Minimizing Damage to a Fileshare After Ransomware Attack

Mitigating Ransomware Damage on a Corporate Fileshare

Question

A corporate fileshare holds files for multiple departments.

Individual users in each department create reports that are meant to be read by the rest of the company.

Recently, a user ran a malicious executable that encrypted all of the documents on the fileshare.

The software asked for money to be transferred via cryptocurrency in order to decrypt the files; however, the files were not decrypted after the company paid the ransom.

Which of the following would MOST likely minimize the damage to a fileshare in this type of situation?

Answers

Explanations


D.

The best approach to minimize the damage caused by a malware attack that has encrypted all files on a corporate fileshare is to prevent the malware from being executed in the first place. However, assuming the malware has already run and encrypted the files, the following options could be considered:

A. Enable System Restore on the file server and make frequent restore points: System Restore can be used to roll back the system to a previous state, but this approach is not a reliable solution for recovering files that have been encrypted by malware. System Restore only restores system files and does not restore user data files. In addition, the restore points themselves can be deleted by the malware, rendering the System Restore feature useless.

B. Disable full disk encryption on the file server: Disabling full disk encryption on the file server is not recommended, as it weakens security and makes it easier for attackers to gain access to the data. Full disk encryption can prevent unauthorized access to data, but it does not prevent the encryption of data by malicious software.

C. Install a next-generation firewall at the network edge: A next-generation firewall can help prevent malware from reaching the fileshare by inspecting network traffic and identifying and blocking potentially malicious traffic. However, if the malware has already entered the network and infected the fileshare, a firewall would not be effective in recovering the encrypted files.

D. Use a host-based intrusion detection system and continuously monitor filesystem changes: A host-based intrusion detection system can detect and alert on unusual activity on the file server. However, it may not be able to detect a new, previously unknown malware variant. Additionally, while it can monitor and log file system changes, it cannot recover files that have already been encrypted.

E. Use granular file permissions on the share and follow the principle of least privilege: Using granular file permissions on the share and following the principle of least privilege can minimize the impact of a malware attack. If a user's account is compromised, the malware will only be able to encrypt files for which that user has access. However, this approach does not prevent the malware from encrypting the files that are accessible to the compromised user.

Based on the above, the most effective option for minimizing the damage caused by a malware attack that has encrypted all files on a corporate fileshare is E - Use granular file permissions on the share and follow the principle of least privilege. While it does not prevent the encryption of all files, it limits the scope of the attack to only those files that are accessible to the compromised user account. Additionally, regular backups should be made of the files, ideally to a separate, isolated storage location that is not connected to the network, to allow for file recovery in the event of a malware attack.
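
The effect of option E can be quantified with a small model of the share described in the question. The following Python sketch is an added example, not part of the original page: it compares how many files a process running as one user could overwrite under a flat "Everyone: modify" ACL versus least-privilege ACLs. The users, departments, file names and the simplified ACL evaluation are constructed assumptions.

```python
from dataclasses import dataclass

WRITE_RIGHTS = {"write", "modify", "full"}  # rights that allow overwriting a file

@dataclass(frozen=True)
class Ace:
    principal: str      # user or group name
    right: str          # "read", "write", "modify" or "full"
    allow: bool = True  # False models a deny entry

# Constructed sample data: group membership and report files per department.
GROUPS = {
    "alice": {"Everyone", "Finance"},
    "bob": {"Everyone", "HR"},
    "carol": {"Everyone", "Engineering"},
}
FILES = {
    "Finance": ["q1.xlsx", "q2.xlsx", "budget.docx"],
    "HR": ["handbook.docx", "headcount.xlsx"],
    "Engineering": ["roadmap.docx", "postmortem.docx", "design.docx"],
}

def flat_acl(dept):
    # Weak layout: every user may modify every department folder.
    return [Ace("Everyone", "modify")]

def granular_acl(dept):
    # Least privilege: company-wide read, write only for the owning department.
    return [Ace("Everyone", "read"), Ace(dept, "modify")]

def can_write(user, acl):
    ids = GROUPS[user] | {user}
    matching = [a for a in acl if a.principal in ids and a.right in WRITE_RIGHTS]
    # Simplified model: any matching deny entry overrides every allow entry.
    if any(not a.allow for a in matching):
        return False
    return any(a.allow for a in matching)

def blast_radius(user, acl_for):
    """Files that a process running as `user` could overwrite (and so encrypt)."""
    return sorted(f"{dept}/{name}" for dept, names in FILES.items()
                  if can_write(user, acl_for(dept)) for name in names)

if __name__ == "__main__":
    total = sum(len(names) for names in FILES.values())
    for label, layout in (("flat", flat_acl), ("granular", granular_acl)):
        hit = blast_radius("alice", layout)
        print(f"{label}: {len(hit)}/{total} files writable by alice")
```

Read access is enough for the rest of the company to consume the reports, so the granular layout keeps the share usable while shrinking the set of files one compromised account can encrypt.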