DEV Community

Discussion on: A cron job that could save you from a ransomware attack

@_Geoffroy

Or simply use any filesystem with automatic history?

Charlie Schliesser

How does this protect you in any fashion if the entire filesystem is encrypted?

@_Geoffroy

For this I'm not entirely sure, but could ransomware totally encrypt a ZFS volume? That would mean elevating privileges up to the filesystem driver, which may not be in user-space.

Charlie Schliesser

ZFS with snapshots on the targeted machine is a great mitigation but not a silver bullet. Snapshots can expire or be overwritten by new encrypted data until good data is lost (depending on the configuration). Or the ransomware attack could be block level, which is hitting a lot of people lately. Or the machine could explode :) I think snapshots should be considered as a way to restore point-in-time data locally, not as a backup per se.

Victoria Drake

If your backup versions are stored locally, they’re also susceptible to a ransomware lockdown. They’d need to be backed up in a similar fashion.

@_Geoffroy

True, although even locally you can mitigate most of the effect by giving access to each program only to a pseudo-filesystem; your system will be as secure as your administrator access in that case.

Mixing both solutions would probably work well, as you can transfer incremental backups from a filesystem history to a remote, then you only have to protect your remotes.
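
The incremental transfer from filesystem history to a remote that the last comment describes, sketched for ZFS as an added example that is not part of the thread or any commenter's own code. Dataset names, the host name and the snapshot lists are constructed placeholders, and the script only prints the command it would run.

```shell
#!/bin/sh
# Added example (dry run): plan a ZFS replication step to a remote.
# Dataset names, host and snapshot lists are constructed placeholders.
# Snapshots are matched by name only; comparing the guid property is stricter.

# Print the part after '@' for each snapshot name on stdin.
snap_suffixes() { sed -n 's/^[^@]*@//p'; }

# newest_common LOCAL_LIST REMOTE_LIST
# Lists are newline-separated, oldest first, e.g. from
#   zfs list -H -d 1 -t snapshot -o name -s creation <dataset>
newest_common() {
    nc_remote=$(printf '%s\n' "$2" | snap_suffixes)
    nc_common=""
    while IFS= read -r nc_s; do
        [ -n "$nc_s" ] || continue
        if printf '%s\n' "$nc_remote" | grep -qxF -- "$nc_s"; then
            nc_common=$nc_s
        fi
    done <<EOF
$(printf '%s\n' "$1" | snap_suffixes)
EOF
    printf '%s' "$nc_common"
}

# plan_send SRC_DATASET DEST_HOST DEST_DATASET LOCAL_LIST REMOTE_LIST
plan_send() {
    ps_newest=$(printf '%s\n' "$4" | snap_suffixes | tail -n 1)
    ps_remote=$(printf '%s\n' "$5" | snap_suffixes | tail -n 1)
    ps_base=$(newest_common "$4" "$5")
    if [ -z "$ps_newest" ]; then
        echo "no local snapshots to send"; return 1
    elif [ -n "$ps_remote" ] && [ -z "$ps_base" ]; then
        # Local history no longer overlaps the remote: do not overwrite it.
        echo "refusing: no common snapshot, keep remote as-is"; return 2
    elif [ "$ps_base" = "$ps_newest" ]; then
        echo "up to date at @$ps_newest"
    elif [ -z "$ps_base" ]; then
        echo "zfs send $1@$ps_newest | ssh $2 zfs receive -u $3"
    else
        echo "zfs send -i $1@$ps_base $1@$ps_newest | ssh $2 zfs receive -u $3"
    fi
}

# Constructed sample: the remote is one snapshot behind the local history.
LOCAL_SNAPS='tank/data@auto-2024-05-01
tank/data@auto-2024-05-02
tank/data@auto-2024-05-03'
REMOTE_SNAPS='backup/data@auto-2024-05-01
backup/data@auto-2024-05-02'
plan_send tank/data backup-host backup/data "$LOCAL_SNAPS" "$REMOTE_SNAPS"
```

The refusal branch covers the case raised earlier in the thread: if the local snapshots have expired or been replaced, the remote copy is left untouched instead of being overwritten.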