RobbinHood ransomware takes down Baltimore City government networks. Well, this actually happens to a lot of small businesses and a lot of big businesses, and it's noteworthy and very impactful when it happens to a city. This happened on 5-8 when the story was. And here on 5-18, 2019, we're still seeing that their network is down, and the city's actually come to a really big problem: they can't even close on a house right now, because they can't file paperwork with the city to do closing paperwork for purchasing a home, and many other city services, including all the inspections. Everything's been impacted by this. It's a seriously big problem. So let's talk about this and bring it up. It's been brought up before, and we've done implementations, even with cities, with this particular methodology for helping mitigate the risk and problems created by ransomware.
"Combating WannaCry and Other Ransomware with OpenZFS Snapshots" is a May 18th, 2017 blog post by iXsystems, two years ago today, oddly enough. And this is a great way to help mitigate the risk created by ransomware. The problem with ransomware is, the general way it works right now: a user will have access to a lot of files, that user somehow gets ransomware on their system, and it runs around encrypting everything that user had access to. And as many companies don't follow least privilege rules when they're setting up security, that person usually has too many permissions for too many things, or they are a C-suite, C-level executive who has access to everything, so everything gets encrypted that they get their hands on. Even worse, many times the same person is an administrator, and it then ties into their Active Directory and gives them access to the backups, which get corrupted as well.
These are some of the worst-case scenarios. The other big challenge faced here is that, when you're dealing with these types of problems, restoring the backups, even if they're not corrupted, can be a problem in itself when you talk about massive amounts of data, due to the time it can take to restore the backups. And this is where OpenZFS snapshots come to the rescue. Now, one of the things about this, and like I said, you can use cloud backup, you can use offsite backup, but it comes back to how fast can you get restored, and ZFS snapshots are a great way to do this. And this is the important line that's really, really important to why this works: because OpenZFS snapshots take place at the block level of the file system, it is immune to any file-level encryption by ransomware that occurs over it. A carefully planned snapshot, replication, retention, and restoration strategy can provide the low-level isolation you need for your storage infrastructure to quickly recover from a ransomware attack.
Now, I've got a video I can link to where I go more in depth, and I'm probably going to make a new version soon to cover the new version of FreeNAS, but it works the same way. You can set up snapshots, and the snapshots can even be set up to run every hour. They can be set up to run every half hour. You can set these up to be very fine-grained depending on your use case, and this goes into the storage planning. What these do is they're only taking snapshots of the file system as it was at that time, but not duplicating it, which would be huge, especially when you talk about 570 gigs worth of data, which is my video folder. So you can see my video folder growing over time, and I only do one snapshot a day of my video folder to keep it really simple, but if I deleted everything out of my video folder, I could just roll back to that snapshot very, very quickly because I can reference it.
Now, the snapshots don't take up space because they're only, as I said, a differential between when you snapshotted it and the changes that were made, and on a general basis a city may have a lot of files, but they don't change that much from hour to hour. So as long as you have properly planned storage, you can keep these snapshots, and then the moment you get ransomware you can roll back, only losing as much data as from the time of that snapshot to the other one. Obviously there's more time involved, because you want to make sure you've removed the threat so it doesn't go back and do this anymore, but this is how ZFS can help protect against that.
To top that off, what about having two FreeNAS servers? Well, I do, and it makes that one more layer. So I have the snapshots set up to run once a day, and then I have it replicating once a day via replication tasks. I've covered this in a video too, and I'll leave links to these below. That way it takes all the data and mirrors it over. Now, one of the important things when you integrate this, and some of the planning that needs to be involved here, is that some people like to start using the same password everywhere. They're like, "Oh, it'd be convenient to manage my FreeNAS system with the same password that I manage my Active Directory with." Well, that's where some of the problems come in. If the attackers get in there and they realize they have access to this, this is where I've seen people, so to speak, blame this, but it really comes down to how you do your security. You need to make sure that they do not have the same password.
I know it's convenient to federate everything and have one global login so you can just log in everywhere with the same credentials, because it's convenient, but do make sure, because even if you present FreeNAS via an SMB share to a Windows machine, as long as the root password, the admin password for FreeNAS, is different, then it would be entirely another isolated layer that would have to be correct. And there are no known vulnerabilities as of right now in FreeNAS, so for them to attack it, if you have a good strong password for the admin and management of this, you are safe as long as there aren't any vulnerabilities that are found in it. Like I said, as of right now there are no known vulnerabilities. There's no brute-force method other than actual brute force, where they guess passwords, and that's not the most effective method anyway. As a matter of fact, it's really slow, and hopefully you have some type of logging that will alert you that something on your network is attacking and brute forcing. Hopefully you have it on a separate network as well, as far as the admin interface goes.
But as long as you keep this separate, with the WannaCry attack, if you're using an SMB share for example, the ransomware can go through and modify all the files on the SMB share, but it does not modify this system inside of here. It's immune to it because this is controlling things at the block level. Same thing if you present this to Windows as an iSCSI server: you're going to have the same effect. It's not going to have access to your FreeNAS machine. It's going to have access to the data on it, but FreeNAS snapshots work one layer below, at the block level, and therefore are able to restore to those previous states, provided you have snapshots.
So hopefully this was helpful, and hopefully someone thinks about deploying this. This is one of the reasons we like these as storage servers, and not being the same as your Windows file server: it offers that extra layer of protection because it's a separate system by which you're storing files, and the ZFS file system is very robust. And just in the case of people losing files, having hourly snapshot backups: we have had a lot of clients where, not because of ransomware, we've rolled back a snapshot because they lost something. You know, you're talking about hourly backups versus a nightly backup system or something that goes off site; it's going to be very quick just to roll back a snapshot. And like I said, I'll leave videos below where I go in depth on both snapshots and replication, so you can kind of follow through on more of that. They're done in the previous version of FreeNAS, but all of that still carries forward into the new version of FreeNAS as well. All right, thanks, and once again thanks for watching this video, and see you next time.
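
Added example, not part of the video or the blog post it cites: one way to choose the rollback point the transcript describes, by finding the first snapshot whose `written` value (data written since the previous snapshot) jumps far above the normal hourly change and taking the snapshot before it. The dataset name `tank/cityfiles`, the snapshot names, the sample figures and the 20x threshold are assumptions made for illustration.

```python
import statistics

# Constructed sample of `zfs list -H -p -t snapshot -o name,creation,written`
# (tab-separated; -p prints epoch seconds and raw byte counts).
# tank/cityfiles and the snapshot names are hypothetical.
SAMPLE = "\n".join([
    "tank/cityfiles@auto-0900\t1557306000\t52428800",
    "tank/cityfiles@auto-1000\t1557309600\t63963136",
    "tank/cityfiles@auto-1100\t1557313200\t50331648",
    "tank/cityfiles@auto-1200\t1557316800\t57671680",
    "tank/cityfiles@auto-1300\t1557320400\t429496729600",  # mass rewrite
    "tank/cityfiles@auto-1400\t1557324000\t2097152",
])


def parse_snapshots(text):
    """Parse the tab-separated listing into dicts, oldest first."""
    snaps = []
    for line in text.strip().splitlines():
        name, creation, written = line.split("\t")
        snaps.append({"name": name, "creation": int(creation),
                      "written": int(written)})
    return sorted(snaps, key=lambda s: s["creation"])


def last_clean_snapshot(snaps, factor=20, min_history=3):
    """Return the snapshot taken just before the first abnormal write burst.

    `written` is the data written since the previous snapshot. Ransomware
    that re-encrypts a share rewrites nearly every block, so the first
    snapshot after it shows a burst far above the running median.
    Returns None when no burst is found (factor is an assumed threshold).
    """
    for i in range(min_history, len(snaps)):
        baseline = statistics.median(s["written"] for s in snaps[:i])
        if baseline > 0 and snaps[i]["written"] > factor * baseline:
            return snaps[i - 1]
    return None


def rollback_command(snap):
    """Build, but do not run, the rollback. -r also destroys every snapshot
    newer than the target, so run it only once the threat is removed."""
    return ["zfs", "rollback", "-r", snap["name"]]


if __name__ == "__main__":
    target = last_clean_snapshot(parse_snapshots(SAMPLE))
    print(" ".join(rollback_command(target)) if target else "no burst found")
```

On the constructed listing the 13:00 snapshot carries the burst, so the 12:00 snapshot is the rollback target and at most one hour of changes is lost.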