Prevent workstation from encrypting server files

I am trying to see if there is any way to detect and stop an encryption process on a Windows server.

Basically, one of the workstations opened a ransomware (SIGMA) and it encrypted everything on her computer, which is to be expected. However, it also encrypted everything on the mapped drive from the file server. The file server has antivirus and even anti-ransomware, but it still encrypted the stuff on the mapped drives. All drives or folders that were not mapped to this particular workstation are fine.
So the question would be if there is anything to prohibit any type of encryption that is initiated from a workstation. If not, maybe someone knows a good solution to prevent this in another way.

By the way, I do have backups; however, since I only have backups every 24 hours, I lost one day's work. I do not really care about the files on the workstation because I simply restore a clean image, but if it messes with my files on the domain server, it becomes a huge issue and I need to find some solution.

Any tip is very much appreciated. Thanks to all that are willing to assist me.
The server is Windows Server 2016.
ThomasPartner asked:

McKnife commented:
It's easy: the ransomware is started with the user's credentials, so any piece of data the user may change on that share can be encrypted. If you want to protect as much as possible, only allow the user write permissions to areas he really needs to write to; else, use read permissions.

On Win10 v1709 and newer, there is ransomware protection built in (but deactivated) that lets you select which folders may be written to by which programs. So it's a per-program setting, not a per-user setting. If you use these new OSes, it's worth looking into it, although it does not seem to be mature yet.
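The two measures in this comment, as an added PowerShell example that is not from the thread: on the file server, list which principals hold write rights on each share so over-broad Modify grants stand out; on a Windows 10 1709+ workstation, enable Controlled Folder Access in audit mode with the mapped share added as a protected folder. The share root, the UNC path `\\FILESERVER\Shares` and the Word executable path are assumed placeholders.

```powershell
# ---- File server: who can write into each share? (least-privilege review) ----
Import-Module SmbShare
function Get-ShareWriters {
    # An Allow ACE carrying CreateFiles/AppendData lets any process running as
    # that identity create or overwrite files, which is all ransomware needs.
    $writeBits = [int][System.Security.AccessControl.FileSystemRights]'CreateFiles, AppendData'
    Get-SmbShare | Where-Object { $_.Path -and -not $_.Special } | ForEach-Object {
        $share = $_
        (Get-Acl -Path $share.Path).Access |
            Where-Object { $_.AccessControlType -eq 'Allow' -and
                           (([int]$_.FileSystemRights) -band $writeBits) -ne 0 } |
            ForEach-Object {
                [pscustomobject]@{
                    Share    = $share.Name
                    Path     = $share.Path
                    Identity = $_.IdentityReference.Value
                    Rights   = $_.FileSystemRights
                }
            }
    }
}
# Anything listed that only needs to read (e.g. "Domain Users" with Modify on a
# reference folder) should be cut back to ReadAndExecute.
Get-ShareWriters | Sort-Object Share, Identity | Format-Table -AutoSize

# ---- Workstation (Win10 1709+): Controlled Folder Access, audit mode first ----
Set-MpPreference -EnableControlledFolderAccess AuditMode
# Network shares and mapped drives can be added to the protected folder list.
Add-MpPreference -ControlledFolderAccessProtectedFolders '\\FILESERVER\Shares'
# Only listed programs may then write there; everything else is logged (audit) or blocked.
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
# Review what audit mode caught (1124 = audited, 1123 = blocked) before enforcing.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1123, 1124 } `
    -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message | Format-List
# Set-MpPreference -EnableControlledFolderAccess Enabled   # once the allow list is complete
```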
Kimputer commented:
For this reason, I enforce some form of software restriction policies in every company where possible (not everyone wants it, though it's one of the best solutions).
Users really don't need to execute anything that's been installed already anyway. And if they need it, just install it for them.
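The "only already-installed software may run" policy this comment describes, as an added PowerShell example that is not from the thread. It uses AppLocker path rules rather than classic SRP because SRP has no cmdlets; the rules are applied in audit mode locally (for a domain, point `Set-AppLockerPolicy -Ldap` at a GPO instead) and tested against a stand-in binary copied into Downloads.

```powershell
# Run elevated on the workstation. Same rule set for executables and scripts:
# installed software runs, anything in user-writable locations (profile,
# Downloads, %TEMP%) does not. Deny rules on the user-writable corners of
# %WINDIR% close the usual path-rule bypass. Fresh GUIDs per collection.
function New-PathRule([string]$Name, [string]$Sid, [string]$Action, [string]$Path) {
    "<FilePathRule Id=`"$(New-Guid)`" Name=`"$Name`" Description=`"`" UserOrGroupSid=`"$Sid`" Action=`"$Action`">" +
    "<Conditions><FilePathCondition Path=`"$Path`" /></Conditions></FilePathRule>"
}
function New-RuleSet {
    @(
        New-PathRule 'Installed programs'  'S-1-1-0'      'Allow' '%PROGRAMFILES%\*'
        New-PathRule 'Windows'             'S-1-1-0'      'Allow' '%WINDIR%\*'
        New-PathRule 'Windows Temp'        'S-1-1-0'      'Deny'  '%WINDIR%\Temp\*'
        New-PathRule 'Windows Tasks'       'S-1-1-0'      'Deny'  '%WINDIR%\Tasks\*'
        New-PathRule 'Admins unrestricted' 'S-1-5-32-544' 'Allow' '*'
    ) -join "`n"
}
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">$(New-RuleSet)</RuleCollection>
  <RuleCollection Type="Script" EnforcementMode="AuditOnly">$(New-RuleSet)</RuleCollection>
</AppLockerPolicy>
"@
$policyFile = Join-Path $env:ProgramData 'applocker-audit.xml'
Set-Content -Path $policyFile -Value $policyXml -Encoding UTF8

sc.exe config appidsvc start= auto | Out-Null   # Application Identity service must run
Start-Service -Name AppIDSvc
Set-AppLockerPolicy -XmlPolicy $policyFile      # local policy, audit only for now

# Dry run: what would the policy do to a binary that landed in Downloads?
# Constructed stand-in: a copy of cmd.exe, removed again afterwards.
$probe = Join-Path $env:USERPROFILE 'Downloads\invoice.exe'
Copy-Item "$env:WINDIR\System32\cmd.exe" $probe
Test-AppLockerPolicy -XmlPolicy $policyFile -Path $probe -User Everyone   # PolicyDecision: DeniedByDefault
Remove-Item $probe

# Watch 8003 ("would have been blocked") for a while, then switch EnforcementMode to Enabled.
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -ErrorAction SilentlyContinue |
    Where-Object Id -eq 8003 | Select-Object TimeCreated, Message
```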
Naveen Sharma commented:
Check this whitepaper, which shows you how to detect, alert on and respond to ransomware attacks.

John Tsioumpris, Software & Systems Engineer, commented:
Well, ransomware has created new facts and we need to go back to the drawing board...
It seems that the simple share is way too dangerous, so there is a need for changing habits...
Solutions... many, but I will throw out some:
FTP... with the help of an FTP client you can have a repository which is hard to access without all the security info.
Web/desktop replacement explorer... an application that connects to a restrictive repository... or even a file-capable handling (Firebird?)...
Kimputer commented:
All nice, theoretical and/or expensive. SRP is already proven to work and it's free.
btan, Exec Consultant, commented:
Application whitelisting on the workstation will be good to deter ransomware. This may include detecting the "dropper" payload binaries that are first installed or executed to exploit and call back to a backend server to download more tools (ransomware) to start exploiting the existing machine. There is also the CryptoMonitor tool, which counts how often untrusted processes have modified "a certain number of personal files, under a certain time".
https://www.bleepingcomputer.com/forums/t/572146/cryptomonitor-stop-all-known-crypto-ransomware-before-it-encrypts-your-data/

File Server Resource Manager on the server will be useful. The link is stated for 2012 and 2008 but would be useful for 2016.
https://gallery.technet.microsoft.com/scriptcenter/Protect-your-File-Server-f3722fce
(mention of FSRM in 2016) https://gallery.technet.microsoft.com/File-Server-Resource-e778d377

Besides the anomalies to detect, another scheme is actually to create a set of document files in a decoy folder and monitor it for changes. AntiRansom is a tool capable of detecting and stopping ransomware attacks using honeypots.
http://www.security-projects.com/?Anti_Ransom

There are schemes to trap ransomware, e.g. setting up infinitely recursive directories, but I don't think we should go into that realm and instead reduce the attack footprint by keeping the system patched in a timely manner. Hygiene and hardening are important to make it difficult for the malware to advance, on top of the other layers of defence put in place.

Just a useful article in summary on preventive & detective measures:
https://www.experts-exchange.com/articles/28059/TL-DR-Ransomware-Infected.html
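The FSRM approach from this comment, as an added PowerShell example that is not from the thread or the linked scripts: a file screen over the share root refuses writes whose names match ransomware indicators, logs an event, and runs a responder that revokes the writing account's access on every share under that root. The share root `D:\Shares`, the responder path and the indicator patterns are constructed placeholders to be replaced with your own layout and a maintained pattern list.

```powershell
# Run elevated on the Windows Server 2016 file server with FSRM installed.
Import-Module FileServerResourceManager, SmbShare
$screenPath = 'D:\Shares'                      # assumed share root (placeholder)
$responder  = 'C:\Scripts\Block-Offender.ps1'  # assumed responder location (placeholder)

# 1. Responder. FSRM hands over the writer's account (DOMAIN\user) and the file;
#    revoke that account on every share under the root and keep a local record.
$responderBody = @'
param([string]$Offender, [string]$FilePath)
if ($Offender -notmatch '\\') { exit }     # skip SYSTEM / unresolved owners
Get-SmbShare | Where-Object { $_.Path -like 'D:\Shares*' } | ForEach-Object {
    Block-SmbShareAccess -Name $_.Name -AccountName $Offender -Force
}
Add-Content -Path 'C:\Scripts\blocked.log' -Value "$(Get-Date -Format s) $Offender $FilePath"
'@
New-Item -ItemType Directory -Path (Split-Path $responder) -Force | Out-Null
Set-Content -Path $responder -Value $responderBody

# 2. File group of names ransomware typically creates (constructed sample list;
#    feed it from a current indicator list rather than this handful).
$patterns = @('*.locked', '*.encrypted', '*.crypt', '*DECRYPT*INSTRUCTIONS*.txt')
New-FsrmFileGroup -Name 'Ransomware indicators' -IncludePattern $patterns

# 3. Actions: write an Application log event, then run the responder as LocalSystem.
$logAction = New-FsrmAction -Type Event -EventType Error `
    -Body 'Ransomware pattern [Source File Path] written by [Source Io Owner]'
$blockAction = New-FsrmAction -Type Command -SecurityLevel LocalSystem -RunLimitInterval 0 `
    -Command 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' `
    -CommandParameters ('-NonInteractive -ExecutionPolicy Bypass -File "{0}" ' +
                        '-Offender "[Source Io Owner]" -FilePath "[Source File Path]"' -f $responder)

# 4. Active screen: the matching write is refused and both actions fire.
New-FsrmFileScreen -Path $screenPath -IncludeGroup 'Ransomware indicators' -Active `
    -Notification @($logAction, $blockAction)
```

FSRM only evaluates names being created or renamed, so a strain that overwrites files in place under their original names will not trip this screen; pair it with the decoy-folder monitoring and the restrictive share permissions discussed in this thread.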

Lee W, MVP, Technology and Business Process Advisor, commented:
Why did you lose a day of data? Don't you have VSS enabled? At worst you should have lost half a day... less if you had a good VSS schedule or used DFSR with another server and staggered the VSS snapshots.
ThomasPartner (Author) commented:
Thank you for all the feedback. I found some solutions from the feedback.
Initially I was looking for a way to detect that a workstation in the Win Server 2016 domain network initiated an encryption process. However, it is better to protect the workstation directly, so that this does not even happen.
Also, I implemented more training for the employees because this user had to go through 5 steps to get this ransomware to start.
I would love if they would be giving this much attention to emails I send ;-)

Thank you everybody, this was very good feedback.