[Samba] Ransomware?

ToddAndMargo ToddAndMargo at zoho.com
Mon May 16 05:32:28 UTC 2016


 >> On Sat, 2016-05-14 at 22:42 -0700, ToddAndMargo wrote:
 >>> Hi All,
 >>>
 >>> Is there anything in Samba that will help protect
 >>> against ransomware?
 >>
 >> I've not had to look into this properly, but I would suggest that
 >> regular and genuinely offline backups and regular Read Only snapshots.
 >>
 >> Andrew Bartlett
 >>
 >> --
 >> Andrew Bartlett                       http://samba.org/~abartlet/
 >> Authentication Developer, Samba Team  http://samba.org
 >> Samba Developer, Catalyst IT
 >> http://catalyst.net.nz/services/samba
 >>

On 05/15/2016 02:30 PM, peter lawrie wrote:
> I had to deal with ransomware at the end of April. One of the PCs on my
> customer's network was infected by opening a realistic looking email
> apparently from a genuine supplier to the company and personally addressed.
> The infection occurred on Wednesday, but encryption of the server only took
> place late on Friday afternoon, presumably having obtained encryption keys
> from the criminals. The malware did not encrypt documents on the infected
> PC, but documents and spreadsheets in every folder on the samba shares were
> encrypted. Fortunately the backup to rdx disk was working (On my previous
> visit to the customer the backup had NOT been working and nobody had
> noticed!).
>   I used linux 'cp -npr' to restore missing files and
>
> find / -name “*.crypt” –type f –delete [deletes all files *.crypt]
>
> find / -name “*de-crypt*” –type f –delete [deletes ransom message from
> every directory which had contained encrypted files]
>
>
> The answer to the question is take extreme care with incoming emails and
> always make sure the backups are working.
>
> Peter
>
>
> On 15 May 2016 at 21:00, Andrew Bartlett <abartlet at samba.org> wrote:
>

Thank you!

May I surmise that all the encrypted file now have
an extra extension of ".crypt"?  So it is easy to
see who got clobbered.








More information about the samba mailing list