This is really an excuse to install and play around with TrueNAS® CORE 12.0.
I had a few “self-assigned homework exercises” to do this weekend. I was planning to do a video webcast with an EFSS vendor soon, and the theme should be around ransomware. Then one of the iXsystems™ resellers, unrelated to the first exercise, was talking about this ransomware messaging yesterday after we did a technical training with them. And this weekend is coming on a bit light as well. So I thought I could bring all these things, including checking out the TrueNAS® CORE 12.0, together in a video (using Free Cam), which I would be doing for the first time as well. WOW! I can kill 4 birds with one stone! All together in one blog!
It could be Adam Brown 89 or worse
Trust me. You do not want AdamBrown89 as your friend. Or his thousands of ransomware friends.
When (not if) you are infected by ransomware, you get a friendly message like this in the screenshot below. I got this from a local company who asked for my help a few months ago.
I have written about this before. NAS (Network Attached Storage) has become a gold mine for ransomware attackers, and many entry-level NAS products are heavily afflicted with security flaws and vulnerabilities. Here are a few notable articles in the year 2020 alone.
- [ October 2020 ] QNAP® warns of attacks on NAS operating system
- [ July 2020 ] CISA says 62,000 QNAP® NAS Devices have been infected with QSnatch malware.
- [ September 2020 ] AgeLocker ransomware targets QNAP® NAS devices, steals data
- [ June 2020 ] Ongoing eCh0raix ransomware campaign targets QNAP® NAS devices.
- [ October 2020 ] QNAP® warns of Windows Zerologon flaw affecting some NAS devices
- [ August 2020 ] Hackers are backdooring QNAP® NAS devices with 3-year old RCE bug
- [ October 2020 ] QNAP® fixes critical flaws that could lead to device takeover
- [ December 2020 ] QNAP® high security flaws plague NAS systems
- [ December 2020 ] QNAP® fixes even more serious security flaws on its NAS devices
- [ January 2021 ] QNAP® warns users of dangerous new Dovecat malware
- [ March 2021 ] Researchers unearth links between SunCrypt and QNAPCrypt Ransomware
- [ March 2021 ] Crypto-miner campaign targets unpatched QNAP® NAS devices
- [ March 2021 ] QNAP® warns of ongoing brute-force attacks against NAS devices
- [ April 2021 ] Legacy QNAP® NAS Devices vulnerable to Zero-Day attack
- [ April 2021 ] QNAP® caught napping as disclosure delay expires; critical NAS bugs revealed
- [ April 2021 ] Massive Qlocker ransomware attack uses 7zip to encrypt QNAP® devices
- [ May 2021 ] QNAP® warns of eCh0raix ransomware attacks, Roon Server zero-day
- [ May 2021 ] QNAP® confirms Qlocker ransomware used HBS backdoor account
- [ May 2021 ] Critical vulnerabilities patched in QNAP® Music Station, Malware Remover apps
- [ June 2021 ] Security Update: Attackers could run their own commands on QNAP® NAS.
- [ June 2021 ] Exposing a NAS security issue
- [ July 2021 ] QNAP® fixes critical bug in NAS backup, disaster recovery app
- [ July 2021 ] Security updates: An attacker could take control of QNAP® NAS
- [ August 2021 ] eCh0raix ransomware variant targets QNAP®, Synology NAS® devices
- [ August 2021 ] NAS devices under attack: How to keep them safe? 240,000 QNAP® NAS devices exposed
- [ August 2021 ] QNAP® works on patches for OpenSSL bugs impacting its NAS devices
- [ September 2021 ] QNAP® closes critical malicious code gaps in NAS models
Western Digital specific:
- [ June 2021 ] A mysterious cyberattack is completely erasing Western Digital MyBook Live drives
- [ July 2021 ] Western Digital users face another RCE
Synology® specific:
- [ August 2021 ] Synology® warns NAS owners botnet-creating Stealthworker malware
- [ August 2021 ] eCh0raix ransomware now targets both QNAP® and Synology® NAS devices
- [ August 2021 ] NAS devices under attack: How to keep them safe? 3,500 Synology® NAS devices exposed
- [ August 2021 ] NAS maker Synology® reveals new remote code execution vulnerabilities
How ZFS snapshot recovery is done
The Windows network drive from the TrueNAS® CORE share must have snapshots configured. It can be a periodic snapshot (auto) or a manual one, and in my experiment I had both configured as shown below.
My mapped drive on Windows has encrypted files simulating a ransomware infection. The files with the green lock cannot be opened unless I have the decryption key.
The Windows File Explorer “Previous Versions” is a feature that allows the user to select different restore points of saved copies. This feature is integrated with the TrueNAS® CORE snapshots seamlessly without any configuration.
In the ransomware recovery procedures, right-click on the mapped Z: drive (as shown) from the TrueNAS® CORE Windows share and choose “Restore Previous Versions”.
Choose the version to restore. Click “Restore”.
A pop-up appears. Click “Restore” to continue.
The files in the simulated ransomware-infected network drive were reverted to their clean state from before the attack in a jiffy; how long this takes depends on the size of the data to recover and the network bandwidth. A pop-up confirms that the files and folders have been restored to the previous version you selected.
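For the “Choose the version to restore” step, the following added example (not part of the original post) is a shell function that picks the newest snapshot taken before the first encrypted file appeared, with an optional safety margin. The dataset name `tank/share`, the snapshot names and the timestamps are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the original post.
# Usage: pick_clean_snapshot INFECTION_EPOCH [MARGIN_SECONDS]
# Reads "name<TAB>creation_epoch" lines on stdin, the format printed by
#   zfs list -H -p -r -t snapshot -o name,creation tank/share
# (tank/share is an assumed dataset name), and prints the newest snapshot
# created more than MARGIN_SECONDS before the first encrypted file appeared.
pick_clean_snapshot() {
    infected_at=$1
    margin=${2:-0}
    for n in "$infected_at" "$margin"; do
        case $n in
            ''|*[!0-9]*)
                echo "usage: pick_clean_snapshot EPOCH [MARGIN]" >&2
                return 2 ;;
        esac
    done
    awk -F '\t' -v cutoff="$((infected_at - margin))" '
        # Ignore malformed lines; remember the latest snapshot before the cutoff.
        NF == 2 && $2 ~ /^[0-9]+$/ && $2 + 0 < cutoff + 0 && $2 + 0 > best + 0 {
            best = $2; name = $1
        }
        END { if (name == "") exit 1; print name }
    '
}

# Constructed sample input: two periodic snapshots, one manual, one taken
# after the simulated infection (which must never be chosen).
sample_snapshots() {
    printf 'tank/share@auto-2021-09-10_00-00\t1631232000\n'
    printf 'tank/share@auto-2021-09-11_00-00\t1631318400\n'
    printf 'tank/share@manual-before-test\t1631361600\n'
    printf 'tank/share@auto-2021-09-12_00-00\t1631404800\n'
}

# Earliest encrypted file seen at 2021-09-11 15:30 UTC (constructed value);
# a 6-hour margin skips the manual snapshot taken 3.5 hours earlier.
sample_snapshots | pick_clean_snapshot 1631374200 21600
```

The function exits non-zero when no snapshot predates the cutoff, which is the case where this recovery path is not available.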
The 2:17 minute video
For the fun of it, I made a screen capture video. Here is the video.
Small medium businesses are easy targets
NAS is the workhorse of many small medium businesses. Unfortunately, many are uninformed about the cybersecurity risks and often opt for a cheap NAS solution without doing their research and homework. And many feel invincible, saying “it won’t happen to me”. The lackadaisical attitude of these small medium businesses dilutes the value of strong security and cyber-resiliency of a good NAS solution.
For the many NAS solutions I have known over 28+ years, the one with the best technology and value for money is TrueNAS® CORE. I am not saying this because I work for iXsystems™, but because I spend a lot of time passionately devouring many storage vendors’ technologies and have worked with many enterprise storage vendors in my career.
Just as I have shown in the past about a great Disaster Recovery solution with ZFS Replication, I have shown in this blog that ZFS snapshots are equally resilient against the ransomware scourge. This technology gives small medium businesses an equal standing combatting their cybersecurity risks.