HoneyPotChecker Script

HoneyPotChecker is a script that is useful should you get struck by ransomware.

TNCS-0037 – HoneyPotChecker Script

Created: March 3, 2017

Ransomware is a particularly nasty form of malware that takes your data “hostage” by encrypting it, thereby making it totally useless to you. When it strikes, you are asked to pay a fee in order to get the encryption key to unlock your data. While still relatively rare on the macOS platform, it is becoming more prominent and thus more of a concern for Mac users. It is just a matter of time before ransomware occurrences on the Mac are as widespread as they are on other platforms.

Many security professionals will proclaim that the only sure-fire protection against ransomware is to have a good offline backup. ChronoSync is the perfect tool for automating your backups and ensuring that they occur even when you aren’t thinking about backing up your data. The problem is, what if you are struck by ransomware but don’t realize it until AFTER your backups have run? If that happens, then your backed-up data may contain all the files that were encrypted by the ransomware!

If you find yourself in such a situation, then hopefully you were using a multi-tiered, redundant backup scheme that takes advantage of ChronoSync’s archiving feature. But even then, it would be quite a hassle to weed through your backups and determine what has been encrypted and what hasn’t, and which archives you have to resort to for recovery. It would be best to prevent such a situation from occurring in the first place!

HoneyPotChecker is a script that might just keep you out of such a predicament. The theory is simple — create a “HoneyPot” document that resides with your regular data. Such a document would presumably be encrypted should you get struck by ransomware. Thus all you have to do is check the integrity of this one document before allowing your synchronizations to occur.

INSTALLATION & SETUP

Note that this script will only work with ChronoSync v4.7.0 and later.

Download the HoneyPotChecker script file from here. You should store it some place out of the way. We recommend placing it in your ‘~/Library/Application Support/ChronoSync’ folder.

Once downloaded, open a synchronizer document that backs up a local folder or volume. Switch to the Options panel, scroll down to the section labeled “Scripts” and expand it. Turn “Pre-synchronization script:” and “Abort on script errors” ON; the second setting is what makes a failed check stop the synchronization. Afterwards, “Choose…” the HoneyPotChecker.sh script file that you placed in the ‘~/Library/Application Support/ChronoSync’ folder (or wherever you placed it). Then click “Run”. After a brief pause, control will return to ChronoSync.

HOW DOES IT WORK?

On the very first run, the script creates a file named zzImportantData.doc at the root level of your left target. The file contains random data but carries a Word-document extension so that it looks like a real document. The script calculates an MD5 checksum of the data and attaches the checksum to the file as an extended attribute. This becomes the “honeypot” file. On every subsequent run, the script finds the file and recalculates the checksum. If the contents of the file have been altered, the checksum will not match the one recorded in the extended attribute; the file is then considered corrupt and the script exits with an error. MD5’s known collision weaknesses do not matter here: the honeypot is fixed, random data, so any change to its contents, whether encryption or a plain overwrite, produces a different digest.

ChronoSync executes this script before any synchronization takes place. If the script returns an error (a non-zero exit status, with “Abort on script errors” turned on), the synchronization is aborted; otherwise it is allowed to proceed. This helps ensure that the data you are about to back up has not been modified by malicious software.

SHORTCOMINGS

The HoneyPotChecker is mainly a proof of concept and is not meant to be a foolproof safeguard against accidentally backing up encrypted data. There are a few shortcomings you may want to pay attention to.

  • The script assumes a left-to-right backup operation. If you are backing up right-to-left, you can change the SYNC_LEFT_TO_RIGHT value to 0. If you are synchronizing bidirectionally, you will need to modify the script on your own to perform the test on both targets.
  • The script requires direct access to the target being tested i.e. it must be on a locally mounted volume. Furthermore, the user executing the sync document must have at least read access to the source target, and write access is necessary for the script to create the honeypot file in the first place. This is true even if you have selected “Mounted Volumes (Admin Access)” as your connection profile since pre- and post- sync scripts never run with admin privileges.
  • If use of the HoneyPotChecker script becomes widespread, and known to any ransomware creator, they can program their malware to skip the honeypot file. You can mitigate this by renaming the file and the extended attribute used to store the checksum. Just modify the HONEYPOT_FILE_NAME and XATTR_NAME variables to whatever you’d like. Just remember to use a common file extension for HONEYPOT_FILE_NAME because ransomware typically looks for common document types to encrypt. They stay away from unknown file types for fear of rendering your system unusable and thus unable to pay the ransom!
  • HoneyPotChecker only tests the root level of your sync target. Ransomware will often start deep in the folder hierarchy and work its way up, so that the encryption takes longer to be discovered. A backup operation can therefore pass the honeypot check while the ransomware is still encrypting deeper levels of your folder hierarchy. You can modify the HoneyPotChecker to test several deep folders in your sync hierarchy to narrow this window.
  • The check only catches a honeypot that has been altered in place. Because the script creates the honeypot whenever it is absent, ransomware that writes an encrypted copy under a new name (for example with an added extension) and deletes the original leaves the root without the file, and the next run would simply create a fresh honeypot and pass. Treating a missing honeypot as an error after the first run, or looking for renamed leftovers, closes that gap.
  • Last, but not least, if your backup system relies on mounting the destination volumes, those volumes themselves will be subject to encryption while they are mounted! It is best to keep such destinations offline as much as possible. Your ChronoSync document can take care of mounting and dismounting target volumes for you. Thus such volumes will only be mounted if the honeypot test passes. You can also use “opaque” targets such as ChronoAgent-connected volumes to eliminate exposure of your backup data. See our Protecting Your Mac Against Ransomware strategy guide for more information.
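The following script is an added example that implements the check described under “How does it work?” and the deep-folder test suggested in the shortcomings above; it is not the HoneyPotChecker.sh shipped by Econ Technologies. It keeps the page’s variable names (HONEYPOT_FILE_NAME, XATTR_NAME, SYNC_LEFT_TO_RIGHT), but the extended-attribute name, the HONEYPOT_SIZE and EXTRA_HONEYPOT_DIRS variables, and the assumption that ChronoSync passes the left and right target paths as the first two arguments are all this example’s own choices, not documented on this page. Two additions go beyond the page’s design: a missing honeypot with a renamed leftover beside it (zzImportantData.doc.*) is treated as an attack rather than a first run, and where no extended-attribute tool works the digest is kept in a hidden sidecar file so the script stays runnable on Linux.

```shell
#!/bin/sh
# HoneyPotChecker-style pre-sync check (added example, not the ChronoSync script).
# Exit status 0 lets the sync run; anything else makes ChronoSync abort it.
set -u

HONEYPOT_FILE_NAME="zzImportantData.doc"   # rename this, but keep a common extension
XATTR_NAME="com.example.honeypot.md5"      # assumed name; the real script uses its own
HONEYPOT_SIZE=65536                        # bytes of random content in the honeypot
SYNC_LEFT_TO_RIGHT=1                       # 0 = test the right target instead
EXTRA_HONEYPOT_DIRS=""                     # colon-separated deep folders to test too

file_md5() {
    # md5sum (Linux) or md5 -q (macOS); both end up printing the bare hex digest
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

store_checksum() {
    # $1 = file, $2 = digest. Attach as an extended attribute (Linux needs the
    # user. namespace). The sidecar file is a portability fallback only.
    if command -v xattr >/dev/null 2>&1 && xattr -w "$XATTR_NAME" "$2" "$1" 2>/dev/null; then
        return 0
    fi
    if command -v setfattr >/dev/null 2>&1 && setfattr -n "user.$XATTR_NAME" -v "$2" "$1" 2>/dev/null; then
        return 0
    fi
    printf '%s\n' "$2" > "$(dirname "$1")/.$(basename "$1").md5"
}

read_checksum() {
    # Prints the digest recorded for $1, or returns 1 when none is attached.
    v=""
    if command -v xattr >/dev/null 2>&1; then
        v=$(xattr -p "$XATTR_NAME" "$1" 2>/dev/null) || v=""
    fi
    if [ -z "$v" ] && command -v getfattr >/dev/null 2>&1; then
        v=$(getfattr --only-values -n "user.$XATTR_NAME" "$1" 2>/dev/null) || v=""
    fi
    sidecar="$(dirname "$1")/.$(basename "$1").md5"
    if [ -z "$v" ] && [ -f "$sidecar" ]; then
        v=$(cat "$sidecar")
    fi
    [ -n "$v" ] || return 1
    printf '%s' "$v"
}

honeypot_check() {
    # $1 = directory to test. Creates the honeypot on first use, verifies it afterwards.
    dir=$1
    hp="$dir/$HONEYPOT_FILE_NAME"
    if [ ! -d "$dir" ]; then
        echo "HoneyPotChecker: target not accessible: $dir" >&2
        return 2
    fi
    if [ ! -f "$hp" ]; then
        # A honeypot that vanished but left a renamed copy (e.g. .doc.locked) is a
        # sign of ransomware, not a first run: refuse instead of recreating it.
        for left in "$hp".*; do
            if [ -e "$left" ]; then
                echo "HoneyPotChecker: honeypot replaced by $left, aborting sync" >&2
                return 1
            fi
        done
        head -c "$HONEYPOT_SIZE" /dev/urandom > "$hp" || return 2
        store_checksum "$hp" "$(file_md5 "$hp")" || return 2
        echo "HoneyPotChecker: created $hp" >&2
        return 0
    fi
    stored=$(read_checksum "$hp") || { echo "HoneyPotChecker: no checksum on $hp" >&2; return 1; }
    current=$(file_md5 "$hp")
    if [ "$stored" != "$current" ]; then
        echo "HoneyPotChecker: $hp was modified, aborting sync" >&2
        return 1
    fi
    return 0
}

check_all() {
    # $1 = left target, $2 = right target. Tests the source root and every
    # folder listed in EXTRA_HONEYPOT_DIRS (relative to that root).
    if [ "$SYNC_LEFT_TO_RIGHT" -eq 1 ]; then src=$1; else src=$2; fi
    honeypot_check "$src" || return $?
    old_ifs=$IFS; IFS=:
    for d in $EXTRA_HONEYPOT_DIRS; do
        IFS=$old_ifs
        honeypot_check "$src/$d" || return $?
    done
    IFS=$old_ifs
    return 0
}

# How ChronoSync hands the target paths to the script is not documented on this
# page; the example assumes they arrive as the first two arguments.
if [ "$#" -gt 0 ]; then
    check_all "$1" "${2:-}"
fi
```

With “Abort on script errors” on, every non-zero return above stops the sync. Setting EXTRA_HONEYPOT_DIRS to something like "Documents/Projects:Pictures/2016" plants and verifies additional honeypots deep in the hierarchy; renaming HONEYPOT_FILE_NAME and XATTR_NAME is the same maintenance the text recommends.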

CONCLUSION

If all goes well, the MD5 checksum will always match when the synchronization runs. Don’t get too comfortable with this, though. As suggested above, keep an eye on things and change the honeypot file name and extended attribute name from time to time. This minor maintenance should give you peace of mind when keeping your data safe from ransomware.

REVISION HISTORY

Mar-3-2017 – Created.
