Wednesday, May 17, 2017

I WannaCry - Don't get ransomware

Backup process to avoid Ransomware.

This process will off course not protect me from getting my disk encrypted, but at least it will prevent my backups from also getting encrypted. I fear many people at home or at work don't have a good process to verify their data status and backup as well. 

How do I know If I got a ransomware on my NAS?
How do I prevent my backup from running if I got a ransomware?

For me I found myself a handy solution, my NAS rarely change a lot of files, most of them are static so a script that will check the number of changed files during the last 24h is sufficient.

The script will update Domoticz via json and set a Dummy Switch to 'Off' if there are too many files and also set a Dummy Alert with log. The Dummy Switch has a notification that will send me an email about the situation. The script will then bail out and no rsync between primary and secondary disk will occur.

The next day when the script starts again, by crontab, it will first check the status from Domoticz for the Dummy Switch, if that still is set to 'Off' no backup will occur and a new Log entry will be set for the utility Dummy Alert.

I then need to manually verify why I got more changed files than I expected on my NAS and then set my Dummy switch 'NAS_Backup_Script' to 'On' again.

Additional security to this script is to have a honeypot folder with documents of type that most ransomware will attack, and monitor any change in there, this method is a very good indication that you have some kind of intrusion in your network.

Other solutions could be if you got version based incremental backups to monitor the growth of the backup and have limits with alerts.

Find my process, and scripts at my GitHub