
Restricting creation of files


outsider


Is there any way to have unRaid restrict the creation of certain files based on filename?

 

The reason I ask is because I just got hit with the TeslaCrypt virus and a bunch of my files on the UnRaid server got encrypted to .vvv files. (this is what TeslaCrypt does; it encrypts your files using RSA2048 encryption and then they ask for money to decrypt your files)

Luckily I have offline backups of my files, but it's still a pain to have to go and find all the corrupted files, get rid of them and replace them with good copies from archives. I wasn't really planning on spending my weekend finding and replacing files... arhhh.

 

If there was an easy way to tell UnRaid to not allow the creation of .vvv files, that would certainly help if this happens again.

 

Any thoughts?

 

 

Link to comment

Dealing with ransomware is much tougher than simply blocking one possible extension.  They can easily use a different one, or nothing at all.  They can encrypt then delete the original, at which point it really doesn't matter what happens to the files they create, you've already lost the originals.

 

The most important thing is to have offline backups, and you've got them, good for you!  The next best protection for networked files is to have them read-only.  Read-only protection for files on a Windows machine is useless, but works correctly on a network share.  It's important to make sure that edit privileges are available only when absolutely necessary.

 

As for .vvv files, we have a number of Linux command line users who can give you a find command that will remove all of them in one shot.  Then just restore folders from your backups.  (Then find whoever clicked something they shouldn't have, and punish them!)

Link to comment

Thanks for the reply Rob,

You make a good point about restricting a certain file extension not being an effective way to fix the problem.

 

Read-only is good for some things (like multimedia), but I can't make the network folder into which I work read-only. It needs read-write permissions, unfortunately.

 

It should be straightforward enough to pipe the output of the find command into the rm command and remove only the infected files. Then recover those files from backups.

Link to comment
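Added example, not part of any post in this thread: a cleanup sketch for the find-and-remove step discussed above. It writes a restore list before deleting anything and lets find invoke rm directly, because a plain `find | rm` pipe does nothing (rm does not read stdin) and `find | xargs rm` splits names containing spaces. The function names are hypothetical, and it assumes the malware appended `.vvv` to the original filename (photo.jpg became photo.jpg.vvv).

```shell
#!/bin/sh
# Added example. Assumption: encrypted copies are named <original>.vvv.
# Function names are illustrative, not from unRAID or the thread.

# list_encrypted ROOT [EXT]: print one encrypted file path per line.
list_encrypted() {
    find "$1" -type f -name "*.${2:-vvv}" -print
}

# restore_manifest ROOT [EXT]: print the original paths (suffix stripped),
# i.e. the files to pull back from the offline backup.
# Limitation: paths containing newlines would span two manifest lines.
restore_manifest() {
    ext="${2:-vvv}"
    list_encrypted "$1" "$ext" | sed "s/\.${ext}\$//"
}

# remove_encrypted ROOT [EXT]: delete the encrypted copies only.
# -exec ... {} + hands each path to rm as a single argument, so spaces
# and quotes in names are safe; "--" stops names starting with "-"
# from being read as options.
remove_encrypted() {
    find "$1" -type f -name "*.${2:-vvv}" -exec rm -f -- {} +
}

# Typical order (share path is a placeholder):
#   restore_manifest /mnt/user/YOUR_SHARE > /tmp/restore-list.txt
#   list_encrypted   /mnt/user/YOUR_SHARE | less    # review before deleting
#   remove_encrypted /mnt/user/YOUR_SHARE
```

Generate the manifest before running the removal; once the `.vvv` files are gone, the list of what needs restoring can no longer be derived from the share.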

Archived

This topic is now archived and is closed to further replies.
