
I want to protect a Windows file server from Locky or other ransomware. Therefore I already created a rule on the server to stop the file server whenever someone tries to create a .locky etc. file.

But the guys who create those trojans are not dumb and just use new file endings, so the idea is to stop the file server when there are massive file writes and removals, because ransomware takes a file, encrypts it, saves it as a new file and removes the old file. This behaviour is typical for ransomware and should be possible to spot.

Therefore I have a Linux machine, which has the Windows file server mounted at /mnt/foo.

But now there's the problem: how can I permanently scan this folder for massive file writes/removals?

hope you can help ;)

lemon

1 Answer


That sounds like the type of thing you'd need to write your own software to do, iterating through files and taking notes when things change (files appearing or disappearing). If the number of changes over time exceeds average use by some threshold, then take action.

However, this is susceptible to some serious problems. For example, say I'm a user on your system and I copy over a folder with a large number of files for the newest version of some program. I then delete the old version I had previously copied to the server, and I'm locked out because I just did massive file writes and removals. There isn't a good way to differentiate between that usage.

So we come to the real underlying question, "What is the best way to protect a Windows file server from ransomware?" and the answer is really simple. Good backups. Since you already have the data you want to protect mounted on that Linux machine, I'd do backups there. Limit access to the backup server, and don't surf the web on it. If and when things go wrong, just go back to a backup where things weren't wrong.

  • +1 Outside of backups, storage-level snapshots (not on-volume VSS) can really help with ransomware recovery. – jscott Sep 08 '16 at 00:24
  • I know it's not the best way, but I've got the task to do it that way so I don't really have a chance. Daily backups are done anyway. – lemon Sep 08 '16 at 06:07
  • If daily backups are being done, you should be in a good position already, so then if you or anyone on this project is a capable programmer, I'd take this to Stack Overflow as a programming question. The hardest part of it all is distinguishing between legitimate user actions and illegitimate ransomware. I'd consider making honeypots of a sort. Folders full of files you know nobody should change, and if a user changes anything in those folders, you log it and disconnect their access to the server. But it's still something you'd have to program yourself. – Andrew Hendrix Sep 08 '16 at 16:35
  • ok thanks for that hint. the idea behind this is to keep as many files as possible alive to make the backup process faster ;) – lemon Sep 09 '16 at 06:37
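Below is an added example (not code from the question, the answer, or any product) of the two detection ideas raised in this thread: polling the mounted share for bursts of file creations, deletions and modifications within a sliding time window, and checking a set of canary files that no legitimate user should ever touch. The mount point /mnt/foo comes from the question; the polling interval, window length, change threshold and the `.canary*` naming scheme are assumptions, and `main()` only prints the alert where the asker would hook in the action that stops the share.

```python
"""Poll a mounted share for bursts of create/delete/modify activity and for
tampered canary files.  Added defensive example; paths and thresholds are
assumptions, not values from the thread."""
import hashlib
import os
import time
from collections import deque
from pathlib import Path

WATCH_ROOT = Path("/mnt/foo")   # mount point named in the question
POLL_SECONDS = 30               # assumed polling interval
WINDOW_SECONDS = 300            # assumed sliding window for the change rate
CHANGE_THRESHOLD = 500          # assumed churn per window that counts as "massive"


def snapshot(root):
    """Map every regular file under root to (size, mtime_ns).  Entries that
    vanish mid-walk are skipped so the scan is not aborted by a racing delete."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
            except OSError:
                continue
            state[path] = (st.st_size, st.st_mtime_ns)
    return state


def diff_snapshots(old, new):
    """Return (created, deleted, modified) path sets between two snapshots.
    Encrypt-then-replace behaviour shows up as many created+deleted pairs."""
    created = set(new) - set(old)
    deleted = set(old) - set(new)
    modified = {p for p in set(old) & set(new) if old[p] != new[p]}
    return created, deleted, modified


class ChangeRateMonitor:
    """Sliding-window counter of file changes over the last `window` seconds."""

    def __init__(self, window, threshold):
        self.window = window
        self.threshold = threshold
        self.events = deque()   # (timestamp, change_count)

    def record(self, count, now):
        self.events.append((now, count))
        while self.events and self.events[0][0] < now - self.window:
            self.events.popleft()

    def total(self):
        return sum(c for _, c in self.events)

    def exceeded(self):
        return self.total() >= self.threshold


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def tampered_canaries(expected):
    """expected: {path: sha256 hex}.  Returns canaries that are missing or whose
    content changed; legitimate users are never supposed to touch these files."""
    bad = []
    for path, digest in expected.items():
        try:
            if sha256_file(path) != digest:
                bad.append(path)
        except OSError:
            bad.append(path)
    return bad


def assess(old, new, monitor, canaries, now):
    """Combine the rate signal and the canary signal into one verdict dict."""
    created, deleted, modified = diff_snapshots(old, new)
    monitor.record(len(created) + len(deleted) + len(modified), now)
    bad = tampered_canaries(canaries)
    reasons = []
    if monitor.exceeded():
        reasons.append(f"{monitor.total()} changes in {monitor.window}s")
    if bad:
        reasons.append(f"canary tampered: {sorted(bad)}")
    return {"alert": bool(reasons), "reasons": reasons,
            "created": len(created), "deleted": len(deleted), "modified": len(modified)}


def main():
    # Assumed convention: canary files are named .canary* anywhere under the share.
    canaries = {str(p): sha256_file(p) for p in WATCH_ROOT.glob("**/.canary*")}
    old = snapshot(WATCH_ROOT)
    monitor = ChangeRateMonitor(WINDOW_SECONDS, CHANGE_THRESHOLD)
    while True:
        time.sleep(POLL_SECONDS)
        new = snapshot(WATCH_ROOT)
        verdict = assess(old, new, monitor, canaries, time.time())
        if verdict["alert"]:
            print("ALERT:", "; ".join(verdict["reasons"]))  # hook the share-stop action here
        old = new


if __name__ == "__main__":
    main()
```

Polling is used rather than inotify because inotify on a CIFS/SMB mount does not report changes made by other clients of the share. The canary check is the cheaper and more reliable of the two signals, since it is immune to the "user copies a new program version and deletes the old one" false positive the answer describes; the rate threshold still needs tuning against the share's normal churn before it is allowed to trigger anything.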