[Samba] Ransomware?
ToddAndMargo
ToddAndMargo at zoho.com
Mon May 16 05:32:28 UTC 2016
>> On Sat, 2016-05-14 at 22:42 -0700, ToddAndMargo wrote:
>>> Hi All,
>>>
>>> Is there anything in Samba that will help protect
>>> against ransomware?
>>
>> I've not had to look into this properly, but I would suggest
>> regular and genuinely offline backups and regular Read Only snapshots.
>>
>> Andrew Bartlett
>>
>> --
>> Andrew Bartlett http://samba.org/~abartlet/
>> Authentication Developer, Samba Team http://samba.org
>> Samba Developer, Catalyst IT
>> http://catalyst.net.nz/services/samba
>>
On 05/15/2016 02:30 PM, peter lawrie wrote:
> I had to deal with ransomware at the end of April. One of the PCs on my
> customer's network was infected by opening a realistic looking email
> apparently from a genuine supplier to the company and personally addressed.
> The infection occurred on Wednesday, but encryption of the server only took
> place late on Friday afternoon, presumably having obtained encryption keys
> from the criminals. The malware did not encrypt documents on the infected
> PC, but documents and spreadsheets in every folder on the Samba shares were
> encrypted. Fortunately the backup to RDX disk was working (on my previous
> visit to the customer the backup had NOT been working and nobody had
> noticed!).
> I used Linux 'cp -npr' to restore missing files and
>
> find / -name "*.crypt" -type f -delete [deletes all files *.crypt]
>
> find / -name "*de-crypt*" -type f -delete [deletes ransom message from
> every directory which had contained encrypted files]
>
>
> The answer to the question is take extreme care with incoming emails and
> always make sure the backups are working.
>
> Peter
>
>
> On 15 May 2016 at 21:00, Andrew Bartlett <abartlet at samba.org> wrote:
>
Thank you!
May I surmise that all the encrypted files now have
an extra extension of ".crypt"? So it is easy to
see who got clobbered.
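
Added example, not part of the original thread: a check-before-delete version of the restore-then-clean-up procedure described above, scoped to a share root instead of `/`. It assumes each encrypted copy is named `<original>.crypt` and that ransom notes match `*de-crypt*`; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumptions: encrypted copies are "<original>.crypt" and
# ransom notes match "*de-crypt*" (the two patterns used in the thread).
# File names containing newlines are not handled by the line-based output.

# List encrypted copies under share root $1, filtered by mode $2:
#   missing  = original is still absent, restore it from backup first
#   restored = original is back, the encrypted copy is safe to remove
crypt_files() {
    find "$1" -xdev -type f -name '*.crypt' -exec sh -c '
        mode=$1; shift
        for enc in "$@"; do
            if [ -e "${enc%.crypt}" ]; then state=restored; else state=missing; fi
            if [ "$state" = "$mode" ]; then printf "%s\n" "$enc"; fi
        done' sh "$2" {} +
}

# List ransom notes under share root $1.
ransom_notes() {
    find "$1" -xdev -type f -name '*de-crypt*' -print
}

# Delete encrypted copies and ransom notes, but only once nothing is missing.
cleanup_share() {
    missing=$(crypt_files "$1" missing)
    if [ -n "$missing" ]; then
        printf 'not deleting, originals still missing:\n%s\n' "$missing" >&2
        return 1
    fi
    find "$1" -xdev -type f \( -name '*.crypt' -o -name '*de-crypt*' \) -delete
}

# Constructed sample share: one restored file, one not yet restored.
make_sample_share() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/accounts" "$root/sales"
    echo data > "$root/accounts/ledger.xls"          # restored from backup
    echo junk > "$root/accounts/ledger.xls.crypt"
    echo junk > "$root/sales/quote 7.doc.crypt"      # original still missing
    echo pay  > "$root/sales/how-to-de-crypt.txt"    # ransom note
    printf '%s\n' "$root"
}

share=$(make_sample_share)
echo "still to restore:"; crypt_files "$share" missing
echo "ransom notes:";     ransom_notes "$share"
cleanup_share "$share" || echo "cleanup refused until restore is complete"
rm -rf "$share"
```

The `missing` list doubles as a record of which directories were hit and which files the backup did not cover, so it is worth saving before any deletion.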