Ransomware protection for files with NetApp and CryptoSpike

By | 24. January 2020

Hello together,

Again and again, there are reports in the press that companies or authorities are infested with ransomware or are being blackmailed by encryption Trojans. In many cases, however, ransomware attacks remain under lock and key to avoid the company’s image loss.

Companies or authorities that rely on a “normal” backup strategy (once in the evening an incremental backup, full at the weekend) face the dilemma of losing data a whole day in case of an infestation by an encryption Trojan. In some cases, even in addition to the normal files, the backups were encrypted. That’s really cocky.

Who then backs up from a tape backup the previous week loses an enormous amount of data and can not be sure if the ransomware has not already hidden in this backup.

The economic damage to the companies concerned is usually enormous.

“Anyone who uses NetApp as a file server can count themselves lucky!”

Okay, okay the statement is a bit provocative and doesn’t agree 100%. Viruses and encryption Trojans can also rage on NetApp file servers.

What makes NetApp File Services different?

The file service on a NetApp is always clustered.

While no protection against ransomware, a NetApp build in add-on is that your file service is always highly available on NetApp, because the NetApp systems come with at least two controllers. So you have a File Server Cluster out of the Box.

The File Service on a NetApp is not a Windows Server.

In NetApp, there is no active Windows operating system on which ransomware can spread undisturbed. If something is encrypted, it is only through active clients that have access to the SMB
Share. If no clients are logged on, nothing is encrypted.

SnapShots in NetApp are read-only.

If you use NetApp’s built-in SnapShot technology and, for example, create a SnapShot of your file system every hour or every 30 minutes, you’ve already taken a real step. Because the NetApp SnapShots are read-only and therefore cannot be encrypted by a Trojan. In the worst case, you only lose 30 minutes of your work.

PIC1: Single File Restore in Windows Explorer with NetApp SnapShots

As shown in the image above (PIC1), you can browse the previous versions of a file share and back up individual “affected” files within seconds. There’s only one catch…

Do you know exactly which files were encrypted?

At the moment when you have been informed by your users about a Trojan infestation, the Trojan is certainly already raging for some time. It is virtually impossible to identify all files already encrypted. Unfortunately, the latest generations of encryption Trojans no longer do us any favours. locky ending to write to the encrypted files.

The perfidious thing is that today’s encryption Trojans open a file, encrypt it, and close it again. From the outside, it is no longer clear which file is encrypted. So what do you back from your SnapShot?

CryptoSpike for NetApp helps:

The company Prolion has realized that it is very difficult to identify the already encrypted files and goes on the offensive against encryption Trojans with its product CryptoSpike.

CrypoSpike switches to the native NetApp Fpolicy and detects by the “behavior” whether an encryption Trojan is about to get started. For example, if unusually fast and bulky Open, Write, Close requests to files are detected by a user, CryptoSpike automatically blocks access for that user, raises the alarm, and reports which files have been potentially encrypted.

If CryptoSpike has identified the affected file, you have the option to directly restore it from your NetApp SnapShots.

But what else does CryptoSpike do to detect Trojans?

White-List contains all file extensions allowed in your company, these are automatically read from the storage when CryptoSpike is installed.

Black List currently contains around 1800 known ransomware file names or file names that are updated daily.

The learner is the key part of the second layer of security. Because ransomware rarely changes file names and endings, so that the encryption is not recognizable from the outside. The Learner, therefore, analyzes patterns of user behavior in your company, e.g. read/write/open/close file operations. For this purpose, e.g. the last 50,000 transactions on the network and stored in the White Patterns List. Likewise, there is the Black Patterns List with behavior patterns from recent ransomware attacks.

Conclusion:

If you own a NetApp and use the File Services with SnapShots, you’ve already taken an important step. Consider whether your SnapShot plan is tight enough to survive a ransomware attack without much data loss.

If you own a NetApp and run a Windows server as a file server, I wonder: “WHY?” There are few cases where a “real” Windows File Server is essential.

If you own a NetApp, your SnapShot plans are very tight-knit and you want the ultimate protection against encryption Trojans, then check out CryptoSpike.

Epilogue

I did not post this post to advertise certain products! Rather, I’m worried about how bitterly it has hit companies that have been infected with ransomware in my day-to-day business. And yes, there were also companies with NetApp systems, which had to reset the entire file stock to the last snapshot, because they did not know what is infected. There were also companies that use a NetApp but operate the File Services via a Windows server. There, both the Windows file server and the backup were encrypted.

In a nutshell: “Make your thoughts, ACT NOW!”

Thank you for reading

Best regards
Derschmitz

DISCLAIMER: This post represents my personal observations and is not official from NetApp or other authorized ones. misinterpretations or misunderstandings.

One thought on “Ransomware protection for files with NetApp and CryptoSpike

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.