samba - May 2016 - Ransomware?

I'm not aware of the last, but in previous versions, ransomware encrypt all
files and after this he delete original files. If you have a trash/recycle
configured, you can recover these files.





Em 17/05/2016 8:26 AM, "barış tombul" <bbtombul at gmail.com>
escreveu:
> Ransomware Overview:
>
>
https://docs.google.com/spreadsheets/d/1q_VSJoSwTv2L29HXouXm-muVfYtzX-VeAuzJUgICIUs/pubhtml
>
> .mp3 even got inside.  ( I used fail2ban.)
>
> best regards
>
>
>
> 2016-05-17 12:01 GMT+03:00 Reindl Harald <h.reindl at thelounge.net>:
>
> >
> >
> > Am 17.05.2016 um 09:47 schrieb Fabian Cenedese:
> >
> >>
> >> Am 16.05.2016 um 07:32 schrieb ToddAndMargo:
> >>>
> >>>> May I surmise that all the encrypted file now have
> >>>> an extra extension of ".crypt"?  So it is easy
to
> >>>> see who got clobbered.
> >>>>
> >>>
> >>> how do you come to that conclusion and even if some malware
acts that
> >>> way what makes you sure you can rely on that? IMHO it would
only be so
> when
> >>> the developer of the ransomware is a fool!
> >>>
> >>> why should he give you something to make a "locate
.crypt" on the
> >>> fileserver and backups easy?
> >>>
> >>
> >> So far most of the ransomware rename the encrypted files and place
files
> >> with
> >> instructions with constant names. They don't want to hide the
fact that
> >> the files
> >> are encrypted. No, they want you to know that they are and that
you have
> >> to
> >> pay to get them back. That's why it's called ransomware.
Of course for
> >> people
> >> with backups this makes life a little easier. But for the
others...
> >>
> >>
> >>
>
https://www.reddit.com/r/sysadmin/comments/46361k/list_of_ransomware_extensions_and_known_ransom/
> >>
> >
> > "so far most" != you can rely on
> >
> > "They don't want to hide the fact that the files are
encrypted. No, they
> > want you to know that they are" *yes but* when they are finished
an dnot
> > right after starting to encrypt where not much files are affected and
> > backups still in place
> >
> > what they *really* want is act in the background and get caught as
late
> as
> > possible when all your backups contain encrypted versions of important
> > documents
> >
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
> >
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

On 17.05.2016 at 15:38 Elias Pereira wrote:
> I'm not aware of the last, but in previous versions, ransomware encrypt
all
> files and after this he delete original files. If you have a trash/recycle
> configured, you can recover these files.
We should better not rely on that. I read that ransomware overwrites 
only the first kilobyte in the files. This probably does not trigger 
samba to create a copy of the original in the recycle bin.

But more and more Linux distributions come with ZFS filesystem. That can 
create snapshots, which are readonly, as long as the malware has no root 
access to Linux. If it sees the file server only via Samba, it cannot 
modify the files in the snapshots.

Am 19.05.2016 um 19:33 schrieb Klaus Hartnegg:
> On 17.05.2016 at 15:38 Elias Pereira wrote:
>> I'm not aware of the last, but in previous versions, ransomware
>> encrypt all
>> files and after this he delete original files. If you have a
>> trash/recycle
>> configured, you can recover these files.
>
> We should better not rely on that. I read that ransomware overwrites
> only the first kilobyte in the files. This probably does not trigger
> samba to create a copy of the original in the recycle bin
nobody should rely on *anything* in that context

you have backups with enough retention time or not to recover after you 
realize that it happened - anything else is luck and wehn you rely on 
luck you can delete your data anyways

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: OpenPGP digital signature
URL:
<http://lists.samba.org/pipermail/samba/attachments/20160519/271307d4/signature.sig>