hartnegg at uni-freiburg.de
Thu May 19 17:33:14 UTC 2016
On 17.05.2016 at 15:38 Elias Pereira wrote:
> I'm not aware of the last, but in previous versions, ransomware encrypt all
> files and after this he delete original files. If you have a trash/recycle
> configured, you can recover these files.
We should better not rely on that. I read that ransomware overwrites
only the first kilobyte in the files. This probably does not trigger
samba to create a copy of the original in the recycle bin.
But more and more Linux distributions come with ZFS filesystem. That can
create snapshots, which are readonly, as long as the malware has no root
access to Linux. If it sees the file server only via Samba, it cannot
modify the files in the snapshots.
More information about the samba