Looking for some information regarding networked file systems and ransomware. If my understanding is correct, should a PC get infected with ransomware it can search out and encrypt NFS and SMB shares.
Anything mounted current at point of infection is an obvious target, anything else it can find and attached to a plus. Scanning for tcp/111/2049 for nfs and tcp/139/445 for smb/cifs finds the honeypots once on-lan.
Would it be correct to assume that in order to encrypt an NFS or SMB share they would have to be online? If the device on which the network file system was located were powered off, could it be woken via a WOL command and then encrypted?
Online and have credentials to connect to it, yes. They could WOL in theory, but probably no one bothers with this. Enterprises tend to segment and defeat most WOL features requiring directed broadcasts by default (usually specific configs, particularly cisco), but SOHO lans perhaps with other crap like apple and dlna multicast. Who actually ever powers off a server, unless a responsible cloud-first company?
I currently have a TrueNAS machine that houses all my media and is also my Plex server. It also has an NFS share to which I backup as needed. In addition I have a Synology NAS to which I have a backup copy of the TrueNAS server.
If they can 1) connect to the nfs/smb port, 2) authenticate, and 3) get write permissions, they'll first download what they can, then encrypt it Simple as that. Network segmentation and proper firewall rules in theory prevent #1 there; strong creds, random rotation, 2fa prevents #2, file perms, fsacls, apparmor/selinux prevent #3. Sadly there still isn't much decent av/edr software out there for linux, but 98% of crims target windoze and apple luckily as the low-hanging fruit.
Don't expose any storage appliance or otherwise IOT-thingy to the internet via port-forwards from your internet router, upnp, or other. Just. Do. Not.
---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.phxlinux.org
To subscribe, unsubscribe, or to change your mail settings:
https://lists.phxlinux.org/mailman/listinfo/plug-discuss