I am trying to see if there is any way to detect and stop an encryption process on a Windows server.
Basically, one of the workstations opened a ransomware (SIGMA) and it has encrypted everything on her computer, which is to be expected. However, it also encrypted everything on the mapped drive from the file server. The file server has antivirus and even anti-ransom, but it still encrypted the stuff on the mapped drives. All drives or folders that were not mapped to this particular workstation are fine.
So the question would be if there is anything to prohibit any type of encryption that is initiated from a workstation. If not, maybe someone knows a good solution to prevent this in another way.
By the way, I do have backups; however, since I only have backups every 24 hours, I lost one day's work. I do not really care about the files on the workstation because I simply restore a clean image, but if it messes with my files on the domain server, it becomes a huge issue and I need to find some solution.
Any tip is very much appreciated. Thanks to all that are willing to assist me.
The server is Windows Server 2016.