This was asked recently on Server Fault.
I’m asking if there’s a way to prevent files from being encrypted. I’m referring to some extent to ransomware, but specifically I want the following scenario:
- Windows File server w/ shares (on the E: drive)
I want a way to tell the above server “don’t allow files on the E: drive to ever be encrypted by anyone or any software/process.”
And, of course, the answer to this question is “no”, as I and others said:
No, you cannot prevent files from being encrypted. How is the OS supposed to know if a file is encrypted vs being of some format it doesn’t “know” about?
You can disable OS-level encryption, and perhaps some programs from running via GPO, but that cannot stop every program, nor users uploading already encrypted files.
What you want to do is ensure users are only putting files where they are supposed to – and nowhere else.
But more interesting is why you would even ask something like this: is it because you really only want “plaintext” files on the share (even when the “plaintext” is a binary format like an EXE, PNG, etc.)? I suppose there could be “value” in disallowing even the concept of encrypted files … but since encrypted files look like files (albeit ones that are not readably openable).
And I think this really betrays an exceptionally poor understanding of what encryption is – and what it is not. Encryption is meant to protect (or hide) specific content (the “specific content” might be the entirety of your phone or hard drive, or an email, or a trade secret, etc.) from eyes that shouldn’t be allowed to see what is happening. Yes, there is ransomware that will encrypt or obfuscate files or file systems and demand payment to be decrypted – but attempting to solve for that corner case by attempting to disallow even the concept of encrypted data is highly misguided: the way to prevent/mitigate ransomware is by a combination of good system management practices, solid IDS and IDP software/appliances, sane anti-virus policies, and general good user behavior. (And, maybe, by using OSes less targeted by ransomware authors.)
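The quoted answer asks how the OS could tell an encrypted file from a format it does not know. As an added example (not from the original post or the Server Fault thread), the Python below applies a hypothetical `looks_encrypted` entropy check to constructed samples: a text log, the same log compressed with zlib, and random bytes standing in for ciphertext.

```python
import math
import os
import random
import zlib
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of the byte histogram, in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes, threshold: float = 7.5) -> bool:
    """Hypothetical content check: flag anything that looks like random bytes."""
    return shannon_entropy(data) >= threshold


def build_samples() -> dict:
    """Constructed inputs: an access log, the same log compressed, random bytes."""
    rng = random.Random(1)  # fixed seed so the constructed log is repeatable
    users = ["alice", "bob", "carol", "dave", "erin"]
    actions = ["read", "write", "rename", "delete"]
    log = "".join(
        f"user={rng.choice(users)} action={rng.choice(actions)} "
        f"file=report_{rng.randrange(10000)}.docx\n"
        for _ in range(20000)
    ).encode()
    return {
        "plain text log": log,
        # DEFLATE is what ZIP, DOCX/XLSX and PNG use internally.
        "compressed log (zlib)": zlib.compress(log, 9),
        # Assumption: os.urandom stands in for ciphertext, since the output of a
        # sound cipher is indistinguishable from random bytes.
        "ciphertext stand-in": os.urandom(64 * 1024),
    }


def classify_samples() -> dict:
    """Return {name: (entropy, flagged)} for each constructed sample."""
    return {
        name: (round(shannon_entropy(data), 3), looks_encrypted(data))
        for name, data in build_samples().items()
    }


if __name__ == "__main__":
    for name, (entropy, flagged) in classify_samples().items():
        print(f"{name:24s} entropy={entropy:.3f} bits/byte  flagged={flagged}")
```

The compressed log is flagged along with the random bytes, so a rule that rejects high-entropy content would also reject ordinary archives, Office documents and images.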
Comments on “can you disable encryption on a windows server?”
I believe they were just trying to make it harder for Ransomware that uses Windows Bitlocker Drive Encryption to encrypt files. With all the Ransomware going around that uses the Bitlocker service against us, it is a good question. We found a way to disable Bitlocker using GPOs. We do not require the Bitlocker service for any reason. So this was not a hard decision. As far as OS File System Encryption (EFS), I do not believe they were referring to that (I could be wrong). But thinking that a majority of people will suddenly develop an understanding of file encryption is kind of a silly thing to say. :-/ Perhaps the system admins will… But the end user… never gonna happen… Better to just protect them and train them the best we can on how to spot malicious attempts.
You should go read the full original question again. It starts off with: “I’m not talking about EFS or Bitlocker here.”
And, to quote another of the answers (http://serverfault.com/a/762466/2321), “most ransom ware programs aren’t using an encryption program”