Ransomware/Cryptoware prevention

Hi!

Recently one of our customers was hit by ransomware/cryptoware.

They have a NAS server with CIFS which holds home and common folders.

A couple of clients in the customer environment got some suspicious emails that they probably opened.

And their client AND all mapped shares on the NAS server were then encrypted (all MS Office files had their file names changed).

They didn't want to do a restore of the whole volume, as they didn't want to lose any progress on the files NOT affected.

So what we ended up doing was a vol clone of the snapshot created the day before the incident, and then running a PowerShell script to scan for, delete and replace the affected files with the clone as source.

Now we had a "lessons learned" meeting with the customer, and they were wondering how to prevent a similar attack.

  • Is there a function to get an alert if a client changes a lot of files in a short time period?
  • Is there a function to prevent executable files from changing files on NAS folders?

Are there any other options/ideas to implement to prevent these attacks?
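The recovery the post describes (clone yesterday's snapshot, then replace only the encrypted files from the clone so that untouched files keep their newer content) can be written as a small script. The following is an added example, not the poster's PowerShell script; it is written in Python so it runs anywhere the live share and the clone are both mounted. It assumes the ransomware appends a ".encrypted" suffix to the original name (as in the thread's file.encrypted example), that the clone is mounted read-only at a separate path, and that both trees have the same layout. The sample tree it builds is constructed for the demo.

```python
import shutil
import tempfile
from pathlib import Path

# Assumed suffix the ransomware appended to each original file name.
ENCRYPTED_EXT = ".encrypted"


def find_encrypted(live_root):
    """Return every file under live_root that carries the ransomware suffix."""
    return sorted(p for p in Path(live_root).rglob("*" + ENCRYPTED_EXT) if p.is_file())


def restore_from_clone(live_root, clone_root, dry_run=False):
    """Replace each encrypted file in live_root with the clean original from
    clone_root (the vol clone of the pre-incident snapshot).

    Files that were not encrypted are never touched, so edits made after the
    snapshot survive. Returns (restored, missing): relative paths restored,
    and encrypted files that have no counterpart in the clone (typically
    files created after the snapshot was taken)."""
    live_root, clone_root = Path(live_root), Path(clone_root)
    restored, missing = [], []
    for enc in find_encrypted(live_root):
        rel = enc.relative_to(live_root)
        original_rel = rel.with_name(rel.name[: -len(ENCRYPTED_EXT)])
        source = clone_root / original_rel
        if not source.is_file():
            missing.append(rel.as_posix())
            continue
        if not dry_run:
            shutil.copy2(source, live_root / original_rel)  # copy clean file back
            enc.unlink()  # remove the encrypted leftover
        restored.append(original_rel.as_posix())
    return restored, missing


def build_demo_tree():
    """Constructed sample data: a live share hit by ransomware plus a clone of
    the previous day's snapshot. Returns (live_root, clone_root)."""
    base = Path(tempfile.mkdtemp(prefix="ransom_demo_"))
    live, clone = base / "live", base / "clone"
    for root in (live, clone):
        (root / "home" / "alice").mkdir(parents=True)
        (root / "common").mkdir(parents=True)
    # Untouched file edited after the snapshot: its newer content must survive.
    (clone / "common" / "notes.txt").write_text("old notes")
    (live / "common" / "notes.txt").write_text("notes edited today")
    # Encrypted files whose clean originals exist in the clone.
    (clone / "home" / "alice" / "budget.xlsx").write_text("budget v1")
    (live / "home" / "alice" / "budget.xlsx.encrypted").write_bytes(b"\x00garbage")
    (clone / "common" / "plan.docx").write_text("plan v1")
    (live / "common" / "plan.docx.encrypted").write_bytes(b"\x00garbage")
    # File created after the snapshot, so no clean copy exists anywhere.
    (live / "common" / "new.docx.encrypted").write_bytes(b"\x00garbage")
    return live, clone


if __name__ == "__main__":
    live, clone = build_demo_tree()
    print("dry run:", restore_from_clone(live, clone, dry_run=True))
    print("restore:", restore_from_clone(live, clone))
```

Run it with dry_run=True first and review the "missing" list: those are files the clone cannot give back, so they are the ones that need a backup older than the snapshot or are simply lost.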

Re: Ransomware/Cryptoware prevention

We had a couple more incidents with ransomware.

I thought of fpolicy.

Can we create an fpolicy to prevent someone from encrypting the files?

All files are left, but they are named file.encrypted instead of file.excel, for example.

Does anyone know how the ransom engine works?

Does it copy the original file and paste an encrypted version?

Or does it just rename it?

If it copies and replaces it, I don't think an fpolicy is good, because then it can remove all files and the option to get lists of affected files is then gone.

If it only renames it, it might work.

Thoughts?

Re: Ransomware/Cryptoware prevention

Now I tested the fpolicy and it works fine:

nodeb> fpolicy create f_Ransomware screen
File policy f_Ransomware created successfully.
nodeb> fpolicy ext inc set f_Ransomware locky,xxx,zzz
nodeb> fpolicy monitor set f_Ransomware -p cifs,nfs create,rename
nodeb> fpolicy options f_Ransomware required on
nodeb> fpolicy enable f_Ransomware
Warning: User requests may be denied because there are no file screening servers registered with the filer. Are you sure? y
File policy f_Ransomware (file screening) is enabled.

Now you can't rename or create any files with extension locky,xxx,zzz.

Regards,

Stefan
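Stefan's fpolicy blocks creates and renames to a known list of extensions, which covers the rename-in-place case discussed above. The first post's other question, an alert when one client changes a lot of files in a short time, is a detection rather than a block and can be done off the filer from its file-access audit log. The following is an added example, not from the thread or from NetApp: it parses a constructed, simplified audit-line format (real CIFS audit logs differ and would need their own parser), keeps a sliding window of create/rename/write events per client, raises one "burst" alert when a client exceeds a threshold inside the window, and separately flags any create or rename that lands on one of the extensions in Stefan's list. The sample log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed line format, constructed for this example:
#   <ISO timestamp> client=<ip> user=<name> op=<create|rename|write|read> path=<p> [new=<p>]
LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) user=(?P<user>\S+) op=(?P<op>\S+) "
    r"path=(?P<path>\S+)(?: new=(?P<new>\S+))?$"
)

# Extensions from the fpolicy in the thread plus the earlier ".encrypted" example.
BLOCKED_EXTS = {"locky", "xxx", "zzz", "encrypted"}
WRITE_OPS = {"create", "rename", "write"}


def parse_line(line):
    """Parse one audit line into a dict, or return None for unrecognised lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def suspicious_extension(path):
    """True when the final extension of path is on the blocked list."""
    return path is not None and path.rsplit(".", 1)[-1].lower() in BLOCKED_EXTS


def detect_bursts(lines, threshold=5, window_seconds=60):
    """Scan audit lines and return alerts as tuples.

    ("blocked_ext", client, target_path): a create/rename produced a blocked extension.
    ("burst", client, count): the client performed >= threshold write-like ops
        within window_seconds (reported once per client)."""
    recent = defaultdict(deque)  # client -> timestamps of write-like ops in window
    alerts = []
    burst_reported = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["op"] not in WRITE_OPS:
            continue
        target = rec["new"] or rec["path"]
        if rec["op"] in ("create", "rename") and suspicious_extension(target):
            alerts.append(("blocked_ext", rec["client"], target))
        q = recent[rec["client"]]
        q.append(rec["ts"])
        # Drop events that fell out of the sliding window.
        while (rec["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and rec["client"] not in burst_reported:
            burst_reported.add(rec["client"])
            alerts.append(("burst", rec["client"], len(q)))
    return alerts


# Constructed sample: one user working normally, one client renaming files rapidly.
SAMPLE_LOG = [
    "2016-03-01T09:00:00 client=10.0.0.7 user=alice op=write path=/common/notes.txt",
    "2016-03-01T09:04:00 client=10.0.0.7 user=alice op=create path=/common/todo.txt",
    "2016-03-01T09:09:00 client=10.0.0.7 user=alice op=write path=/common/notes.txt",
    "2016-03-01T09:12:01 client=10.0.0.15 user=bob op=rename path=/common/plan.docx new=/common/plan.docx.locky",
    "2016-03-01T09:12:04 client=10.0.0.15 user=bob op=rename path=/common/budget.xlsx new=/common/budget.xlsx.locky",
    "2016-03-01T09:12:08 client=10.0.0.15 user=bob op=rename path=/common/q1.pptx new=/common/q1.pptx.locky",
    "2016-03-01T09:12:11 client=10.0.0.15 user=bob op=rename path=/common/minutes.docx new=/common/minutes.docx.locky",
    "2016-03-01T09:12:15 client=10.0.0.15 user=bob op=rename path=/common/invoice.xlsx new=/common/invoice.xlsx.locky",
    "2016-03-01T09:12:19 client=10.0.0.15 user=bob op=rename path=/common/report.docx new=/common/report.docx.locky",
    "2016-03-01T09:13:00 client=10.0.0.7 user=alice op=read path=/common/notes.txt",
]


def demo():
    """Run the detector over the constructed sample and return its alerts."""
    return detect_bursts(SAMPLE_LOG)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

Tune threshold and window_seconds against a few days of normal traffic before alerting on it: a user saving a large project, or a backup job, can legitimately touch many files quickly, so the burst alert is a signal to look at the client, while the blocked-extension alert is the one that deserves an immediate response.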