Ransomware-resilient Linux Samba file server
I think backups are your only sure bet. What you suggest as a solution basically consists of making a special backup; I'd suggest you just keep several (at least two) full backups around. The problem is then reduced to detecting ransomware working on your files and recovering from the last good backup. You can use deduplicating backups to save space. The advantage of going the backup route is that
- you introduce less complexity (no additional system just for ransomware)
- you improve the quality of your backup routine - once you're automating alerts and recovery, you've put in place a lot of stuff to make backup recovery a breeze. That's good for a much broader category of failures than just ransomware.
As for detecting ransomware, that's easy: Encrypted files all look like random data, so you can simply do statistical tests for each file (equal distribution of bytes? not compressible using zip? etc.) and count the number of files that look random.
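The statistical test described in the answer, as an added example that is not part of the original post: it walks a share, measures the byte entropy and zlib compressibility of the first 64 KiB of each file, and returns how many look random. The thresholds and the skip list are assumptions; compressed formats such as archives and images look random too, so the flagged count should be compared against a baseline taken while the share is known to be clean rather than against zero.

```python
import math
import os
import zlib
from collections import Counter

# Thresholds are assumptions for illustration; tune them against a baseline
# measured on the share while it is known to be clean.
ENTROPY_BITS = 7.5        # out of a maximum of 8.0 bits per byte
COMPRESS_RATIO = 0.95     # compressed size / original size; ~1.0 means incompressible
SAMPLE_BYTES = 64 * 1024  # only the first 64 KiB of each file is examined
# Formats that are legitimately random-looking and would otherwise be false positives.
SKIP_SUFFIXES = (".zip", ".gz", ".xz", ".7z", ".jpg", ".jpeg", ".png", ".mp4")

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 means every byte value is equally likely."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def compression_ratio(data: bytes) -> float:
    """Size after zlib relative to the original; random data does not shrink."""
    return len(zlib.compress(data, 6)) / len(data) if data else 0.0

def looks_encrypted(data: bytes) -> bool:
    """Both tests must agree: a uniform but repetitive byte pattern has full
    entropy yet compresses well, so it is not flagged."""
    return (len(data) >= 256
            and shannon_entropy(data) >= ENTROPY_BITS
            and compression_ratio(data) >= COMPRESS_RATIO)

def scan_share(root: str) -> tuple[int, list[str]]:
    """Walk the share; return (files examined, paths that look encrypted).
    Compare the flagged count with the clean baseline, not with zero."""
    checked, flagged = 0, []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(SKIP_SUFFIXES):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(SAMPLE_BYTES)
            except OSError:
                continue  # vanished or unreadable files are skipped
            checked += 1
            if looks_encrypted(head):
                flagged.append(path)
    return checked, flagged
```

Run it from cron against the share root and alert when the flagged count rises noticeably above the baseline; that is the trigger for restoring from the last good backup.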