Recently one of our customers was hit by ransomware/cryptoware.
They have a NAS server with CIFS which holds home and common folders.
A couple of clients in the customer environment got some suspicious emails that they probably opened.
Their client AND all mapped shares on the NAS server were then encrypted (all MS Office files had their file names changed).
They didn't want to do a restore of the whole volume, as they didn't want to lose any progress on the files NOT affected.
So what we ended up doing was a vol clone of the snapshot created the day before the incident, and then running a PowerShell script to scan/delete and replace the affected files with the clone as the source.
Now we had a "lessons learned" meeting with the customer, and they were wondering how to prevent a similar attack.
Is there a function to get an alert if a client changes a lot of files in a short time period?
Is there a function to prevent executable files from changing files on NAS folders?
Are there any other options/ideas to implement to prevent these attacks?
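The scan/delete/replace step described in the post, written out as an added PowerShell example. This is not the poster's own script: the share paths, the extension list and the log location are assumptions, and the clone is expected to be exposed as its own CIFS share (or mapped drive) taken from the FlexClone of the pre-incident snapshot.

```powershell
<#
  Restore-FromClone.ps1 (added example, not the poster's own script)
  Assumptions:
    -LiveRoot   UNC path of the encrypted CIFS share
    -CloneRoot  UNC path of a share exported from the FlexClone of the
                pre-incident snapshot (read-only is fine; it is only read)
    -BadExt     extensions the ransomware appended (example list)
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory)] [string]   $LiveRoot,
    [Parameter(Mandatory)] [string]   $CloneRoot,
    [string[]] $BadExt = @('.locky', '.xxx', '.zzz'),
    [string]   $Log    = (Join-Path (Get-Location) ("restore-{0:yyyyMMdd-HHmmss}.log" -f (Get-Date)))
)

$LiveRoot  = $LiveRoot.TrimEnd('\')
$CloneRoot = $CloneRoot.TrimEnd('\')
$BadExt    = $BadExt | ForEach-Object { ('.' + $_.TrimStart('.')).ToLower() }

function Write-Log([string] $Msg) {
    $line = "{0:s} {1}" -f (Get-Date), $Msg
    Add-Content -LiteralPath $Log -Value $line
    Write-Host $line
}

# Pass 1: delete the encrypted copies. Matching on the appended extension
# leaves unaffected files, and any work done since the snapshot, untouched.
$encrypted = @(Get-ChildItem -LiteralPath $LiveRoot -Recurse -File -Force |
    Where-Object { $BadExt -contains $_.Extension.ToLower() })
foreach ($f in $encrypted) {
    if ($PSCmdlet.ShouldProcess($f.FullName, 'Delete encrypted file')) {
        Remove-Item -LiteralPath $f.FullName -Force
        Write-Log "DELETED  $($f.FullName)"
    }
}

# Pass 2: walk the clone. An original whose live counterpart no longer exists
# (renamed by the malware, then removed in pass 1) is copied back from the clone.
# Originals that still exist are left alone so nobody loses current work.
$restored = 0
$kept     = 0
foreach ($c in Get-ChildItem -LiteralPath $CloneRoot -Recurse -File -Force) {
    $rel  = $c.FullName.Substring($CloneRoot.Length).TrimStart('\')
    $dest = Join-Path $LiveRoot $rel
    if (Test-Path -LiteralPath $dest) { $kept++; continue }
    if ($PSCmdlet.ShouldProcess($dest, "Restore from $($c.FullName)")) {
        $dir = Split-Path -Parent $dest
        if (-not (Test-Path -LiteralPath $dir)) {
            New-Item -ItemType Directory -Path $dir -Force | Out-Null
        }
        Copy-Item -LiteralPath $c.FullName -Destination $dest -Force
        $restored++
        Write-Log "RESTORED $dest"
    }
}
Write-Log ("Done: {0} encrypted files deleted, {1} restored from clone, {2} left as-is" -f $encrypted.Count, $restored, $kept)
```

Run it once with `-WhatIf` (for example `.\Restore-FromClone.ps1 -LiveRoot \\nas\home -CloneRoot \\nas\home_clone -WhatIf`) and read the planned actions before the real run. Because pass 2 keys on "original missing from the live share" rather than on the encrypted file name, it also covers families that replace the whole file name with a random string; the cost is that a file the user deliberately deleted after the snapshot comes back and has to be removed again. Ransom notes and other new files that do not exist in the clone are not touched and need to be cleaned up separately.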
nodeb> fpolicy create f_Ransomware screen
File policy f_Ransomware created successfully.
nodeb> fpolicy ext inc set f_Ransomware locky,xxx,zzz
nodeb> fpolicy monitor set f_Ransomware -p cifs,nfs create,rename
nodeb> fpolicy options f_Ransomware required on
nodeb> fpolicy enable f_Ransomware
Warning: User requests may be denied because there are no file screening servers registered with the filer. Are you sure? y
File policy f_Ransomware (file screening) is enabled.
Now you can't rename or create any files with the extensions locky, xxx, zzz.
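A quick check that the screen actually bites, as an added example that is not part of the reply above. The share name `\\filer\home` and the extension list are assumptions; run it from a domain workstation that reaches the filer over CIFS, with an account that can write to the share.

```powershell
# Added check: verify the f_Ransomware file screen denies create and rename
# for the screened extensions while a normal file is still allowed.
# Assumptions: \\filer\home is a CIFS share on the filer where the policy is
# enabled and the extension list matches what was set with "fpolicy ext inc set".
param(
    [string]   $Share  = '\\filer\home',
    [string[]] $BadExt = @('locky', 'xxx', 'zzz')
)
$probe   = Join-Path $Share ("fpolicy-probe-{0}.txt" -f [guid]::NewGuid())
$results = [ordered]@{}

# Control: a plain .txt must still be creatable, otherwise the policy is
# blocking far more than intended (e.g. every request denied with "required on").
try {
    Set-Content -LiteralPath $probe -Value 'probe' -ErrorAction Stop
    $results['create .txt (control)'] = 'allowed'
} catch {
    $results['create .txt (control)'] = "DENIED: $($_.Exception.Message)"
}

foreach ($ext in $BadExt) {
    $ext = $ext.TrimStart('.')
    $bad = "$probe.$ext"

    # 1) creating a new file with a screened extension should be denied
    try {
        Set-Content -LiteralPath $bad -Value 'probe' -ErrorAction Stop
        $results["create .$ext"] = 'ALLOWED - policy not effective'
        Remove-Item -LiteralPath $bad -Force
    } catch {
        $results["create .$ext"] = 'denied'
    }

    # 2) renaming an existing file to a screened extension should be denied
    if (Test-Path -LiteralPath $probe) {
        try {
            Rename-Item -LiteralPath $probe -NewName (Split-Path -Leaf $bad) -ErrorAction Stop
            $results["rename to .$ext"] = 'ALLOWED - policy not effective'
            Rename-Item -LiteralPath $bad -NewName (Split-Path -Leaf $probe)
        } catch {
            $results["rename to .$ext"] = 'denied'
        }
    }
}
Remove-Item -LiteralPath $probe -Force -ErrorAction SilentlyContinue
$results.GetEnumerator() | Format-Table -AutoSize
```

Every screened extension should show `denied` for both create and rename, with the control create showing `allowed`. Keep in mind that this screen only stops files being created or renamed with the listed extensions; a variant that uses a different extension, or encrypts in place without renaming, passes it, so the list has to be kept current.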