Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
How does Synology BTRFS file format prevent ransomware again?
511 views
Skip to first unread message
RayLopez99
Jun 16, 2022, 6:54:19 PM6/16/22
to
I have a Synology NAS and am learning it. Somewhere I briefly read that it is used to combat ransomware, since it has a file format "BTRFS" that's somehow immune (that was the implication).
But I can't figure it out.
From what I can tell, if you want to backup your Windows PC: 1) you set up a shared drive on the NAS in your local area network and then backup to it, using BTRFS file format on the NAS 2) you don't map the shared drive (i.e., it cannot be seen from your PC, this is a security safeguard) but instead you log into the shared drive using your browser 3) you use the Synology backup tools like Hyper Backup to backup 4) you keep the files (on the NAS) in the format "btrfs" 5) you use incremental backups and "snapshots" to take snapshots of your PC hard drive, with the snapshots rotating (data retention policy) of X times before overwrite.
Now your PC is infected with ransomware or a virus. However, somehow (it's not clear) the NAS has pristine copies of your PC (the snapshot) that you can use, after of course wiping clean your infected machine of malware/viruses, to log into the NAS shared drive, and restore.
Why is this foolproof? I guess it's because the ransomware cannot "see" the shared drive? Or is the BTRFS file format somehow immune to encryption?
But I can't figure it out.
From what I can tell, if you want to backup your Windows PC: 1) you set up a shared drive on the NAS in your local area network and then backup to it, using BTRFS file format on the NAS 2) you don't map the shared drive (i.e., it cannot be seen from your PC, this is a security safeguard) but instead you log into the shared drive using your browser 3) you use the Synology backup tools like Hyper Backup to backup 4) you keep the files (on the NAS) in the format "btrfs" 5) you use incremental backups and "snapshots" to take snapshots of your PC hard drive, with the snapshots rotating (data retention policy) of X times before overwrite.
Now your PC is infected with ransomware or a virus. However, somehow (it's not clear) the NAS has pristine copies of your PC (the snapshot) that you can use, after of course wiping clean your infected machine of malware/viruses, to log into the NAS shared drive, and restore.
Why is this foolproof? I guess it's because the ransomware cannot "see" the shared drive? Or is the BTRFS file format somehow immune to encryption?
Paul
Jun 16, 2022, 7:30:16 PM6/16/22
to
snapshots very quickly, In the same way that Windows has VSS.
With Windows, there is a ten second quiescence period before
the snapshot is made.
I don't really know if that's much of a feature. In the sense
that if the NAS has any exploits the malware knows, it can just
climb on board the NAS OS and do whatever it wants.
The notion of a snapshot only makes sense if the device is
a "fortress" and is "impenetrable". And the typical home computer
room has none of that. Just about everything you own, has exploits.
That's why, unless you have offline backups and the offline backups
do not contain a "sleeping ransomware", you really don't have much
of anything to rely on.
One person in another group, fell for a phishing email, double-clicked
an attachment that claimed to be an invoice, the entire computer
room was wiped out by ransomware. It took months to reinstall stuff,
because his backup situation wasn't very good. Just like me,
he didn't know which license key belonged to which machine :-)
I don't know how everything in the computing world works, but
my assumption is, the things we use are going to fail, rather than
succeed. If you hire people to make backups every day, you might
get a little closer to building a survivable computer room.
Just because you set a schedule in Macrium and let it run,
does not mean on a given day when the room is attacked,
that you actually have a good backup in hand. Back when I had
RAM trouble on a machine here, testing several backups on
that machine indicated the backup was corrupt. The proper handling
of backups can be a full time job for someone.
Paul
RayLopez99
Jun 19, 2022, 4:23:09 AM6/19/22
to
I just will say the entire Synology NAS thing is a bit overrated, in that I think, since I bought it for home use, some simple air-gapped USB external drives would be sufficient for me. That said, it's fun to go back to the Linux days (I played around with Linux around 25 years ago) and set permissions and some such.
I agree with everything you say, that Murphy's Law applies with restores. I do like the Synology concept of 'VM' virtual restores (so you can pick and choose from the various "snapshots' and backups what versions of files you want, and I am getting the hang of data retention rules) but you need powerful hardware which I don't have. Otherwise it takes forever. For example, with the ten year old Intel machines I have around the house, I found the wireless access speeds to transfer data to and from the Synology NAS to your PC are about 10 Mbps, which is I think a little slower than the USB 3.0 speeds I have in practice (which are I think about 30 Mbps or so). So Synology backups are actually slower than Macrium USB external HDD backups, with the only advantage is that you don't have to physically connect an external USB drive to a bunch of PCs and tablets to back them up, once the Synology NAS is set up (which is not trivial, since the Synology OS is seemingly Linux based, and accessed through your web browser and not IMO as easy as Windows). So a Synology NAS is for lazy people in most homes, unless you have a huge number of people.
The only other advantage of Synology from what I can tell is you can set up RAID (I have RAID 1 = mirroring) for your archived data. And the 220+ unit I have is very quiet and the processor in it, a Intel Celeron J4025 2-core 2.0 GHz, is energy efficient and doesn't overheat and run the fan much. But the Celeron setup is underpowered for Virtual Machine restores from what some people online say.
