A realistic alternative for defending against ransomware

I am coming back to ransomware, a classic topic that is still a real headache. Why is it that we still do not really know ransomware, and still cannot block it properly?

I think there are too many unrealistic alternatives on offer: too many antivirus products ("vaccines", as they are called in Korea), ransomware-only solutions, backup solutions, and appliances to buy.

It is very difficult to find material that lays out the fundamental problem of ransomware and its solutions. Why? Because every vendor says its own product is the alternative, and none of them knows the other vendors' solutions. Moreover, ransomware itself has no sophisticated logic: it simply encrypts files and demands money, and that alone is what makes it malware.

I do backup solution consulting and sales on the IT side. When I write, I try to talk not only about the products I sell but also about themes and alternatives that can help everyone. Today I want to talk about an effective and realistic alternative to ransomware.


Why is ransomware more dangerous than viruses?

Malicious code (malware) is the umbrella term for ransomware, viruses, spyware and the like.

Think back. When a file was infected by a virus, could you save it? Not really. Once a file was infected there was no answer until the antivirus vendor wrote a detection pattern and a cleaning routine for that virus and shipped them in a signature update. If you waited long enough for that pattern to arrive, the file could often be disinfected and restored.

So why is ransomware a bigger problem? A virus corrupts the file; ransomware overwrites the original file with encrypted content, and the one thing needed to undo that, the decryption ("recovery") key, is never left on your machine.

Producing your own recovery key by analysing the algorithm is practically impossible. When the malware runs it generates an encryption key and sends it to the attacker, and only the attacker holds the matching decryption key. (In well-built families the per-victim key is itself encrypted with the attacker's public key before it leaves the machine, so nothing that remains on the victim's disk can decrypt the files.)

Can the files be recovered from the physical disk after a ransomware infection? People do ask this. In most cases it is not possible. Because of how disks work, a file is written into disk sectors. Deleting a file from the OS only removes the directory entry that points at those sectors; the sector contents stay until they are reused. That is why an undelete or carving tool that reads the raw sectors can recover a deleted file.

Ransomware, however, edits the original file. It opens an Excel file called A and writes the encrypted contents back into it, so unlike a deletion the original sectors are modified, not merely unlinked. As a result, recovery tools are almost useless against it. (The exception is ransomware that writes a separate encrypted copy and then deletes the original; there the original sectors are only unlinked and carving can still find them, which is why forensic teams try it before giving up.)
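As an added example (not from the original post), the following Python simulation shows the three cases above on a toy sector-addressed disk: plain deletion leaves the workbook's sectors intact for a carving tool, in-place encryption destroys them, and the new-file-then-delete variant leaves them carvable. The disk layout, the sample workbook bytes, the file names and the SHA-256 keystream "cipher" are all constructed stand-ins, not a real file system or real ransomware.

```python
import hashlib

SECTOR = 512
XLSX_MAGIC = b"PK\x03\x04"  # xlsx/docx are zip containers; carving tools key on this header
# Constructed sample workbook: a zip header followed by filler, about four sectors long.
SAMPLE = XLSX_MAGIC + b"constructed workbook contents; quarterly numbers " * 36


def fake_encrypt(data: bytes, key: bytes = b"attacker-held-key") -> bytes:
    """Stand-in for the ransomware's cipher: SHA-256 in counter mode as a keystream,
    XORed over the data. Deterministic so the example is reproducible; it is a toy."""
    stream = b""
    ctr = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class RawDisk:
    """Sector-addressed media plus a minimal directory (name -> sector list).

    This models the separation the article describes: the OS directory only knows
    *where* a file lives; the bytes themselves sit in sectors on the media."""

    def __init__(self, sectors: int):
        self.media = bytearray(sectors * SECTOR)
        self.free = list(range(sectors))
        self.directory = {}

    def write_new(self, name: str, data: bytes) -> None:
        """Allocate fresh sectors and record them in the directory."""
        chunks = [data[i:i + SECTOR] for i in range(0, len(data), SECTOR)]
        sectors = [self.free.pop(0) for _ in chunks]
        for s, chunk in zip(sectors, chunks):
            self.media[s * SECTOR:s * SECTOR + len(chunk)] = chunk
        self.directory[name] = sectors

    def overwrite_in_place(self, name: str, data: bytes) -> None:
        """Rewrite the file's existing sectors, as ransomware that encrypts in place does.
        The previous contents of those sectors no longer exist anywhere on the media."""
        chunks = [data[i:i + SECTOR] for i in range(0, len(data), SECTOR)]
        for s, chunk in zip(self.directory[name], chunks):
            self.media[s * SECTOR:s * SECTOR + len(chunk)] = chunk

    def delete(self, name: str) -> None:
        """OS-level delete: forget the directory entry and free the sectors; bytes stay."""
        self.free.extend(self.directory.pop(name))

    def carve(self, magic: bytes) -> list:
        """What an undelete/carving tool does: scan every sector start for a known
        header, ignoring the directory entirely."""
        return [s for s in range(len(self.media) // SECTOR)
                if self.media[s * SECTOR:s * SECTOR + len(magic)] == magic]


def try_undelete(disk: RawDisk, magic: bytes, length: int):
    """Recover the first carved file of the given length, or None if nothing carves."""
    hits = disk.carve(magic)
    if not hits:
        return None
    start = hits[0] * SECTOR
    return bytes(disk.media[start:start + length])


def scenario_plain_delete():
    """User (or malware) deletes A.xlsx: directory entry gone, sectors untouched."""
    disk = RawDisk(64)
    disk.write_new("A.xlsx", SAMPLE)
    disk.delete("A.xlsx")
    return try_undelete(disk, XLSX_MAGIC, len(SAMPLE))


def scenario_encrypt_in_place():
    """Ransomware opens A.xlsx and writes ciphertext back into the same sectors."""
    disk = RawDisk(64)
    disk.write_new("A.xlsx", SAMPLE)
    disk.overwrite_in_place("A.xlsx", fake_encrypt(SAMPLE))
    return try_undelete(disk, XLSX_MAGIC, len(SAMPLE))


def scenario_encrypt_to_new_file_then_delete():
    """Ransomware variant that writes A.xlsx.locked to new sectors and then deletes
    the original; the original sectors are merely unlinked, so carving finds them."""
    disk = RawDisk(64)
    disk.write_new("A.xlsx", SAMPLE)
    disk.write_new("A.xlsx.locked", fake_encrypt(SAMPLE))
    disk.delete("A.xlsx")
    return try_undelete(disk, XLSX_MAGIC, len(SAMPLE))


if __name__ == "__main__":
    print("plain delete recoverable:", scenario_plain_delete() == SAMPLE)
    print("in-place encryption recoverable:", scenario_encrypt_in_place() == SAMPLE)
    print("new-file-then-delete recoverable:",
          scenario_encrypt_to_new_file_then_delete() == SAMPLE)
```

The second scenario is the one the article has in mind: once the sectors are rewritten there is no directory trick that brings the plaintext back. The third scenario is why a recovery attempt on a raw image is still worth a few hours before paying or restoring from an older copy.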


Is backup the best solution for ransomware?

Beyond ransomware, we always stress that backups must be made so that data is not lost in any situation.

But the backup has to be done well. If you use a Windows-based backup solution and store the backups on an NTFS volume that the infected host can write to, you are not free of malware (ransomware) at all: the backup files get encrypted along with everything else. So we usually recommend a second backup to tape after the first backup to disk. Tape is an important backup medium that will not disappear any time soon.

A disk assigned to the OS carries a file system (NTFS and so on), so anything running on that OS can access and write it. Tape has no file system the OS mounts. It is only a storage medium, accessible solely through the backup software that writes OS files to it, so in the worst case a tape copy can still be recovered from. The price of tape is tape replacement, the cost of introducing backup software, and ongoing management.


What is a snapshot?

Backups and snapshots are closely related technologies.

A snapshot is a feature that captures a file system at a specific point in time (a point-in-time copy) so that it can be restored later if something happens to the original.

The main advantage of snapshots is that creating and restoring them is very fast (minutes at most). Backup and recovery through backup software is not comparable.

This is because a conventional backup copies and keeps the files of the backup target, whereas creating a snapshot only records, in a table, the locations of the blocks that hold the data at that instant.

The component that creates and manages these snapshots is the snapshot manager inside the OS or the storage system.

Are you curious how data that changes after the snapshot is handled?

Explaining that properly would take a lot of space here. (There is a lot of detail at https://m.blog.naver.com/cheory79/220694992055, which explains the snapshot concept as implemented by Nimble Storage, since acquired by HP.)
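To make the mechanism concrete, here is an added example (not from the original post or the linked article) of a redirect-on-write snapshot volume in Python. It also shows the recovery flow the post describes later for a NAS share: an infected client encrypts the share, a scheduled snapshot dutifully captures the ciphertext, and the last clean snapshot is located by byte entropy and rolled back. The volume model, the sample files, the 7.0-bit entropy threshold and the keystream "cipher" are constructed assumptions, not any vendor's implementation.

```python
import hashlib
import math
from collections import Counter

ENTROPY_LIMIT = 7.0  # bits/byte; text and office files sit well below, ciphertext near 8


def fake_encrypt(data: bytes, key: bytes = b"attacker-held-key") -> bytes:
    """Toy stand-in for the ransomware's cipher (SHA-256 counter-mode keystream XOR)."""
    stream = b""
    ctr = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; encrypted data is close to 8, documents far below."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


class SnapshotVolume:
    """Block-level volume with redirect-on-write snapshots.

    A snapshot is only a frozen copy of the file table (path -> block id). Writes
    never touch an existing block: they allocate a new one and repoint the live
    table, so every block a snapshot still references survives, and the snapshot
    costs no space until data actually changes."""

    def __init__(self):
        self.blocks = {}      # block id -> bytes: the physical store (the NAS disks)
        self.next_block = 0
        self.live = {}        # current file table, the only thing clients can change
        self.snapshots = []   # [(name, frozen file table)], oldest first

    def write(self, path: str, data: bytes) -> None:
        self.blocks[self.next_block] = data
        self.live[path] = self.next_block
        self.next_block += 1

    def read(self, path: str) -> bytes:
        return self.blocks[self.live[path]]

    def snapshot(self, name: str) -> None:
        self.snapshots.append((name, dict(self.live)))  # O(files), not O(bytes)

    def rollback(self, name: str) -> None:
        table = next(t for n, t in self.snapshots if n == name)
        self.live = dict(table)

    def snapshot_files(self, name: str) -> dict:
        table = next(t for n, t in self.snapshots if n == name)
        return {p: self.blocks[b] for p, b in table.items()}

    def used_bytes(self) -> int:
        """Blocks referenced by the live table or any snapshot; the rest is free."""
        referenced = set(self.live.values())
        for _, table in self.snapshots:
            referenced.update(table.values())
        return sum(len(self.blocks[b]) for b in referenced)


def last_clean_snapshot(vol: SnapshotVolume):
    """Newest snapshot in which no file looks encrypted. A scheduled snapshot taken
    after the infection preserves the ciphertext just as faithfully, so the newest
    snapshot is not automatically the one to restore."""
    for name, table in reversed(vol.snapshots):
        if all(shannon_entropy(vol.blocks[b]) < ENTROPY_LIMIT for b in table.values()):
            return name
    return None


# Constructed sample share: three office-style files of 4 KiB each.
FILES = {f"share/{n}": (f"{n}: constructed plaintext row " * 200).encode()[:4096]
         for n in ("budget.xlsx", "plan.docx", "minutes.txt")}


def demo() -> dict:
    vol = SnapshotVolume()
    for path, data in FILES.items():
        vol.write(path, data)
    bytes_before = vol.used_bytes()
    vol.snapshot("08:00")
    cost_after_first_snapshot = vol.used_bytes() - bytes_before   # nothing changed yet
    vol.write("share/plan.docx", FILES["share/plan.docx"] + b" (revised)")
    vol.snapshot("12:00")                       # now one old block is kept for 08:00
    for path in list(vol.live):                 # infected PC encrypts the share via SMB
        vol.write(path, fake_encrypt(vol.read(path)))
    vol.snapshot("16:00")                       # scheduled snapshot of ciphertext
    clean = last_clean_snapshot(vol)
    if clean is not None:
        vol.rollback(clean)
    return {
        "clean_snapshot": clean,
        "snapshot_cost_before_change": cost_after_first_snapshot,
        "restored_ok": (vol.read("share/budget.xlsx") == FILES["share/budget.xlsx"]
                        and vol.read("share/plan.docx").endswith(b" (revised)")),
        "ciphertext_entropy": shannon_entropy(
            vol.snapshot_files("16:00")["share/budget.xlsx"]),
    }


if __name__ == "__main__":
    print(demo())
```

Two design points carry over to real storage. The client side only ever calls `write`, and there is no client-reachable path to `snapshots`; that separation is what a NAS snapshot manager gives you and what Windows-side shadow copies lack when the infected user is an administrator. And `blocks` is the physical store: lose it and every snapshot goes with it, which is why the snapshot tier still needs a copy on other hardware.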


The difference between backups and snapshots

Backups and snapshots cause a lot of confusion. Both exist for data recovery. But the concept of a backup is to copy from the original location (disk) to another medium, and keeping that copy takes a lot of time and money.

Snapshots, on the other hand, use some space on the original location (disk) as the repository for recovery. That means snapshots are useless if the original repository has a hardware failure.

And snapshots are very fast to create and restore. In addition, data can be recovered even if the data in the original repository has been deliberately altered or deleted.


The realistic alternative for ransomware is snapshot + backup.

Let's consider a company. Ours is a small IT company of 10 people. There is one server for sharing work files and about seven other servers.

Other companies are the same. There are very few file servers, and the company's critical files are concentrated on them. Is everyone backing them up? Or backing them up the wrong way?

The best answer I have found is to use snapshot technology and a backup solution together. The two are similar but different, and they complement each other into an optimal combination.

Below we look at the ways companies share work files for collaboration, compare the kinds of backup most companies have today, and explain why this alternative is better.


Work-sharing setups that are vulnerable to malicious code (ransomware)

  1. A Windows-based OS connects to network shared folders on each PC.
  2. A backup is made, but it is just an automatic copy to another Windows machine in the same company.
  3. The backup solution is considered too expensive, so the database is dumped to a file by hand and copied to a USB disk.
  4. Windows' own snapshot feature (Volume Shadow Copy) takes a snapshot of the volume once a day. (Not many cases.)


When we do backup consulting at companies of 100 people or fewer, this is usually what we find.

The first problem is that when a PC that has the shared folder mounted is infected with malware, the files in the shared folder are encrypted too.

Second, copying the original data to another PC does not really protect against malware that spreads and infects through Windows security vulnerabilities. And if the USB disk is connected at the time, it gets infected as well.

Finally, Windows can create and restore snapshots. But when ransomware runs, it first stops services, deletes every existing snapshot (typically with a command such as vssadmin delete shadows /all /quiet, which succeeds because the infected user is usually a local administrator), and only then encrypts the files, so recovery from those snapshots is no longer possible.


To avoid the problems above, with a little more effort, we recommend the following work-sharing setup.

A work-sharing setup that can defend against malicious code (ransomware)

  1. A NAS running a NAS-specific OS is used as the file server.
  2. The NAS's volume snapshot feature takes snapshots at least once a day.
  3. Important data on the servers is automatically stored on the NAS using the NAS's file synchronization tool.
  4. The NAS replicates to cloud storage such as Box or OneDrive.
  5. Critical servers are backed up with a backup solution: first to disk, then from disk to tape.

The first and most effective element of the setup is to use a dedicated NAS.

Rather than PC or server hardware for file sharing, a NAS is a cost-effective replacement. The proprietary OS embedded in the NAS is somewhat safer because it is less exposed than Windows and offers a very limited environment for executing malicious code. It also has the snapshot function described above. (Among QNAP products it is worth buying one with a snapshot feature; they sell well in the SMB market.) That said, a NAS OS is not immune: keep its firmware patched and never expose its management interface to the Internet.

The NAS is connected to the PCs as a shared folder, just like a file server. In that case the PC is the one that gets infected, and the shared NAS folder is exposed to the encryption attack just as before. Infection of the shared files is of course still possible.

The second element addresses the infection itself. The snapshot function of the NAS OS lets you keep and restore snapshots of shared folders and volumes. Because enterprise storage from vendors such as HP and IBM is usually expensive, being able to use NAS snapshots for restore is a big merit for a small company. Even if the shared folder is encrypted, the original data is available immediately after rolling the volume back to a snapshot in the NAS OS. Two caveats: the snapshots must not be deletable with the credentials the PCs use to write to the share, and retention must be long enough that a snapshot from before the infection still exists.

The third element is that important servers must also keep a copy of their original data somewhere else. Solutions for backing up to a NAS are bundled by NAS vendors such as Synology and CUNAK. Once the data is on the NAS, a sync-type tool that copies in real time is easy to use, and the stored copy is protected by the same snapshots.

The fourth element is there because a physical failure of the NAS disks cannot be recovered by snapshots. Synchronization to cloud services is also possible with software on the NAS. Prepare for the worst. One thing to check: a sync tool faithfully replicates encrypted files too, so make sure the cloud service keeps file version history long enough to reach back to before the infection.

The fifth element is a slightly more luxurious alternative. Companies that are a little better off have several servers: mail servers, ERP servers, Oracle servers, MSSQL servers and so on. These are very expensive and hard to rebuild. Because they mostly hold databases, copying file by file has limits. For these, a backup solution is recommended: a primary backup to disk for fast recovery, and tape as the last resort.


Finally

Every time I write an article like this I hope the knowledge I have will help people working in IT. But I have to make a living, so it is hard to find time to write like this. I have spent almost two and a half hours on it so far. Four pages! I hope the time invested here helps others.


IT knowledge is very broad. I am grateful for criticism and corrections of things I have got wrong. However, the logic and facts of both the person presenting the knowledge and the person objecting should be accurate. These days I worry a little about arguments on the internet, since many posts assert a position with personal attacks and few facts.


Later I will return to backups again: system backup, data backup, DR and so on, and discuss what the best alternative is.

Thank you for reading all of this.
I'm Raphael Yoon from IB Infotec Co., Ltd.