AskME4Tech

We Do the best to understand Technology

You are here:

Protect File Servers from Ransomware

Ransomware is one of the most dangerous mailware today.Every day i hear for infections of File Servers with Ransomware and IT to try find the source and prevent more damage in the enviroment.New types of Ransomware born every day and the protection it is very difficult task. Cases of ransomware infection were first seen in Russia between 2005 – 2006. Trend Micro published a report on a case in 2006 that involved a ransomware variant (detected as TROJ_CRYZIP.A) that zipped certain file types before overwriting the original files, leaving only the password-protected zip files in the user’s system.

What is Ransomware

Base of Trend Micro << Ransomware is a type of malware that prevents or limits users from accessing their system. This type of malware forces its victims to pay the ransom through certain online payment methods in order to grant access to their systems, or to get their data back. Some ransomware encrypts files (called Cryptolocker). Other ransomware use TOR to hide C&C communications (called CTB Locker).>>.

How can infected from Ransomware

Ransomware spreads through emai attachments infected program or infected websites. If user click in the attachment then the Ransomware activated and it starts spreading accross the system or network depends from the type of Ransomware. 

Finally locks the System or encrypt your files and ask a certain ammount of money to provide the access in your system or decrypt your files.

Types of Ransomware

Until now Ransomware divided in two categories

  • Lock Screen Rancomware
    In this category Ransomware locks your system and ask to pay an amount to unlock your system
  • Encryption Ransomware
    In this category Ransomware encrypt all your files in your PC or network and ask to pay to decrypt your files.

Precautions against ransomeware.

You can protect from Ransomware attacks with different ways but the most important is BACKUP BACKUP and BACKUP. If you have updated backup in any case you can restore your files and loose only few hours of work in worst case.

To prevent ransomware attack and keep it away i have write some steps that can follow

  • Keep your Windows up to date.
  • Keep your Antivirus up to date.
  • Don't open email attachments that you aren't sure.
  • Disable Remote Desktop feature whener you can.
  • Avoid browsing websites that are often the breeding grounds for malware such as illegal download sites, porn sites and gambling sites

Symantec very frequency announce for new types of Ransomware like http://www.symantec.com/connect/blogs/locky-ransomware-aggressive-hunt-victims.

In this Article i will share in IT Community a very interesting solution that found in Microsoft Technet Gallery and protect File Servers from any type of Ransomware that exist until today. 

Let's start to prevent the Damage!!

For the solution will use File Server Resource Manager (FSRM) and Powershell.

Install File Server Resource Manager

  • Open  Server Manager
  • Click Add  Roles and Features.

  • Click Next in Welcome Screen.

  • Select Role-based or feature based installation.Click Next.

  • Use the default options and click Next.

  • Expand File and Storage Services - - > File and iSCSI Services.

  • Select File Server Resource Manager.Click Add Features and Click Next.

  • Don't change anything and click Next.

  • Click Install to start the Installation and Wait to Finish.

 

Create FileScreen Group

After Finish the Installation now will proceed to create the Template that will use in File Server  Resource Manager to block all known extensions of Ransomware. I found the Template from https://gallery.technet.microsoft.com/scriptcenter/Protect-your-File-Server-f3722fce  which Tim Buntrock has do a very good Job with this Powershell Script.

For Windows Server 2008
-----------------------------------------------------------------------------------------------------

