
News, tips, partners, and perspectives for the Oracle Solaris operating system

A Tale of Two Ransomware Attacks

Scott Lynn
Director of Product Management GraalVM


Ransomware seems to be getting more widespread every day. These attacks are nasty, and at least one of them deletes your files even after you pay the ransom.

I’m going to tell you two stories of ransomware attacks,
and then I’m going to tell you how you can prevent ransomware from destroying
your data even when you are using a centralized storage server and Windows
clients via SMB.

So, let’s get to the stories…

In one story we have a small financial/accounting business. In the other, a university in Europe. Both were attacked, but the outcomes were very different.

The small financial business ran its entire company on Windows. This is not an unfamiliar story. They had a small system that acted as their storage server and also ran their financials. Last week, some ransomware infected one of their desktops/laptops. This is where the problem began, but it isn't the worst of it (I wish that it were).

It spread throughout the entire company, landing on and encrypting data on every machine in the company. Every machine.

It encrypted data on the storage server via SMB. But it also landed on the storage server itself and took over there too, encrypting their financials. But no worries: the CEO has a background in IT, and he has had a backup system in place from the start.

Well… his company has been growing rapidly (we should all have that problem). He hasn't had time to pay attention to the IT infrastructure lately. When they went to the backups, the last good one was from April! Not good (and probably not the first time you've heard of backups not being usable).

They lost all their data.

Just a few weeks earlier, one of our great customers at a
university in Europe had a ransomware attack too. They, too, had a centralized
storage server, and the ransomware was able to attack the files on the server
via SMB. In this case, however, the
ransomware wasn’t able to land on the storage server because the server was
running Oracle Solaris.  But large numbers of
files had been encrypted.

The university, however, only lost a few files because they
were using servers running Oracle Solaris and using ZFS as the backend storage for serving SMB.

They had been using ZFS automated snapshots for years. Because of the automatic snapshot capability, they were able to simply roll back the storage pools/volumes to the snapshot taken right before the ransomware attacked. They lost some files, but very few.

Which would you rather be? 

So, how can you easily recover data lost to a ransomware attack?  Well, it’s really quite
easy.

You install and run Oracle Solaris 11 on your storage
servers and use ZFS as the filesystem.

Some of you are now saying things like, "But it's too expensive," "It's too complex," "I don't know how to administer [Oracle] Solaris," or some other such things. This blog isn't going to get into those, except to say, "No. It really isn't." Oracle Solaris is free to use in non-commercial or non-production commercial environments. In a production commercial environment, Oracle Solaris is $1000/socket (or 8% of your Oracle Hardware cost) per year for support. If you are a student at one of the more than 10,000 universities that are Oracle Academy members, Oracle Solaris support is free. It's not hard to use. I use it at home to run my own NAS, DHCP, DNS, and even a VM for video streaming for my kids, who are really into Harry Potter these days, and I'm so glad I have them locally rather than having to stream from our favorite service. Oracle Solaris is so simple to use, even your manager can use it!

So, how simple is it to set up ZFS snapshots? It takes 3 steps (after you install Oracle Solaris):

Step 1: Install the time-slider package (desktop/time-slider)

# pkg install desktop/time-slider
           Packages to install:  1
            Services to change:  2
       Create boot environment: No
Create backup boot environment: No

DOWNLOAD                                PKGS         FILES    XFER (MB)   SPEED
Completed                                1/1         99/99      0.3/0.3  258k/s

PHASE                                          ITEMS
Installing new actions                       186/186
Updating package state database                 Done
Updating package cache                           0/0
Updating image state                            Done
Creating fast lookup database                   Done
Updating package cache                           2/2

Step 2: Identify the file systems to snapshot

# zfs list -r tank
NAME               USED  AVAIL  REFER  MOUNTPOINT
tank              1.24M   134G    32K  /tank
tank/home         1.10M   134G    33K  /tank/home
tank/home/movies   548K   134G   548K  /tank/home/movies
tank/home/sdata    548K   134G   548K  /tank/home/sdata

Step 3: Start the services:

# svcadm enable auto-snapshot:frequent
# svcadm enable auto-snapshot:hourly
# svcadm enable auto-snapshot:daily
# svcadm enable auto-snapshot:weekly
# svcadm enable auto-snapshot:monthly
# svcadm enable time-slider/plugin:zfs-send
# svcadm enable time-slider/plugin:rsync
# svcadm enable time-slider

OK. That's not 3 commands. But close enough.

# svcs svc:/application/time-slider:default
STATE          STIME    FMRI
online         22:49:51 svc:/application/time-slider:default

Our file systems are now being snapshotted automatically, which is what protects them against malicious software: there is always a clean, read-only copy to roll back to. If you wait a little while, you'll see this:

# zfs list -t all -r tank
NAME                                                    USED  AVAIL  REFER  MOUNTPOINT
tank                                                   1.35M   134G    32K  /tank
tank/home                                              1.10M   134G    33K  /tank/home
tank/home/movies                                        548K   134G   548K  /tank/home/movies
tank/home/movies@zfs-auto-snap_daily-2016-10-12-09h44      0      -   548K  -
tank/home/sdata                                         548K   134G   548K  /tank/home/sdata
tank/home/sdata@zfs-auto-snap_daily-2016-10-12-09h44       0      -   548K  -
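As an added example (not part of the original post), here is a small POSIX shell script that automates the university's recovery step: from the snapshot names time-slider produces, it picks the newest snapshot taken before the time encrypted files first appeared and builds the matching rollback command. The snapshot listing is a constructed sample so the script runs offline; list_snapshots, last_clean_snapshot and rollback_command are names I chose, not Solaris tools.

```shell
#!/bin/sh
# Added example, not from the original post: given the time at which encrypted
# files first appeared, pick the newest time-slider auto-snapshot taken before
# that moment and build the rollback command. Snapshot names follow the
# zfs-auto-snap_<interval>-YYYY-MM-DD-HHhMM pattern shown in the post.

# Constructed sample of `zfs list -H -o name -t snapshot -r tank/home/sdata`;
# on a real server replace the body with that command (dataset name is $1).
list_snapshots() {
    cat <<'EOF'
tank/home/sdata@zfs-auto-snap_daily-2016-10-11-09h44
tank/home/sdata@zfs-auto-snap_hourly-2016-10-12-08h00
tank/home/sdata@zfs-auto-snap_daily-2016-10-12-09h44
tank/home/sdata@zfs-auto-snap_frequent-2016-10-12-10h15
tank/home/sdata@zfs-auto-snap_hourly-2016-10-12-11h00
EOF
}

# last_clean_snapshot DATASET CUTOFF
# CUTOFF is YYYY-MM-DD-HHhMM; prints the newest auto-snapshot of DATASET whose
# timestamp sorts before CUTOFF (zero-padded stamps compare correctly as
# strings), or nothing if every snapshot is newer than the cutoff.
last_clean_snapshot() {
    list_snapshots "$1" | awk -v ds="$1" -v cutoff="$2" '
        index($0, ds "@zfs-auto-snap_") == 1 {
            stamp = $0
            sub(/^.*@zfs-auto-snap_[a-z]+-/, "", stamp)
            if (stamp < cutoff && stamp > best) { best = stamp; name = $0 }
        }
        END { if (name != "") print name }'
}

# rollback_command SNAPSHOT
# Plain `zfs rollback` only accepts the most recent snapshot; -r also destroys
# the newer snapshots (the ones holding encrypted copies), which is what a
# ransomware recovery wants.
rollback_command() {
    printf 'zfs rollback -r %s\n' "$1"
}

ds=tank/home/sdata
target=$(last_clean_snapshot "$ds" 2016-10-12-10h00)
if [ -n "$target" ]; then
    echo "Last clean snapshot: $target"
    echo "Restore with: $(rollback_command "$target")"
else
    echo "No auto-snapshot of $ds predates the cutoff; fall back to backups" >&2
fi
```

Snapshots on the same pool only help while nothing on the server can destroy them, which is exactly why it mattered that the ransomware never landed on the Solaris box; the zfs-send and rsync plugins enabled in Step 3 are what keep copies elsewhere.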

So, there you go. You can protect your data from ransomware attacks easily. All you need to do is run Oracle Solaris 11.


Comments ( 2 )
  • Stanislav Kozina Friday, October 14, 2016

    Hi Scott,

    Thanks for the great blog post! When you say "Oracle Solaris is free to use in non-commercial or non-production commercial environments", does this include access to the Solaris "support" repository?


  • Scott Lynn-Oracle Friday, October 14, 2016

    Thanks for the question. Access to the support repo isn't granted for free. However, about 80% of Oracle Solaris is open source and we make our open source packages available in the "release" repo as soon as we have them ready (about 1x per month). They are considered "unsupported." You can get more information in this detailed how-to guide (https://community.oracle.com/docs/DOC-917308), and we push out what is available here in the Oracle Solaris Blog when we publish the software. Here's one: https://blogs.oracle.com/partnertech/entry/more_free_open_source_software.

