Introduction
Ransomware on shared storage (NFS shares, SMB/CIFS shares, cloud storage like S3) is particularly devastating because a single compromised client can encrypt files accessible to an entire organization. Unlike local ransomware, shared storage attacks can encrypt thousands of files in minutes across multiple mount points. The encrypted files typically have a new extension appended and a ransom note placed in each affected directory.
Symptoms
- Files on shared storage have unexpected extensions (`.locked`, `.encrypted`, `.crypt`)
- Ransom note files (`README.txt`, `HOW_TO_DECRYPT.html`) appear in directories
- File sizes change after encryption (often slightly larger due to encryption overhead)
- Users report inability to open documents on the shared drive
- Storage I/O spikes as ransomware rapidly encrypts files
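The symptoms above can be checked mechanically rather than by eye. The script below is an added example, not code from the original article: it walks a share (a constructed temporary tree stands in for `/mnt/shared-storage`), counts files carrying the listed extensions, locates ransom notes by name, and additionally flags files whose byte entropy is close to 8 bits per byte, which catches a strain that renames files to an extension the name checks do not know. All function names and the 7.5-bit threshold are my own choices.

```shell
#!/bin/sh
# Added example (not from the original article): triage a share for ransomware
# indicators. All functions take the share root as their first argument.
set -eu

# Shannon entropy of a file in bits per byte, via od + awk (no extra tooling).
# Encrypted or compressed data scores close to 8.0; plain text around 4 to 5.
file_entropy() {
    od -An -v -tu1 "$1" | awk '
        { for (i = 1; i <= NF; i++) { c[$i]++; n++ } }
        END {
            if (n == 0) { print "0.00"; exit }
            for (b in c) { p = c[b] / n; h -= p * log(p) / log(2) }
            printf "%.2f\n", h
        }'
}

count_total() { find "$1" -type f | wc -l | tr -d ' '; }

# Regular files carrying one of the extensions listed under Symptoms.
count_encrypted() {
    find "$1" -type f \( -name '*.locked' -o -name '*.encrypted' -o -name '*.crypt' \) \
        | wc -l | tr -d ' '
}

# Ransom notes by name (README*, HOW_TO*), case-insensitive.
count_notes() {
    find "$1" -type f \( -iname 'README*' -o -iname 'HOW_TO*' \) | wc -l | tr -d ' '
}

# Files WITHOUT a known extension whose entropy is >= 7.5 bits/byte (threshold is
# my own choice): candidates for a strain the name checks do not recognise.
count_high_entropy_unlabelled() {
    find "$1" -type f | while IFS= read -r f; do
        case "$f" in *.locked|*.encrypted|*.crypt) continue ;; esac
        if awk -v e="$(file_entropy "$f")" 'BEGIN { exit !(e >= 7.5) }'; then
            printf '%s\n' "$f"
        fi
    done | wc -l | tr -d ' '
}

# One summary line, guarding the division by zero on an empty share.
report() {
    total=$(count_total "$1"); enc=$(count_encrypted "$1")
    pct=0; [ "$total" -gt 0 ] && pct=$(( enc * 100 / total ))
    printf 'Encrypted: %s / %s files (%s%%), ransom notes: %s, high-entropy unlabelled: %s\n' \
        "$enc" "$total" "$pct" "$(count_notes "$1")" "$(count_high_entropy_unlabelled "$1")"
}

# --- constructed sample data, standing in for /mnt/shared-storage ---
# Writes every byte value 0..255 sixteen times: deterministic, entropy exactly 8.00.
ciphertext_like() {
    for r in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16; do
        for i in $(seq 0 255); do printf "\\$(printf '%03o' "$i")"; done
    done
}

make_sample_share() {
    d=$(mktemp -d)
    mkdir -p "$d/finance" "$d/hr"
    printf 'Quarterly report, plain text.\n' > "$d/finance/q1.txt"
    ciphertext_like > "$d/finance/q2.xlsx.locked"
    ciphertext_like > "$d/hr/payroll.docx.encrypted"
    ciphertext_like > "$d/hr/photo.bin"   # encrypted, but with an unknown extension
    printf 'Your files are encrypted. Pay to decrypt.\n' > "$d/hr/README.txt"
    printf '%s\n' "$d"
}

if [ "${1:-}" = "--demo" ]; then
    share=$(make_sample_share); report "$share"; rm -rf "$share"
fi
```

Run it with `--demo` to see the summary over the constructed tree; against a real share, call `report /mnt/shared-storage` from a read-only mount so the triage itself does not touch timestamps the investigation may need.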
Common Causes
- Compromised user account with write access to the shared storage
- Malware on a workstation that has the shared drive mounted
- Vulnerable SMB/NFS server exploited for initial access
- Phishing email delivering ransomware payload to a user with storage access
- Unpatched vulnerability in file sharing software (e.g., SMBv1 exploited by EternalBlue)
Step-by-Step Fix
1. Immediately isolate the affected storage:

```bash
# Unmount the shared storage from all clients
sudo umount -f /mnt/shared-storage
# For NFS: stop exporting the share (quote the pattern so the shell does not expand *)
sudo exportfs -u '*:/path/to/share'
# For SMB: close the share on the server
sudo smbcontrol smbd close-share sharename
```

2. Identify the source of the encryption:

```bash
# Check NFS logs for the client that made the most write requests
sudo grep "WRITE" /var/log/nfsd.log | tail -100
# Check SMB logs
sudo grep "write" /var/log/samba/log.* | tail -100
# Check which clients currently have the share mounted
showmount -a    # NFS
sudo smbstatus  # SMB
```

3. Assess the scope of encryption:

```bash
# Count encrypted files (group the -name tests so the -o applies to all of them)
sudo find /mnt/shared-storage -type f \( -name "*.locked" -o -name "*.encrypted" \) | wc -l
# Find ransom notes
sudo find /mnt/shared-storage -type f \( -name "README*" -o -name "HOW_TO*" \)
# Check what percentage of files are affected
total=$(sudo find /mnt/shared-storage -type f | wc -l)
encrypted=$(sudo find /mnt/shared-storage -type f \( -name "*.locked" -o -name "*.encrypted" \) | wc -l)
echo "Encrypted: $encrypted / $total"
```

4. Restore from backups:

```bash
# Mount the backup
sudo mount /dev/backup-volume /mnt/backup
# Verify backup integrity with a dry run (-n) before changing anything
sudo rsync -avn /mnt/backup/shared-storage/ /mnt/shared-storage/ | head -20
# Restore
sudo rsync -avz --progress /mnt/backup/shared-storage/ /mnt/shared-storage/
```

5. Preserve evidence before restoration:

```bash
# Archive a sample of encrypted files and a ransom note for analysis
sudo mkdir -p /evidence/samba-logs
sudo tar czf /evidence/ransomware-sample.tar.gz \
    /mnt/shared-storage/encrypted-file1.docx.locked \
    /mnt/shared-storage/README.txt
# Save logs
sudo cp /var/log/samba/* /evidence/samba-logs/
sudo cp /var/log/auth.log /evidence/
```

6. Harden the shared storage against future attacks:

```bash
# Disable SMBv1 (vulnerable to EternalBlue): edit the Samba config
sudo nano /etc/samba/smb.conf
# and add under [global]:
#   server min protocol = SMB2_10
# then reload the configuration so the change takes effect
sudo smbcontrol smbd reload-config
# Implement file permission restrictions
sudo chmod -R 750 /mnt/shared-storage
# Enable SMB/NFS access logging
```
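Step 2 greps the raw Samba logs by hand. The added example below (my own code, not from the article) does the same ranking over lines from Samba's `full_audit` VFS module, which is one way to get the per-operation access logging step 6 asks for. The log lines are constructed; their layout assumes the module's default prefix `%u|%I|%m|%S` (user, client IP, machine, share) followed by `operation|result|path`, with a second path on renames. The operation names, threshold and flagged filename patterns are my own choices and should be tuned to the share's normal load.

```shell
#!/bin/sh
# Added example (not from the original article): rank SMB clients by write-like
# operations and flag those producing ransomware-style filenames.
set -eu

# Constructed sample log. Layout assumed: syslog header, then full_audit's
# default prefix user|client_ip|machine|share, then operation|result|path
# (renames carry a second path: old|new).
SAMPLE_LOG=$(cat <<'EOF'
Mar  3 14:02:11 fs1 smbd_audit: alice|10.0.0.21|WS21|finance|pwrite|ok|/srv/finance/q1.xlsx
Mar  3 14:02:11 fs1 smbd_audit: alice|10.0.0.21|WS21|finance|rename|ok|/srv/finance/q1.xlsx|/srv/finance/q1.xlsx.locked
Mar  3 14:02:12 fs1 smbd_audit: alice|10.0.0.21|WS21|finance|pwrite|ok|/srv/finance/q2.xlsx
Mar  3 14:02:12 fs1 smbd_audit: alice|10.0.0.21|WS21|finance|rename|ok|/srv/finance/q2.xlsx|/srv/finance/q2.xlsx.locked
Mar  3 14:02:13 fs1 smbd_audit: alice|10.0.0.21|WS21|finance|pwrite|ok|/srv/finance/README.txt
Mar  3 14:02:14 fs1 smbd_audit: bob|10.0.0.35|WS35|finance|pwrite|ok|/srv/finance/budget.docx
Mar  3 14:02:15 fs1 smbd_audit: bob|10.0.0.35|WS35|finance|pwrite|fail|/srv/finance/locked.docx
Mar  3 14:02:16 fs1 smbd_audit: carol|10.0.0.40|WS40|hr|open|ok|/srv/hr/handbook.pdf
EOF
)

# Reads audit lines on stdin. Prints one line per client that either performed
# at least THRESHOLD successful write-like operations (pwrite/write/rename/unlink)
# or produced a file with a ransomware extension or a ransom-note name.
# Usage: rank_writers [threshold]   (default 50)
rank_writers() {
    awk -F'|' -v threshold="${1:-50}" '
        $6 != "ok" { next }                       # failed operations did not encrypt anything
        $5 ~ /^(pwrite|write|rename|unlink)/ {
            ip = $2
            ops[ip]++
            target = ($5 ~ /^rename/) ? $8 : $7   # for a rename, judge the new name
            if (target ~ /\.(locked|encrypted|crypt)$/) marked[ip]++
            if (target ~ /\/(README|HOW_TO)[^\/]*$/) notes[ip]++
        }
        END {
            for (ip in ops)
                if (ops[ip] >= threshold || (ip in marked) || (ip in notes))
                    printf "%s ops=%d ransom_ext=%d notes=%d\n",
                           ip, ops[ip], marked[ip] + 0, notes[ip] + 0
        }' | sort
}

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | rank_writers 50
fi
```

On a real server the input would be `grep smbd_audit /var/log/syslog | rank_writers 200`; the client that renames files to a ransomware extension is flagged even when its operation count stays under the threshold, which is the case the plain `grep "write" | tail` in step 2 can miss.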
Prevention
- Implement immutable backups (WORM storage) that cannot be modified or deleted
- Use versioned storage (S3 versioning, ZFS snapshots) for rapid file recovery
- Restrict shared storage write permissions to the minimum necessary
- Deploy endpoint detection on all workstations that mount shared storage
- Implement network segmentation to limit lateral movement from compromised endpoints
- Regularly test backup restoration procedures to ensure they work when needed
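Step 6 sets `server min protocol = SMB2_10`, but a hardening change only counts once it is verified. The added example below (my own code, not from the article) parses a Samba configuration and reports whether the `[global]` section still admits an SMB1 dialect; the weak and corrected configurations it checks are constructed inline. Function names and the exit-status convention are my own choices.

```shell
#!/bin/sh
# Added example (not from the original article): check whether a Samba config
# still admits SMB1 dialects, i.e. whether step 6's change has actually landed.
set -eu

# Print the effective "server min protocol" value from [global] (synonym
# "min protocol" accepted), upper-cased; prints nothing when it is not set.
smb_min_protocol() {
    awk '
        /^[[:space:]]*\[/ { in_global = (tolower($0) ~ /^[[:space:]]*\[global\][[:space:]]*$/); next }
        in_global && /^[[:space:]]*(server[[:space:]]+)?min[[:space:]]+protocol[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, ""); val = toupper($0)
        }
        END { print val }' "$1"
}

# Exit status: 0 = an SMB1 dialect is still allowed, 1 = minimum is SMB2 or newer,
# 2 = not set (the effective minimum then depends on the Samba version's default).
smb1_allowed() {
    case "$(smb_min_protocol "$1")" in
        "")                                return 2 ;;
        CORE|COREPLUS|LANMAN1|LANMAN2|NT1) return 0 ;;
        *)                                 return 1 ;;
    esac
}

# Constructed sample configs: the weak setting beside the corrected one.
make_sample_confs() {
    d=$(mktemp -d)
    cat > "$d/weak.conf" <<'EOF'
[global]
   workgroup = CORP
   server min protocol = NT1
[finance]
   path = /srv/finance
EOF
    cat > "$d/hardened.conf" <<'EOF'
[Global]
   workgroup = CORP
   server min protocol = SMB2_10
[finance]
   path = /srv/finance
EOF
    cat > "$d/unset.conf" <<'EOF'
[global]
   workgroup = CORP
EOF
    printf '%s\n' "$d"
}

if [ "${1:-}" = "--demo" ]; then
    d=$(make_sample_confs)
    for f in "$d"/*.conf; do
        smb1_allowed "$f" && rc=0 || rc=$?
        case "$rc" in
            0) echo "$f: SMB1 ALLOWED (min protocol $(smb_min_protocol "$f"))" ;;
            2) echo "$f: not set, relies on the Samba default" ;;
            *) echo "$f: SMB1 disabled (min protocol $(smb_min_protocol "$f"))" ;;
        esac
    done
    rm -rf "$d"
fi
```

Point `smb1_allowed` at `/etc/samba/smb.conf` after the edit in step 6; a return of 2 means the setting never made it into `[global]`, which is the usual outcome of adding it under a share section by mistake.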