Ransomware Protection

Introduction

Ransomware is an ever-present threat, both for large enterprises as well as for individuals. Once infected, a whole hard disk (or just parts of it) can become encrypted, leading to unrecoverable data loss.

Once this happens, attackers usually ask victims to pay a ransom, often via cryptocurrencies such as Bitcoin, in exchange for the decryption key required to decrypt their data.

While paying the ransom works in some cases, it is not recommended, as there is no guarantee that the attackers will supply the key after payment is made. To help mitigate such threats and ensure ongoing access to user data, ownCloud provides the Ransomware Protection app.

It is essential to be aware that user data needs to be synchronized with you ownCloud Server using the ownCloud Desktop synchronization client. Data that is not synchronized and stored in ownCloud cannot be protected.

About Ransomware Protection

The app is tasked with detecting, preventing, and reverting anomalies. Anomalies are file operations (including create, update, delete, and move) not intentionally conducted by the user. It aims to do so in two ways: prevention, and protection.

Prevention: Blocking Common Ransomware File Extensions

Like other forms of cyberattack, ransomware has a range of diverse characteristics. On the one hand it makes them hard to detect and on the other it makes them even harder to prevent. Recent ransomware attacks either encrypt a user’s files and add a specific file extension to them (e.g., .crypt), or they replace the original files with an encrypted copy and add a particular file extension.

File Extension Blacklist

The first line of defense against such threats is a blacklist that blocks write access to file extensions known to originate from ransomware.

Ransomware Protection ships with a static extension list of more than 3,000 file extensions. As new extensions are regularly created, this list also needs to be regularly reviewed and updated. Future releases of Ransomware Protection will include an updated list and the ability to update the list via syncing with FSRM’s API by using an occ command

Please check the provided ransomware blacklist! It is strongly recommended to check the provided ransomware blacklist to ensure that it fits your needs. In some cases, the patterns might be too generic and result in false positives.

File Blocking

The second line of defense is file blocking. As files are uploaded, they are compared against the file extension blacklist. If a match is found, the upload is denied.

File blocking is always enabled.

Account Locking

The third line of defense is account locking. If a client uploads a file matching a pattern in the ransomware blacklist, the account is locked (set as read-only) for client access (create, change, move, and delete operations). Doing this prevents further, malicious, changes.

Following this, clients receive an error (403 Access Forbidden) which notifies the user that the account is locked by Ransomware Protection.

Write access (e.g., moving and deleting files) is still possible for users when they log in with their web browser.

When an account is locked, administrators can unlock the account using the occ ransomguard:unlock command. Administrators can also manually lock user accounts, using the occ ransomguard:lock command.

When an account is locked, it will still be fully usable from the ownCloud web UI. However, ownCloud clients (as well as other WebDAV clients) will see the account as set to read-only mode.

Users will see a yellow notification banner in the ownCloud web UI directing them to Settings  Personal  Security (Ransomware detected: Your account is locked (read-only) for client access to protect your data. Click here to unlock.), where additional information is displayed and users can unlock their account when ransomware issues are resolved locally.

Locking is enabled by default. If this is not desired, an administrator can disable it in the Settings  Admin  Security panel.

Protection: Data Retention and Rollback

While Ransomware Prevention mitigates risks of a range of ransomware attacks, it is not a future-proof solution, because ransomware is becoming ever-more sophisticated. There are known attacks that change file extensions randomly or keep them unchanged which makes them harder to detect.

Ultimately there is a consensus that only one solution can provide future-proof protection from ransomware attacks: retaining data and providing the means to roll back to a particular point in time.

ownCloud Ransomware Protection will, therefore, record all changes on an ownCloud Server and allow administrators to rollback user data to a particular point in time, making use of ownCloud’s integrated Versioning and Trash bin features.

Doing so allows all user data that is synchronized with the server to be rolled back to its state before the attack occurred. A combination of Ransomware prevention and protection reduces risks to a minimum acceptable level.

Other Elements of Ransomware Protection

Name Command (if applicable) Description

Ransomware Prevention (Blocker)

First line of defense against ransomware attacks. Ransomware Protection uses a file name pattern blacklist to prevent uploading files that have file extensions associated with ransomware (e.g. .crypt) thereby preserving the original files on the ownCloud Server.

Ransomguard Scanner

occ ransomguard:scan <timestamp> <user>

A command to scan the ownCloud database for changes in order to discover anomalies in a user’s account and their origin. It enables an administrator to determine the point in time when undesired actions happened as a prerequisite for restoration.

Ransomguard Restorer

occ ransomguard:restore <timestamp> <user>

A command for administrators to revert all operations in a user account that occurred after a certain point in time.

Ransomguard Lock

occ ransomguard:lock <user>

Set a user account as read-only for ownCloud and other WebDAV clients. This prevents any further changes to the account.

Ransomguard Unlock

occ ransomguard:unlock <user>

Unlock a user account which was set to read-only.

Ransomguard Blacklist Set-File

occ ransomguard:blacklist:set-file <filePath>

Define the location of the required blacklist file.

Ransomguard Blacklist From-File

occ ransomguard:blacklist:update:from-file <filePath>

Update the blacklist file with content from another file.

Ransomguard Blacklist From-Site

occ ransomguard:blacklist:update:from-site <siteUrl>

Update the blacklist file with content from a URL.

<timestamp> must be in the Linux timestamp format.

Requirements

Mandatory

  1. File Firewall rule (previous approach for ransomware protection). If you have configured the File Firewall rule which was provided as a preliminary protection mechanism, please remove it. The functionality (Blocking) is covered by Ransomware Protection in an improved way.

  2. Ransomware Protection. Ransomware protection needs to be in operation before an attack occurs, as it needs to record file operations to be able to revert them, in case of an attack.

  3. ownCloud Versions App. Required to restore older file versions. The capabilities of Ransomware Protection depend on its configuration regarding version retention.

  4. ownCloud Trash Bin App. Required to restore deleted files. The capabilities of Ransomware Protection depend on its configuration regarding trash bin retention.

Optional

  1. Activity app. For viewing activity logs.

Limitations

  • Ransomware Protection works with master-key based storage encryption. With credential-based storage encryption, only Ransomware Prevention (Blocking) works.

  • Rollback is not based on snapshots:

    • The trash bin retention policy may delete files, making them unrecoverable. To avoid this, set trashbin\_retention\_obligation to disabled, or choose a conservative policy for trash bin retention. However, please be aware that this may increase storage requirements.

    • Trash bin items may be deleted by the user making them unrecoverable by Ransomware Protection ⇒ Users need to know this.

    • Versions have a built-in thin-out policy which makes it possible that required file versions are unrecoverable by Ransomware Protection. To help avoid this, set versions\_retention\_obligation to disabled or choose a conservative policy for version retention. Please be aware that this might increase your storage needs.

  • A specific version of a file that is needed for rollback might have been manually restored, making this version potentially unrecoverable by Ransomware Protection. Currently, after restoration the restored version is not a version anymore, e.g., the version is not present in versioning.

  • Recovery capabilities in received shared folders are currently limited. Changed file contents and deletions can be restored but MOVE operations can’t. The case when a ransomware attack renames files in a received shared folder is therefore not yet covered.

  • Contents in secondary storages, such as Windows network drives, Dropbox, and Google Drive, are unrecoverable by Ransomware Protection, because they do not have versioning or trash bin enabled in ownCloud.

  • Rolling files forward is not currently supported or tested. Therefore it is vital to:

    • Carefully decide the point in time to rollback to.

    • To have proper backups to be able to conduct the rollback again, if necessary.