-
The only feedback I'd offer to this is that this looks, to me, like an effective way to detect ransomware attacks - and other potentially malicious behavior - but I would not agree that this does anything to prevent them. If an actual ransomware attack happens you're just alerting that you've detected the event, you're not actually doing anything to prevent (stop) it. If you wanted actual prevention, or even mid-attack mitigation, you'd have to have that alert do something else - change shares or filesystem access to read-only mode, for example (depending on how you're using it), or even halt the system entirely - and, even then, it wouldn't so much be prevention as mitigation and stopping the spread. Beyond that, I think you could also do some other interesting things with such an alert or system - for example, if that alarm triggers, take another snapshot immediately so that you have a point in time where most of your data may still be safe and unharmed, and where you'd have some forensic evidence of where things are before your entire system is encrypted.
-
I have a server with all the whistles enabled (secure boot enabled, measured boot, signed UKI, ...) and I am using ZFS. Currently I am taking hourly snapshots and sending them to a remote server whose only purpose is to receive those (using znapzend for this). I have a script that monitors the length of the last received snapshot (which rarely exceeds a few MB) and sets an alarm if it exceeds 1 GB.
This looks, to me, like a very cheap -yet effective- way to mitigate ransomware attacks (even without sending the snapshot, the check can be done locally). I am wondering why such an approach is not used more widely, considering that some statistics put the share of companies victimised by ransomware attacks at 65%? Or can you guys see some flaw in this idea?
Update: by mistake I said originally prevent instead of mitigate. Apologies for the misunderstanding.
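A local version of the size check described in the post, together with the "take another snapshot immediately" step suggested in the reply above, as an added example that is not the poster's own script. It assumes the dataset is called tank/data and that the listing comes from `zfs list -Hp -t snapshot -o name,written -s creation`; the `written` property (data written since the previous snapshot) is used rather than `used`, because a snapshot's `used` only counts blocks unique to that snapshot and would understate a sudden mass rewrite.

```shell
# Added example (not the poster's script): alarm when the newest ZFS snapshot
# contains far more newly written data than an hourly snapshot normally does.
# Assumes the listing comes from
#   zfs list -Hp -t snapshot -o name,written -s creation tank/data
# (-H: no header, -p: exact byte counts; tank/data is an assumed dataset name).

THRESHOLD_BYTES=$((1024 * 1024 * 1024))   # 1 GB, the threshold from the post

# Constructed sample listings (tab-separated name and bytes), not real output.
SAMPLE_NORMAL=$(printf 'tank/data@2024-01-01T00:00\t4194304\ntank/data@2024-01-01T01:00\t2097152\n')
SAMPLE_ALARM=$(printf 'tank/data@2024-01-01T00:00\t4194304\ntank/data@2024-01-01T01:00\t3221225472\n')

# snapshot_alarm LISTING THRESHOLD
#   Looks only at the newest snapshot (last line, since -s creation sorts oldest
#   first). Returns 0 when within the threshold, 1 when it should raise an alarm.
snapshot_alarm() {
    last=$(printf '%s\n' "$1" | tail -n 1)
    name=$(printf '%s\n' "$last" | cut -f1)
    written=$(printf '%s\n' "$last" | cut -f2)
    if [ "$written" -gt "$2" ]; then
        printf 'ALARM: %s wrote %s bytes (threshold %s)\n' "$name" "$written" "$2" >&2
        return 1
    fi
    printf 'ok: %s wrote %s bytes\n' "$name" "$written"
}

# on_alarm DATASET
#   The mitigation step from the reply: take an extra snapshot at once so a
#   near-clean point in time (and forensic evidence) is preserved. It only
#   calls zfs when ZFS_LIVE=1, so the script is safe to run on a host without ZFS.
#   Prints the snapshot name it created (or would create).
on_alarm() {
    snap="$1@ransomware-suspect-$(date -u +%Y%m%dT%H%M%SZ)"
    if [ "${ZFS_LIVE:-0}" = 1 ]; then
        zfs snapshot "$snap"
    fi
    printf '%s\n' "$snap"
}

# Hourly cron usage (dataset name assumed):
#   listing=$(zfs list -Hp -t snapshot -o name,written -s creation tank/data)
#   snapshot_alarm "$listing" "$THRESHOLD_BYTES" || on_alarm tank/data
```

Pairing the check with a `zfs hold` on the emergency snapshot, or with switching the share to read-only as the reply suggests, turns the alert into mitigation rather than detection alone.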