ONTAP Discussions

Honeypot for crypto viruses

uibnetapp
2,950 Views

Hello,

 

We are a University with around 20'000 users with all their files on NetApp filers running ONTAP 9.0/CDOT, and from time to time, we have users who get infected with a crypto-virus and starts encrypting files on all shares they have access to.  Cryptoviruses are often not detected by antivirus software, and we were thinking about making an automated lock-down system with a honeypot to detect and stop the outbreak before it becomes a problem/lots of cleanup work.

 

Before I start, I would just like to check if anyone else already had done this?

 

My idea is to make a share with enough files so the cryptovirus is busy for a while on this share, and mount it as an early letter in windows on all clients.  Then make a script that detects changes on this share and who is doing the changes - then lock down this users account so the user doesn't have access to encrypt anything on later network shares mapped - like home directories and common file areas.

 

Any ideas or input on this before I start making a solution is welcome.

 

-- 
Morten-Christian Bernson,
Section for infrastructure, Systems Architect Storage and Backup
IT-department, University of Bergen

2 REPLIES 2

thomasb82
2,853 Views

Hi,

 

I can relate to the idea, however I'm curious if those viruses always go through drives alphabetically instead of random.

Maybe somebody can share some insights.

 

Thanks!

GidonMarcus
2,829 Views

Hi

 

Just put some nice starting point fot you.

NetApp created a mechanism that called Fpolicy in ontap. there is an external server-client implementation for it that is completely documented and part of the Manageability SDK and it allows you to get notify via the toolkit about an IO and to tell the filer what to do with this IO in live.

 

Also when googling that fpolicy with the crypto keyword i found this nice post. it's using the on-board set of rules of fpolicy (not the server-client method i described above that can be used for your idea - but still worth implementing )  https://www.tobbis-blog.de/netapp-ontap-fileserver-gegen-ransomware-abschotten.   i'm now considering to use that also in my ORG

 

Anyway. Good luck with your nice idea. Maybe need finalizing but I appricate machine learning and smart filtering more than a “stupid” old school Antiviruses or rule based tools.

 

Gidi.

Gidi Marcus (Linkedin) - Storage and Microsoft technologies consultant - Hydro IT LTD - UK
Public