{"id":17155,"date":"2022-03-23T10:15:08","date_gmt":"2022-03-23T09:15:08","guid":{"rendered":"https:\/\/www.dbi-services.com\/blog\/oracle-dbs-and-ransomware-attacks\/"},"modified":"2022-03-23T10:15:08","modified_gmt":"2022-03-23T09:15:08","slug":"oracle-dbs-and-ransomware-attacks","status":"publish","type":"post","link":"https:\/\/www.dbi-services.com\/blog\/oracle-dbs-and-ransomware-attacks\/","title":{"rendered":"Oracle DBs and ransomware attacks"},"content":{"rendered":"<h2>By Clemens Bleile<\/h2>\n<p>I had a discussion with a customer recently about the risk of running into an issue with ransomware encrypting data of Oracle databases. Just to quickly recap on what ransomware is:<\/p>\n<p><a href=\"https:\/\/en.wikipedia.org\/wiki\/Ransomware\">Wikipedia<\/a>: Ransomware is a type of malware from cryptovirology that threatens to publish the victim&#8217;s personal data or perpetually block access to it unless a ransom is paid. While some simple ransomware may lock the system without damaging any files, more advanced malware uses a technique called cryptoviral extortion. It encrypts the victim&#8217;s files, making them inaccessible, and demands a ransom payment to decrypt them.<\/p>\n<p>In recent years ransomware has become more perfidious by<br \/>\n&#8211; searching for backups and encrypting them as well, because restoring an uninfected backup was in the past the only way to recover ransomware-encrypted data without paying the ransom<br \/>\n&#8211; stealing sensitive data and then blackmailing the victim with the threat of publishing the stolen data if no ransom is paid<\/p>\n<p>So how can you proactively protect your database from becoming the victim of a ransomware attack?<\/p>\n<p>The following list is not complete, but it should give an idea of what an Oracle DBA can do proactively:<\/p>\n<h3>1. Protecting the data from becoming encrypted<\/h3>\n<p>It is very unlikely that ransomware uses Oracle functionality to connect to a database. 
In almost all cases the ransomware looks for data on filesystems or block devices and encrypts it through normal reads and writes.<br \/>\nMy customer actually uses Automatic Storage Management (ASM), and I proposed the ASM Filter Driver (AFD) as a first line of protection against ransomware, because with AFD in place writes to the ASM disks are only accepted when they come through Oracle database calls. The following blogs show that even a dd or fdisk run as root cannot write to the devices holding the data when the ASM Filter Driver is installed:<\/p>\n<p><a href=\"https:\/\/franckpachot.medium.com\/asm-filter-driver-simple-test-on-filtering-2a506f048ee5\">https:\/\/franckpachot.medium.com\/asm-filter-driver-simple-test-on-filtering-2a506f048ee5<\/a><br \/>\n<a href=\"https:\/\/www.uxora.com\/unix\/admin\/42-oracle-asm-filter-driver-i-o-filtering-test\">https:\/\/www.uxora.com\/unix\/admin\/42-oracle-asm-filter-driver-i-o-filtering-test<\/a><\/p>\n<p>Here is an example of trying to delete the partition of an ASM device with fdisk:<\/p>\n<pre class=\"brush: bash; gutter: true; first-line: 1\">\n[root@ol8-21-rac1 ~]# fdisk \/dev\/sdc\n...\nCommand (m for help): p\nDisk \/dev\/sdc: 2 GiB, 2147483648 bytes, 4194304 sectors\nUnits: sectors of 1 * 512 = 512 bytes\nSector size (logical\/physical): 512 bytes \/ 512 bytes\nI\/O size (minimum\/optimal): 512 bytes \/ 512 bytes\nDisklabel type: dos\nDisk identifier: 0xb7b98795\n\nDevice     Boot Start     End Sectors Size Id Type\n\/dev\/sdc1        2048 4194303 4192256   2G 83 Linux\n\nCommand (m for help): d\nSelected partition 1\nPartition 1 has been deleted.\n\nCommand (m for help): p\nDisk \/dev\/sdc: 2 GiB, 2147483648 bytes, 4194304 sectors\nUnits: sectors of 1 * 512 = 512 bytes\nSector size (logical\/physical): 512 bytes \/ 512 bytes\nI\/O size (minimum\/optimal): 512 bytes \/ 512 bytes\nDisklabel type: dos\nDisk identifier: 0xb7b98795\n\nCommand (m for help): w\nThe partition table has been altered.\nFailed to remove partition 1 from system: 
Device or resource busy\n\nThe kernel still uses the old partitions. The new table will be used at the next reboot. \n\/dev\/sdc: close device failed: Input\/output error\n\n[root@ol8-21-rac1 ~]# \n<\/pre>\n<p>In \/var\/log\/messages I can see this:<\/p>\n<pre class=\"brush: bash; gutter: true; first-line: 1\">\nMar 22 22:18:51 ol8-21-rac1 kernel: F 4299627.272\/220322221851 fdisk[98385] oracleafd:18:1012:Write IO to ASM managed device: [8] [32]\nMar 22 22:18:51 ol8-21-rac1 kernel: Buffer I\/O error on dev sdc, logical block 0, lost async page write\n<\/pre>\n<p>The AFD rejected the write of the new partition table to the ASM-managed device, so despite what fdisk reports, the partition table on disk is unchanged. Lines like these in \/var\/log\/messages are also a useful signal to monitor: with AFD in place, no process other than the Oracle software has a legitimate reason to write to an ASM disk.<\/p>\n<h3>2. Protecting backups from becoming encrypted<\/h3>\n<p>Besides storing backups on different servers, it&#8217;s a good idea to use backup solutions that make a backup immutable (read-only) once it has been written. So check that your database backups are really immutable. A plain NFS location is usually not a good backup medium for that (although there are measures that help with NFS as well; see <a href=\"https:\/\/ronekins.com\/2021\/06\/14\/protecting-oracle-backups-from-ransomware-and-malicious-intent\/#more-7955\">here<\/a>).<\/p>\n<h3>3. Protecting data so that it cannot be stolen<\/h3>\n<p>Encrypting your data, e.g. with Oracle Transparent Data Encryption (TDE), is a good idea, because stolen data is useless to the attacker without the key. This only holds as long as the keystore containing the master key is not stored or backed up together with the data files and backups it protects.<\/p>\n<p>Depending on your configuration several other methods to protect against ransomware attacks are available. 
Here are a couple of links on the subject:<\/p>\n<p><a href=\"https:\/\/phoenixnap.com\/kb\/immutable-backups\">https:\/\/phoenixnap.com\/kb\/immutable-backups<\/a><br \/>\n<a href=\"https:\/\/blogs.oracle.com\/maa\/post\/protect-and-recover-databases-from-ransomware-attacks-with-zero-data-loss-recovery-appliance\">https:\/\/blogs.oracle.com\/maa\/post\/protect-and-recover-databases-from-ransomware-attacks-with-zero-data-loss-recovery-appliance<\/a><br \/>\n<a href=\"https:\/\/ronekins.com\/2021\/06\/14\/protecting-oracle-backups-from-ransomware-and-malicious-intent\/#more-7955\">https:\/\/ronekins.com\/2021\/06\/14\/protecting-oracle-backups-from-ransomware-and-malicious-intent\/#more-7955<\/a><\/p>\n<h3>Summary: Ransomware may also affect database servers, and a DBA should protect the databases he&#8217;s responsible for. Despite the known issues of the ASM Filter Driver (AFD), such as its dependency on the Linux kernel version and bugs, the AFD can be one measure to protect your databases against ransomware attacks. Interestingly, I haven&#8217;t seen any blog or other information yet about using AFD as a protection against ransomware.<\/h3>\n<p>REMARK: You may check the following MOS note concerning the dependency of the AFD on the kernel:<br \/>\nACFS Support On OS Platforms (Certification Matrix) (Doc ID 1369107.1)<br \/>\nEven though the title of the MOS note mentions only ACFS, the AFD is covered as well.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>By Clemens Bleile I had a discussion with a customer recently about the risk of running into an issue with ransomware encrypting data of Oracle databases. 
Just to quickly recap on what ransomware is: Wikipedia: Ransomware is a type of malware from cryptovirology that threatens to publish the victim&#8217;s personal data or perpetually block access [&hellip;]<\/p>\n","protected":false},"author":35,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[59],"tags":[2516,37,2517,280,2518,96,2519],"type_dbi":[],"class_list":["post-17155","post","type-post","status-publish","format-standard","hentry","category-oracle","tag-afd","tag-asm","tag-asm-filter-driver","tag-database","tag-immutable-backup","tag-oracle","tag-ransomware"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/posts\/17155","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/users\/35"}],"replies":[{"embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/comments?post=17155"}],"version-history":[{"count":0,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/posts\/17155\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/media?parent=17155"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/categories?post=17155"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/tags?post=17155"},{"taxonomy":"type","embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/type_dbi?post=17155"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
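Added example, not part of the post above and not Oracle code: the two /var/log/messages lines in section 1 (the "oracleafd ... Write IO to ASM managed device" rejection and the following "Buffer I/O error on dev sdc") are exactly the signal an operations team should alert on, because with the ASM Filter Driver installed no process outside the Oracle software has a legitimate reason to write to an ASM disk. The script below parses such lines, names the process and device involved, and flags a process that was refused on several disks, which is what ransomware sweeping block devices would look like in this log. Assumptions: the sample log is constructed (the fdisk and Buffer I/O error lines are copied from the post, the sshd line and the two dd lines are made up); the bracketed numbers "[8] [32]" are read as major and minor device numbers, which agrees with sdc being 8:32 in the post's example; the minor-to-name mapping covers only the Linux SCSI disk driver (major 8, 16 minors per disk); and the "more than one device" threshold in suspicious() is this example's own heuristic, not something the AFD provides.

```python
import re
from collections import Counter, namedtuple

# Constructed sample log (assumption of this example). The fdisk line and the
# "Buffer I/O error" line are the two lines shown in the post; the sshd line is
# noise for the parser to skip and the two dd lines (minors 48 and 64) are made
# up to show one process being refused on several ASM disks.
SAMPLE_LOG = """\
Mar 22 22:18:51 ol8-21-rac1 kernel: F 4299627.272/220322221851 fdisk[98385] oracleafd:18:1012:Write IO to ASM managed device: [8] [32]
Mar 22 22:18:51 ol8-21-rac1 kernel: Buffer I/O error on dev sdc, logical block 0, lost async page write
Mar 22 22:19:03 ol8-21-rac1 sshd[1200]: Accepted publickey for oracle from 10.0.0.5 port 50122 ssh2
Mar 22 22:20:17 ol8-21-rac1 kernel: F 4299713.110/220322222017 dd[98460] oracleafd:18:1012:Write IO to ASM managed device: [8] [48]
Mar 22 22:20:18 ol8-21-rac1 kernel: F 4299714.002/220322222018 dd[98460] oracleafd:18:1012:Write IO to ASM managed device: [8] [64]
"""

# One AFD rejection line: syslog timestamp, host, "kernel:", an AFD-internal prefix,
# then "<process>[<pid>] oracleafd:...:Write IO to ASM managed device: [<major>] [<minor>]".
AFD_WRITE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r".*?(?P<proc>[^\s\[]+)\[(?P<pid>\d+)\] oracleafd:\S*Write IO to ASM managed device: "
    r"\[(?P<major>\d+)\] \[(?P<minor>\d+)\]"
)

AfdBlockedWrite = namedtuple(
    "AfdBlockedWrite", "timestamp host process pid major minor device"
)


def sd_device_name(major, minor):
    """Translate the major/minor pair logged by AFD into a device name.

    Only the SCSI disk driver (major 8) is handled: it reserves 16 minors per
    disk, so minor 32 is the whole disk sdc and minor 33 is partition sdc1.
    Disks beyond sdz (sdaa, ...) are out of scope for this example.
    """
    if major != 8:
        return None
    disk, part = divmod(minor, 16)
    if disk >= 26:
        return None
    name = "sd" + chr(ord("a") + disk)
    return name if part == 0 else f"{name}{part}"


def parse_afd_blocked_writes(log_text):
    """Return one AfdBlockedWrite per rejected write found in the log text."""
    events = []
    for line in log_text.splitlines():
        m = AFD_WRITE_RE.match(line)
        if m is None:
            continue  # not an AFD rejection (e.g. the Buffer I/O error or sshd lines)
        major, minor = int(m["major"]), int(m["minor"])
        events.append(
            AfdBlockedWrite(
                m["ts"], m["host"], m["proc"], int(m["pid"]),
                major, minor, sd_device_name(major, minor),
            )
        )
    return events


def offenders(events):
    """Count rejected writes per process name, the first thing to look at when triaging."""
    return Counter(e.process for e in events)


def suspicious(events, max_devices=1):
    """Return process names refused on more than max_devices distinct ASM disks.

    Heuristic of this example: a single non-Oracle process sweeping several
    ASM disks is the pattern a block-device-encrypting ransomware would leave.
    """
    touched = {}
    for e in events:
        touched.setdefault(e.process, set()).add((e.major, e.minor))
    return sorted(p for p, devs in touched.items() if len(devs) > max_devices)


if __name__ == "__main__":
    found = parse_afd_blocked_writes(SAMPLE_LOG)
    for e in found:
        print(f"{e.timestamp} {e.host}: {e.process}[{e.pid}] tried to write to {e.device}")
    print("rejected writes per process:", dict(offenders(found)))
    print("processes sweeping several ASM disks:", suspicious(found))
```

In production the same parser would be fed by the log shipper or a journald tail rather than a string, and every event, not just the "suspicious" ones, deserves a ticket: a rejected write means the AFD did its job, but it also means something on the host is already trying to write to the database storage.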