One feature of computer networks we use at the office is access to files that are on a remote server. This might be a shared drive, network-attached storage (NAS) or similar. The same capability is relied on by much medical and imaging software: the program on the client computer reads and writes files on a remote computer through a share. Underpinning this capability is a brilliant invention, the remote file system.
Although there are several such systems, including AFS and NFS, almost all of this traffic on Windows networks now goes over the Microsoft Server Message Block (SMB) file sharing protocol. SMB offers great flexibility: authentication of users, authorization of what each user is allowed to do, and locking of all or part of a file so that two users cannot make incompatible changes to it at the same time.
In a Windows Active Directory domain the system is more powerful still: the domain controller authenticates users with the Kerberos protocol, issuing tickets that the client presents to the file server instead of sending a password over the network.
Unfortunately, the power of SMB file sharing is also what makes it the key avenue for ransomware. Malware running in the context of a logged-on user inherits that user's credentials and can use them to traverse the network, enumerating and writing to shares on every computer in the domain that the user can reach. Worse, once it has gained local administrator rights on a machine it can read the memory of the LSASS process: on Windows 8 and earlier (and on later versions where the WDigest credential cache has been re-enabled) this yields the user's cleartext password, and on every version it yields the NTLM hash, which is enough to authenticate to SMB without knowing the password. If that user has domain administrator privileges, the malware can destroy the whole network. The malware can also run a dictionary attack within the domain against the built-in "Administrator" account, which gives it supreme power within the domain, even the ability to lock out all existing users.
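Both behaviours described above leave traces in the Windows Security log: a share access is recorded as Event ID 5140 on the computer hosting the share (when the "Audit File Share" subcategory is enabled), and a failed logon as Event ID 4625. The detection logic below is an added example written for this page, not code from the original article. It runs over constructed sample records (not real logs) with simplified field names, and the thresholds and window sizes are assumptions that would need tuning for a particular network.

```python
"""Detect two ransomware behaviours in Windows Security event records:
share traversal (Event ID 5140: one account touching shares on many hosts
within a short window) and a dictionary attack on a privileged account
(Event ID 4625: many failed logons for one target from one source).

The records are constructed sample data, not real logs. Field names are
simplified versions of the Security log fields (SubjectUserName/
TargetUserName -> user, IpAddress -> ip, ShareName -> share, Computer ->
computer). Thresholds and windows are assumptions, not vendor defaults.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def _constructed_events():
    """Build a small, labelled set of sample events for the detectors."""
    base = datetime(2024, 3, 1, 8, 0, 0)
    events = [
        # Benign: one user opening two shares on a single file server.
        {"time": base.isoformat(), "id": 5140, "computer": "FS01",
         "user": "j.smith", "ip": "10.1.2.15", "share": "\\\\*\\Imaging"},
        {"time": (base + timedelta(minutes=40)).isoformat(), "id": 5140,
         "computer": "FS01", "user": "j.smith", "ip": "10.1.2.15",
         "share": "\\\\*\\Reports"},
    ]
    # Traversal: r.jones reaches the ADMIN$ share on eight workstations,
    # ten seconds apart, the pattern of malware walking the domain.
    for i in range(8):
        events.append({
            "time": (base + timedelta(minutes=30, seconds=10 * i)).isoformat(),
            "id": 5140, "computer": f"WS{i + 1:02d}", "user": "r.jones",
            "ip": "10.1.2.44", "share": "\\\\*\\ADMIN$"})
    # Dictionary attack: 25 failed logons for Administrator from one host,
    # three seconds apart, recorded on the domain controller.
    for i in range(25):
        events.append({
            "time": (base + timedelta(hours=1, seconds=3 * i)).isoformat(),
            "id": 4625, "computer": "DC01", "user": "Administrator",
            "ip": "10.1.2.77"})
    return events


SAMPLE_EVENTS = _constructed_events()


def detect_share_traversal(events, window=timedelta(minutes=5), host_threshold=5):
    """Return {user: set_of_hosts} for accounts that accessed shares on at
    least host_threshold distinct computers within any sliding window."""
    by_user = defaultdict(list)
    for e in events:
        if e["id"] == 5140:
            by_user[e["user"]].append((datetime.fromisoformat(e["time"]), e["computer"]))
    hits = {}
    for user, accesses in by_user.items():
        accesses.sort()
        for i, (t0, _) in enumerate(accesses):
            hosts = {h for t, h in accesses[i:] if t - t0 <= window}
            if len(hosts) >= host_threshold:
                hits[user] = hosts
                break
    return hits


def detect_password_guessing(events, window=timedelta(minutes=10), failure_threshold=10):
    """Return {(target_user, source_ip): failures} for sources that produced
    at least failure_threshold failed logons against one account within a
    sliding window. The count reported is from the first window that
    crosses the threshold."""
    by_key = defaultdict(list)
    for e in events:
        if e["id"] == 4625:
            by_key[(e["user"], e["ip"])].append(datetime.fromisoformat(e["time"]))
    hits = {}
    for key, times in by_key.items():
        times.sort()
        for i, t0 in enumerate(times):
            n = sum(1 for t in times[i:] if t - t0 <= window)
            if n >= failure_threshold:
                hits[key] = n
                break
    return hits


if __name__ == "__main__":
    for user, hosts in detect_share_traversal(SAMPLE_EVENTS).items():
        print(f"share traversal by {user}: {len(hosts)} hosts: {sorted(hosts)}")
    for (target, ip), n in detect_password_guessing(SAMPLE_EVENTS).items():
        print(f"password guessing against {target} from {ip}: {n} failures")
```

In a real deployment the events would come from forwarded logs or a SIEM query rather than an inline list, and the host threshold should be set above what the noisiest legitimate account (backup agents, vulnerability scanners) touches in the window, since those produce the same 5140 pattern.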
Using SMB file sharing as the transport between client and imaging server therefore constitutes an unacceptable security risk by design. Software and hardware vendors should be strongly discouraged from relying on this technology, convenient though it is.
The other consideration is that backups written over SMB are just as exposed: ransomware deliberately seeks out every share it can reach, and a backup sitting on one is encrypted along with the primary files. It is much safer to send backups to a remote location by a technology other than SMB file sharing, preferably one in which the backup system pulls the data and the client has no ability to overwrite or delete existing backups.
It is precisely because ransomware targets, and often succeeds in destroying, the backups before or at the same time as the primary files that paying the ransom so often appears to be the only option left.