I had to deal with ransomware at the end of April. One of the PCs on my customer's network was infected by opening a realistic-looking email, apparently from a genuine supplier to the company and personally addressed. The infection occurred on Wednesday, but encryption of the server only took place late on Friday afternoon, presumably having obtained encryption keys from the criminals. The malware did not encrypt documents on the infected PC, but documents and spreadsheets in every folder on the Samba shares were encrypted. Fortunately the backup to RDX disk was working (on my previous visit to the customer the backup had NOT been working and nobody had noticed!).

I used Linux 'cp -npr' to restore missing files and

    find / -name "*.crypt" -type f -delete        [deletes all files *.crypt]

    find / -name "*de-crypt*" -type f -delete     [deletes ransom message from every directory which had contained encrypted files]

The answer to the question is take extreme care with incoming emails and always make sure the backups are working.

Peter

On 15 May 2016 at 21:00, Andrew Bartlett <abartlet at samba.org> wrote:
> On Sat, 2016-05-14 at 22:42 -0700, ToddAndMargo wrote:
> > Hi All,
> >
> > Is there anything in Samba that will help protect
> > against ransomware?
>
> I've not had to look into this properly, but I would suggest that
> regular and genuinely offline backups and regular Read Only snapshots.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett http://samba.org/~abartlet/
> Authentication Developer, Samba Team http://samba.org
> Samba Developer, Catalyst IT
> http://catalyst.net.nz/services/samba
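The cleanup-and-restore procedure Peter describes, written out as an added example (this is not Peter's script, and the ".crypt" and "*de-crypt*" names are taken from his post; other ransomware families use other names). It differs from the one-liners above in two ways a practitioner would want: it is scoped to the share root rather than "/", so a stray match elsewhere on the system cannot be deleted, and it has a listing pass that shows what would be removed before anything is touched. The restore step is the long-hand form of Peter's "cp -npr": it only fills in files that are missing from the share and never overwrites a file that survived, so documents edited after the last backup are kept. SHARE and BACKUP paths are assumptions supplied by the caller.

```shell
#!/bin/sh
# Added example, not from the original post. Cleanup of ransomware
# residue on a Samba share and restore of missing files from a backup
# copy. Names "*.crypt" and "*de-crypt*" are those reported in the
# thread; adjust for the family you are dealing with.

# Print the files a cleanup would remove, without touching anything.
# Run this first and read the list before calling remove_ransomware_files.
list_ransomware_files() {
    share="$1"
    find "$share" -type f \( -name '*.crypt' -o -name '*de-crypt*' \)
}

# Remove encrypted copies and ransom notes under the share root only
# (never under "/", so nothing outside the share can match).
remove_ransomware_files() {
    share="$1"
    find "$share" -type f \( -name '*.crypt' -o -name '*de-crypt*' \) -delete
}

# Restore every file that exists in the backup tree but is missing from
# the share, preserving mode and timestamps. Files still present on the
# share are left alone, which is what "cp -npr backup/. share/" does,
# spelled out so the no-clobber behaviour does not depend on the cp
# implementation in use.
restore_missing_from_backup() {
    backup="$1"; share="$2"
    ( cd "$backup" && find . -type f ) | while IFS= read -r rel; do
        if [ ! -e "$share/$rel" ]; then
            mkdir -p "$share/$(dirname "$rel")"
            cp -p "$backup/$rel" "$share/$rel"
        fi
    done
}

# Count regular files below a directory; used to check the result.
count_files() {
    find "$1" -type f | wc -l | tr -d ' '
}
```

Typical order on a real incident: take the share offline for SMB clients first (the infected PC was still on the network in Peter's case), run list_ransomware_files and keep its output as evidence, then remove and restore. Anything that was created after the last backup and then encrypted is not recoverable this way, which is the argument for the frequent read-only snapshots Andrew suggests.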
iSCSI can't be encrypted.

On Sun, May 15, 2016 at 3:30 PM, peter lawrie <peter.lawrie at glendiscovery.co.uk> wrote:
> I had to deal with ransomware at the end of April. One of the PCs on my
> customer's network was infected by opening a realistic-looking email
> apparently from a genuine supplier to the company and personally addressed.
> [...]
> The answer to the question is take extreme care with incoming emails and
> always make sure the backups are working.
>
> Peter
I like to put my Samba server on ZFS and take hourly snapshots. While the main share can be encrypted, the snapshots will remain intact. Currently I am using FreeBSD but will be starting a test server on Debian with ZFS.

aF

> On 16 May 2016, at 9:05 am, jacek burghardt <jaceksburghardt at gmail.com> wrote:
>
> iSCSI can't be encrypted.
>
> On Sun, May 15, 2016 at 3:30 PM, peter lawrie <peter.lawrie at glendiscovery.co.uk> wrote:
> [...]
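The hourly snapshot setup aF describes, as an added example that is not aF's own job: a cron-style script that takes a ZFS snapshot of the dataset behind the share and prunes its own snapshots down to a retention count. ZFS snapshots are read-only by construction, so a client that can write to the live share over SMB cannot modify or delete them; only root on the file server can. The dataset name "tank/shares", the "hourly" prefix and the retention of 48 are assumptions. The selection of snapshots to destroy is kept in a separate function that works on the text "zfs list" prints, so the policy can be checked without a pool.

```shell
#!/bin/sh
# Added example, not from the original post. Hourly ZFS snapshot with
# retention, intended to run from cron on the Samba file server.
# Assumed values; override them in the environment.
DATASET="${DATASET:-tank/shares}"   # dataset backing the share (assumed)
PREFIX="${PREFIX:-hourly}"          # snapshot name prefix (assumed)
KEEP="${KEEP:-48}"                  # keep two days of hourly snapshots (assumed)
ZFS="${ZFS:-zfs}"                   # set ZFS=echo for a dry run

# Build the snapshot name for a timestamp of the form YYYY-mm-dd_HHMM.
snapshot_name() {
    printf '%s@%s-%s\n' "$DATASET" "$PREFIX" "$1"
}

# Read newline-separated snapshot names in oldest-first order, as printed
# by "zfs list -H -t snapshot -o name -s creation -r DATASET", keep only
# the ones this job created (matching prefix, this dataset only, not its
# children), and print those beyond the retention count, oldest first.
# Manually taken snapshots with other names are never selected.
select_for_destroy() {
    keep="$1"
    grep "^$DATASET@$PREFIX-" | awk -v keep="$keep" '
        { names[NR] = $0 }
        END { for (i = 1; i <= NR - keep; i++) print names[i] }'
}

# Take this hour's snapshot, then destroy the excess old ones.
rotate() {
    now=$(date +%Y-%m-%d_%H%M)
    "$ZFS" snapshot "$(snapshot_name "$now")"
    "$ZFS" list -H -t snapshot -o name -s creation -r "$DATASET" \
        | select_for_destroy "$KEEP" \
        | while IFS= read -r snap; do
            "$ZFS" destroy "$snap"
        done
}
```

Two caveats. Retention has to outlast the detection delay: in Peter's case the server was encrypted late on a Friday, so 48 hourly snapshots would be gone by Monday morning if nobody looked over the weekend; keeping a daily tier as well is cheap. And snapshots on the same pool are not a backup: they protect against a client encrypting the share, not against loss of the server, so they complement the offline copy Andrew recommends rather than replace it. Samba's shadow_copy2 VFS module can expose these snapshots to Windows clients as "Previous Versions", which lets users restore their own files without being able to alter the snapshots.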
On Sun, May 15, 2016 at 6:37 PM jacek burghardt <jaceksburghardt at gmail.com> wrote:
> iSCSI can't be encrypted.

iSCSI is a block-level storage transport, so that's not relevant. Files on a filesystem on iSCSI shared via Samba can still be encrypted. The only thing Samba can add is easier snapshots and backups that the client PCs don't have access to, so it makes recovering easier. Prevention is all on the client side.
On 16.05.2016 at 01:05, jacek burghardt wrote:
> iSCSI can't be encrypted.

What has this to do with Samba, and who has iSCSI (SAN) on the normal network instead of a separate storage network, or, in the case of a small VMware cluster with 2 hosts, even just 2 network cables from each host to the SAN storage with no switch at all?

> On Sun, May 15, 2016 at 3:30 PM, peter lawrie <peter.lawrie at glendiscovery.co.uk> wrote:
>
> > I had to deal with ransomware at the end of April. One of the PCs on my
> > customer's network was infected by opening a realistic-looking email
> > apparently from a genuine supplier to the company and personally addressed.
> > [...]
> > The answer to the question is take extreme care with incoming emails and
> > always make sure the backups are working.
On 05/15/2016 02:30 PM, peter lawrie wrote:
> I had to deal with ransomware at the end of April. One of the PCs on my
> customer's network was infected by opening a realistic-looking email
> apparently from a genuine supplier to the company and personally addressed.
> The infection occurred on Wednesday, but encryption of the server only took
> place late on Friday afternoon, presumably having obtained encryption keys
> from the criminals. The malware did not encrypt documents on the infected
> PC, but documents and spreadsheets in every folder on the Samba shares were
> encrypted. Fortunately the backup to RDX disk was working (on my previous
> visit to the customer the backup had NOT been working and nobody had
> noticed!).
> I used Linux 'cp -npr' to restore missing files and
>
> find / -name "*.crypt" -type f -delete [deletes all files *.crypt]
>
> find / -name "*de-crypt*" -type f -delete [deletes ransom message from
> every directory which had contained encrypted files]
>
> The answer to the question is take extreme care with incoming emails and
> always make sure the backups are working.
>
> Peter
>
> On 15 May 2016 at 21:00, Andrew Bartlett <abartlet at samba.org> wrote:
> > On Sat, 2016-05-14 at 22:42 -0700, ToddAndMargo wrote:
> > > Hi All,
> > >
> > > Is there anything in Samba that will help protect
> > > against ransomware?
> >
> > I've not had to look into this properly, but I would suggest that
> > regular and genuinely offline backups and regular Read Only snapshots.
> >
> > Andrew Bartlett

Thank you!

May I surmise that all the encrypted files now have an extra extension of ".crypt"? So it is easy to see who got clobbered.
On 16.05.2016 at 07:32, ToddAndMargo wrote:
> May I surmise that all the encrypted files now have
> an extra extension of ".crypt"? So it is easy to
> see who got clobbered.

How do you come to that conclusion, and even if some malware acts that way, what makes you sure you can rely on that? IMHO it would only be so when the developer of the ransomware is a fool! Why should he give you something to make a "locate .crypt" on the fileserver and backups easy?