Automatically Backup Module against Ransomware Attack

Automatically Backup Module against Ransomware Attack (Kazuki Omo) - Ransomware attacks are ongoing nowadays, and many users are having trouble in critical infrastructure. Not only Windows but also Linux faces the ransomware threat. In enterprise systems, Linux is used as a file-sharing server and faces ransomware through NFS, Windows CIFS, and so on. In this presentation, Kazuki Omo will suggest several ways to protect important files from ransomware with a newly developed Linux Security Module, and demonstrate it.

1. Automatically Backup Module against Ransomware Attack
2018/06/26
Vice President / OSS / Security Evangelist: Kazuki Omo (面 和毅)
© SIOS Technology, Inc. All rights Reserved.

2. Agenda
1. Ransomware?
2. Prepare for Ransomware infection.
3. Server Side Solution
4. Implementation
5. (+Demo)

3. Who am I?
- Security Researcher/Engineer (18 years)
- SELinux/MAC Evangelist (14 years)
- Antivirus Engineer (3 years)
- SIEM Engineer (3 years)
- CISSP (#366942)
- 120kg Bench Press Max
- Member of Secure OSS-Sig

4. 1. Ransomware

5. What is Ransomware?
Ransomware [TrendMicro definition]: Ransomware is a type of malware that prevents or limits users from accessing their system, either by locking the system's screen or by locking the users' files unless a ransom is paid.
(Ref: https://www.trendmicro.com/vinfo/us/security/definition/ransomware)

6. So, what does Ransomware do? (figure)

7. Workaround?
"Ransomware is a type of malware." Let's think about:
- Detect/Reject Ransomware. → Antivirus
- Prepare for Ransomware infection. → ???

8. Workaround 1. Antivirus (figure: File Server)

9. Workaround 1. Antivirus (figure: File Server)
- 0-day?
- No Antivirus HW?

10. Workaround: Prepare for Ransomware infection. (figure: File Server)
- 0-day?
- No Antivirus HW?

11. 2. Prepare for Ransomware infection.

12. File Server Side: "Prepare for Ransomware" (from the server's point of view)
- Fight with Ransomware (AntiVirus, etc.)

13. File Server Side: "Prepare for Ransomware" (from the server's point of view)
- Fight with Ransomware (AntiVirus, etc.) → Difficult

14. Client Side: How Ransomware works (from the client side).
Flow: Encrypt → Write → Delete
Client:
- Choose target file
- Encrypt file (Original file → Encrypted File)
- Write Encrypted file
- Request to Delete file.

15. File Server: How Ransomware works (from the file server).
Flow: Encrypt → Write → Delete
Client:
- Choose target file
- Encrypt file (Original file → Encrypted File)
- Write Encrypted file
- Request to Delete file.
Server (what it sees through smbd):
- Encrypt: sys_open/sys_read on the shared volume through smbd; sys_close to target file(?)
- Write: Write some file on the shared volume through smbd etc.
- Delete: Delete file through smbd.

16. File Server: How Ransomware works (from the file server).
Flow: Encrypt → Write → Delete
Client:
- Choose target file
- Encrypt file (Original file → Encrypted File)
- Write Encrypted file
- Request to Delete file.
Server (what it sees through smbd):
- Encrypt: sys_open/sys_read on the shared volume through smbd; sys_close to target file(?)
- Write: Write some file on the shared volume through smbd etc.
- Delete: Delete file through smbd.
Usual behavior as a File Server.

17. File Server Side: "Prepare for Ransomware" (from the server's point of view)
- Fight with Ransomware (AntiVirus, etc.) → Difficult
- Prepare a way to restore the file. → Take Backup.

18. File Server: So, how can we do it?
Flow: Encrypt → Write → Delete
Client:
- Choose target file
- Encrypt file (Original file → Encrypted File)
- Write Encrypted file
- Request to Delete file.
Server (what it sees through smbd):
- Encrypt: sys_open/sys_read on the shared volume through smbd; sys_close to target file(?)
- Write: Write unknown file on the shared volume through smbd etc.
- Delete: Delete file through smbd. ← Let's think about this point.

19. Linux+Samba Config
Recycle bin on Samba 3/4. "vfs objects = recycle" enables the Recycle bin.

  [Share]
  comment = Public Stuf
  path = /Share/
  browseable = yes
  writable = yes
  printable = no
  vfs objects = recycle
  guest ok = yes
  read only = no
  recycle:repository = .recycle
  recycle:keeptree = yes

20. Linux+Samba Config
Recycle bin on Samba 3/4. "vfs objects = recycle" enables the Recycle bin.

  [Share]
  comment = Public Stuf
  path = /Share/
  browseable = yes
  writable = yes
  printable = no
  vfs objects = recycle
  guest ok = yes
  read only = no
  recycle:repository = .recycle   ← deleted files are moved into .recycle/ under the share
  recycle:keeptree = yes

21. How about Modify?
What about "Modify", not "Delete"?
Flow: Encrypt → Write → Modify (instead of Delete)
Client:
- Choose target file
- Encrypt file (Original file → Encrypted File)
- Write Encrypted file
- Modify file (instead of requesting to Delete it).
Server (what it sees through smbd):
- Encrypt: sys_open/sys_read on the shared volume through smbd; sys_close to target file(?)
- Write: Write unknown file on the shared volume through smbd etc.
- Modify: Modify file through smbd (no delete, so nothing lands in the recycle bin).
What about this situation?

22. 3. Server side Solution.

23. From File Server:
PC/User → Server
  User         Kernel (System Call)
  fopen()      sys_open()
  fread()      sys_read()
  fwrite()     sys_write()
Server: Can't find User or Ransomware!!

24. From File Server: (Auto Backup)
PC/User → Server
  User         Kernel (System Call)
  fopen()      sys_open()
  fread()      sys_read()
  fwrite()     sys_write() → Backup

25. From File Server: (fanotify solution)
PC/User → Server. Create backup "before writing" by using Fanotify/inotify?
  User         Kernel (System Call)
  fopen()      sys_open()
  fread()      sys_read()
  fwrite()     sys_write()
Fanotify events: FAN_MODIFY, FAN_CLOSE_WRITE, FAN_CLOSE_NOWRITE
Fanotify is hooking "after writing". → Can't take backup "before writing".

26. From File Server: (LSM solution)
PC/User → Server. Create backup "before writing" by using LSM.
  User         Kernel (System Call)
  fopen()      sys_open()
  fread()      sys_read()
  fwrite()     sys_write() → file_backup (LSM hook) → Backup

27. From File Server: (LSM solution)
PC/User → Server. Performance.....
  User         Kernel (System Call)
  fopen()      sys_open()
  fread()      sys_read()
  fwrite()     sys_write() → file_backup (LSM hook) → Backup

28. From File Server: (LSM solution)
PC/User → Server. Limit the backup to "Labeled" files.
  User         Kernel (System Call)
  fopen()      sys_open()
  fread()      sys_read()
  fwrite()     sys_write() → file_backup (LSM hook, labeled files only) → Backup

29. File Label
user@local:~/testdir$ ls -lh
total 4.0K
-rw-r--r-- 1 user user 148 Jun 1 10:43 h123
user@local:~/testdir$ getfattr h123
# file: h123
user.backup_label

user@local:~/testdir$
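The following is an added example, not code from the presentation or from the SIOS module. It models in user space what slides 26 to 29 place in a kernel hook in front of sys_write: if the target file carries the user.backup_label xattr (the name shown in the getfattr output above), a numbered copy is taken before the write lands, and unlabeled files pay nothing. The demo() function runs the "Modify, not Delete" case from slide 21, which a Samba recycle bin never sees because no delete happens. The backup directory layout, the helper names, the file contents and the fallback to "treat as labeled" on filesystems without user xattrs are assumptions of this example.

```python
"""Added example: user-space model of the slides' "backup before write" idea.

Not code from the presentation or from the SIOS LSM. The slides put a
file_backup() hook in the kernel in front of sys_write, restricted to files
labeled with the xattr user.backup_label. Here the same decision runs in user
space around a plain write. Directory layout, helper names and sample data are
assumptions of this example.
"""
import os
import shutil
import tempfile
from pathlib import Path

BACKUP_LABEL = "user.backup_label"   # xattr name from the slides' getfattr output


def label_file(path):
    """Mark a file for backup-before-write (what setfattr -n user.backup_label does)."""
    os.setxattr(path, BACKUP_LABEL, b"")


def is_labeled(path):
    """True if the file carries the label. A filesystem without user xattr
    support (or a missing file) simply counts as 'not labeled'."""
    try:
        return BACKUP_LABEL in os.listxattr(path)
    except (OSError, AttributeError):
        return False


def _backup_dir(path, backup_root):
    # Mirror the absolute directory of the target under backup_root (assumed layout).
    return Path(backup_root) / Path(path).resolve().parent.relative_to("/")


def backup_before_write(path, backup_root, labeled=is_labeled):
    """The hook body: run before a write to `path` is allowed.

    Returns the path of the new backup copy, or None when the file is not
    labeled, so unlabeled files cost nothing (the slides' answer to the
    performance concern). Every call creates a fresh numbered version, so a
    loop that modifies the file in place several times cannot overwrite the
    copies taken earlier.
    """
    path = Path(path)
    if not path.is_file() or not labeled(path):
        return None
    dest_dir = _backup_dir(path, backup_root)
    dest_dir.mkdir(parents=True, exist_ok=True)
    n = 0
    while (dest_dir / f"{path.name}.{n}").exists():
        n += 1
    dest = dest_dir / f"{path.name}.{n}"
    shutil.copy2(path, dest)     # contents plus mode/timestamps of the pre-write state
    return dest


def guarded_write(path, data, backup_root, labeled=is_labeled):
    """Model of a write on the file server: hook first, then the write lands."""
    backup = backup_before_write(path, backup_root, labeled)
    with open(path, "wb") as f:
        f.write(data)
    return backup


def versions(path, backup_root):
    """Saved pre-write versions of `path`, oldest first, as bytes."""
    path = Path(path)
    dest_dir = _backup_dir(path, backup_root)
    out = []
    n = 0
    while (dest_dir / f"{path.name}.{n}").exists():
        out.append((dest_dir / f"{path.name}.{n}").read_bytes())
        n += 1
    return out


def demo():
    """Slide 21's scenario in a temp dir: a labeled file is overwritten in
    place twice (no delete, so a recycle bin sees nothing), yet every
    pre-write version stays recoverable.
    Returns (current contents, list of saved versions)."""
    with tempfile.TemporaryDirectory() as tmp:
        target = Path(tmp) / "h123"          # file name from the slides' ls output
        backups = Path(tmp) / "backup"
        target.write_bytes(b"original contents\n")   # constructed sample data
        try:
            label_file(target)
            labeled = is_labeled
        except (OSError, AttributeError):
            labeled = lambda p: True         # no user xattrs here: treat as labeled
        guarded_write(target, b"ENCRYPTED-1", backups, labeled)   # constructed overwrite
        guarded_write(target, b"ENCRYPTED-2", backups, labeled)
        return target.read_bytes(), versions(target, backups)


if __name__ == "__main__":
    current, saved = demo()
    print("current:", current)
    for i, v in enumerate(saved):
        print(f"version {i}:", v)
```

The point the kernel hook makes is the ordering: the copy exists before the modifying write is allowed through, which is exactly what the fanotify events of slide 25 (delivered after the write) cannot give you. Keeping the label check in front of the copy is what bounds the cost to the files an administrator chose to protect.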