Snapshots and ransomware: are they necessary?

DarkCorner

Explorer
I often read that with a snapshot I can recover data encrypted by ransomware.
However, the virus could still be present on the network and perhaps even on the TrueNAS itself, which could then encrypt the restored data as well.

At this point, isn't it better to restore the clean system and then restore the latest backup?

MrGuvernment

Patron
Sure, but how do you know your latest backup isn't infected somehow either?

You can get infected and not immediately see the damage done; it all depends on what you get compromised with.

These days I would be more worried about the credentials and other info saved in your browsers, and would stop doing that, since even AV won't save you from the types of compromises that steal all of it.

In the end, yes, you want to nuke everything from orbit (computers, routers, you name it) and start clean, validate your backups are clean, and then restore.

DarkCorner

Explorer
@MrGuvernment
You're right, but I can't tell customers how to behave. I can only suggest good behavior.
Then, as always in companies, especially the smaller ones, there is always some user who violates company policy and goes to a porn site during their lunch break, and the company owner probably doesn't even know it.

I have to worry about securing the data because I can't "sell" a solution that doesn't work when needed.
At the moment my TrueNAS systems have snapshots enabled, but as I said before, if ransomware were to arrive I wouldn't know the correct steps to restore the entire ICT system.

I can restore PCs and servers using an image of them and restore data from a backup that I have kept safe, but I don't know what is best to do with TrueNAS.
Maybe I restore the snapshot and the virus, hidden around the corner, encrypts the files again, and at this point there isn't even a clean snapshot anymore.

MrGuvernment

Patron
Curious, what do you use for perimeter firewalls? Something as simple as a Raspberry Pi with Pi-hole on it behind an ISP router, or an OpenDNS subscription, can let you block most malicious sites these days.

Etorix

Wizard
> Maybe I restore the snapshot and the virus, hidden around the corner, encrypts them again, and at this point there isn't even a clean snapshot anymore.

Maybe you just need to re-read the documentation about snapshots?
Snapshots are strictly read-only and immutable. You can clone a snapshot into a live dataset, which can then be modified (including being crypto-locked…), but cloning still retains the original snapshot—this is Copy-On-Write in action for you! The ZFS administrator can delete snapshots; no one and nothing can modify the content of a snapshot in any way. If there is a clean snapshot, the clean snapshot, and its clean data to be restored, will remain clean indefinitely unless:
* the snapshot is manually deleted through an act of human stupidity (which is always possible);
* the snapshot is automatically destroyed because its retention policy is too short (see the above bullet about human stupidity); or
* the ransomware is sophisticated enough to go for ZFS administrator credentials and use these for its nefarious purpose (this is wholly different from going for user credentials and mounted shares, as ransomware does).
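The post above hinges on "if there is a clean snapshot", and the practical question during an incident is how to tell which snapshot is clean before rolling back to it. ZFS exposes every snapshot read-only under `<mountpoint>/.zfs/snapshot/<name>` (the directory is hidden unless `snapdir=visible`, but the path works), so the contents can be inspected without any risk of altering them. The following POSIX shell script is an added example, not code from the thread or from TrueNAS; it triages a snapshot's file tree for two cheap ransomware indicators: filenames with locker-style extensions or ransom-note patterns, and PDF/Office/image files whose header bytes no longer match their extension, which is what in-place encryption leaves behind. The path `/mnt/tank/shares`, the snapshot name, the sample files and the name patterns are all constructed for illustration and are not tied to any specific ransomware family.

```shell
#!/bin/sh
# Added example (not from the thread): triage a ZFS snapshot's file tree for
# ransomware damage before rolling back to it. Snapshots are read-only, so
# reading them through <mountpoint>/.zfs/snapshot/<name> cannot alter them.

# Expected header bytes (hex) for common document types. A file encrypted in
# place keeps its extension but loses its real header.
expected_magic() {
    case "$1" in
        *.pdf)                              echo 25504446 ;;  # "%PDF"
        *.docx|*.xlsx|*.pptx|*.odt|*.zip)   echo 504b0304 ;;  # "PK\3\4" (zip container)
        *.png)                              echo 89504e47 ;;  # "\x89PNG"
        *.jpg|*.jpeg)                       echo ffd8ff   ;;  # JPEG start-of-image
        *)                                  echo ""       ;;  # unknown type: not checked
    esac
}

# Name patterns: extensions crypto-lockers commonly append and ransom-note
# style filenames. Illustrative list, not tied to any specific family.
is_suspicious_name() {
    case "$1" in
        *.locked|*.encrypted|*.crypt|*.enc)           return 0 ;;
        *DECRYPT*|*RESTORE*FILES*|*HOW_TO_*|*RANSOM*) return 0 ;;
    esac
    return 1
}

# First four bytes of a file as lowercase hex with no separators.
header_hex() {
    od -An -tx1 -N4 "$1" | tr -d ' \n'
}

# scan_tree DIR: print one line per suspicious file, tagged NAME or HEADER.
scan_tree() {
    find "$1" -type f -print | while IFS= read -r f; do
        name=${f##*/}
        if is_suspicious_name "$name"; then
            printf 'NAME    %s\n' "$f"
            continue
        fi
        want=$(expected_magic "$name")
        [ -z "$want" ] && continue
        got=$(header_hex "$f")
        case "$got" in
            "$want"*) ;;   # header matches the extension: looks intact
            *) printf 'HEADER  %s (expected %s, got %s)\n' "$f" "$want" "$got" ;;
        esac
    done
}

# count_flagged DIR: number of suspicious files; 0 means the tree looked clean.
count_flagged() {
    scan_tree "$1" | awk 'END { print NR }'
}

# make_sample DIR: constructed stand-in for a snapshot tree such as
# /mnt/tank/shares/.zfs/snapshot/auto-2024-05-01 (all contents invented).
make_sample() {
    mkdir -p "$1/finance" "$1/hr"
    printf '%%PDF-1.7\nintact\n'        > "$1/finance/invoice.pdf"         # real PDF header
    printf 'PK\003\004intact'           > "$1/hr/contract.docx"            # real OOXML header
    printf '\211PNG\r\n\032\nintact'    > "$1/hr/logo.png"                 # real PNG header
    printf '\330\255\001\002ciphertext' > "$1/finance/budget.xlsx"         # encrypted in place
    printf '\330\255\001\002ciphertext' > "$1/hr/payroll.docx.locked"      # renamed by the locker
    printf 'Your files are encrypted\n' > "$1/finance/HOW_TO_RECOVER.txt"  # ransom note
}

# Usage: scan_snapshot.sh <path under .zfs/snapshot>; with no argument, scan the sample.
if [ $# -ge 1 ]; then
    scan_tree "$1"
else
    sample=$(mktemp -d)
    make_sample "$sample"
    scan_tree "$sample"
    rm -rf "$sample"
fi
```

Run it against successively older snapshots (`scan_snapshot.sh /mnt/tank/shares/.zfs/snapshot/auto-2024-05-01` and so on) until one comes back with nothing flagged; that is the rollback candidate. Files encrypted in place whose type is not in the magic table are not caught, so an empty result is evidence rather than proof, and opening a handful of documents from the candidate snapshot by hand is still worth the minute it takes.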

Davvo

MVP
It's common sense not to allow executable permissions inside SMB shares, which means that the only way to get the system infected is by the administrator user being compromised (and nothing can save you at that point).

If you fear the threat is still present in your network you simply have to stop the SMB service and bam, your system is isolated and you can roll back that snapshot.

DarkCorner

Explorer
> Curious, what do you use for perimeter firewalls? Something as simple as a Raspberry Pi with Pi-hole on it behind an ISP router, or an OpenDNS subscription, can let you block most malicious sites these days.

pfSense behind two ISP routers

DarkCorner

Explorer
@Etorix
Maybe I'm wrong, but when I restore a snapshot, is that snapshot removed from the list?
If it is not removed, then I agree that if the files are compromised again immediately after the restore, I can still restore them a second time from the same snapshot.

@Davvo
You assume that the ransomware is on your PC and is accessing TrueNAS through shared folders.
And what if it had arrived inside the TrueNAS Debian instead?

Patrick M. Hausen

Hall of Famer
> Maybe I'm wrong, but when I restore a snapshot, is that snapshot removed from the list?

If you restore the youngest snapshot existing, no. If you restore an older one, all snapshots younger than that one are removed.

> And what if it had arrived inside the TrueNAS Debian instead?

Via which attack vector? You do not expose your NAS to the Internet, do you?
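The behaviour described in the reply above is how `zfs rollback` works: ZFS refuses to roll a dataset back past younger snapshots unless you pass `-r`, and `-r` destroys every snapshot newer than the target. A hurried rollback to a week-old snapshot therefore throws away the intervening recovery points, which matters if the "clean" snapshot turns out not to be. The following POSIX shell script is an added example, not code from the thread or from TrueNAS's own tooling: it takes the snapshot list exactly as `zfs list -H -t snapshot -o name -s creation -d 1 <dataset>` prints it (oldest first), shows which snapshots a `-r` rollback would destroy, and prints the non-destructive alternative of cloning the clean snapshot, or replicating the whole chain off-box before rolling back. The pool, dataset and snapshot names and `backup-host` are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): before rolling a dataset back to an
# older snapshot, show exactly which younger snapshots `zfs rollback -r`
# would destroy, and print a non-destructive alternative.
#
# Input is the output of
#   zfs list -H -t snapshot -o name -s creation -d 1 <dataset>
# (one snapshot per line, oldest first). Dataset, snapshot and host names
# below are constructed for the example.

SAMPLE_SNAPSHOTS='tank/shares@auto-2024-05-01_0000
tank/shares@auto-2024-05-02_0000
tank/shares@auto-2024-05-03_0000
tank/shares@auto-2024-05-04_0000'

# younger_than LIST TARGET: the snapshots created after TARGET, one per line.
# This is precisely the set that `zfs rollback -r TARGET` destroys; empty when
# TARGET is already the newest snapshot (plain `zfs rollback` then suffices).
younger_than() {
    printf '%s\n' "$1" | awk -v t="$2" 'found { print } $0 == t { found = 1 }'
}

# count_lines STRING: number of non-empty lines.
count_lines() {
    printf '%s\n' "$1" | awk 'NF { n++ } END { print n + 0 }'
}

# rollback_is_destructive LIST TARGET: exit 0 if rolling back would destroy snapshots.
rollback_is_destructive() {
    [ -n "$(younger_than "$1" "$2")" ]
}

# plan_rollback LIST TARGET: print the commands an operator should consider.
plan_rollback() {
    list=$1
    target=$2
    dataset=${target%@*}
    if ! printf '%s\n' "$list" | grep -qxF "$target"; then
        echo "unknown snapshot: $target" >&2
        return 2
    fi
    victims=$(younger_than "$list" "$target")
    if [ -z "$victims" ]; then
        echo "# $target is the newest snapshot; rollback destroys nothing:"
        echo "zfs rollback $target"
        return 0
    fi
    newest=$(printf '%s\n' "$victims" | tail -n 1)
    echo "# WARNING: 'zfs rollback -r $target' would destroy $(count_lines "$victims") snapshot(s):"
    printf '%s\n' "$victims" | sed 's/^/#   /'
    echo "# Option A (keeps every snapshot): clone the clean snapshot and re-point the share at the clone."
    echo "zfs clone $target ${dataset}-restored"
    echo "# Option B: replicate the full chain, including the younger snapshots, before rolling back."
    echo "zfs send -R $newest | ssh backup-host zfs receive -u backup/${dataset##*/}"
    echo "zfs rollback -r $target"
    return 0
}

# Usage: rollback_plan.sh <dataset@snapshot> (queries the live pool); with no
# argument, plan against the constructed sample list.
if [ $# -eq 1 ]; then
    plan_rollback "$(zfs list -H -t snapshot -o name -s creation -d 1 "${1%@*}")" "$1"
else
    plan_rollback "$SAMPLE_SNAPSHOTS" tank/shares@auto-2024-05-02_0000
fi
```

During an incident the clone is the safer first move: it is writable, the original snapshot stays intact, and if the ransomware is still around and encrypts the clone you destroy the clone and cut another one. Once the environment is verified clean, `zfs promote` turns the clone into the primary dataset and the old, damaged filesystem becomes the dependent that can be destroyed.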

Davvo

MVP
> @Etorix
> Maybe I'm wrong, but when I restore a snapshot, is that snapshot removed from the list?
> If it is not removed, then I agree that if the files are compromised again immediately after the restore, I can still restore them a second time from the same snapshot.

If you use Windows' Shadow Copies, snapshots are not removed from the list iirc.

> @Davvo
> You assume that the ransomware is on your PC and is accessing TrueNAS through shared folders.
> And what if it had arrived inside the TrueNAS Debian instead?

Aside from the vector @Patrick M. Hausen spoke about, if the threat managed to gain any sort of ADMIN privileges inside your NAS that's totally on you.
Root is disabled by default in SCALE iirc, and if they got your ADMIN password you have a serious, extensive security issue.
SCALE being an appliance and not a Linux distro should also add to the security of the system.

There is nothing that's gonna save you if the key to ultimate power gets stolen. This sounds a tad too epic.

Actually, backups are your only anchor of hope in that situation, but then again, if your ADMIN account is compromised you have a lot of work to do before reaching those backups.

sfatula

Guru
> I often read that with a snapshot I can recover data encrypted by ransomware.
> However, the virus could still be present on the network and perhaps even on the TrueNAS itself.
> Which may also encrypt the data thus restored.
>
> At this point, isn't it better to restore the clean system and then restore the latest backup?

Using your example, if the virus is already on the network, then restoring your clean system doesn't help, does it? That part has to be dealt with separately. But snapshot restores are typically easier and faster.

MrGuvernment

Patron
> pfSense behind two ISP routers

If you have not already:

1. Block all outbound DNS (53 / 853) and only allow LAN-side users DNS access to your pfSense box.
2. Use pfBlocker, if not already, and use the DNSBL lists to block most malicious categories.
3. GeoIP country-block most countries, in and out (not sure if you have any inbound NAT rules). I do both, just so it is there.
4. VLANs: any reason to have them? User devices separate from servers, separate from guest Wi-Fi...

As said above, depending on the compromise, you first need to discover HOW they got in and what control they have. And to be frank, you likely do not have the expertise to do that? Which is fine, very few people do. While we could do a lot, when it comes down to it, these threat actors are taking down and getting access to Microsoft services and systems; they are that advanced (not all, but a few). If they want in your network, they will find a way...

This can go so many levels deep on how to secure your environment and your backups, but as we know, few have millions to spend on systems and tools and in-house security experts, so we have to make do with what we can.