https://community.netapp.com/t5/Network-and-Storage-Protocols/Ransomware-Cryptoware-prevention/m-p/100997#M7587 <P>Hi!</P> <P>&nbsp;</P> <P>Recently one of our customers was hit by a ransomware/cryptoware.</P> <P>The have a NAS server with CIFS which holds home and common folders.</P> <P>&nbsp;</P> <P>A couple of clients in the customer environment got some&nbsp;suspicious emails that they probably opened.</P> <P>And their client AND all mapped shares on the NAS server was then encrypted (all MS Office files changed the file names)</P> <P>&nbsp;</P> <P>They didn´t wanna do a restore on the whole volume, as they didn´t wanna loose any progress of the files NOT affected.</P> <P>So what we ended up doing was to do a vol clone on the snapshot created the day before the incident and then run a powershell script to scan/delete and replace the affected files with the clone as source.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Now we had a "lessons learned" meeting with the customer, and they was wondering how to prevent a simular attack.</P> <P>&nbsp;</P> <UL> <LI>Is there a function to get alert, if a client changes alot of files in a short time period</LI> <LI>Is there a function to prevent executable files to change files on NAS folders</LI> </UL> <P>&nbsp;</P> <P>Is there any other options/ideas to implement to prevent these attacks?</P> <P>&nbsp;</P> Tue, 24 Feb 2015 17:46:16 GMT connoisseur 2015-02-24T17:46:16Z https://community.netapp.com/t5/Network-and-Storage-Protocols/Ransomware-Cryptoware-prevention/m-p/100997#M7587 <P>Hi!</P> <P>&nbsp;</P> <P>Recently one of our customers was hit by a ransomware/cryptoware.</P> <P>The have a NAS server with CIFS which holds home and common folders.</P> <P>&nbsp;</P> <P>A couple of clients in the customer environment got some&nbsp;suspicious emails that they probably opened.</P> <P>And their client AND all mapped shares on the NAS server was then encrypted (all MS Office files changed the file names)</P> <P>&nbsp;</P> <P>They didn´t wanna do a restore on the whole volume, as they didn´t wanna loose any progress of the files NOT affected.</P> <P>So what we ended up doing was to do a vol clone on the snapshot created the day before the incident and then run a powershell script to scan/delete and replace the affected files with the clone as source.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Now we had a "lessons learned" meeting with the customer, and they was wondering how to prevent a simular attack.</P> <P>&nbsp;</P> <UL> <LI>Is there a function to get alert, if a client changes alot of files in a short time period</LI> <LI>Is there a function to prevent executable files to change files on NAS folders</LI> </UL> <P>&nbsp;</P> <P>Is there any other options/ideas to implement to prevent these attacks?</P> <P>&nbsp;</P> Tue, 24 Feb 2015 17:46:16 GMT https://community.netapp.com/t5/Network-and-Storage-Protocols/Ransomware-Cryptoware-prevention/m-p/100997#M7587 connoisseur 2015-02-24T17:46:16Z https://community.netapp.com/t5/Network-and-Storage-Protocols/Ransomware-Cryptoware-prevention/m-p/113741#M8129 <P>We had a couple of more incidnets with ransomware.</P><P>&nbsp;</P><P>I thought of fpolicy.</P><P>Can we create an fpolicy to prevent someone to encrypt the files.</P><P>All files are left, but they are named file.encrypted instead of file.excel for exampel.</P><P>&nbsp;</P><P>Does anyone know how the ransom engine works.</P><P>Does it copy the original file and paste an ecrypted version?</P><P>Or does it just rename it?</P><P>&nbsp;</P><P>if it copys and replace it.. I don´t think a fpolicy is goog, because then it can remove all files and the option to get lists with affected files are then gone.</P><P>If it only renames it, it might work</P><P>&nbsp;</P><P>thoughts?</P> Tue, 15 Dec 2015 15:11:31 GMT https://community.netapp.com/t5/Network-and-Storage-Protocols/Ransomware-Cryptoware-prevention/m-p/113741#M8129 connoisseur 2015-12-15T15:11:31Z https://community.netapp.com/t5/Network-and-Storage-Protocols/Ransomware-Cryptoware-prevention/m-p/116351#M8243 <P>Have a look of this blog :</P><P>&nbsp;</P><P><A href="http://www.tobbis-blog.de/netapp-ontap-fileserver-gegen-ransomware-abschotten/" target="_blank">http://www.tobbis-blog.de/netapp-ontap-fileserver-gegen-ransomware-abschotten/</A></P><P>&nbsp;</P><P>Regards</P><P>Stefan</P> Fri, 26 Feb 2016 09:25:37 GMT https://community.netapp.com/t5/Network-and-Storage-Protocols/Ransomware-Cryptoware-prevention/m-p/116351#M8243 maxuptime 2016-02-26T09:25:37Z https://community.netapp.com/t5/Network-and-Storage-Protocols/Ransomware-Cryptoware-prevention/m-p/116352#M8244 <P>now i tested the fpolicy and it works fine:</P><P>&nbsp;</P><PRE>nodeb&gt; fpolicy create f_Ransomware screen File policy f_Ransomware created successfully. nodeb&gt; fpolicy ext inc set f_Ransomware locky,xxx,zzz nodeb&gt; fpolicy monitor set f_Ransomware -p cifs,nfs create,rename nodeb&gt; fpolicy options f_Ransomware required on nodeb&gt; fpolicy enable f_Ransomware Warning: User requests may be denied because there are no file screening servers registered with the filer. Are you sure? y File policy f_Ransomware (file screening) is enabled.</PRE><P>now you can´t rename or create any files with extension lockyxxx,zzz</P><P>&nbsp;</P><P>regards</P><P>stefan</P><P>&nbsp;</P> Fri, 26 Feb 2016 09:38:14 GMT https://community.netapp.com/t5/Network-and-Storage-Protocols/Ransomware-Cryptoware-prevention/m-p/116352#M8244 maxuptime 2016-02-26T09:38:14Z