[Samba] Ransomware?

peter lawrie peter.lawrie at glendiscovery.co.uk
Sun May 15 21:30:07 UTC 2016


I had to deal with ransomware at the end of April. One of the PCs on my
customer's network was infected by opening a realistic looking email
apparently from a genuine supplier to the company and personally addressed.
The infection occurred on Wednesday, but encryption of the server only took
place late on Friday afternoon, presumably having obtained encryption keys
from the criminals. The malware did not encrypt documents on the infected
PC, but documents and spreadsheets in every folder on the samba shares were
encrypted. Fortunately the backup to rdx disk was working (On my previous
visit to the customer the backup had NOT been working and nobody had
noticed!).
I used Linux 'cp -npr' to restore missing files and

find / -name "*.crypt" -type f -delete [deletes all files *.crypt]

find / -name "*de-crypt*" -type f -delete [deletes ransom message from
every directory which had contained encrypted files]


The answer to the question is take extreme care with incoming emails and
always make sure the backups are working.

Peter

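The clean-up Peter describes, as an added example that is not part of the original post: a small POSIX shell script that removes the encrypted copies and the ransom notes beneath a named share only (rather than searching from /, which would also walk a still-mounted backup), reports how many of each it removed for the incident record, and then restores from the last good backup only those files that are missing from the share, which is the effect of cp -n. The share and backup paths, the .crypt extension and the de-crypt note pattern are assumptions taken from the post and should be adjusted to the strain actually observed.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the file patterns the
# post reports: encrypted copies end in .crypt and the ransom note contains
# "de-crypt". Adjust both to what the incident actually shows.
set -eu

CRYPT_GLOB='*.crypt'
NOTE_GLOB='*de-crypt*'

# count_matches DIR GLOB: number of regular files under DIR matching GLOB.
count_matches() {
    find "$1" -type f -name "$2" | wc -l | tr -d ' '
}

# survey_share SHARE_DIR: report what the cleanup would remove, without
# deleting anything. Prints "<encrypted> <notes>"; run this first and keep
# the listing for the incident record.
survey_share() {
    echo "$(count_matches "$1" "$CRYPT_GLOB") $(count_matches "$1" "$NOTE_GLOB")"
}

# cleanup_share SHARE_DIR: delete encrypted copies and ransom notes beneath
# SHARE_DIR only. Searching from / (as in the post) would also walk the
# backup mount if it is still attached, so the scope is limited to the share.
# Prints the counts removed.
cleanup_share() {
    share="$1"
    removed=$(survey_share "$share")
    find "$share" -type f -name "$CRYPT_GLOB" -delete
    find "$share" -type f -name "$NOTE_GLOB" -delete
    echo "$removed"
}

# restore_share BACKUP_DIR SHARE_DIR: copy back only files that are absent
# from the share, preserving timestamps (what cp -npr does in the post,
# written out per file so the exit status does not depend on the cp build).
# Files that survived on the share are never overwritten.
restore_share() {
    backup="$1"
    share="$2"
    find "$backup" -type f | while IFS= read -r src; do
        rel="${src#"$backup"/}"
        dst="$share/$rel"
        if [ ! -e "$dst" ]; then
            mkdir -p "$(dirname "$dst")"
            cp -p "$src" "$dst"
        fi
    done
}
```

Typical use is `survey_share /srv/samba/shared` to confirm the patterns match only what was damaged, `cleanup_share /srv/samba/shared` once the backup has been verified, then `restore_share /mnt/rdx/shared /srv/samba/shared`. Because the restore skips anything already present, files the malware never touched keep their current version rather than reverting to the backup copy.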

On 15 May 2016 at 21:00, Andrew Bartlett <abartlet at samba.org> wrote:

> On Sat, 2016-05-14 at 22:42 -0700, ToddAndMargo wrote:
> > Hi All,
> >
> > Is there anything in Samba that will help protect
> > against ransomware?
>
> I've not had to look into this properly, but I would suggest
> regular and genuinely offline backups and regular read-only snapshots.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett                       http://samba.org/~abartlet/
> Authentication Developer, Samba Team  http://samba.org
> Samba Developer, Catalyst IT
> http://catalyst.net.nz/services/samba
>

