2015-02-24 06:29 AM - last edited on 2015-02-24 09:46 AM by alissa
Recently one of our customers was hit by a ransomware/cryptoware.
They have a NAS server with CIFS which holds home and common folders.
A couple of clients in the customer environment got some suspicious emails that they probably opened.
And their client AND all mapped shares on the NAS server were then encrypted (all MS Office files changed the file names).
They didn't wanna do a restore on the whole volume, as they didn't wanna lose any progress of the files NOT affected.
So what we ended up doing was to do a vol clone on the snapshot created the day before the incident and then run a PowerShell script to scan/delete and replace the affected files with the clone as source.
Now we had a "lessons learned" meeting with the customer, and they were wondering how to prevent a similar attack.
Is there any other options/ideas to implement to prevent these attacks?
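The clean-up the post describes (scan the live share for encrypted files, remove them, and copy the pre-incident version back from the snapshot clone) can be written as a small script. The following is an added example in Python, not the poster's own PowerShell script; the extension list, folder layout and file contents are constructed for the demo. It handles the two renaming styles mentioned in the thread (extension appended, e.g. `report.xlsx.locky`, and extension replaced, e.g. `report.encrypted`) and refuses to delete anything whose original cannot be identified unambiguously in the clone.

```python
import shutil
import tempfile
from pathlib import Path

# Constructed sample list of extensions the encrypted files carried; in a real
# incident this comes from the affected files themselves.
ENCRYPTED_EXTENSIONS = {".encrypted", ".locky"}


def find_encrypted(share_root, extensions=ENCRYPTED_EXTENSIONS):
    """Yield files under share_root whose final suffix is a known ransomware extension."""
    share_root = Path(share_root)
    for path in share_root.rglob("*"):
        if path.is_file() and path.suffix.lower() in extensions:
            yield path


def locate_original(encrypted_rel, clone_root):
    """Map an encrypted file's relative path to its original inside the clone.

    appended style: finance/report.xlsx.locky -> finance/report.xlsx
    replaced style: finance/report.encrypted  -> the unique finance/report.* in the clone
    Returns the clone path, or None when there is no unique candidate.
    """
    clone_root = Path(clone_root)
    stripped = clone_root / encrypted_rel.with_suffix("")  # drop the ransomware suffix
    if stripped.is_file():
        return stripped
    clone_dir = stripped.parent
    if not clone_dir.is_dir():
        return None
    candidates = [p for p in clone_dir.iterdir()
                  if p.is_file() and p.name.startswith(stripped.name + ".")]
    return candidates[0] if len(candidates) == 1 else None


def restore_from_clone(share_root, clone_root, extensions=ENCRYPTED_EXTENSIONS, dry_run=False):
    """Replace each encrypted file on the live share with its copy from the clone.

    Returns (restored, unresolved) as sorted lists of relative POSIX paths.
    Files whose original is ambiguous or missing, or whose clean name is already
    occupied on the share, are left untouched and reported for manual handling,
    so nothing is deleted without a replacement being copied in first.
    """
    share_root, clone_root = Path(share_root), Path(clone_root)
    restored, unresolved = [], []
    # Materialise the list first so we do not walk directories we are modifying.
    for enc in list(find_encrypted(share_root, extensions)):
        rel = enc.relative_to(share_root)
        original = locate_original(rel, clone_root)
        target = share_root / rel.parent / (original.name if original else "")
        if original is None or target.exists():
            unresolved.append(rel.as_posix())
            continue
        if not dry_run:
            shutil.copy2(original, target)  # copy the clean file back, keeping timestamps
            enc.unlink()                    # remove the encrypted copy only after the copy succeeded
        restored.append(rel.as_posix())
    return sorted(restored), sorted(unresolved)


def build_demo(base):
    """Construct a sample live share and snapshot clone (constructed data)."""
    base = Path(base)
    share, clone = base / "share", base / "clone"
    for root in (share, clone):
        (root / "finance").mkdir(parents=True)
    # The clone holds yesterday's clean files.
    (clone / "finance" / "budget.xlsx").write_bytes(b"clean budget")
    (clone / "finance" / "notes.docx").write_bytes(b"clean notes")
    (clone / "finance" / "notes.pdf").write_bytes(b"clean notes pdf")
    (clone / "readme.txt").write_bytes(b"untouched")
    # The live share after the incident.
    (share / "finance" / "budget.xlsx.locky").write_bytes(b"garbage")  # appended style
    (share / "finance" / "notes.encrypted").write_bytes(b"garbage")    # replaced style, ambiguous
    (share / "readme.txt").write_bytes(b"untouched, edited today")     # unaffected, must survive
    return share, clone


def demo():
    """Run the restore against the constructed trees and report what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        share, clone = build_demo(tmp)
        restored, unresolved = restore_from_clone(share, clone)
        kept = (share / "readme.txt").read_bytes()
        budget = (share / "finance" / "budget.xlsx").read_bytes()
        locky_gone = not (share / "finance" / "budget.xlsx.locky").exists()
        return restored, unresolved, kept, budget, locky_gone


if __name__ == "__main__":
    print(demo())
```

Run it against the real mount points as `restore_from_clone("/mnt/share", "/mnt/clone", dry_run=True)` first and review the `unresolved` list; the unaffected, recently edited files on the share are never touched, which is the whole reason for doing a per-file restore instead of rolling back the volume.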
2015-12-15 07:11 AM
We had a couple more incidents with ransomware.
I thought of fpolicy.
Can we create an fpolicy to prevent someone from encrypting the files?
All files are left, but they are named file.encrypted instead of file.excel, for example.
Does anyone know how the ransom engine works?
Does it copy the original file and paste an encrypted version?
Or does it just rename it?
If it copies and replaces it, I don't think an fpolicy is good, because then it can remove all files and the option to get lists of affected files is gone.
If it only renames it, it might work.
2016-02-26 01:38 AM
Now I tested the fpolicy and it works fine:

nodeb> fpolicy create f_Ransomware screen
File policy f_Ransomware created successfully.
nodeb> fpolicy ext inc set f_Ransomware locky,xxx,zzz
nodeb> fpolicy monitor set f_Ransomware -p cifs,nfs create,rename
nodeb> fpolicy options f_Ransomware required on
nodeb> fpolicy enable f_Ransomware
Warning: User requests may be denied because there are no file screening servers registered with the filer.
Are you sure? y
File policy f_Ransomware (file screening) is enabled.

Now you can't rename or create any files with extension locky, xxx, zzz.