FileMaker and Ransomware

With the recent highly publicized attacks on Colonial Pipeline and JBS, we’ve had questions from some of our clients about protecting FileMaker data from ransomware attacks. While we are always careful to make it clear that we are not security professionals, we also try to do our best to answer our clients’ questions, so we have recently done some self-education, along with group discussions during our weekly developer meetings.

This blog post is a summary of this research and discussion. It is not intended as a ‘white paper’ on the topic. We would greatly appreciate hearing from other FileMaker users about their experience or opinions on the ransomware threat. You can contact us through the form at the end of this post. 

The hack that took down the largest fuel pipeline in the U.S. and led to shortages across the East Coast was the result of a single compromised password, according to a cybersecurity consultant who responded to the attack.

Bloomberg

PREVENTION

For starters, I’ll talk about prevention, and then go into recovery from a ransomware attack.

I think ransomware attacks can broadly be divided into two types of ‘blackmail’:

  1. Pay us, or you’ll never see your data again.

  2. Pay us, or we’re going to show your data to the world.

The second of these is the easier of the two from the FileMaker perspective. If you have enabled Encryption At Rest (EAR) on your database files and have chosen a reasonably strong password, then attackers who have obtained copies of your FileMaker data files (physical access to the files themselves) will not be able to read your data. Although not specifically related to ransomware, FileMaker also includes two other important security features you should be aware of: Authorized file access and Plugin access (new in version 19.2.1).

The first of these two ransomware threats is more difficult to deal with and requires a multi-faceted approach to prevention. This is really where you may want to do some of your own research and perhaps hire a professional if you consider the risks too great.

Some of the primary issues and potential mitigation strategies include the following:

➤ Remote desktop

I imagine almost all of us use remote desktop to manage servers, and it can be a vector for ransomware attackers. Remote desktop should be reachable only through a VPN or an IP-restricted firewall, and complex passwords should be mandatory.

➤ Out of date server patching

Servers should have current security patches installed in a timely manner. The WannaCry outbreak from a couple of years ago affected many servers even though Microsoft had already released a patch for the vulnerability it exploited.

➤ Phishing / malware websites

This area is probably the most difficult attack vector to deal with and also the one where firms are likely the most vulnerable. Spear phishing emails can be tailored to a particular individual and be difficult to detect. Mass distribution phishing emails have gotten much more sophisticated. Your FileMaker server may not be as vulnerable as a general end-user computer, since you’re not likely to have personal email configured on a server, and servers are generally managed by more technically sophisticated users.

Educating yourself and your users about phishing is therefore the primary line of defense against such attacks. In our discussions of the phishing threat, several of our team advocated simply never clicking a URL in an email and instead always opening your browser and navigating directly to the desired web page. If you don’t make that a habit, you should at least always check the domain shown in your address bar and make sure you see the SSL ‘lock’ icon there.

Generally speaking, anti-malware, anti-spam, and email filtering should also be considered to help limit phishing attacks, depending on your environment.

➤ Other options

Another potential strategy for minimizing the ransomware threat would be to run FileMaker Server on Linux or macOS. The attack exposure of these platforms is likely less than that of Windows servers. While ‘security by obscurity’ is no guarantee, it doesn’t hurt.

As yet another option, you can always outsource some of the responsibilities of ransomware prevention to a hosting company. FileMaker Cloud is an excellent hosting platform and has the weight of Claris behind the ransomware prevention strategy. Portage Bay Solutions also provides FileMaker hosting and server management services.

RECOVERY

In the final analysis, in the unlucky (and hopefully unlikely) event that you are the subject of a ransomware attack, it is critical that your disaster recovery plan be up to date and take into account ransomware as a potential disaster.

At this stage of the game, it’s impossible to ask any company to be bulletproof against cyberattacks—that’s a standard nobody can meet right now. Really, a more accurate measure of somebody’s cybersecurity capacity is how well they can contain an attack and limit the damage that happens.

thecounter.org

If your server is the subject of a successful ransomware attack, it would be safe to assume that all your FileMaker files, including all normal FileMaker backups, are now encrypted and useless unless you pay the ransom.

This means that you are depending on your offsite backup. We recently updated our offsite backup strategy to retain copies further back in time, since some ransomware intentionally delays itself so that your backups get infected before the attack becomes visible.

The key is that your offsite backup must be inaccessible to the ransomware and that you are able to go back to a point in time before the infection. We use Acronis and are relying on the ransomware not being tailored to reach through the Acronis client to the Acronis backup servers. I’m sure Acronis regards that level of sophistication as impossible, and to the best of my knowledge it is at least incredibly unlikely. A poor choice for offsite backup would be a NAS mapped as a drive in the operating system, even if it is several hundred miles away geographically: the ransomware would simply walk the file system and encrypt your offsite backup along with everything else.
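As an added illustration (not part of the original post, and not Acronis or FileMaker tooling), the Python script below applies the two tests this section describes to a set of backup copies: it flags copies whose contents are near-random, as ransomware-encrypted files are, picks the newest readable copy taken before an assumed infection time, and reports whether retention reaches back far enough. The file names, timestamps, infection time and entropy threshold are constructed assumptions.

```python
import math, os, tempfile
from collections import Counter
from datetime import datetime, timedelta

ENTROPY_THRESHOLD = 7.5  # assumed cut-off; readable database pages sit well below it
SAMPLE_BYTES = 64 * 1024

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 to 8.0); empty input scores 0."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def looks_encrypted(path: str) -> bool:
    """Ransomware output is near-random; a readable backup copy is not."""
    with open(path, "rb") as f:
        return shannon_entropy(f.read(SAMPLE_BYTES)) > ENTROPY_THRESHOLD

def latest_clean_restore_point(backups, suspected_infection):
    """Newest (timestamp, path) taken before the infection and still readable."""
    clean = [(ts, p) for ts, p in backups
             if ts < suspected_infection and not looks_encrypted(p)]
    return max(clean, default=None)

def retention_covers(backups, suspected_infection, dwell_days):
    """True if the oldest copy predates the infection by at least dwell_days."""
    return min(ts for ts, _ in backups) <= suspected_infection - timedelta(days=dwell_days)

def build_sample_set(root):
    """Constructed offsite folder: three nightly copies, the newest one
    overwritten with random bytes to mimic a copy taken after encryption."""
    backups = []
    for day, encrypted in ((0, False), (1, False), (2, True)):
        path = os.path.join(root, f"Sales_{day}.fmp12")
        with open(path, "wb") as f:
            f.write(os.urandom(SAMPLE_BYTES) if encrypted else b"record data " * 6000)
        backups.append((datetime(2021, 6, 1) + timedelta(days=day), path))
    return backups

def demo():
    """Run the checks against the constructed set and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        backups = build_sample_set(root)
        infection = datetime(2021, 6, 2, 12)  # assumed: encryption began at noon
        point = latest_clean_restore_point(backups, infection)
        return {"encrypted": [os.path.basename(p) for _, p in backups if looks_encrypted(p)],
                "restore_from": os.path.basename(point[1]) if point else None,
                "covers_7_days": retention_covers(backups, infection, 7)}
```

Run against a real offsite set, the same checks tell you which copy to restore and whether your retention window is longer than the delay an attacker built in.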

Another option to consider for protecting your FileMaker data would be to implement a hot or warm standby server. Using a commercial product like MirrorSync, or implementing your own synchronization module, you can push data to a standby FileMaker server that you would switch to in the event of a ransomware attack or other disaster. The data push could happen in real time, near real time, or overnight, depending on your requirements.

TO SUMMARIZE

To summarize our strategy for trying to deal with the ransomware threat:

  • Enable EAR on your FileMaker files

  • Keep your server patching current

  • Educate and warn users about phishing, on a recurring basis

  • Make sure your backup strategy and disaster recovery plan are up to date and account for the ransomware threat

  • Consider a standby server

  • Stay educated

Ransomware attacks are a serious and very real threat which I’ve oversimplified in this blog post. As I said above, depending on your risk tolerance, you may want to consider hiring a security professional to provide advice and protection for your scenario. Self-education is always a good idea as well, and I’ve included a few ransomware-related blog posts I’ve found helpful.

Ransomware defense strategies
Carnegie Mellon University, Software Engineering Institute

Three Places to Start in Defending Against Ransomware
Carnegie Mellon University, Software Engineering Institute

30 Ransomware Prevention Tips
Tripwire.com

WHAT DO YOU THINK?

Tell us your thoughts and discoveries about ransomware attacks in the comments below. We would love to hear about any research or thoughts others in the Claris community might have.

Do you have FileMaker issues or needs? We offer a complimentary 15-minute consultation to discuss how we may be of help with your current or future FileMaker solutions.

2 thoughts on “FileMaker and Ransomware”

  1. Great article, guys. It’s too bad that clients are not proactive, even when warned by trusted sources.
