I have a question about the nature of snapshots in truenas in general. The way I understand it is that snapshots take the differential of the system state from the last snapshot.
One thing I have always worried about is that because the nature of ransomware is to encrypt all your files, this would effectively be considered a system state change. If the ransomware finishes encrypting all your files then your snapshot will become the size of all your files from the way I understand this.
Assuming there were 1 Tb of files, this would cause the total capacity to now be 1 Tb original (now encrypted) + 1 Tb snapshot differential = 2 Tb total drive capacity used.
So the question is, is my entire NAS safe when using snapshots against ransomware only and only if I have at least over half of my NAS capacity remaining to store that new snapshot from pre ransomware attack?