[Samba] Ransomware?

barış tombul bbtombul at gmail.com
Tue May 17 10:59:47 UTC 2016


Ransomware Overview:
https://docs.google.com/spreadsheets/d/1q_VSJoSwTv2L29HXouXm-muVfYtzX-VeAuzJUgICIUs/pubhtml

.mp3 even got inside.  (I used fail2ban.)

best regards



2016-05-17 12:01 GMT+03:00 Reindl Harald <h.reindl at thelounge.net>:

>
>
> On 17.05.2016 at 09:47, Fabian Cenedese wrote:
>
>>
>> On 16.05.2016 at 07:32, ToddAndMargo wrote:
>>>
>>>> May I surmise that all the encrypted file now have
>>>> an extra extension of ".crypt"?  So it is easy to
>>>> see who got clobbered.
>>>>
>>>
>>> how do you come to that conclusion and even if some malware acts that
>>> way what makes you sure you can rely on that? IMHO it would only be so when
>>> the developer of the ransomware is a fool!
>>>
>>> why should he give you something to make a "locate .crypt" on the
>>> fileserver and backups easy?
>>>
>>
>> So far most of the ransomware rename the encrypted files and place files
>> with instructions with constant names. They don't want to hide the fact
>> that the files are encrypted. No, they want you to know that they are and
>> that you have to pay to get them back. That's why it's called ransomware.
>> Of course for people with backups this makes life a little easier. But for
>> the others...
>>
>>
>> https://www.reddit.com/r/sysadmin/comments/46361k/list_of_ransomware_extensions_and_known_ransom/
>>
>
> "so far most" != you can rely on
>
> "They don't want to hide the fact that the files are encrypted. No, they
> want you to know that they are" *yes but* when they are finished and not
> right after starting to encrypt where not many files are affected and
> backups still in place
>
> what they *really* want is act in the background and get caught as late as
> possible when all your backups contain encrypted versions of important
> documents
>
>
>
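
An added example, not part of the thread or written by any of its participants: a scan of Samba audit-log lines that applies the two name-based checks discussed above (a known extension such as ".crypt", a ransom note with a constant name) next to a rename-rate check that does not depend on any name list. The log line shape (epoch timestamp, then user|ip|operation|ok|paths, as a vfs_full_audit prefix of %u|%I might produce), the note filename, the thresholds and the sample lines are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# ".crypt" is the extension named in the thread; extend from a maintained list.
KNOWN_EXTENSIONS = {".crypt"}
KNOWN_NOTE_NAMES = {"readme_ransom_note.txt"}  # constructed placeholder name
BURST_LIMIT, BURST_WINDOW = 3, 10  # renames per client within N seconds (assumed)

# Assumed line shape: "<epoch> smbd_audit: user|ip|operation|ok|path[|newpath]"
LINE = re.compile(r"^(\d+) smbd_audit: ([^|]*)\|([^|]*)\|(\w+)\|ok\|(.*)$")

def scan(lines):
    """Return {client_ip: set of reasons} for clients that look suspicious."""
    hits = defaultdict(set)
    renames = defaultdict(list)  # client_ip -> timestamps of recent renames
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ts, _user, ip, op, rest = m.group(1, 2, 3, 4, 5)
        target = rest.split("|")[-1].lower()   # last path = rename destination
        name = target.rsplit("/", 1)[-1]
        if target.endswith(tuple(KNOWN_EXTENSIONS)):
            hits[ip].add("known-extension")
        if name in KNOWN_NOTE_NAMES:
            hits[ip].add("ransom-note")
        if op in ("rename", "renameat"):
            # Name-independent check: many renames from one client in a short span.
            recent = [t for t in renames[ip] if int(ts) - t < BURST_WINDOW] + [int(ts)]
            renames[ip] = recent
            if len(recent) >= BURST_LIMIT:
                hits[ip].add("rename-burst")
    return dict(hits)

# Constructed sample log lines (not taken from a real server).
SAMPLE = [
    "1463480000 smbd_audit: alice|10.0.0.5|rename|ok|/srv/share/a.doc|/srv/share/a.doc.crypt",
    "1463480002 smbd_audit: alice|10.0.0.5|open|ok|/srv/share/README_RANSOM_NOTE.txt",
    "1463480100 smbd_audit: bob|10.0.0.7|rename|ok|/srv/share/old.txt|/srv/share/new.txt",
    "1463480200 smbd_audit: carol|10.0.0.9|rename|ok|/srv/share/1.xls|/srv/share/1.xls.x7q2",
    "1463480201 smbd_audit: carol|10.0.0.9|rename|ok|/srv/share/2.xls|/srv/share/2.xls.x7q2",
    "1463480203 smbd_audit: carol|10.0.0.9|rename|ok|/srv/share/3.xls|/srv/share/3.xls.x7q2",
]

if __name__ == "__main__":
    for ip, reasons in sorted(scan(SAMPLE).items()):
        print(ip, sorted(reasons))
```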

