Samba partition used by 70 users on slackware 13.37. ...and yes, unluckily all users must have rwx access.

Did not help how much protection I had on the windows7 pc's, two hours ago one user opened an attachment and it was done. 150GB to restore from backup that I am happy to say is intact.

The virus went through with no warnings either from updated windows defender or latest version and updated symantec AV. All pc's here had latest updates from microsoft. All files renamed HELP_DECRYPT on the local pc, the common partition on the samba share and the specific users home

I know that a samba share will be treated like a windows partition from windows7 though it is located on a linux filesystem, but are there nothing I can do in samba or the file system to prevent this scenario from happen? A kind of restriction for decryption? Write access for all users to this partition is a must....no way to protect the files then restricted permitions?

and for those who have been dealing with this virus, it will only run from the source file, right? Though someone have tried to open files named HELP_DECRYPT, infection will not go from samba to local pc?

Do the users have to have rwx access, or would rwxt be acceptable? rwxt means sticky bit everyone can create files on the share, but only the owner can remove/overwrite/etc. /tmp usually has rwxt access.

It is easy for a virus to make the scrambled files executable, so double-clicking any file affected by the virus would start an infection. I guess most cryptolockers don't bother, though.

If your files should usually not change too much, you could use some version control backed filesystem. This would worsen performance, but a virus attack would become easy to just roll back.