How an engineering data management system saves files from being destroyed by cryptoviruses
Can Pilot-ICE save data from ransomware? To answer this question we deliberately infected an isolated test system running Pilot-Server and the Pilot-ICE client with the widely publicised Wana Decrypt0r 2.0 ransomware. Other cryptoviruses work on the same principle; only the method of infection differs. We consider the most extreme case: there is no backup.
By Dmitry Poskrebyshev, Head of the Engineering Data Management Systems Development Department.
Pilot-ICE is a corporate system, but it is easy to deploy on your own (installing the server, the administration module and the client takes no more than 10 minutes) and has a free mode, so it can also be used to organise a personal network storage for files of any kind. We install Pilot-Server and attach a database containing documents that are a typical target for most crypto-ransomware: DWG, DOCX, PDF and so on. We connect the Pilot-ICE client to the database under an ordinary user account. In Pilot-ICE, files are managed on a special virtual disk, Pilot-Storage, which intercepts all operations on the file system. Every file that appears on the disk has a corresponding object in the database; the object stores the file's metadata, attributes, links and access rights. Disk data is cached in the user profile. The cache reduces the load on the server and allows the client to keep working when there is no connection.
File bodies in the cache are stored as NTFS sparse files. As a file's contents are read, they are streamed from the server and the zeroed (unallocated) regions of the sparse file are progressively replaced by real data. This makes it possible to open huge project structures with large files on Pilot-Storage instantly, without downloading them in full to the client machines, which saves disk space on user systems and reduces the load on the network infrastructure. The technique is similar to OneDrive Smart Files and Dropbox Smart Sync.
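To make the sparse-file streaming scheme concrete, here is an added example (not Pilot's code; the "server" is an in-memory byte string and the chunk size is constructed for the demonstration). The local placeholder is created as a hole of the file's full apparent size, and a chunk is written into it only when a read first touches that chunk, so untouched regions never cost disk blocks or network traffic:

```python
import os
import tempfile

CHUNK = 4096  # constructed chunk size for this toy model


class LazyFile:
    """Local sparse placeholder that pulls chunks from a 'server' on first read.

    The server is modelled as a bytes object (constructed for this example).
    The local file is created with a hole of the full size, so regions that
    are never read stay unallocated, mirroring the sparse-file scheme above.
    """

    def __init__(self, server_bytes: bytes, cache_path: str):
        self.server = server_bytes
        self.path = cache_path
        self.fetched = set()  # chunk indices already materialised locally
        with open(self.path, "wb") as f:
            f.truncate(len(server_bytes))  # hole: apparent size, no data blocks

    def _ensure(self, index: int) -> None:
        """Fetch one chunk from the 'server' into the sparse file if missing."""
        if index in self.fetched:
            return
        start = index * CHUNK
        data = self.server[start:start + CHUNK]  # stands in for a network read
        with open(self.path, "r+b") as f:
            f.seek(start)
            f.write(data)  # fills exactly this region of the hole
        self.fetched.add(index)

    def read(self, offset: int, length: int) -> bytes:
        """Read a byte range, fetching only the chunks the range overlaps."""
        first = offset // CHUNK
        last = (offset + length - 1) // CHUNK
        for i in range(first, last + 1):
            self._ensure(i)
        with open(self.path, "rb") as f:
            f.seek(offset)
            return f.read(length)

    def allocated_bytes(self) -> int:
        """Bytes actually backed by disk blocks (st_blocks is in 512-byte units)."""
        return os.stat(self.path).st_blocks * 512


def demo() -> dict:
    """Open a 16 KiB constructed 'file body' and read two small ranges of it."""
    server = bytes(range(256)) * 64  # 16384 bytes of constructed content
    with tempfile.TemporaryDirectory() as d:
        lf = LazyFile(server, os.path.join(d, "part.dwg"))
        head = lf.read(0, 100)        # touches chunk 0 only
        tail = lf.read(15000, 500)    # touches chunk 3 only
        return {
            "head_ok": head == server[:100],
            "tail_ok": tail == server[15000:15500],
            "fetched": sorted(lf.fetched),
            "apparent": len(server),
            "allocated": lf.allocated_bytes(),
        }


if __name__ == "__main__":
    print(demo())
```

On a file system that supports holes, `allocated` comes out well below `apparent` after the two reads, since only chunks 0 and 3 were written; the `fetched` set is what a client would persist so that the cache survives a disconnect.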
There may be thousands of projects in the database, but a user mounts on Pilot-Storage only those needed for their current work. Windows Explorer shows the structure of the mounted projects, and this is where the project files become reachable by a cryptovirus.
We infect the server and client systems with the Wana Decrypt0r virus and wait for its message that encryption is complete.
As a result, the files of the mounted projects to which the current user account has edit access were encrypted and the originals were deleted. The cryptovirus also drops its executable files into every folder whose documents it encrypted; Pilot-Storage synchronises these files to the server, and so the virus body ends up in the Pilot database.
The Pilot system is designed so that no data is ever physically deleted: a deleted object only gets the "Deleted" state and moves to the Pilot recycle bin, and the virus cannot bypass this. On the server, each Pilot database has a file archive that holds the file bodies, but the archive stores them without any file-type information, so the cryptovirus does not encrypt them: it treats such files as possibly belonging to the OS, and crashing the system is not what crypto-ransomware wants.
We clean the virus from the server and client systems and, if necessary, move the Pilot database from the infected machine to a clean one. We connect the Pilot-ICE client to the database under the administrator account and open the Pilot-Storage recycle bin: the administrator sees the deleted files of every user of the system. We restore them with the "Restore to original location" command.
The data is recovered.
It remains to remove the virus bodies from the database. We open the search box over all files in the database and run queries such as WanaDecryptor, @Please_Read_Me@.txt and WNCRY. We delete the files found; they are now in the Pilot recycle bin.
We open the recycle bin. Because we are connected under the administrator account, we have the right to permanently delete the traces of the virus. The Pilot-ICE database is now clean.
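The recovery procedure above (soft delete into a bin, administrator-only restore and purge, then a name search for the dropped artefacts) is modelled in this added example. It is not Pilot's code: the store, the user names, the project paths and the "incident" are constructed for the demonstration, and the incident only reproduces the file-system effect the article describes (originals marked deleted, renamed placeholder blobs and note files created) with no encryption of any kind.

```python
import fnmatch
from dataclasses import dataclass
from typing import Dict, List

# Search patterns mirroring the article's queries; file names are constructed samples.
ARTIFACT_GLOBS = ("*WanaDecryptor*", "*@Please_Read_Me@.txt", "*.WNCRY")


@dataclass
class FileObject:
    path: str
    body: bytes
    owner: str
    state: str = "Active"  # "Active" or "Deleted"; delete never erases the body


class SoftDeleteStore:
    """Toy store in which delete only flips the object's state to 'Deleted'."""

    def __init__(self, admins=("admin",)):
        self.objects: Dict[str, FileObject] = {}
        self.admins = set(admins)

    def _may_act_on(self, user: str, obj: FileObject) -> bool:
        return user in self.admins or obj.owner == user

    def create(self, path: str, body: bytes, user: str) -> None:
        self.objects[path] = FileObject(path, body, user)

    def delete(self, path: str, user: str) -> None:
        obj = self.objects[path]
        if not self._may_act_on(user, obj):
            raise PermissionError(f"{user} may not delete {path}")
        obj.state = "Deleted"  # moves to the bin; body is kept

    def bin(self, user: str) -> List[FileObject]:
        """Admins see everyone's deleted objects; a user sees only their own."""
        return [o for o in self.objects.values()
                if o.state == "Deleted" and self._may_act_on(user, o)]

    def restore_to_original_location(self, path: str, user: str) -> None:
        obj = self.objects[path]
        if obj.state != "Deleted":
            raise ValueError(f"{path} is not in the bin")
        if not self._may_act_on(user, obj):
            raise PermissionError(f"{user} may not restore {path}")
        obj.state = "Active"

    def search(self, glob: str) -> List[str]:
        return sorted(p for p in self.objects if fnmatch.fnmatch(p, glob))

    def purge(self, path: str, user: str) -> None:
        """Physical removal: administrator only, and only from the bin."""
        if user not in self.admins:
            raise PermissionError(f"{user} may not purge {path}")
        if self.objects[path].state != "Deleted":
            raise ValueError("purge only applies to objects in the bin")
        del self.objects[path]


def simulate_incident(store: SoftDeleteStore, victim: str) -> None:
    """Reproduce only the store-level effect described in the article."""
    for obj in [o for o in store.objects.values() if o.owner == victim]:
        folder = obj.path.rsplit("/", 1)[0]
        store.delete(obj.path, victim)                        # original "removed"
        store.create(obj.path + ".WNCRY", b"<placeholder blob>", victim)
        store.create(f"{folder}/@Please_Read_Me@.txt", b"<note>", victim)
        store.create(f"{folder}/@WanaDecryptor@.exe", b"<dropped binary>", victim)


def recover(store: SoftDeleteStore, admin: str = "admin") -> dict:
    """Restore everything in the bin, then find, delete and purge the artefacts."""
    restored = [o.path for o in store.bin(admin)]
    for path in restored:
        store.restore_to_original_location(path, admin)
    artifacts = sorted({p for g in ARTIFACT_GLOBS for p in store.search(g)})
    for path in artifacts:
        store.delete(path, admin)   # first to the bin ...
        store.purge(path, admin)    # ... then gone for good
    return {"restored": restored, "purged": artifacts,
            "remaining": sorted(store.objects)}


def run_scenario() -> dict:
    store = SoftDeleteStore()
    store.create("projects/p1/plan.dwg", b"dwg-original", "alice")
    store.create("projects/p1/spec.docx", b"docx-original", "alice")
    store.create("projects/p2/notes.pdf", b"pdf-original", "bob")  # not mounted by alice
    simulate_incident(store, "alice")
    result = recover(store)
    result["bodies_intact"] = all(
        o.state == "Active" and o.body.endswith(b"-original") for o in store.objects.values())
    return result


if __name__ == "__main__":
    print(run_scenario())
```

Two properties carry the whole argument: `delete` never touches `body`, and `purge` refuses anything that is not already in the bin and anyone who is not an administrator, so a process running as an ordinary user can at most move objects into the bin.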
For those who want to use Pilot for collaborative work on files, I also recommend looking at the easy-to-use 3D-Storage client (available in the Pilot download centre). The server part can also be installed on Linux; immediately after installation up to 5 simultaneous connections are available.
Dmitry Poskrebyshev, Head of PDM Systems Development Department.