransomware message

I have written about this before. NAS (Network Attached Storage) has become a gold mine for ransomware attackers, and many entry-level NAS products are riddled with security flaws and vulnerabilities. Here are a few notable articles from 2020 alone.

How ZFS snapshot recovery is done

The TrueNAS® CORE share mapped as a Windows network drive must have snapshots configured. They can be periodic (auto) snapshots or manual ones; in my experiment I had both configured, as shown below.

TrueNAS CORE snapshot table showing both auto and manual snapshots

My mapped drive on Windows has encrypted files simulating a ransomware infection. The files with the green lock cannot be opened without the decryption key.

Z: Drive with encrypted files simulating a ransomware infection

The Windows File Explorer “Previous Versions” feature lets the user pick from restore points of saved copies. It integrates with TrueNAS® CORE snapshots seamlessly, without any extra configuration.

To recover from the ransomware, right-click the mapped Z: drive (as shown) from the TrueNAS® CORE Windows share and choose “Restore Previous Versions”.

Right-click Network Drive to Restore Previous Versions

Choose the version to restore and click “Restore”.

Restore Previous Versions

A pop-up appears. Click “Restore” to continue.

Restore pop-up

The restore time depends on the amount of data to recover and the network bandwidth; in my case the files on the simulated ransomware-infected network drive were reverted to their clean, pre-attack state in a jiffy. A pop-up confirms that the files and folders have been restored to the previous version you selected.

Restore previous version successful
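As an added example (not code from this blog or from TrueNAS/iXsystems), the Python below automates the restore-point choice that the Previous Versions dialog leaves to the user: it parses constructed `zfs list` output and per-snapshot file listings, picks the newest snapshot that contains no encrypted file or ransom note, and lists the files to copy back from the dataset's `.zfs/snapshot` directory instead of rolling the whole dataset back. The dataset name, snapshot names, file names and the `.locked` marker are assumptions.

```python
# Added example, not code from the blog post or from TrueNAS/iXsystems.
# It automates what the Previous Versions dialog leaves to the user: pick the
# newest ZFS snapshot of the share taken before the infection, then list what
# to copy back from <dataset>/.zfs/snapshot/<name>/ rather than running
# `zfs rollback -r`, which destroys every snapshot newer than the target.
# Dataset, snapshot names, file names and the ".locked" marker are constructed.
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed output of: zfs list -H -p -t snapshot -o name,creation
SNAPSHOT_LIST = (
    "tank/share@auto-2020-11-20_00-00\t1605830400\n"
    "tank/share@auto-2020-11-21_00-00\t1605916800\n"
    "tank/share@manual-before-demo\t1605920000\n"
    "tank/share@auto-2020-11-22_00-00\t1606003200\n"
)
CLEAN = ["Finance/budget.xlsx", "HR/policy.docx", "Sales/q4.pptx"]
LOCKED = [p + ".locked" for p in CLEAN] + ["README_TO_DECRYPT.txt"]
# Constructed file listings of each snapshot directory and of the live share
LISTINGS: Dict[str, List[str]] = {
    "tank/share@auto-2020-11-20_00-00": CLEAN[:2],
    "tank/share@auto-2020-11-21_00-00": CLEAN,
    "tank/share@manual-before-demo": CLEAN,
    "tank/share@auto-2020-11-22_00-00": LOCKED,  # taken after the attack
}
LIVE_SHARE = LOCKED
MARKERS = (".locked", "README_TO_DECRYPT.txt")

def parse_snapshot_list(output: str) -> List[Tuple[str, int]]:
    """Parse name<TAB>creation-epoch lines into (name, epoch), oldest first."""
    rows = [line.split("\t") for line in output.splitlines() if line.strip()]
    return sorted(((n, int(c)) for n, c in rows), key=lambda r: r[1])

def is_attack_artifact(path: str, markers: Iterable[str] = MARKERS) -> bool:
    """True for a renamed/encrypted file or a dropped ransom note."""
    return any(path.endswith(m) for m in markers)

def pick_clean_snapshot(snaps, listings) -> Optional[str]:
    """Newest snapshot whose file listing shows no attack artifact."""
    for name, _ in reversed(snaps):
        if not any(is_attack_artifact(p) for p in listings.get(name, [])):
            return name
    return None

def restore_plan(snapshot: str, mount: str = "/mnt/tank/share"):
    """Paths to copy back from the snapshot directory, and live files to drop."""
    snap_dir = f"{mount}/.zfs/snapshot/{snapshot.split('@')[1]}"
    live_ok = {p for p in LIVE_SHARE if not is_attack_artifact(p)}
    copy = [f"{snap_dir}/{p}" for p in LISTINGS[snapshot] if p not in live_ok]
    drop = [f"{mount}/{p}" for p in LIVE_SHARE if is_attack_artifact(p)]
    return copy, drop
```

Because `.zfs/snapshot` is read-only, copying files out of it is a safe per-file equivalent of the Previous Versions restore and leaves the post-attack snapshot intact as evidence.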

The 2:17 minute video

For the fun of it, I made a screen capture video. Here it is.

Small and medium businesses are easy targets

NAS is the workhorse of many small and medium businesses. Unfortunately, many are uninformed of the cybersecurity risks and often opt for a cheap NAS solution without doing their research and homework. And many feel invincible, saying “it won’t happen to me”. The lackadaisical attitude of these small and medium businesses dilutes the value of the strong security and cyber-resiliency of a good NAS solution.

Of the many NAS solutions I have known over 28+ years, the one with the best technology and value for money is TrueNAS® CORE. I am not saying this because I work for iXsystems™, but because I have spent a lot of time passionately devouring many storage vendors’ technologies and have worked with many enterprise storage vendors in my career.

Just as I showed in the past with a great Disaster Recovery solution using ZFS Replication, I have shown in this blog that ZFS snapshots are equally resilient against the ransomware scourge. This technology gives small and medium businesses an equal footing in combatting their cybersecurity risks.


About cfheoh

I am a technology blogger with 25+ years of IT experience. I write heavily on technologies related to storage networking and data management because that is my area of interest and expertise. I introduce technologies with the objectives to get readers to *know the facts*, and use that knowledge to cut through the marketing hypes, FUD (fear, uncertainty and doubt) and other fancy stuff. Only then, there will be progress. I am involved in SNIA (Storage Networking Industry Association) and as of October 2013, I have been appointed as SNIA South Asia & SNIA Malaysia non-voting representation to SNIA Technical Council. I currently run a small system integration and consulting company focusing on storage and cloud solutions, with occasional consulting work on high performance computing (HPC).
