The practice of mapping network drives has been around for a long time, and is essentially an “easy button” for getting users to files stored on a network server. However, with the rise of crypto ransomware, which encrypts files, this practice has become a quick access path for attackers to ruin a lot – if not all – of the data on your network. I’ll make a post later sharing my thoughts on a total ransomware strategy, but today I’ll focus on mapped drives.
Simply put: stop mapping them. I know this can be a difficult proposition, since so many users these days are solely focused on working with a specific program such as a clinical application, Excel, or Outlook. They frequently don’t know how to navigate through programs (My Programs, All Programs, or All Apps, depending on the version of Windows), let alone the network file shares (NFS in Windows, IFS in IBM i). Therefore mapping a drive is a simple way to get them where they need to go. Even application developers relied on this practice in the past, requiring certain drive letters to be mapped to perform tasks over the network rather than using the network path. The reason to stop mapping them and find a different method to access network files:
Simpler and more prevalent versions of crypto ransomware go after the drive letters available on the workstation, and not files available to the user over the network.
Most users in my environment look for everything on the desktop, and yours probably do as well, so consider placing shortcuts to the shares on the desktop instead of mapping drives; this can be accomplished through Group Policy Preferences just as easily as mapped drives. Even if a workstation becomes infected, the worst these variations of crypto ransomware will do is encrypt the shortcut, keeping your precious network data safe. You can then re-image or recompose the affected workstation, and you can quickly recover the user’s data if you have a sound backup/data protection strategy.
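As an added example (not from the original post), the following PowerShell script shows the swap described above done locally for testing: it lists the current user’s SMB drive mappings, creates a desktop shortcut pointing at each mapping’s UNC path, and, only when `-RemoveMappings` is passed, drops the drive letter. The share names it prints come from whatever is mapped on the machine it runs on; in production you would deploy the same shortcuts through Group Policy Preferences (User Configuration > Preferences > Windows Settings > Shortcuts) rather than scripting them per workstation. It assumes Windows 8 / Server 2012 or later (for the `SmbShare` module) and that the user is allowed to remove their own mappings.

```powershell
# Added example, not part of the original post.
# Replace persistent mapped drives with desktop shortcuts to the same UNC paths.
# Assumes Windows 8 / Server 2012+ (Get-SmbMapping / Remove-SmbMapping) and
# that the current user may remove their own drive mappings.

param(
    [switch]$RemoveMappings   # drive letters are only removed when explicitly requested
)

$desktop = [Environment]::GetFolderPath('Desktop')
$shell   = New-Object -ComObject WScript.Shell

# Get-SmbMapping lists the current user's SMB drive mappings (LocalPath = "Z:", RemotePath = \\server\share).
$mappings = Get-SmbMapping | Where-Object { $_.RemotePath -like '\\*' }

if (-not $mappings) {
    Write-Host "No mapped drives found for $env:USERNAME; nothing to do."
    return
}

foreach ($m in $mappings) {
    $local = $m.LocalPath        # e.g. "Z:"
    $unc   = $m.RemotePath       # e.g. "\\fileserver\share"

    # Build a readable shortcut name from the UNC path: "fileserver - share"
    $name = ($unc -replace '^\\\\', '') -replace '\\', ' - '
    $lnk  = Join-Path $desktop "$name.lnk"

    # A .lnk on the desktop is an ordinary file: if ransomware encrypts it,
    # only the shortcut is lost, not the data behind the UNC path.
    $sc = $shell.CreateShortcut($lnk)
    $sc.TargetPath  = $unc
    $sc.Description = "Network share formerly mapped as $local"
    $sc.Save()
    Write-Host "Created shortcut '$lnk' -> $unc"

    if ($RemoveMappings) {
        # -Force suppresses the confirmation prompt so the script can run unattended.
        Remove-SmbMapping -LocalPath $local -Force
        Write-Host "Removed mapping $local"
    }
    else {
        Write-Host "Mapping $local left in place (re-run with -RemoveMappings to remove it)"
    }
}
```

Run it once without the switch to see which shortcuts would be created and confirm they open the right shares, then run it with `-RemoveMappings` on a test workstation before rolling the equivalent Group Policy Preference out; the audit-only pass also doubles as a quick inventory of which drive letters a workstation currently exposes.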
Unfortunately, the last year has seen crypto ransomware become more sophisticated. Some variations will now inspect the network to find any folders and files the user has write access to and encrypt them as well. You may ask at this point, “if they can directly attack the file shares, why bother un-mapping the drives?” The answer to that is simple as well: thanks to novice attackers who download crypto builders from the internet, you’re more likely to be hit by a simple attack than a complex one. It’s easy not to treat simpler and older attacks such as fake antiviruses and screen lockers (like the old FBI virus) with the same level of concern as this quite frankly terrifying new wave of crypto ransomware, but as a best practice you should make sure to close every access route possible to attackers. Older and simpler attacks can still be devastating if you stop watching for them.
For a more in-depth look at the evolution of ransomware, check out this whitepaper from Symantec.