I'm trying to get Synology Photo working, without much success (they have a new version and documentation from Synology is non-existent) but honestly I don't see myself using Synology to share photos, since Google Photos is so much easier albeit more expensive. But you get what you pay for, and, as you say, if you don't pay for a full-time backup IT guy, you'll likely find your home "cloud" is inferior to what Google does professionally.
RL
RayLopez99
Jun 19, 2022, 4:30:18 AM6/19/22
to
On Thursday, June 16, 2022 at 7:30:16 PM UTC-4, Paul wrote:
> On 6/16/2022 6:54 PM, RayLopez99 wrote:
> > I have a Synology NAS and am learning it. Somewhere I briefly read that it is used to combat ransomware, since it has a file format "BTRFS" that's somehow immune
> >
> > I have a Synology NAS and am learning it. Somewhere I briefly read that it is used to combat ransomware, since it has a file format "BTRFS" that's somehow immune
> >
> > Why is this foolproof? I guess it's because the ransomware cannot "see" the shared drive? Or is the BTRFS file format somehow immune to encryption?
> >
> Overhearing the conversation in a Linux group, BTRFS can make
> snapshots very quickly, In the same way that Windows has VSS.
> With Windows, there is a ten second quiescence period before
> the snapshot is made.
>
> I don't really know if that's much of a feature. In the sense
> that if the NAS has any exploits the malware knows, it can just
> climb on board the NAS OS and do whatever it wants.
>
> The notion of a snapshot only makes sense if the device is
> a "fortress" and is "impenetrable". And the typical home computer
> room has none of that. Just about everything you own, has exploits.
>
> That's why, unless you have offline backups and the offline backups
> do not contain a "sleeping ransomware", you really don't have much
> of anything to rely on.
> Paul
> >
> Overhearing the conversation in a Linux group, BTRFS can make
> snapshots very quickly, In the same way that Windows has VSS.
> With Windows, there is a ten second quiescence period before
> the snapshot is made.
>
> I don't really know if that's much of a feature. In the sense
> that if the NAS has any exploits the malware knows, it can just
> climb on board the NAS OS and do whatever it wants.
>
> The notion of a snapshot only makes sense if the device is
> a "fortress" and is "impenetrable". And the typical home computer
> room has none of that. Just about everything you own, has exploits.
>
> That's why, unless you have offline backups and the offline backups
> do not contain a "sleeping ransomware", you really don't have much
> of anything to rely on.
As you imply, I have read two different things about ransomware: one says ransomware works very quickly, encrypting files within ten seconds. The other says the opposite, that ransomware might take several weeks to infect your entire drive. Hence the need for frequent snapshots (in Synology). It makes sense that both things could be true, that ransomware can be both fast and slow. The slow kind is probably the worse, since it forces you to maintain lots of versions of your files.
RL
Paul
Jun 19, 2022, 5:22:24 AM6/19/22
to
On 6/19/2022 4:30 AM, RayLopez99 wrote:
> As you imply, I have read two different things about ransomware: one says ransomware works very quickly, encrypting files within ten seconds. The other says the opposite, that ransomware might take several weeks to infect your entire drive. Hence the need for frequent snapshots (in Synology). It makes sense that both things could be true, that ransomware can be both fast and slow. The slow kind is probably the worse, since it forces you to maintain lots of versions of your files.
>
> RL
Hard drives support encryption of contents.
> As you imply, I have read two different things about ransomware: one says ransomware works very quickly, encrypting files within ten seconds. The other says the opposite, that ransomware might take several weeks to infect your entire drive. Hence the need for frequent snapshots (in Synology). It makes sense that both things could be true, that ransomware can be both fast and slow. The slow kind is probably the worse, since it forces you to maintain lots of versions of your files.
>
> RL
If you carry out the operation to "change the key"
inside the drive, the data is instantly erased.
That's an example of a fast mechanism for a ransomware,
using the drive to make the data inaccessible instantly.
*******
You may look at your hard drive, and say to me "but my
drive does not encrypt". It does, but it uses the default
key. It's never apparent to you, that the data-bits on
the platter, do not match what you see outside the drive.
I have no documentation, but this is part of the reason,
that if a hard drive controller board fails today,
you transfer the ROM from the old controller board to
the new controller board. If the ROM is burned by
excessive voltage, you're screwed.
On older hard drives, you could change between
controller boards, with no soldering required. On
newer hard drives, you have to move the ROM from
the defective board, onto the new/working board.
I don't know if any of this is addressed in the
latest ATA/ATAPI spec or not (gives hints you would
need to back up assertions like this).
Also, something else I've seen in a news article, is
that the drive internal encryption method is buggy. Microsoft,
when doing BitLocker, offers an option to use the
drive crypto instead of the BitLocker algo. You should
not accept that kind offer, as the integrity of the
drive methods (hardware accelerated) are unknown.
These are some of the "vast unknowns" hiding in our
tech products. Features you might never suspect are
in there.
Paul
RayLopez99
Jun 20, 2022, 4:35:09 AM6/20/22
to
Fascinating stuff Paul, thanks.
RL
0 new messages