I have a question regarding the ransomware malware going around. Let me tell you briefly about the setup.
We have two identical file servers running Windows 2012 Storage Server. The first one, let's call it FS1, is the primary file server, which the users connect to via AD scripts. On the second one, FS2, I run two software programs, both of them for backup purposes: BackupExec 14 and Dell's SecureCopy. How it works:
1. The BackupExec agent is installed on FS1 and all files (around 4 million) are backed up to disk on FS2.
2. Two main folders called USERS and GROUPS are synced from FS1 to FS2 at night using SecureCopy. All file flags (permissions, last access date, etc.) are preserved.
In case of a complete failure of FS1, we simply edit the AD scripts to point to the FS2 USERS and GROUPS shares. Although some work since the last SecureCopy sync will be lost, that will give us time to restore, reinstall or fix FS1.
Now what's going to happen if ransomware gets onto the FS1 USERS and GROUPS shares, despite the fact that we think we beefed up both servers with the latest and greatest anti-malware tools? Most likely they will get encrypted and MIGHT affect (contaminate) the files on FS2 during either the BackupExec process or the SecureCopy sync. We want to prevent this and stop the infection at the source, which is FS1.
We noticed that SecureCopy has a Special Handling option called "Allow copy of encrypted files as unencrypted if encryption fails" (see attached picture). What the pop-up says is that SecureCopy attempts to encrypt a file on the target (FS2) using EFS when it copies a file which is encrypted on the source.
So we assume that a file is encrypted with ransomware. If this Special Handling option is not enabled, then SecureCopy:
1. Attempts to encrypt the file at the target (FS2) when it is encrypted at the source.
2. The file on the source FS1 is already encrypted by something other than EFS, so the encryption attempt at the target FS2 (EFS) will fail, because the file encrypted by ransomware cannot be modified.
3. The pop-up says "If SecureCopy is unable to encrypt the file on the target the copy will fail, unless this option is selected".
4. Following 1-3 above, I think that the copy process will fail, and that is exactly what we want: not to spread the infection.
Not sure if someone has come across this scenario, but I would like your opinion regarding this logic (it could be totally wrong...).
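Added example from the editor, not from the poster and not Dell/Quest code: the question turns on the difference between a file that NTFS marks as EFS-encrypted (the FILE_ATTRIBUTE_ENCRYPTED attribute, which is the only "encrypted" state a copy tool's EFS handling can test) and a file whose contents are ciphertext written back as ordinary data, which carries no such attribute. This PowerShell script walks a share root and reports both conditions side by side: the EFS attribute as Windows exposes it, and, for non-EFS files, the byte entropy of the file head, which is close to 8 bits/byte for ciphertext. The share root, the 64 KiB sample size, the 7.5 bits/byte threshold and the list of formats that are legitimately high-entropy are assumptions for illustration.

```powershell
# Added example (editor's code, not from the original post or from SecureCopy).
# Reports, per file, whether NTFS flags it as EFS-encrypted and, if not, whether
# its content looks like ciphertext. Root path, thresholds and the list of
# compressed formats are assumptions.
param(
    [string]$Root = 'D:\USERS',        # assumed share root on FS1
    [int]$SampleBytes = 65536,         # assumed: judge entropy on the first 64 KiB
    [double]$EntropyThreshold = 7.5    # assumed: bits per byte; documents sit far lower
)

# Formats that are compressed or already encrypted by design and so score high
# without being malicious. Assumed list; extend for your own data.
$KnownHighEntropy = @('.zip','.7z','.gz','.rar','.docx','.xlsx','.pptx',
                      '.jpg','.jpeg','.png','.gif','.mp3','.mp4','.pdf')

function Test-EfsEncrypted {
    param([System.IO.FileInfo]$File)
    # FILE_ATTRIBUTE_ENCRYPTED is set by NTFS only for EFS-protected files.
    return (($File.Attributes -band [System.IO.FileAttributes]::Encrypted) -ne 0)
}

function Read-FileHead {
    param([System.IO.FileInfo]$File, [int]$Count)
    $want = [int][Math]::Min([long]$Count, $File.Length)
    $buf = New-Object byte[] $want
    if ($want -eq 0) { return ,$buf }
    $stream = $File.OpenRead()
    try   { $read = $stream.Read($buf, 0, $want) }
    finally { $stream.Dispose() }
    if ($read -lt $want) { [Array]::Resize([ref]$buf, $read) }
    return ,$buf
}

function Get-ShannonEntropy {
    param([byte[]]$Bytes)
    # Bits of information per byte: ~4-5 for text/office data, ~8 for ciphertext.
    if ($Bytes.Length -eq 0) { return 0.0 }
    $counts = New-Object 'int[]' 256
    foreach ($b in $Bytes) { $counts[$b]++ }
    $entropy = 0.0
    foreach ($c in $counts) {
        if ($c -gt 0) {
            $p = $c / $Bytes.Length
            $entropy -= $p * [Math]::Log($p, 2)
        }
    }
    return $entropy
}

function Get-EncryptionReport {
    param([string]$Path)
    Get-ChildItem -Path $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $efs = Test-EfsEncrypted -File $_
        $entropy = 0.0
        if (-not $efs) {
            # Only non-EFS files are sampled: their bytes are the plaintext the
            # share actually holds, whatever process wrote them.
            try   { $entropy = Get-ShannonEntropy -Bytes (Read-FileHead -File $_ -Count $SampleBytes) }
            catch { $entropy = -1 }   # unreadable (locked, no access): report and move on
        }
        $ext = $_.Extension.ToLowerInvariant()
        [pscustomobject]@{
            Path         = $_.FullName
            EfsEncrypted = $efs
            Entropy      = [Math]::Round($entropy, 2)
            # Ciphertext-looking content with no EFS attribute and no benign reason
            # to be dense is the case worth a human look before the nightly sync.
            Suspicious   = (-not $efs) -and ($entropy -ge $EntropyThreshold) -and
                           ($KnownHighEntropy -notcontains $ext)
        }
    }
}

$report = Get-EncryptionReport -Path $Root
"{0} files scanned, {1} EFS-encrypted, {2} suspicious" -f $report.Count,
    @($report | Where-Object EfsEncrypted).Count,
    @($report | Where-Object Suspicious).Count
$report | Where-Object Suspicious | Sort-Object Entropy -Descending | Format-Table -AutoSize
```

Run it on FS1 (or read-only against the FS1 share from FS2) before the nightly SecureCopy job. The EfsEncrypted column is the state the "Allow copy of encrypted files as unencrypted" option governs; the Suspicious column is content that no EFS-aware copy logic inspects, which is why it is worth gating the sync on this kind of check rather than on the EFS failure path alone. Entropy alone is a heuristic: a sudden jump in the suspicious count relative to the previous night's run is a stronger signal than any single file.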