[Samba] Ransomware?

Klaus Hartnegg hartnegg at uni-freiburg.de
Thu May 19 17:33:14 UTC 2016

On 17.05.2016 at 15:38 Elias Pereira wrote:
> I'm not aware of the last, but in previous versions, ransomware encrypt all
> files and after this he delete original files. If you have a trash/recycle
> configured, you can recover these files.

We should better not rely on that. I read that ransomware overwrites 
only the first kilobyte in the files. This probably does not trigger 
samba to create a copy of the original in the recycle bin.

But more and more Linux distributions come with ZFS filesystem. That can 
create snapshots, which are readonly, as long as the malware has no root 
access to Linux. If it sees the file server only via Samba, it cannot 
modify the files in the snapshots.

More information about the samba mailing list