
First to say: I know I need a backup and I have one of course, but my question isn't about the safety of the data but about how to reduce the time that might be needed to restore data.

I'm already limiting the write access of all users as far as I can to prevent a situation where one infected host would be able to encrypt all data in the worst case. Also, it is relatively unlikely that the file server itself gets infected, because the only services accessible from the workstations are the SMB shares.

What I would like to have is a way to detect malicious behavior and prevent further damage if possible. For example, when a client opens and changes files rapidly in a systematic way, wouldn't this be a clear sign of ransomware, and isn't there a way to prevent this?

techraf

davidb
  • `For example when a client opens and changes files rapidly in a systematic way wouldn't this be a clear sign of ransomware` Well, for one thing, define "rapidly", as encrypting large files in serial is not particularly rapid, and for another, no, it's just an indication that there are probably programmatic file operations going on, of which ransomware is only one example. `and isn't there a way to prevent this?` Sure. Define batch file operations, then rate-limit or block them, which will cause bigger problems for you. – HopelessN00b Jun 14 '16 at 20:27
  • Detecting suspicious file access patterns and rolling back changes is a feature of [some antivirus programs](https://www.youtube.com/watch?v=iX9Ajl8j1Ls). However, I'm not aware of a free standalone solution. – tlng05 Jun 14 '16 at 20:48

2 Answers


Many file-encrypting ransomware viruses add some "unique" file extension to the name of the affected file and leave a "manual" of how to decrypt the files in the affected directories. This is one of the easiest ways to detect them.

On Windows file servers you can set up the File Server Resource Manager to look for those files and block their creation or send e-mail alerts. For Unix servers there are probably already some scripts. Here's a Reddit thread talking about this: https://www.reddit.com/r/sysadmin/comments/46361k/list_of_ransomware_extensions_and_known_ransom/

You won't catch all of the ransomware viruses of course, but you have a high chance of catching the common ones.

If you detect an encrypted file, you can take actions like blocking the user that created/edited the file and/or sending some alerts, etc.

Knorke
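As an added illustration of the extension/ransom-note detection described in this answer (example code, not the answer author's), the script below classifies writes from a constructed file-server write log and picks out the users whose access should be blocked and alerted on. The indicator set, the log format and the threshold are assumptions for the example; a real deployment would load a maintained list such as the one linked above.

```python
import os
import re
from collections import defaultdict

# Illustrative indicator subset (assumed for this example, not a complete list).
RANSOM_EXTENSIONS = {".locky", ".zepto", ".crypt"}
# Ransom "manuals" are usually small text/HTML files whose names advertise decryption.
RANSOM_NOTE_RE = re.compile(r"(decrypt|recover|restore).*\.(txt|html?|hta)$", re.I)

# Constructed sample of a file-server write log: "<timestamp> <user> <UNC path>".
SAMPLE_LOG = """\
2016-06-14T20:27:01 alice \\\\fs01\\finance\\q2_budget.xlsx
2016-06-14T20:27:02 alice \\\\fs01\\finance\\q2_budget.xlsx.locky
2016-06-14T20:27:02 alice \\\\fs01\\finance\\_HELP_instructions_decrypt.html
2016-06-14T20:27:03 bob \\\\fs01\\hr\\onboarding.docx
2016-06-14T20:27:04 alice \\\\fs01\\finance\\invoices\\inv-001.pdf.locky
"""

def classify(path):
    """Return 'extension', 'ransom_note', or None for one written file path."""
    name = path.rsplit("\\", 1)[-1]
    if os.path.splitext(name)[1].lower() in RANSOM_EXTENSIONS:
        return "extension"
    if RANSOM_NOTE_RE.search(name):
        return "ransom_note"
    return None

def scan_log(text):
    """Group indicator hits per user: {user: {'hits': n, 'dirs': set, 'kinds': set}}."""
    report = defaultdict(lambda: {"hits": 0, "dirs": set(), "kinds": set()})
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, user, path = line.split(" ", 2)
        kind = classify(path)
        if kind:
            entry = report[user]
            entry["hits"] += 1
            entry["dirs"].add(path.rsplit("\\", 1)[0])  # affected directory
            entry["kinds"].add(kind)
    return dict(report)

def users_to_block(report, min_hits=2):
    """Users at or above the threshold are candidates for an SMB block plus an alert."""
    return sorted(user for user, entry in report.items() if entry["hits"] >= min_hits)

if __name__ == "__main__":
    findings = scan_log(SAMPLE_LOG)
    for user in users_to_block(findings):
        print(user, findings[user]["hits"], sorted(findings[user]["dirs"]))
```

The threshold keeps a single stray match (a user legitimately saving a "restore_notes.txt") from triggering a block; the directory set tells you where to look first when restoring from backup or snapshot.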

The best way that I would recommend would be to use a storage solution that offers block-level storage vs. file-system-level storage. Many SAN solutions, and shinier cluster-based storage solutions like Gluster and Ceph, offer periodic snapshots of the storage blocks. Got ransomware? Roll back to your most recent snapshot. Poof, no harm done. (After you purge the infected host, of course.)

As far as stopping ransomware, solid user education goes a long way towards preventing such things from entering your network. You can also ban the transit of executable file types via e-mail, since most ransomware is virus-like, requiring user action. I heard of one ransomware worm, zcrypt, though it seems its impact has been pretty minimal and it is detected by several anti-virus solutions.

Desthro