Re: NFS/SMB and ransomware

Author: Michael Butash via PLUG-discuss
To: Main PLUG discussion list
CC: Michael Butash
Subject: Re: NFS/SMB and ransomware
inline:

On Sun, Jun 13, 2021 at 5:40 PM Steve B via PLUG-discuss wrote:

> Looking for some information regarding networked file systems and
> ransomware. If my understanding is correct, should a PC get infected with
> ransomware it can search out and encrypt NFS and SMB shares.
>


Anything mounted currently at the point of infection is an obvious target;
anything else it can find and attach to is a plus. Scanning for
tcp/111/2049 for nfs and tcp/139/445 for smb/cifs finds the honeypots once
on-lan.


> Would it be correct to assume that in order to encrypt an NFS or SMB share
> they would have to be online? If the device on which the network file
> system was located were powered off, could it be woken via a WOL command
> and then encrypted?
>


Online and have credentials to connect to it, yes. They could WOL in
theory, but probably no one bothers with this. Enterprises tend to segment
and defeat most WOL features requiring directed broadcasts by default
(usually specific configs, particularly cisco), but SOHO lans perhaps with
other crap like apple and dlna multicast. Who actually ever powers off a
server, unless a responsible cloud-first company?


> I currently have a TrueNAS machine that houses all my media and is also my
> Plex server. It also has an NFS share to which I backup as needed. In
> addition I have a Synology NAS to which I have a backup copy of the TrueNAS
> server.
>


If they can 1) connect to the nfs/smb port, 2) authenticate, and 3) get
write permissions, they'll first download what they can, then encrypt it.
Simple as that. Network segmentation and proper firewall rules in theory
prevent #1 there; strong creds, random rotation, and 2fa prevent #2; file
perms, fsacls, and apparmor/selinux prevent #3. Sadly there still isn't much
decent av/edr software out there for linux, but luckily 98% of crims target
windoze and apple as the low-hanging fruit.

Don't expose any storage appliance or otherwise IOT-thingy to the internet
via port-forwards from your internet router, upnp, or other. Just. Do.
Not.


---------------------------------------------------
PLUG-discuss mailing list -
To subscribe, unsubscribe, or to change your mail settings:
https://lists.phxlinux.org/mailman/listinfo/plug-discuss
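As an added example, not part of this thread and not code from any of its authors: a small Python audit of an NFS /etc/exports file that checks the first and third conditions Michael lists (which hosts can reach an export, and whether they get write access or unsquashed root). The exports content, the assumed home LAN prefix 192.168.10.0/24, and the rule set are constructed for illustration; the parser follows the standard `path client(options) client(options)` layout of exports(5).

```python
"""Audit an NFS /etc/exports file for settings that let any LAN client
reach (point 1) or write to (point 3) a share.

Added example for this thread, not code from the list or its authors.
SAMPLE_EXPORTS and the LAN prefix are constructed; the audit rules are an
assumption about sensible home-NAS policy, not an NFS standard.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample /etc/exports: one sane export, two risky ones.
SAMPLE_EXPORTS = """\
# media library, read-only for the LAN
/mnt/tank/media 192.168.10.0/24(ro,sync,root_squash)
# backup target: writable to anyone who can reach the port
/mnt/tank/backup *(rw,sync,no_root_squash)
# writable only to the one backup host, root squashed
/mnt/tank/plexdb 192.168.10.50(rw,sync,root_squash) 10.0.0.0/8(ro)
"""

# Assumed home LAN segment; everything else is "outside" for this audit.
LAN = ipaddress.ip_network("192.168.10.0/24")

EXPORT_LINE = re.compile(r"^(\S+)\s+(.*)$")
# Either "client(opt,opt)" or a bare "client" with default options.
CLIENT = re.compile(r"(\S+?)\(([^)]*)\)|(\S+)")


@dataclass
class Finding:
    path: str
    client: str
    problems: list = field(default_factory=list)


def parse_exports(text):
    """Yield (path, client, set(options)) for each client of each export line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        m = EXPORT_LINE.match(line)
        if not m:
            continue
        path, clients = m.group(1), m.group(2)
        for cm in CLIENT.finditer(clients):
            if cm.group(1) is not None:
                client, opts = cm.group(1), cm.group(2)
            else:
                client, opts = cm.group(3), ""
            yield path, client, {o.strip() for o in opts.split(",") if o.strip()}


def client_scope(client, lan=LAN):
    """Classify a client spec: 'wildcard', 'lan', 'outside' or 'unknown' (hostname)."""
    if any(c in client for c in "*?"):
        return "wildcard"
    try:
        net = ipaddress.ip_network(client, strict=False)
    except ValueError:
        return "unknown"  # a hostname; resolution is out of scope here
    try:
        return "lan" if net.subnet_of(lan) else "outside"
    except TypeError:  # IPv4/IPv6 mismatch cannot be inside the LAN prefix
        return "outside"


def audit_exports(text, lan=LAN):
    """Return a Finding for every export client that breaks the assumed policy."""
    findings = []
    for path, client, opts in parse_exports(text):
        problems = []
        writable = "rw" in opts
        scope = client_scope(client, lan)
        if scope == "wildcard":
            problems.append("exported to a wildcard host pattern"
                            + (" with write access" if writable else ""))
        elif scope == "outside":
            problems.append(f"client {client} lies outside the LAN segment {lan}")
        if "no_root_squash" in opts:
            problems.append("no_root_squash: remote root is root on the export")
        if "insecure" in opts:
            problems.append("insecure: accepts mounts from unprivileged source ports")
        if problems:
            findings.append(Finding(path, client, problems))
    return findings


if __name__ == "__main__":
    for f in audit_exports(SAMPLE_EXPORTS):
        print(f"{f.path} -> {f.client}")
        for p in f.problems:
            print(f"    {p}")
```

Run against the constructed sample, the wildcard `rw,no_root_squash` backup export and the `10.0.0.0/8` client on the Plex export are reported; the read-only LAN export and the single-host writable export pass. To audit a real NAS, feed it the contents of its exports file and set `LAN` to the prefix the firewall actually permits to reach tcp/111 and tcp/2049.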