Feasibility of RPi as fileserver to avoid ransomware?

7up · ‎01-08-2007

This ransomware thing isn't going to go away thanks to the USA creating the exploits and what with me being a bit slow at regular backups, I'm finding myself thinking it's only a matter of time until I finally take "the hit". I'm normally pretty good with PC security and haven't been hit with anything major for around a decade but with that said, it's just a matter of time before one of these CIA / NSA exploits gets the better of me.

So I'm looking at getting my external USB drive(s) off windows and was wondering if any of you have any experience of using a RPi for the job? - Ideally left running 24/7?

My thinking is this.. the ransomware keeps targetting windows systems (at the moment anyway) and encrypting files on drives en-masse would either require copying / encrypting every file as a stream off and back onto the disk or encrypting the file tables / boot records. If the nasty is going to do the latter then it won't be able to target them on a networked drive that it only has access to as a share... or am I missing something? - I mean i've never been able to defrag a networked drive so i'm assuming that similar low level disk access wouldn't be available to *ware too.

I'm also mulling over converting my big rig to *nix and then running windows in VMs on it instead.. that would at least allow instant backups if they get hit while the underlying OS remains usable.. not that i can tolerate the noise from it lol.

I need a new signature... i'm bored of the old one!

Anonymous · ‎28-06-2017

Doing what you are suggesting can be done easily in a few hours, and leaving it on 24/7 isn't an issue but I would recommend a heatsink for the ARM.

Just remember to use an account that has read only permissions for the mounted share on Windows otherwise it too could fall victim as it will appear as another drive as far as any malware is concerned.

VileReynard · ‎01-09-2007

Unfortunately the RPi shares ethernet and USB connections over a USB2 "bus".

This means that it is very slow.

Unfortunately, the only way to get a reasonable speed would be to put Linux on an unwanted laptop (removing the screen).

"In The Beginning Was The Word, And The Word Was Aardvark."

Anonymous · ‎28-06-2017

@7up - @VileReynard's right, network I/O is not the best so repurposing an old PC or Laptop would be a better option, but you could always try it and see.

7up · ‎01-08-2007

@Anonymous wrote:

Doing what you are suggesting can be done easily in a few hours, and leaving it on 24/7 isn't an issue but I would recommend a heatsink for the ARM.

Just remember to use an account that has read only permissions for the mounted share on Windows otherwise it too could fall victim as it will appear as another drive as far as any malware is concerned.

Hmm the read only thing concerns me here..

I obviously need to be able to write files to the network share too. As I said previously obviously if a process is going to read the filestream and encrypt it on the fly and write it back i'm stuffered - but thats the case with any network share.

What I am explicitly asking is.. will a process on a windows machine be able to encrypt the file table or boot record of a drive on a linux machine?

As for USB speed my big rig is usb 2 iirc and i think the smaller single core might be too - so i'm not overly concerned in that respect. I just need something low power that can be left running...

I need a new signature... i'm bored of the old one!

Anonymous · ‎28-06-2017

Unless that particular exploit (process) can escalate to root on your Pi to trash it then No. The risk would be miniscule to say the least, but that's not to say it couldn't at some point in the future. Malware is always mutating.

VileReynard · ‎01-09-2007

But Windows could still corrupt (or encrypt) user data files to which you have write access to.

The best protection against ransomware is frequent backups.

"In The Beginning Was The Word, And The Word Was Aardvark."

7up · ‎01-08-2007

@VileReynard wrote:

But Windows could still corrupt (or encrypt) user data files to which you have write access to.

The best protection against ransomware is frequent backups.

Yes I've made it more than clear that I am aware of that first point!

As for the second.. whats to say that while you are performing a backup, both drives don't get hit and have their file tables encrypted at the same time? - then the backup is also fubar! There is always going to be risk somewhere foxy..

The only other way of doing it would be via web disk on teh RPi (webdav I seem to remember the official name being?) or using the even slower FTP.. but again even those files could be pulled down, encrypted and uploaded to replace the originals although it would slow the process down a lot!

I need a new signature... i'm bored of the old one!

Anonymous · ‎29-06-2017

The only way that would happen is if the exploit could ‘talk’ FTP or the extended HTTP protocol of WebDav. These are protocols remember so in order to get a file from FTP they’d either need to know the name or do a LISTing parse it and request the files or MGET all the files only to MPUT them back after encryption, and the assumes they can get your login credentials. So I suspect you’d be save with either. But of course the same caveat as noted before still applies.

VileReynard · ‎01-09-2007

These people aren't necessarily interested in encryption - overwriting networked files with binary zeroes is sufficient, provided that local files are recoverable when payment is received.

"In The Beginning Was The Word, And The Word Was Aardvark."

Browni · ‎02-03-2016

Interesting take on the latest ransomware in Computing today

NotPetya ransomware intended to destroy, not extort money
'Little hope for victims to recover their data,' warns Kaspersky

Full story

Live router stats

Anonymous · ‎29-06-2017

An interesting read @Browni.

Alex · ‎05-04-2007

Scary now to think they are still at it, and I assume not bothering with a decryption method to make it easier and to take less time.

But they assume people think they can and still pay.

Browni · ‎02-03-2016

Perhaps they are lithium programmers and have deprecated the decryption module

Live router stats

VileReynard · ‎01-09-2007

https://www.theinquirer.net/inquirer/news/3010779/samba-flaw-puts-100-000-machines-at-risk-of-wannac...

This indicates to me that Microsoft-like protocols are a bad idea...

I use NFS (Network File System) to communicate from Linux with my NAS (although Samba is also supplied).