A while ago, I was called to help by someone who had been a victim of some kind of ransomware. I told him I could not help him because he did not have any backup. I told him he needed a Samba server...
But then I thought, if a Samba share were online on a Windows system either as a link or a network disk at the time of a ransomware attack, it would infect those files too. That is how I would program the cursed thing!
So, I thought I could write some sort of script that would run when the server is turned on and take periodic snapshots of the Samba share (mapped to a ZFS file system), but then I found out that all such ransomware would encrypt a portion of a file in place – it would not simply create new encrypted files from existing ones and then delete them.
So my question is:
If I took a snapshot of a ZFS file system and a few minutes later got my files encrypted by some ransomware, would I still have the unencrypted versions of my files in the snapshot? In other words, can I recover my files from a snapshot no matter what happens to the ones in the ZFS file system?