Today I came across this great article by Robert Penz in which he describes measures companies can take to reduce the risk of ransomware encrypting their files on network shares and other devices in the local network. He also describes how a company can prepare itself so that, if it still happens, downtime is kept as short as possible. I found one of his suggestions of particular interest: snapshots of network shares.
Apart from infecting single PCs, the biggest problem an encryption Trojan causes in a company is that network drives are infected as well, which impacts the work of many other people in the company. Once the PCs causing the damage have been found and removed from the network, the question is how to restore the data on the network drives as quickly as possible. Backups are essential, of course, but with terabytes of data on network shares, restoration will take some time, which is often problematic. One solution is periodic file system snapshots.
In file systems like Btrfs, it's possible to create a snapshot of the file system state at any time. If a file changes after a snapshot has been made, a copy is made and the original is kept in the shadow, invisible to the application changing the file. If, for some reason, changes need to be reverted to the state of the file system at the time the snapshot was made, a few commands will do the trick to mount the snapshot in place of the current network volume. In other words, even if a ransomware Trojan manages to encrypt half of the files on that 10 TB storage server, one can be up and running again in a few minutes. Changes made by others since the snapshot was taken can still be restored manually if they haven't been encrypted. For details of how this works, have a look here.
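
The snapshot and rollback routine described above could be scripted as follows. This is an added example, not taken from Robert Penz's article: the paths, the `share-` naming scheme and the retention count are assumptions, and it assumes the share is a Btrfs subvolume at a path inside a mounted pool, with snapshots kept in a directory on the same file system that is not exported to clients.

```shell
#!/bin/sh
# Added example. Paths and names are assumptions, not taken from the article.
SHARE=${SHARE:-/srv/pool/share}           # Btrfs subvolume exported as the share
SNAPDIR=${SNAPDIR:-/srv/pool/.snapshots}  # same filesystem, NOT exported to clients
KEEP=${KEEP:-48}                          # snapshots to retain (48 hourly = 2 days)
RUN=${RUN-echo}                           # dry run by default; RUN= executes (root)

now() { date -u +%Y%m%dT%H%M%SZ; }        # UTC stamp that sorts chronologically

# Read-only snapshot: a client that can write to the share cannot alter it.
take_snapshot() {
    $RUN btrfs subvolume snapshot -r "$SHARE" "$SNAPDIR/share-${1:-$(now)}"
}

# stdin: one snapshot name per line. stdout: all but the newest $KEEP.
expired() {
    sort | awk -v keep="$KEEP" \
        '{ n[NR] = $0 } END { for (i = 1; i <= NR - keep; i++) print n[i] }'
}

prune() {
    ls -1 "$SNAPDIR" | grep '^share-' | expired | while read -r name; do
        $RUN btrfs subvolume delete "$SNAPDIR/$name"
    done
}

# Roll back after stopping the file service: keep the damaged subvolume under a
# new name (for manual recovery of newer, unencrypted files), then create a
# writable snapshot of the chosen read-only snapshot at the original path.
rollback() {
    case $1 in
        */*) echo "invalid snapshot name: $1" >&2; return 1 ;;
        share-?*) ;;
        *) echo "invalid snapshot name: $1" >&2; return 1 ;;
    esac
    $RUN mv "$SHARE" "$SHARE.damaged-${2:-$(now)}" &&
        $RUN btrfs subvolume snapshot "$SNAPDIR/$1" "$SHARE"
}

case ${1:-} in
    snapshot) take_snapshot && prune ;;
    rollback) rollback "${2:-}" ;;
esac
```

Run with `snapshot` from a timer to take and rotate snapshots, and with `rollback share-<stamp>` to restore; by default the commands are only printed, and setting `RUN=` to an empty value executes them.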