Stop CryptoLocker (and copy-cat variants of this badware) before it ruins your day


A shortcut to this page is: http://jpelectron.com/stopcrypto


This document was written with Windows Server 2008 R2 Standard in mind, but it is relevant to other server OS versions (2003 R2 or later is required for FSRM).

The method described on this website detects known dropped files (the payment instructions) or the new extension that files get after they are encrypted. As an alternative or supplement, you could also leave a known "canary" file out in the open (on a share) and wait for it to be encrypted (changed) or deleted; that method can be found here.

Note: NTFS is case insensitive by default, so FSRM pattern matching works as expected regardless of the case the badware uses for its filenames or extensions; that holds unless you explicitly changed NTFS's case-sensitivity behavior.


____ Install File Server Resource Manager ____


2003R2: Control Panel > Add or Remove Programs > Add/Remove Windows Components
                > Windows Components Wizard > Management and Monitoring Tools > Details > File Server Resource Manager

2008(R2): Server Manager > Roles > Add Roles > Add Roles Wizard > Server Roles
                > File Services > Role Services > File Server Resource Manager

2012(R2): Server Manager > Manage > Add Roles and Features > Add Roles and Features Wizard > Server Roles
                > File and Storage Services > File and iSCSI Services > File Server Resource Manager


____ Server-side protection from further encryption ____


1) Open File Server Resource Manager (Start > Run > fsrm.msc)

2) File Screening Management > File Groups > Create File Group...
          File group name: 1-PreventCrypto
            Files to include:

NOTE: After creating the file group, you must add at least one entry in order to save it; do that now.
If you want this list to auto-update, or just want to import it once so you don't have to type it all in,
download "FSRMUPDT.zip" from here: http://jpelectron.com/sample/Info and Documents/Stop crypto badware before it ruins your day/
Extract the folder from the .zip to the root of your OS drive letter (usually C).
NOTE: You might need to edit the "get-fsrmupdt.bat" file...
   to include the name of your file group, which by default = 1-PreventCrypto
   to include the correct working directory, which by default = C:\FSRMUPDT
On the "get-fsrmupdt.bat" file, right-click > Run as Administrator (run it once now to import, then use a scheduled task so it updates every night).
NOTE: When creating the scheduled task you must check "Run with highest privileges" on the General tab,
   and ensure the "Start in" (working) directory is C:\FSRMUPDT.
See comments within the batch file for usage help.



...the above was last updated [ 20170728.1 ]

FAQ: Why is this list smaller than others offered on the web?
A: Only files known to reach network shares are added here since that's all FSRM will see. Files dropped/left locally on the infected machine are not added to the list above.

FAQ: Who else maintains such a file list?
A: There are a handful of posts on reddit such as r/Ransomware and r/Malware, also fsrm.experiant.ca, and avast.com/ransomware-decryption-tools

Below are some that I have not been able to verify will appear on network shares; create a separate custom file group for these if you want to screen for them as well...



...the above list was last updated [ 20170811.1 ] and is NOT included in the auto-update.
If you want to include it, modify the batch to also wget filegroupalt.txt and then merge the two lists with: copy filegroup.txt + filegroupalt.txt biglist.txt

The entries below do appear on network shares, but use a common filename/extension that may also be used by legitimate software.
Verify that your software doesn't use such a name (or at least doesn't save such a file to network drives).
If you DO use files named like the below, add those entries to your "C:\FSRMUPDT\whitelist.txt" file so they won't be imported into FSRM.

*.enc
*.scl
message.txt

...the above list was last updated [ 20170322 ] and IS included in the auto-update.

   3) File Screening Management > File Screen Templates > Create File Screen Template...

    Settings tab
           Template name: 1-PreventCrypto
           Screening type: Passive screening
                 (passive screening lets the write complete and only notifies and runs the command; it is the share-removal script on the Command tab below, not the screen itself, that stops further encryption)
           File groups: Check "1-PreventCrypto"

    E-mail Message tab
           Subject: Unauthorized file from the [Violated File Group] file group detected
           Body:
User [Source Io Owner]
Saved [Source File Path] to [File Screen Path]
On server: [Server]
This file is in the [Violated File Group] file group in FSRM, which generated this alert.
A batch was run to remove all server shares until corrective action is taken.
Customer name: --INSERT CUSTOMER NAME HERE--

    Event Log tab
           Check "Send warning to event log"

    Command tab
           Check "Run this command or script"

Download the "1-PreventCrypto.bat" from here: http://jpelectron.com/sample/Info and Documents/Stop crypto badware before it ruins your day/
NOTE: You must edit the "1-PreventCrypto.bat" file to include the names of all your shares
See comments within the batch file for usage help.

           Browse... C:\Windows\1-PreventCrypto.bat
           Select radio button: "Local System"

4) File Screening Management > File Screens > Create File Screen...
          File screen path: C:\ (or just the drive/folder containing shares)
          Select radio button: "Derive properties from this file screen template (recommended)"
            Select from dropdown: "1-PreventCrypto"

5) File Server Resource Manager (Local) > right-click: Configure options...
          Email Notifications tab
            Set SMTP server name (use an SMTP relay if you don't have a mail server on-site)
            Set Default administrator (see how to)
          Notification Limits tab
            Set all to 2 minutes
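The whole server-side procedure above (install FSRM, build the file group from a list minus a whitelist, create the passive template with its e-mail/event/command actions, apply the screen, and set the global notification limits) as one added PowerShell example. This is not the author's FSRMUPDT batch or any code from the page; it uses the FileServerResourceManager cmdlets, which exist on Windows Server 2012 and later only. The list and whitelist paths, the SMTP host and addresses, and the script path are assumptions to adjust for your site.

```powershell
# Added example (not the author's batch): end-to-end FSRM setup for the
# "1-PreventCrypto" passive screen. Requires Windows Server 2012 or later.
#Requires -RunAsAdministrator

# Install the role service if it is missing (on 2008 R2 use Add-WindowsFeature
# from the ServerManager module instead; the feature name is the same).
if (-not (Get-WindowsFeature FS-Resource-Manager).Installed) {
    Install-WindowsFeature FS-Resource-Manager -IncludeManagementTools | Out-Null
}
Import-Module FileServerResourceManager

$GroupName     = '1-PreventCrypto'
$ListFile      = 'C:\FSRMUPDT\filegroup.txt'   # assumption: one pattern per line, e.g. *.locky
$WhitelistFile = 'C:\FSRMUPDT\whitelist.txt'   # assumption: patterns your own software writes
$ScreenPath    = 'C:\'                         # drive or folder that holds the shares
$Script        = 'C:\Windows\1-PreventCrypto.bat'

function Read-PatternList {
    # Returns the trimmed, non-empty, non-comment lines of a list file, deduplicated.
    param([string]$Path)
    if (-not (Test-Path $Path)) { return @() }
    Get-Content $Path |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -and -not $_.StartsWith('#') } |
        Sort-Object -Unique
}

# Step 2: file group = list minus whitelist. -notcontains is case-insensitive,
# which matches how NTFS/FSRM compare names.
$whitelist = @(Read-PatternList $WhitelistFile)
$patterns  = @(Read-PatternList $ListFile | Where-Object { $whitelist -notcontains $_ })
if ($patterns.Count -eq 0) { throw "No patterns to import from $ListFile" }

if (Get-FsrmFileGroup -Name $GroupName -ErrorAction SilentlyContinue) {
    Set-FsrmFileGroup -Name $GroupName -IncludePattern $patterns
} else {
    New-FsrmFileGroup -Name $GroupName -IncludePattern $patterns | Out-Null
}

# Step 3: the three notification actions. Bracketed tokens are FSRM's own
# substitution variables and are expanded by FSRM at notification time.
$body = @"
User [Source Io Owner]
Saved [Source File Path] to [File Screen Path]
On server: [Server]
This file is in the [Violated File Group] file group in FSRM, which generated this alert.
A batch was run to remove all server shares until corrective action is taken.
"@
$actions = @(
    New-FsrmAction -Type Email -MailTo '[Admin Email]' `
        -Subject 'Unauthorized file from the [Violated File Group] file group detected' -Body $body
    New-FsrmAction -Type Event -EventType Warning -Body $body
    New-FsrmAction -Type Command -Command $Script -SecurityLevel LocalSystem `
        -WorkingDirectory (Split-Path $Script)
)

# Passive screening (-Active:$false) never blocks the write; it only fires the
# actions, so the command action is what actually limits the damage.
if (-not (Get-FsrmFileScreenTemplate -Name $GroupName -ErrorAction SilentlyContinue)) {
    New-FsrmFileScreenTemplate -Name $GroupName -IncludeGroup $GroupName `
        -Active:$false -Notification $actions | Out-Null
}

# Step 4: apply the template to the path containing the shares.
if (-not (Get-FsrmFileScreen -Path $ScreenPath -ErrorAction SilentlyContinue)) {
    New-FsrmFileScreen -Path $ScreenPath -Template $GroupName | Out-Null
}

# Step 5: SMTP relay, admin address, and 2-minute notification limits so a
# burst of violations neither floods the mailbox nor re-runs the script.
Set-FsrmSetting -SmtpServer 'smtp.example.com' `
    -AdminEmailAddress 'admin@example.com' `
    -FromEmailAddress "fsrm@$env:COMPUTERNAME.example.com" `
    -EmailNotificationLimit 2 -EventNotificationLimit 2 `
    -CommandNotificationLimit 2 -ReportNotificationLimit 2

# Sanity check: the screen should list the group and report Active = False.
Get-FsrmFileScreen -Path $ScreenPath | Select-Object Path, IncludeGroup, Active
```

For the nightly refresh, the file-group half of this script (Read-PatternList plus Set-FsrmFileGroup) is what a scheduled task needs to run; registering it with Register-ScheduledTask -RunLevel Highest is the cmdlet equivalent of the "Run with highest privileges" checkbox mentioned above. On 2008 R2, where these cmdlets do not exist, the same file-group import can be scripted with filescrn.exe (filescrn filegroup add /filegroup:"1-PreventCrypto" /members:"pattern1|pattern2"), which is what the author's batch approach targets.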


____ Other protections worth doing ____


1) Ensure your Internet filter is updating so that it blocks known badware domains (suggestion: DNS Redirector)
2) Ensure your Internet filter is blocking ccTLDs and IDNs that are not relevant to your business (suggestion: DNS Redirector, see how to)
3) Ensure your firewall is blocking any URL that uses a bare IP address instead of a hostname (legitimate sites rarely do this; malware droppers and command-and-control often do)
           Bad: http://93.184.216.34 | Good: http://example.com | see how to
4) Ensure your firewall is blocking outbound DNS from everything except your internal/AD DNS server IP(s)
5) Ensure your firewall allows only good/necessary ports outbound (NOT any/any)
           Suggestion for DCs: 53,80,123,443,3544 | Suggestion for end-users: 80,443,1935,3544
6) Run CryptoPrevent by Foolish IT on every end-user workstation; the free version is fine. Apply at least the standard rules, then restart.
7) Disable vssadmin.exe with this batch (ransomware commonly runs it to delete Volume Shadow Copies before or while encrypting)
8) Consider implementing Software Restriction Policies (SRP) via Group Policy (or AppLocker, or another application whitelist)
9) Use an anti-virus product and/or Malwarebytes on end-user workstations, and ensure it is updating


FAQ: Have I ever had a ransomware infection on any of the networks I manage?
A: No, because I believe in internet filtering and that the corporate network is provided for work, not end-users' personal Internet connection. If company management doesn't support you with this, get out now! Want end-users to view ads that give you malware, open emails that give you malware, shop for shoes, find coupons, travel deals, jerk off, or contribute to the train wreck/waste of time that is "social media" - then great, they can do that on their own time/at home (or on their own device connected to an isolated/wireless network), not on the corporate network! I've been using DNS Redirector as a filter for several years now and enjoy not having to clean up viruses/malware. Really want to protect your network? Then stop messing around with the "catch me if you can" game of virus scan, expensive IDS firewalls, or even FSRM scripts - get an Internet filter and use it to block advertisements, ccTLDs, IDNs, and any other content your company doesn't absolutely need to stay in business. I assure you that end-users, and the IT department, will be more productive!


____ Cleanup procedure ____


1) Either you received an email from FSRM with the details, or you suddenly realized all server shares are missing...
           On the server which detected the bad files go to Event Viewer > Windows Logs > Application
           Look for a Warning entry from SRMSVC as the source, the General box contains the details of
           the username and filename which triggered the shares to be removed
2) Unplug the offending user's machine from the network and take the actions you feel appropriate...
           - Burn the entire system with hot lava and buy a new machine
           - Format the drive and reload the OS
           - Delete the users profile and let the system create a fresh one upon first login
           - Cleanup user's temp folders and startup items (suggestion: CCleaner)
           - Ensure user's machine is malware/toolbar/nonsense free (suggestion: Malwarebytes)
           - Run CryptoPrevent by Foolish IT apply at least the standard rules, restart
           - Scold the end-user
3) Restore any files that did get encrypted from your backups
           NOTE: Many variants of this badware do NOT change the file modified time/date stamp to when encryption occurred,
           so you cannot rely on modified dates to find the affected files; look for the changed extension or compare against your backup instead.
4) Add all the shares back to the server (see created file: C:\Windows\1-PreventCrypto-PreviousShares.txt)
5) Re-enable the Windows firewall rules for File and Printer Sharing
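The response and cleanup steps above (find the SRMSVC warning, drop the shares while recording them, then re-create them and re-open the firewall) as an added PowerShell example. This is not the author's 1-PreventCrypto.bat, and the state file it writes (path and JSON layout) is my own, not the page's C:\Windows\1-PreventCrypto-PreviousShares.txt. It needs the SmbShare and NetSecurity modules (Windows Server 2012 or later). The shares kept by default (SYSVOL, NETLOGON) are an assumption for the case where the file server is also a domain controller.

```powershell
# Added example (not the author's batch): lockdown half runs as the FSRM
# command action under Local System; the other two functions are the
# cleanup procedure. State file path/format and $KeepShares are assumptions.
#Requires -RunAsAdministrator
$StateFile  = 'C:\Windows\PreventCrypto-PreviousShares.json'
$KeepShares = @('SYSVOL', 'NETLOGON')   # never remove these on a DC

function Get-CryptoViolation {
    # Cleanup step 1: the SRMSVC warning(s) that fired the action, newest first.
    # Level 3 = Warning. The Message carries the user and file path.
    param([int]$Last = 5)
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'SRMSVC'; Level = 3 } `
        -MaxEvents $Last -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

function Invoke-ShareLockdown {
    # Record every non-administrative share with its share permissions, remove
    # it, then close the File and Printer Sharing rules so no client, whichever
    # one is infected, can keep writing to this server.
    if (Test-Path $StateFile) { return }   # already locked down: keep the first record
    $shares = @(Get-SmbShare | Where-Object { -not $_.Special -and $KeepShares -notcontains $_.Name } |
        ForEach-Object {
            [pscustomobject]@{
                Name        = $_.Name
                Path        = $_.Path
                Description = [string]$_.Description
                Access      = @(Get-SmbShareAccess -Name $_.Name | ForEach-Object {
                    [pscustomobject]@{ Account = $_.AccountName
                                       Type    = "$($_.AccessControlType)"
                                       Right   = "$($_.AccessRight)" }
                })
            }
        })
    $shares | ConvertTo-Json -Depth 4 | Set-Content -Path $StateFile -Encoding UTF8
    foreach ($s in $shares) { Remove-SmbShare -Name $s.Name -Force }
    Disable-NetFirewallRule -DisplayGroup 'File and Printer Sharing'
}

function Restore-Shares {
    # Cleanup steps 4 and 5: recreate shares from the record, put the recorded
    # share ACL back, re-open the firewall. Run only after the client is contained.
    $shares = @(Get-Content $StateFile -Raw | ConvertFrom-Json)
    foreach ($s in $shares) {
        if (Get-SmbShare -Name $s.Name -ErrorAction SilentlyContinue) { continue }
        New-SmbShare -Name $s.Name -Path $s.Path -Description ([string]$s.Description) | Out-Null
        # New-SmbShare grants Everyone:Read by default; replace it with what was recorded.
        Revoke-SmbShareAccess -Name $s.Name -AccountName 'Everyone' -Force | Out-Null
        foreach ($a in @($s.Access)) {
            if ($a.Type -eq 'Allow') {
                Grant-SmbShareAccess -Name $s.Name -AccountName $a.Account -AccessRight $a.Right -Force | Out-Null
            } else {
                Block-SmbShareAccess -Name $s.Name -AccountName $a.Account -Force | Out-Null
            }
        }
    }
    Enable-NetFirewallRule -DisplayGroup 'File and Printer Sharing'
    Rename-Item $StateFile "$StateFile.$(Get-Date -Format yyyyMMddHHmmss).restored"
}

# Usage: Invoke-ShareLockdown from the FSRM command action; on the console,
# Get-CryptoViolation to see who tripped it, then Restore-Shares when done.
```

Two points worth keeping in mind when wiring this in: the FSRM notification limit set above (2 minutes) means the command will not re-fire for further violations inside that window, which is why the lockdown records state once and returns early on subsequent runs; and disabling the File and Printer Sharing rule group also cuts off your own SMB-based administration of the box, so plan to reach it over RDP or the console to run the restore.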


____ Disclaimer ____


NO WARRANTY

THIS INFORMATION IS DISTRIBUTED IN THE HOPE THAT IT WILL BE USEFUL, BUT WITHOUT ANY WARRANTY. IT IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THIS INFORMATION IS WITH YOU. SHOULD THIS PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.

IN NO EVENT WILL THE AUTHOR BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THIS INFORMATION (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE EFFECTIVENESS OF THIS INFORMATION), EVEN IF THE AUTHOR HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

THIS PART YOU SHOULD ACTUALLY READ:
THIS IS NOT A FOOL-PROOF SOLUTION TO PREVENTING CRYPTO NONSENSE. SETTING UP YOUR NETWORK CORRECTLY AND BLOCKING ADS AND MALWARE FROM COMING IN ON YOUR INTERNET CONNECTION IS MORE EFFECTIVE; THIS IS A LAST RESORT. ALSO, BACKUPS!


FAQ: Can I contact you?
A: It's more likely I won't respond; this page has received more hits in the last year than my entire site has since it went online in Y2K. I get too many threats and phishing attempts and will not help you do your job; hire a real IT person to read these instructions if it's outside the realm of your capabilities. If reporting a new extension you found, you must also include verifiable details of the infection or other online articles documenting the behavior; do not send me randomized extensions, as I will not be adding them to the list.

____ End of line ____