Re: CIFS share isolation following virus identification

Hi Jenner,

Best thing against malicious attacks would consist of at least the following:

1. proper backup (plus snapshot) policy

2. set up FPolicy to prevent known extensions, thus preventing encryption

3. in case of a known malicious attack:

   a. Create a snapshot IMMEDIATELY so you know what is going on

   b. either stop CIFS services

   c. or set all CIFS shares to read-only (this will impact your business less and prevent encryption/deletion as well)

The steps in point 3 can be easily automated using PowerShell SDK or Linux shell scripting depending on your environment.

Make sure to make the scripting dynamic so newly created/deleted CIFS shares are automatically added.

Besides that, you should look into a good security information and event monitoring service so you get early alerting on when attacks happen. Unfortunately, we cannot prevent such attacks, but timely detection can save you loads of work and problems.

/Xander
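
The automation suggested in point 3 of the reply above, as an added example that is not part of the original post: a shell sketch that turns a freshly exported share/ACL inventory into a containment plan (snapshots first, then every writable ACL entry downgraded to Read) plus the matching restore commands. It assumes the target is the ONTAP CLI, which the post does not name; the pipe-delimited inventory format, the SVM, share, volume and group names, and the snapshot name are all constructed for illustration.

```sh
#!/bin/sh
# Added example: build an ONTAP containment plan from a share/ACL inventory.
# Assumed inventory format (not from the post), one ACL entry per line:
#   vserver|share|volume|user-or-group|permission

# Constructed sample inventory; in practice regenerate it on every run so
# newly created or deleted shares are picked up automatically.
sample_inventory() {
  cat <<'EOF'
# vserver|share|volume|user-or-group|permission
svm1|finance|vol_fin|Everyone|Full_Control
svm1|finance|vol_fin|BUILTIN\Administrators|Full_Control
svm1|projects|vol_proj|CORP\Engineering|Change
svm1|archive|vol_fin|CORP\Auditors|Read
EOF
}

# Step 3a: one snapshot per unique vserver/volume, taken before any ACL change.
# $1 = snapshot name; inventory on stdin.
snapshot_commands() {
  awk -F'|' -v snap="$1" '
    !/^#/ && NF == 5 && !seen[$1 FS $3]++ {
      printf "volume snapshot create -vserver %s -volume %s -snapshot %s\n", $1, $3, snap
    }'
}

# Step 3c: $1 = lock    -> downgrade every writable ACL entry to Read
#          $1 = restore -> put the recorded permission back after the incident
acl_commands() {
  awk -F'|' -v mode="$1" '
    !/^#/ && NF == 5 && ($5 == "Change" || $5 == "Full_Control") {
      perm = (mode == "lock") ? "Read" : $5
      printf "vserver cifs share access-control modify -vserver %s -share %s -user-or-group \"%s\" -permission %s\n", $1, $2, $4, perm
    }'
}

# Full plan: snapshots first, then the read-only lock. $1 = snapshot name.
containment_plan() {
  inv=$(cat)
  printf '%s\n' "$inv" | snapshot_commands "$1"
  printf '%s\n' "$inv" | acl_commands lock
}

sample_inventory | containment_plan "incident_snap"
```

Keep the inventory that was used for the lock: feeding the same file to `acl_commands restore` is what puts the original permissions back once the incident is closed.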

