
Protecting network shares from Ransomware


5 replies to this topic

#1 steveg_nh


Posted 04 May 2016 - 10:18 AM

I'm wondering how network shares are accessed via ransomware programs.

 

I read that both DMA Locker and Cerber are now sophisticated enough to also encrypt any network share, even if not mapped to a drive letter on the infected PC. So to me, it's as if the programs are just browsing the network and accessing any open network share.

 

I have a NAS, where I keep a copy of my nightly PC backup. That NAS has the ability to hide the share. The only way to access the share is if you browse to the device name or IP and share name directly. But since this info pops up when you type in Windows Explorer, it's obviously stored in the Windows registry. When I browse the network however, and look at the NAS, no shares are shown.

 

Does this simple step help keep the share safe, or is there a much deeper method that ransomware will use to find network shares, even if not visible through browsing the network?

Additionally, if you add credentials to a network share, and those credentials are stored by the backup program, could those credentials be easily hacked by the ransomware for access to the share, or are these darn malware programs that smart?

 

Thanks.




 


#2 MelonBird


Posted 10 May 2016 - 04:52 PM

I hope you get an answer to this, because I've wondered about it too. It looks like the only way to do backups is manually, keeping an external drive hooked up to the computer for as short a time as possible, and hoping you haven't got the ransomware running at that time. Welcome back to 1996!



#3 quietman7


Posted 11 May 2016 - 06:55 AM

For the best defensive strategy to protect yourself from malware and ransomware infection, see my comments (Post #2) in this topic.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#4 steveg_nh


Posted 11 May 2016 - 09:44 AM

Not really any silver bullet. I set my NAS backup shares up as hidden as a start. Then added a specific account to the NAS that is the only one that has read/write access to the shares. Those credentials are given to the backup program to log into the NAS share to write the backup. The problem is the backup software must be passing the credentials to Windows, because once the backup software authenticates, the NAS can be accessed through Windows without needing to enter the credentials. So not perfect, but I know once the backup storage target is taken out of the rotation (cold storage), it will be forgotten to be put back online for the backups. Not good either. Catch 22.
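
Post #4 describes the NAS staying reachable from Windows after the backup program has logged in. The PowerShell script below is an added example, not written by any poster in this thread: it lists the SMB sessions, mappings and saved credentials the logged-on user holds for a NAS, then drops them once the backup has finished and checks that nothing is left. The host name `nas.example.lan` and share name `backup$` are placeholders, and it assumes any saved credential is stored under the same host name.

```powershell
# Added example: audit what this logon session can already reach on the NAS,
# then drop the authenticated SMB session once the backup has finished.
# $NasHost and $ShareName are placeholders, not values from the thread.
param(
    [string]$NasHost   = 'nas.example.lan',
    [string]$ShareName = 'backup$'
)

$unc = "\\$NasHost\$ShareName"

# 1. Live SMB sessions: any process running as this user can use these
#    without a prompt, whether or not a drive letter is mapped.
Get-SmbConnection -ServerName $NasHost -ErrorAction SilentlyContinue |
    Format-Table ServerName, ShareName, UserName, Credential, Dialect

# 2. Mappings (with or without a drive letter) known to this logon session.
Get-SmbMapping | Where-Object RemotePath -like "\\$NasHost\*" |
    Format-Table LocalPath, RemotePath, Status

# 3. Credentials saved in Windows Credential Manager for the NAS.
#    A saved entry lets the share reconnect silently after a reboot.
$saved = cmdkey /list | Select-String -SimpleMatch $NasHost
if ($saved) {
    Write-Warning "Saved credential found for $NasHost"
    $saved
}

# 4. After the backup job ends: remove the connection and the saved credential.
#    Assumption: the credential target name equals $NasHost (it may be an IP).
net use $unc /delete /y 2>$null
cmdkey /delete:$NasHost 2>$null | Out-Null

# 5. Verify nothing is left authenticated to the backup share.
$left = @(Get-SmbConnection -ServerName $NasHost -ErrorAction SilentlyContinue |
          Where-Object ShareName -eq $ShareName)
if ($left.Count -gt 0) {
    Write-Warning "Session to $unc is still open; close programs using it and rerun."
    exit 1
}
Write-Output "No authenticated SMB session to $unc remains."
```

Run it as the same Windows user the backup program runs under, since SMB sessions and saved credentials belong to a logon session.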



#5 MelonBird


Posted 11 May 2016 - 09:54 AM

quietman7 wrote: "For the best defensive strategy to protect yourself from malware and ransomware infection, see my comments (Post #2) in this topic."

I've read that post many times and implemented every part of it I understood (I'm a reasonably savvy end user, not an IT specialist). But I'm still not clear on whether ransomware can detect network drives under the conditions the OP describes. It sounds like we just have to assume that if they can't do it now, they'll figure it out eventually?

In which case, relying on a drive that's constantly connected is a bad backup strategy. Hence the need for a backup drive that is disconnected when the backup is done (as you say in your post). I'm currently letting File History back up on one hard drive every day or so, and using other hard drives to do manual backups every few weeks. I now do my email (and a number of frequently updated docs/spreadsheets) in the cloud because I don't even want to lose one day of these by having to revert to a backup. I used to worry about companies snooping through my cloud-stored docs, but now I'm more concerned about losing a day's updates/emails to ransomware or even just plain old hard drive failure.


Edited by MelonBird, 11 May 2016 - 09:56 AM.


#6 steveg_nh


Posted 11 May 2016 - 11:51 AM

My understanding is right now, no, but I'm sure they will figure out a way to search the registry or something, or get a device name, use the UNC path, and see what they can find.





