Ransomware recovery with TrueNAS ZFS snapshots

This is really an excuse to install and play around with TrueNAS® CORE 12.0.

I had a few “self assigned homework exercises” I have to do this weekend. I was planning to do a video webcast with an EFSS vendor soon, and the theme should be around ransomware. Then one of the iXsystems™ resellers, unrelated to the first exercise, was talking about this ransomware messaging yesterday after we did a technical training with them. And this weekend is coming on a bit light as well. So I thought I could bring all these things, including checking out the TrueNAS® CORE 12.0, together in a video (using Free Cam), of which I would do for the first time as well. WOW! I can kill 4 birds with one stone! All together in one blog!

It could be Adam Brown 89 or worse

Trust me. You do not want AdamBrown89 as your friend. Or his thousands of ransomware friends.

When (not if) you are infected by ransomware, you get a friendly message like this in the screenshot below. I got this from a local company who asked for my help a few months ago.

AdamBrown89 ransomware message

AdamBrown89 ransomware message

I have written about this before. NAS (Network Attached Storage) has become a gold mine for ransomware attackers, and many entry level NAS products are heavily inflicted with security flaws and vulnerabilities. Here are a few notable articles in year 2020 alone. [ Note: This has been my journal of the security flaws of NAS devices from 2020 onwards ]

Western Digital specific:

Synology® specific:

ASUStor specific:

How ZFS snapshot recovery is done

The Windows network drive from the TrueNAS® CORE share must have snapshots configured. It can be a periodic snapshot (auto) or a manual one and in my experiment, I had both configured as shown below.

TrueNAS CORE snapshot table

TrueNAS CORE snapshot table showing both auto and manual snapshots

My mapped drive on Windows has encrypted files simulating a ransomware infection. The files with the green lock cannot be opened unless I have the decryption key.

Z: Drive with encrypted files simulating a ransomware infection

Z: Drive with encrypted files simulating a ransomware infection

The Windows File Explorer “Previous Versions” is a feature that allows the user to select different restore points of saved copies. This feature is integrated with the TrueNAS® CORE snapshots seamlessly without any configuration.

In the ransomware recovery procedures, right-click on the mapped Z: drive (as shown) from the TrueNAS® CORE Windows share and choose “Restore Previous Versions”.

Right-click Network Drive to Restore Previous Versions

Right-click Network Drive to Restore Previous Versions

Choose the version to restore. Click “Restore”

Restore Previous Versions

Restore Previous Versions

A pop-up appears. “Restore” to continue.

Restore pop-up

Restore pop-up

Depending on the size to recover and the network bandwidth, the files in the simulated ransomware infected network drive were reverted back to a clean state before the attack in a jiffy. A pop-up confirms that the files and folders have been restored back to the previous version you have selected.

Restore previous version successful

Restore previous version successful

The 2:17 minute video

For the fun of it, I made a screen capture video. Here is the video.

Small medium businesses are easy targets

NAS is the workhorse of many small medium businesses. Unfortunately, many are uninformed of the cybersecurity risks and often opt for a cheap NAS solution without doing their research and homework. And many felt invincible saying that it won’t happen to me. The lackadaisical attitude of these small medium businesses dilutes the value of strong security and cyber-resiliency of a good NAS solution.

For the many NAS solutions I known over 28+ years, the one with the best technology and value for money is TrueNAS® CORE. I am not saying this because I work for iXsystems™, but because I spend a lot time passionately devouring many storage vendors’ technologies and worked with many enterprise storage vendors in my career.

Just as I have shown in the past about a great Disaster Recovery solution with ZFS Replication, I have shown in this blog that ZFS snapshots are equally resilient against the ransomware scourge.  This technology gives small medium businesses an equal standing combatting their cybersecurity risks.


Tagged , , , , , , , , , , , , , , , , . Bookmark the permalink.

About cfheoh

I am a technology blogger with 30 years of IT experience. I write heavily on technologies related to storage networking and data management because those are my areas of interest and expertise. I introduce technologies with the objectives to get readers to know the facts and use that knowledge to cut through the marketing hypes, FUD (fear, uncertainty and doubt) and other fancy stuff. Only then, there will be progress. I am involved in SNIA (Storage Networking Industry Association) and between 2013-2015, I was SNIA South Asia & SNIA Malaysia non-voting representation to SNIA Technical Council. I currently employed at iXsystems as their General Manager for Asia Pacific Japan.

3 Responses to Ransomware recovery with TrueNAS ZFS snapshots

  1. Hey exceptional website! Does running a blog similar to this take a great deal of work?
    I’ve very little expertise in programming however I had been hoping to
    start my own blog soon. Anyhow, should you have any ideas or techniques
    for new blog owners please share. I know this
    is off subject nevertheless I simply wanted to ask. Thanks a lot!

  2. Mark Early says:

    Thank you for writing many instructive articles on ZFS technology. Like you I have a fondness for SUN Microsystems, their: “pizza boxes” and many software innovations, all designed by a company with a very talented staff ahead of their era. I used SUN computers in the early 1980’s working in the systems engineering dept of defense contractor RDA-Logicon, now too many years ago.

    Need to learn more about ZFS for my own modest data backup uses … and perhaps for my brother the doctor’s primary healthcare Boston, MA startup venture that hopes to partner with many PCP practices with the goal of improving primary care for patients and reduce healthcare total spend significantly. Assuming his new firm’s good initial start continues, I might like to recommend his medical IT advisors consult with you regarding safe (HIPA complient) distributed databases implemented with ZFS technology.

    Again, thank you for helping advance ZFS and other enterprise data storage solutions and giving those of us new to ZFS a better understanding of it’s real world capabilities.

    “… the network is the computer !”

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.