filescrn filegroup Add /filegroup:Ransomware_Extensions 
/Members:"*.k|*.encoderpass|*.key|*.ecc|*.ezz|*.exx|*.zzz|*.xyz|*.aaa|*.abc|*.ccc|*.vvv|*.xxx|
*.ttt|*.micro|*.encrypted|*.locked|*.crypto|_crypt|*.crinf|*.r5a|*.xrtn|*.XTBL|*.crypt|*.R16M01D05|
*.pzdc|*.good|*.LOL!|*.OMG!|*.RDM|*.RRK|*.encryptedRSA|*.crjoker|*.EnCiPhErEd|*.LeChiffre|
*.keybtc@inbox_com|*.0x0|*.bleep|*.1999|*.vault|*.HA3|*.toxcrypt|*.magic|*.SUPERCRYPT|*.CTBL|
*.CTB2|*.locky|HELPDECRYPT.TXT|HELP_YOUR_FILES.TXT|
HELP_TO_DECRYPT_YOUR_FILES.txt|RECOVERY_KEY.txt|HELP_RESTORE_FILES.txt|
HELP_RECOVER_FILES.txt|HELP_TO_SAVE_FILES.txt|DecryptAllFiles.txt|DECRYPT_INSTRUCTIONS.TXT|I
NSTRUCCIONES_DESCIFRADO.TXT|How_To_Recover_Files.txt|YOUR_FILES.HTML|YOUR_FILES.url|
Help_Decrypt.txt|DECRYPT_INSTRUCTION.TXT|HOW_TO_DECRYPT_FILES.TXT|ReadDecryptFilesHere.txt
|Coin.Locker.txt|_secret_code.txt|About_Files.txt|Read.txt|ReadMe.txt|DECRYPT_ReadMe.TXT|DecryptAllFiles.txt|
FILESAREGONE.TXT|IAMREADYTOPAY.TXT|HELLOTHERE.TXT|READTHISNOW!!!.TXT|SECRETIDHERE.KEY
|IHAVEYOURSECRET.KEY|SECRET.KEY|HELPDECYPRT_YOUR_FILES.HTML|help_decrypt_your_files.html|
HELP_TO_SAVE_FILES.txt|RECOVERY_FILES.txt|RECOVERY_FILE.TXT|RECOVERY_FILE*.txt|HowtoRESTORE_FILES.txt|HowtoRestore_FILES.txt|
howto_recover_file.txt|restorefiles.txt|howrecover+*.txt|_how_recover.txt|recoveryfile*.txt
|recoverfile*.txt|recoveryfile*.txt|Howto_Restore_FILES.TXT|help_recover_instructions+*.txt|_Locky_recover_instructions.txt"

-----------------------------------------------------------------------------------------------------

For Windows Server 2012
-----------------------------------------------------------------------------------------------------

New-FsrmFileGroup -Name "Ransomware_Extensions" –IncludePattern @("*.k","*.encoderpass","*.key","*.ecc","*.ezz","*.exx","*.zzz","*.xyz","*.aaa","*.abc","*.ccc","*.vvv","*.xxx","*.ttt","*.micro","*.
encrypted","*.locked","*.crypto","_crypt","*.crinf","*.r5a","*.xrtn","*.XTBL","*.crypt","*.R16M01D05","*.pzdc","*.good","*.LOL!","*
.OMG!","*.RDM","*.RRK","*.encryptedRSA","*.crjoker","*.EnCiPhErEd","*.LeChiffre","*.keybtc@inbox_com","*.0x0","*.bleep","*.
1999","*.vault","*.HA3","*.toxcrypt","*.magic","*.SUPERCRYPT","*.CTBL","*.CTB2","*.locky","HELPDECRYPT.TXT",
"HELP_YOUR_FILES.TXT","HELP_TO_DECRYPT_YOUR_FILES.txt","RECOVERY_KEY.txt","HELP_RESTORE_FILES.txt",
"HELP_RECOVER_FILES.txt","HELP_TO_SAVE_FILES.txt","DecryptAllFiles.txt","DECRYPT_INSTRUCTIONS.TXT","INSTRUCCIONES_DESCIFRADO.TXT",
"How_To_Recover_Files.txt","YOUR_FILES.HTML","YOUR_FILES.url","Help_Decrypt.txt","DECRYPT_INSTRUCTION.TXT","HOW_TO_DECRYPT_FILES.TXT",
"ReadDecryptFilesHere.txt","Coin.Locker.txt","_secret_code.txt","About_Files.txt","Read.txt","ReadMe.txt","DECRYPT_ReadMe.TXT","DecryptAllFiles.txt","FILESAREGONE.TXT",
"IAMREADYTOPAY.TXT","HELLOTHERE.TXT","READTHISNOW!!!.TXT","SECRETIDHERE.KEY","IHAVEYOURSECRET.KEY","SECRET.KEY","HELPDECYPRT_YOUR_FILES.HTML",
"help_decrypt_your_files.html","HELP_TO_SAVE_FILES.txt","RECOVERY_FILES.txt","RECOVERY_FILE.TXT","RECOVERY_FILE*.txt","HowtoRESTORE_FILES.txt",
"HowtoRestore_FILES.txt","howto_recover_file.txt","restorefiles.txt","howrecover+*.txt","_how_recover.txt","recoveryfile*.txt","recoverfile*.txt","recoveryfile*.txt",
"Howto_Restore_FILES.TXT","help_recover_instructions+*.txt","_Locky_recover_instructions.txt")

