[clug] Ransomware: Cheap Solutions for SME's?

steve jenkin sjenkin at canb.auug.org.au
Sun Mar 6 04:17:26 UTC 2022


Reading about the size and prevalence of ransomware attacks just in the USA ($400M ransoms paid in 2021, $20B costs incurred),
it occurred to me that Linux as a VM Host might be both simple to roll out to existing PCs in SMEs and easily automated enough for Microsoft Admins to adopt.

There’s a “powershell” port for Linux supported by Microsoft - making scripting and remote admin tasks more easily accessible to Microsoft-only trained Admins.

The commercial VM tools would already provide, at a cost, solutions to most or all of these questions.

Links to commercial solutions will be useful to some, not all, on this list.

The biggest hurdle in commercial VM tools for Admins working to support networks of Microsoft PCs and laptops in SMEs is getting trained and “Certified” in Commercial VM tools, as they rarely have any free time or another admin to support the business if they are away for any reason.

regards
steve jenkin

===================
background
===================

Backblaze sent an email with a link to their e-book "The Complete Guide to Ransomware”.
There’s a link at the end of the following article for anyone who wants to give up some data in return for the e-book.

	Guide to How to Recover and Prevent a Ransomware Attack
 		<https://www.backblaze.com/blog/complete-guide-ransomware/>
		[ www.backblaze.com / blog / complete-guide-ransomware / ] [for link manglers]

The blog post includes a number of links; however, some other related & useful blog posts are:

	Testing Your Ransomware Readiness
		<https://www.backblaze.com/blog/testing-your-ransomware-readiness/>
		[  www.backblaze.com / blog / testing-your-ransomware-readiness / ] [for link manglers]

	Ransomware Takeaways From Q4 2021
		<https://www.backblaze.com/blog/ransomware-takeaways-from-q4-2021/>
		[ www.backblaze.com / blog / ransomware-takeaways-from-q4-2021 / ] [for link manglers]

Surveys suggest 75% of ransomware attacks are against SMEs - what you’d expect given the proportion of the workforce & Enterprise Security stances -
with the two largest groups attacked being “Healthcare” and “Professional Services”.

The average time-impact of a ransomware attack was “23 days” - even if calendar days, it’s over 3 weeks without any IT systems.

We know from Fire Insurance data that 70%-80% of businesses that suffer a major fire never reopen or fail within 3 years.
Having a (tested) Business Continuity Plan considerably improves the odds of survival.

	[Source: www.continuitycentral.com ]

It’s unclear if “Schools”, not broken out in the following graphic, are classed as “Public Sector” or not. They are a major target for ransomware.

	<https://www.backblaze.com/blog/wp-content/uploads/2020/10/image2-1.png>
	[ www.backblaze.com / blog / wp-content / uploads / 2020 / 10 / image2-1.png ] [for link manglers]

In 2020, the figure reported for “ransom paid but files NOT restored” was 42%.
It’s a gamble you’ll get your data back, even if you pay the ransom.

I’m amazed "failure to restore" is so low:

	Criminals, by their actions, prove they don’t respect cultural norms,
	have no reputation to protect or need to ‘build trust’ with ‘clients’,
	and seemingly have no incentive to ever keep their word.


===================
Questions
===================


1. Has anyone seen or created a small, read-only “root” filesystem for desktop/laptop PCs similar to the loopback mount technique of Embedded Devices?

	- this approach has an update & distribution problem:
		the root filesystem cannot, by design, be updated, requiring a special boot / install / update mode, transparent to Ordinary Users

	- “Live” distros need “Persistence” for User Data, if pure Linux.

	- to be generally useful, the read-only filesystem must contain “All” Applications users at a site need,
		requiring something like the Live Distros created for the Education & Academic sectors.

	- there are already many Cloud Providers with (VM Guest) Linux images supported & provided on the Internet to leverage, though not, presumably, for “GUI / Desktop” use.

	- are there any VM Host images provided, under which the VM Guest images can be run?


———————————


2. An obvious extension for the Small & Medium Enterprise market of this read-only root filesystem approach,
	is running a “corporate” desktop (MS-Windows) in one or more Virtual Machine Guests / instances.

	- Microsoft have “cloud images” for Azure, so perhaps have, or could provide, robust base images that could be run under Linux as Guest VM’s.
		Microsoft have license key requirements and license enforcement that need to be supported to allow their software to run.
		I presume with Azure “Cloud” instances, there’s well known mechanisms to support MSFT licensing.

	- VM’s already provide different levels of data persistence, snapshots and rollback:
		all the tools & features required in the ransomware report.

	- VM’s can be suspended for Host power-down or sleep, creating very fast apparent boot-time for users.
		With simple administration tools to ‘refresh’ or ‘push’ updated guest O/S images to each VM Host system.
		Unsure how, or if, ‘running’ applications & their state can be preserved if a new base image is ‘pushed’.
		Nor if persistent data can be saved for a Guest instance before it is forced to restart using a new base image.

	- A single “Base Image” can be distributed to all machines on a network, with good checksums and stored on a read-only mount filesystem,
		allowing frequent self-verification by VM Host systems.

	- Extra layers of security can be provided by leveraging non-VM technologies, like LXC containers,
		to run, with isolated filesystems, applications more likely to be malware vectors, e.g. Web browsers and Email.

		Many Free or Open Source browser & email clients for Linux exist that “work the same”, satisfying most workplaces.

		Should downloaded files & email be isolated from all other VM instances, limiting the possible extent of damage?
			If so, what mechanisms / tools allow file transfer between ‘protected’ environments?
			The same problem seen inside Agencies who deal with Classified Data, who’ve implemented trusted “Read-Down, Write-Up” for decades.


———————————


3. Any attempts to write to read-only mounted filesystems should trigger a security alert and an immediate “freeze” of the suspect VM instance,
		preventing damage & keeping a point-in-time snapshot for later forensic analysis.

	How is this done already?
		It must be a well known & supported function of VM administration, but I’m unsure of the search terms, let alone how to find good tools.


———————————


4. I’ve no idea how to create, run and check “network” filesystems needed for Users to save & share files, with needed versioning, snapshots & rollback.

	SAMBA & NFS v4 are obvious candidates to share files between VM instances, or just within one VM Host, but don’t support the required “deltas”.

		Are there well developed & tested tools / solutions for the necessary filesystem checks & protections? I don’t know search terms or where to look.
		Like security event “triggers” for attempted writes to read-only filesystems, there needs to be automatic detection & immediate response to identified “events”.


———————————


5. Remote Network access for VM Guests.

	Laptops used for remote access to workplace files must support both isolated / firewalled Work & Personal environments,
		and also only connect VPN’s to select VM Guest instances, preferably during restricted hours.

	This should be a well-solved problem by now, without resorting to commercial VM software.
	Any hints on links & search terms appreciated.


===================
--
Steve Jenkin, IT Systems and Design 
0412 786 915 (+61 412 786 915)
PO Box 38, Kippax ACT 2615, AUSTRALIA

mailto:sjenkin at canb.auug.org.au http://members.tip.net.au/~sjenkin
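The checksummed base image on a read-only mount from question 2 (and the loopback-mounted read-only root of question 1) can be sketched as a small host-side script. This is an added example, not code from Steve's post or from any product he mentions. Everything in it is assumed: images under a hypothetical $IMAGE_DIR, a manifest SHA256SUMS produced with sha256sum(1) on the build host, and exposure to guests as a read-only loop mount; the real mount only runs as root with DRY_RUN=0, otherwise the command is printed.

```shell
#!/bin/bash
# Added example (not from the original post): verify a shared VM base image against a
# sha256sum(1) manifest before exposing it to guests read-only via a loop mount.
# Assumed layout (hypothetical): $IMAGE_DIR holds the images and $IMAGE_DIR/SHA256SUMS
# is the manifest written on the build host with "sha256sum *.img > SHA256SUMS".

IMAGE_DIR="${IMAGE_DIR:-/srv/vm-images}"
MANIFEST="${MANIFEST:-$IMAGE_DIR/SHA256SUMS}"
DRY_RUN="${DRY_RUN:-1}"   # 1: print the mount command instead of running it

# verify_image IMAGE
#   returns 0 when IMAGE's sha256 matches its manifest entry,
#   1 on mismatch (image changed or replaced), 2 when the manifest has no entry for it.
verify_image() {
    local image="$1" name expected actual
    name=$(basename "$image")
    # manifest lines look like "<sha256>  <filename>", so $2 is the file name
    expected=$(awk -v n="$name" '$2 == n { print $1 }' "$MANIFEST" 2>/dev/null)
    if [ -z "$expected" ]; then
        echo "verify_image: no manifest entry for $name" >&2
        return 2
    fi
    actual=$(sha256sum "$image" | awk '{ print $1 }')
    if [ "$actual" != "$expected" ]; then
        echo "verify_image: MISMATCH for $name: manifest $expected, on disk $actual" >&2
        return 1
    fi
    return 0
}

# mount_base_ro IMAGE MOUNTPOINT
#   loop-mounts the image read-only, and only after verification succeeds.
mount_base_ro() {
    local image="$1" mnt="$2"
    verify_image "$image" || return $?
    if [ "$DRY_RUN" = 1 ]; then
        echo "would run: mount -o loop,ro '$image' '$mnt'"
        return 0
    fi
    mount -o loop,ro "$image" "$mnt"
}

# make_fixture DIR
#   builds a constructed sample image plus manifest in DIR (demo/test data only).
make_fixture() {
    local dir="$1"
    mkdir -p "$dir"
    printf 'constructed base image contents\n' > "$dir/base.img"
    ( cd "$dir" && sha256sum base.img > SHA256SUMS )
}

# demo: verify a clean image, then tamper with it and verify again.
demo() {
    local dir
    dir=$(mktemp -d)
    make_fixture "$dir"
    MANIFEST="$dir/SHA256SUMS"
    mount_base_ro "$dir/base.img" /mnt/base          # prints the mount command (DRY_RUN=1)
    printf 'x' >> "$dir/base.img"                    # simulate a modified base image
    if verify_image "$dir/base.img"; then
        echo "unexpected: modified image verified"
    else
        echo "modified image rejected with rc=$?"
    fi
    rm -rf "$dir"
}

demo
```

The point of the split into verify_image and mount_base_ro is that the host never attaches an image it has not just re-hashed; the same verify_image call can be run from cron to give the "frequent self-verification by VM Host systems" the post asks for, with a non-zero exit as the alert.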
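Question 3 asks how a write attempt against a read-only mounted filesystem can raise an alert and freeze the guest. One host-side way to do it, shown here as an added example that is not from the post, is to let auditd watch the base image and have a script act on the denied writes. All of the following are my assumptions: the image is watched with `auditctl -w /srv/vm-images/base.img -p wa -k ro_image_write`, so a process that tries to open it for writing gets EROFS and a SYSCALL record with `success=no exit=-30` and that key lands in the audit log; guests run under libvirt/QEMU from a writable overlay whose backing file is the read-only base, so a write to the base itself is never legitimate; libvirt keeps each domain's QEMU pid in `/run/libvirt/qemu/<domain>.pid`; and the response is `virsh suspend <domain>`, which pauses the guest with memory and disk intact for forensics. The audit lines in the fixture are constructed, not captured.

```shell
#!/bin/bash
# Added example (not from the original post): detect denied writes to a read-only
# VM base image from the host's audit log and freeze the offending guest.
# Assumptions (hypothetical): an auditd watch with key $AUDIT_KEY on the image,
# libvirt pid files in $PIDDIR/<domain>.pid, and "virsh suspend" as the response,
# which is printed rather than executed while DRY_RUN=1.

AUDIT_LOG="${AUDIT_LOG:-/var/log/audit/audit.log}"
PIDDIR="${PIDDIR:-/run/libvirt/qemu}"
AUDIT_KEY="${AUDIT_KEY:-ro_image_write}"
DRY_RUN="${DRY_RUN:-1}"

# failed_write_pids LOGFILE
#   prints, one per line, each pid that got EROFS (exit=-30) on the watched image.
failed_write_pids() {
    awk -v k="key=\"$AUDIT_KEY\"" '
        /type=SYSCALL/ && /success=no/ && /exit=-30/ && index($0, k) {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^pid=/) { sub(/^pid=/, "", $i); print $i }
        }' "$1" | sort -u
}

# domain_for_pid PID
#   prints the libvirt domain whose QEMU process has PID; "unknown" and rc 1 otherwise.
domain_for_pid() {
    local f
    for f in "$PIDDIR"/*.pid; do
        [ -f "$f" ] || continue
        if [ "$(cat "$f")" = "$1" ]; then
            basename "$f" .pid
            return 0
        fi
    done
    echo "unknown"
    return 1
}

# freeze_domain NAME -> pause the guest; memory and disk state stay as they were.
freeze_domain() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "would run: virsh suspend $1"
    else
        virsh suspend "$1"
    fi
}

# respond LOGFILE -> alert on stderr and freeze every guest that tried to write.
respond() {
    local pid dom
    for pid in $(failed_write_pids "$1"); do
        dom=$(domain_for_pid "$pid") || true
        echo "ALERT: denied write to read-only base image by pid $pid (domain: $dom)" >&2
        if [ "$dom" != unknown ]; then
            freeze_domain "$dom"
        fi
    done
}

# make_audit_fixture DIR -> constructed pid files and audit records for the demo/test:
#   a permitted read, a denied write by the guest's QEMU, and a denied write on another watch.
make_audit_fixture() {
    local dir="$1"
    mkdir -p "$dir/qemu"
    echo 2468 > "$dir/qemu/win10-sales.pid"
    echo 2470 > "$dir/qemu/win10-admin.pid"
    cat > "$dir/audit.log" <<'EOF'
type=SYSCALL msg=audit(1646540000.101:201): arch=c000003e syscall=257 success=yes exit=5 ppid=1 pid=2468 uid=0 comm="qemu-system-x86" exe="/usr/bin/qemu-system-x86_64" key="ro_image_write"
type=SYSCALL msg=audit(1646540000.202:202): arch=c000003e syscall=257 success=no exit=-30 ppid=1 pid=2468 uid=0 comm="qemu-system-x86" exe="/usr/bin/qemu-system-x86_64" key="ro_image_write"
type=SYSCALL msg=audit(1646540000.303:203): arch=c000003e syscall=257 success=no exit=-30 ppid=1 pid=3131 uid=1000 comm="cp" exe="/usr/bin/cp" key="other_watch"
EOF
}

demo() {
    local dir
    dir=$(mktemp -d)
    make_audit_fixture "$dir"
    PIDDIR="$dir/qemu"
    respond "$dir/audit.log"     # prints: would run: virsh suspend win10-sales
    rm -rf "$dir"
}

demo
```

Run it periodically over new audit records (or feed it from `ausearch -k ro_image_write`) and the alert is the first line of the incident record; suspending rather than destroying the guest keeps the point-in-time state the post wants for later analysis.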



