Network and Storage Protocols

cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Network and Storage Protocols

Ask a Question

Ransomware/Cryptoware prevention

connoisseur
‎2015-02-24 06:29 AM
11,241 Views

Hi!

 

Recently one of our customers was hit by a ransomware/cryptoware.

The have a NAS server with CIFS which holds home and common folders.

 

A couple of clients in the customer environment got some suspicious emails that they probably opened.

And their client AND all mapped shares on the NAS server was then encrypted (all MS Office files changed the file names)

 

They didn´t wanna do a restore on the whole volume, as they didn´t wanna loose any progress of the files NOT affected.

So what we ended up doing was to do a vol clone on the snapshot created the day before the incident and then run a powershell script to scan/delete and replace the affected files with the clone as source.

 

 

Now we had a "lessons learned" meeting with the customer, and they was wondering how to prevent a simular attack.

 

  • Is there a function to get alert, if a client changes alot of files in a short time period
  • Is there a function to prevent executable files to change files on NAS folders

 

Is there any other options/ideas to implement to prevent these attacks?

 

0 Kudos
View By:
3 REPLIES 3

connoisseur
‎2015-12-15 07:11 AM
10,557 Views

We had a couple of more incidnets with ransomware.

 

I thought of fpolicy.

Can we create an fpolicy to prevent someone to encrypt the files.

All files are left, but they are named file.encrypted instead of file.excel for exampel.

 

Does anyone know how the ransom engine works.

Does it copy the original file and paste an ecrypted version?

Or does it just rename it?

 

if it copys and replace it.. I don´t think a fpolicy is goog, because then it can remove all files and the option to get lists with affected files are then gone.

If it only renames it, it might work

 

thoughts?

0 Kudos

maxuptime
‎2016-02-26 01:25 AM
In response to connoisseur
10,262 Views

Have a look of this blog :

 

http://www.tobbis-blog.de/netapp-ontap-fileserver-gegen-ransomware-abschotten/

 

Regards

Stefan

0 Kudos

maxuptime
‎2016-02-26 01:38 AM
In response to maxuptime
10,260 Views

now i tested the fpolicy and it works fine:

 

nodeb> fpolicy create f_Ransomware screen
File policy f_Ransomware created successfully.
nodeb> fpolicy ext inc set f_Ransomware locky,xxx,zzz
nodeb> fpolicy monitor set f_Ransomware -p cifs,nfs create,rename
nodeb> fpolicy options f_Ransomware required on
nodeb> fpolicy enable f_Ransomware
Warning: User requests may be denied because there are no file screening servers registered with the filer. Are you sure? y
File policy f_Ransomware (file screening) is enabled.

now you can´t rename or create any files with extension lockyxxx,zzz

 

regards

stefan

 

0 Kudos
Announcements
All Community Forums
Public