-----------------------------------------------------------------------------------------------

So now we have create the FileScreen Group with name Ransomware_Extensions that will be use in next Step.

Create New FileScreen

  • First of all must configure FSRM to send email notifications  so open File Server Resource Manager.
  • Right click in File Server Resource Manager and select Configure Options.

  • Fill the SMTP Server and Default Administrator Recipients. Click the Button Send Test Email  to verify that receive emails from FSRM.

  • Click in Tab Notification Limits and change Event Log Notifications (minutes) and Command Notifications(minutes) to 0. Click OK

  • Right Click in File Screens and Select Create File Screen.

  • Select the File Screen Path which is the Folder or Drive to monitoring for any incident base on the Ransomware_Extensions Group  that create in previous Steps.
  • Select Define Custom file screen Properties and click in Button Custom Properties

  • In Screening Type select Active Screening: ..............
  • In File Groups select Ransomware_Extensions. This is the File Group that created with the Powershell in Create FileScreen Group

  • Go in Tab Email Notifications and check Send e-mail to the following Administrators and Send e-mail to the user that attempted to save and unauthorized file.

  • Click in Tab Command.
  • Select Run this command or Script and browse to find C:\Windows\System32\cmd.exe
  • In the command arguments type the following but change the folder path which have save and extract the RansomwareBlockSmb.zip
    /c "C:\Script\StartRansomwareBlockSmb.cmd"
  • In the Command Security select the Local System.
  • Click OK to create the File Screen.

 

Verify that the File Screen works

Now we have complete the configuration and suppose that when someone infected with Ransomware and start to encrypt files will be deny to change or create any file with extensions that use Ransomware until today. But it's better to do a test to check if working.

  • Open the folder that you have enable the file screen and create a Word Document. Change the extension of .docx to .locky or any other extension which included in Template and check the results.
  • If the configuration is correct you will not allow to change the file wit a promote window

  • and you will receive an email notification like.
    <<User ktzouvaras attempted to save E:\Users\Tzouvaras\Public\Test.locky to E:\ on the FS1 server. This file is in the "Ransomware_Extensions" file group, which is not permitted on the server.>>

 

Some of you maybe ask and what about new types and extensions of Ransomware. How can protect? This is he disadvantage but at least you are protected from all the Ransomware attacks that already exists. It's very important and you will prevent the damage from lot of attacks if will happen.

Most of the companies has a Spam Filtering Solution but this is a second Layer of Protection in case of something pass the filtering.

Do you have something to share related with Tansomeware? Share it in our Commented System and discuss it with other IT Pro.

 

Have a nice weekend!!

 

Similar Posts

Keep up to date Windows Server 2012 FSRM with new Ransomware Types

Rise of Cyber attacks for the year 2016 it has create the need for better security in all environ

How can Reduce PDF File Size

If you work with pdf files you know that the size can become very large quickly probably if in th

Keep in Touch with Askme4Tech

Twitter icon
Facebook icon
Google+ icon