iondjp

Ransom Ware and Network Shares


Good Day;

I recently read a very interesting and disconcerting blog on your website about ransomware. I was aware of it, but was unaware that it could ‘crawl’ through my network. I was hoping to get some more clarification on Ransomware and how it can conduct its destruction.

 

I am particularly concerned and interested in the behavior of malware like this and how it behaves on a small home network. I consider myself to be as knowledgeable as most home network administrators, which is to say I can make it work, but I’m not aware of certain consequences.

 

Here’s my case for example, maybe this can serve as a basis of the discussion. I run a Windows Home Server with a number of hard drives. I use it to do backups from laptop machines but I also have a number of network accessible shares that contain music, family photos, home videos. Each of those shared folders is set to ‘read only’ and accessible by two standard user accounts on laptops and Android devices in the house. There is another seldom used Administrator account for writing files to those shared folders via my laptop.

 

I also have another shared folder where I store some business files (call it ‘Personal Business’ shared folder ) because I don’t want those files on my laptop. This shared folder has read/write permissions from my Windows account the moment I login to my laptop.

 

Just to elaborate a little further, I have been using the server such that the user accounts on the server have the same user ID and password as the laptop. This offers the convenience of making the remote shares appear almost as if they were on my laptop without having to login to the server shares. One last detail before I get to my questions. I do not have the hard drive letters mapped. But, I do use UNC addresses to access the server shares.

 

Questions:

  1. The article explained clearly that a ransomware program like CryptoWall, if it were to infect my laptop, would be able to spread to any mapped shares. I am not clear whether that means CryptoWall would be able to proliferate using the UNC. Does using the UNC provide any additional protection?
  2. Are there other malware infections that will behave the same with network shares over a LAN?
  3. Since my shared folders are read-only, with the exception of the ‘Personal Business’ shared folder, are they safe if my laptop gets infected?
  4. If the ransomware was able to access and encrypt the files in my ‘Personal Business’ shared folder, would it also be able to botch up the backup database files? This would be the scariest scenario.
  5. (If you are not familiar with WHS it is based on Server 2003 and the client machine backups are stored in a separate hidden folder on the server machine with Administrator/System/Creator Owner Permissions ranging from ‘Full’ to ‘Read/Execute’)
  6. Do you have any suggestions on how I might better protect the ‘Personal Business’ shared folder without giving up all convenience?

 

Thx for any clarification.


Hello,

Ransomware is one of the most common and most quickly evolving types of malware right now. This means that what is true today may no longer be true tomorrow when it comes to what is safe and what is not. As a rule of thumb, the only thing completely safe from ransomware (when it comes to encryption) is a storage device that is physically disconnected from the computer.

Aside from that, I can only state that prevention is better than cure: be sure your security is adequate and does protect you against attacks (so that the ransomware cannot make any changes to begin with), and backup, backup, backup (I really can't stress this point enough). Depending on how important your files are, I'd always implement some sort of offline backup, so that if things go wrong, you have something to fall back on.

  • Upvote 1


Thank you for your Elise;

 

Just to confirm, based on your comments I conclude...

 

  1. UNC or Mapped Drive Letters are both vulnerable
  2. read only files are not necessarily safe
  3. my local network server backup files are not necessarily safe

So, I should install security protection on my WHS V1. Do you know if Emsisoft will install and play nice on a WHS V1? It is based on Windows Server 2003 R2.
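A way to check, from the laptop, what the thread is asking about: which shares the logged-in account can actually modify when they are reached by UNC path, since any program running under that account gets the same access whether or not a drive letter is mapped. This is an added example, not part of the original posts; the server name `SERVER` and the share names are placeholders, and `Test-ShareWrite` is a hypothetical helper defined here.

```powershell
# Added example: audit which UNC shares the current account can modify.
# The paths below are placeholders; replace them with your own shares.
$shares = @(
    '\\SERVER\Music',
    '\\SERVER\Photos',
    '\\SERVER\Videos',
    '\\SERVER\Personal Business'
)

function Test-ShareWrite {
    param([Parameter(Mandatory = $true)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) { return 'unreachable' }

    # Try to create, then delete, a uniquely named empty file in the share root.
    # Subfolders can carry different permissions and are not tested here.
    $probe = Join-Path $Path ('write-probe-' + [guid]::NewGuid().ToString() + '.tmp')
    $created = $false
    try {
        [System.IO.File]::WriteAllText($probe, '')
        $created = $true
        [System.IO.File]::Delete($probe)
        return 'WRITABLE'
    }
    catch [System.UnauthorizedAccessException] {
        # Create succeeded but delete was denied: still write access.
        if ($created) { return 'WRITABLE (probe file left behind)' }
        return 'read-only'
    }
    catch {
        return "error: $($_.Exception.Message)"
    }
}

# Report the result for every share under the account running this script.
$shares | ForEach-Object {
    [pscustomobject]@{
        Share   = $_
        Account = "$env:USERDOMAIN\$env:USERNAME"
        Access  = Test-ShareWrite -Path $_
    }
} | Format-Table -AutoSize
```

Run it while logged in with the everyday account rather than the Administrator account. Every share reported as WRITABLE is one that software running under that login could change.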


As far as I know, WHS v.1 has already been end-of-life for a number of years: http://www.mswhs.com/2013/01/support-for-whs-v1-ends-tomorrow/

I'd advise against running an OS that is no longer supported by its developer (especially for such a long time), because this means that any security vulnerabilities that have been found and disclosed (and thus can be exploited by malware) will not be patched, leaving your server at risk.

 

Emsisoft supports server versions starting with version 2008, see also here: https://www.emsisoft.com/en/software/antimalwareforserver/


Hi there, I decided to join this topic rather than creating a new thread. After all, my query is about ransomware. The question is whether you have any patches to fix the encryption caused by the ransomware Cerber3. I have learnt here http://myspybot.com/cerber3virus/ that the previous two editions of the virus have been cracked, but the third one is not yet.

  • Upvote 1
