This document was written with Windows Server 2008 R2 Standard in mind, but is relevant to other server OS versions (2003R2 or later is required for FSRM)
The method described on this website detects known dropped files (the payment instructions) or the new extension that files receive after they get encrypted. As an alternative/supplement you could
also leave a known file out in the open (on a share) and wait for it to get encrypted (changed) or deleted; that method can be found here.
2003R2: Control Panel > Add or Remove Programs > Add/Remove Windows Components > Windows Components Wizard > Management and Monitoring Tools > Details > File Server Resource Manager
2008(R2): Server Manager > Roles > Add Roles > Add Roles Wizard > Server Roles > File Services > Role Services > File Server Resource Manager
2012(R2): Server Manager > Manage > Add Roles and Features > Add Roles and Features Wizard > Server Roles > File and Storage Services > File and iSCSI Services > File Server Resource Manager
____ Server-side protection from further encryption ____
1) Open File Server Resource Manager (Start > Run > fsrm.msc)
2) File Screening Management > File Groups > Create File Group...
File group name: 1-PreventCrypto
Files to include:
NOTE: After creating the file group, you must add at least one entry in order to save it, do that now.
If you want this list to auto-update, or just want to import it once so you don't have to type it all in,
download "FSRMUPDT.zip" from here: http://jpelectron.com/sample/Info and Documents/Stop crypto badware before it ruins your day/
Extract the folder from the .zip to the root of your OS drive letter (usually C)
NOTE: You might need to edit the "get-fsrmupdt.bat" file...
to include the name of your filegroup, which by default = 1-PreventCrypto
to include the correct working directory, which by default = C:\FSRMUPDT
Right-click the "get-fsrmupdt.bat" file and choose Run as Administrator (just once now to import; then use a scheduled task so it updates every night)
NOTE: When making a scheduled task you must check "Run with highest privileges" on the General tab
also ensure the start in or working directory is C:\FSRMUPDT
See comments within the batch file for usage help.
...the above was last updated [ 20170301.1 ]
FAQ: Why is this list smaller than others offered on the web?
A: Only files known to reach network shares are added here since that's all FSRM will see. Files dropped/left locally on the infected machine are not added to the list above.
Below are some that I have not been able to verify will appear on network shares;
create a custom file group for these if you are paranoid...
...the above list was last updated [ 20170322 ] and is NOT included in the auto-update.
The entries below do appear on network shares, but use a common filename/extension that may also be used by legitimate software.
You should verify your software doesn't use such a name (or at least doesn't save such a file to network drives).
If you DO use files named like the below, add them to your "C:\FSRMUPDT\whitelist.txt" file so they won't get imported into FSRM.
...the above list was last updated [ 20170322 ] and IS included in the auto-update.
E-mail Message tab
Subject: Unauthorized file from the [Violated File Group] file group detected
User [Source Io Owner]
Saved [Source File Path] to [File Screen Path]
On server: [Server]
This file is in the [Violated File Group] file group in FSRM, which generated this alert.
A batch was run to remove all server shares until corrective action is taken.
Customer name: --INSERT CUSTOMER NAME HERE--
Select radio button: "Local System"
4) File Screening Management > File Screens > Create File Screen...
File screen path: C:\ (or just the drive/folder containing shares)
Select radio button: "Derive properties from this file screen template (recommended)"
Select from dropdown: "1-PreventCrypto"
5) File Server Resource Manager (Local) > right-click: Configure options...
Email Notifications tab
Set SMTP server name (use a SMTP relay if you don't have a mail server on-site)
Set Default administrator (see how to)
Notification Limits tab
Set all to 2 minutes
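The file group, screen template, file screen and options from the steps above, written as an added PowerShell example for Windows Server 2012 or later (the FileServerResourceManager module does not exist on 2008 R2, where the page's batch files apply). This is not the page's own get-fsrmupdt.bat: the list file name extensions.txt, the response script Remove-Shares.ps1 and the example.invalid mail addresses are assumptions, while whitelist.txt and the 1-PreventCrypto name come from the page.

```powershell
Import-Module FileServerResourceManager

$GroupName = '1-PreventCrypto'
$ListFile  = 'C:\FSRMUPDT\extensions.txt'     # assumed name: one pattern per line
$WhiteList = 'C:\FSRMUPDT\whitelist.txt'      # the file the page tells you to maintain
$Script    = 'C:\FSRMUPDT\Remove-Shares.ps1'  # hypothetical share-removal script

# Build the pattern list: drop blanks and comments, then drop anything whitelisted so
# a name your own software writes to shares never lands in the file group.
$white    = @(Get-Content $WhiteList -ErrorAction SilentlyContinue | ForEach-Object { $_.Trim().ToLower() })
$patterns = @(Get-Content $ListFile | ForEach-Object { $_.Trim() } |
    Where-Object { $_ -and -not $_.StartsWith('#') -and ($white -notcontains $_.ToLower()) } |
    Sort-Object -Unique)
if ($patterns.Count -eq 0) { throw 'No patterns to import; refusing to empty the file group.' }

# Step 2: create the file group, or replace its members on a nightly re-run.
if (Get-FsrmFileGroup -Name $GroupName -ErrorAction SilentlyContinue) {
    Set-FsrmFileGroup -Name $GroupName -IncludePattern $patterns
} else {
    New-FsrmFileGroup -Name $GroupName -IncludePattern $patterns
}

# Step 3: template actions. [Admin Email], [Violated File Group] and friends are
# FSRM variables expanded when the screen fires.
$mail = New-FsrmAction -Type Email -MailTo '[Admin Email]' `
    -Subject 'Unauthorized file from the [Violated File Group] file group detected' `
    -Body ("User [Source Io Owner]`nSaved [Source File Path] to [File Screen Path]`nOn server: [Server]`n" +
           'A batch was run to remove all server shares until corrective action is taken.')
$cmd = New-FsrmAction -Type Command -SecurityLevel LocalSystem -WorkingDirectory 'C:\FSRMUPDT' `
    -Command "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe" `
    -CommandParameters "-NoProfile -ExecutionPolicy Bypass -File $Script" -ShouldLogError
if (-not (Get-FsrmFileScreenTemplate -Name $GroupName -ErrorAction SilentlyContinue)) {
    New-FsrmFileScreenTemplate -Name $GroupName -IncludeGroup $GroupName -Active -Notification $mail, $cmd
}

# Step 4: an active screen on the drive holding the shares, derived from the template.
if (-not (Get-FsrmFileScreen -Path 'C:\' -ErrorAction SilentlyContinue)) {
    New-FsrmFileScreen -Path 'C:\' -Template $GroupName
}

# Step 5: SMTP relay, default administrator and the 2-minute notification limits.
Set-FsrmSetting -SmtpServer 'smtp.example.invalid' -AdminEmailAddress 'admin@example.invalid' `
    -FromEmailAddress 'fsrm@example.invalid' `
    -EmailNotificationLimit 2 -EventNotificationLimit 2 -CommandNotificationLimit 2
```

Scheduled nightly with "Run with highest privileges", the first half re-imports the list exactly as the batch does; the template and screen blocks are skipped once they exist.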
____ Other protections worth doing ____
1) Ensure Internet filter is updating to block known badware domains (suggestion: DNS Redirector)
2) Ensure Internet filter is blocking ccTLDs and IDNs that are not relevant to your business (suggestion: DNS Redirector, see how to)
3) Ensure Firewall is blocking any URLs with an IP address (only the bad guys do this)
Bad: http://188.8.131.52 | Good: http://example.com | see how to
4) Ensure Firewall is blocking DNS outbound from everything except your internal/AD DNS server IP(s)
5) Ensure Firewall is allowing only good/necessary ports outbound (NOT any/any)
Suggestion for DCs: 53,80,123,443,3544 | Suggestion for End-Users: 80,443,1935,3544
6) Run CryptoPrevent by Foolish IT on every end-user workstation (the free one is just fine), apply at least the standard rules, then restart
7) Disable vssadmin.exe with this batch
8) Consider implementing Software Restriction Policies (SRP) via Group Policy (or AppLocker, or application whitelist)
9) Use an anti-virus product and/or Malwarebytes on end-user workstations, ensure it is updating
FAQ: Have I ever had a ransomware infection on any of the networks I manage?
A: No, because I believe in internet filtering and that the corporate network is provided for work,
not end-users personal Internet connection. If company management doesn't support you with this, get out now!
Want end-users to view ads that give you malware, open emails that give you malware,
shop for shoes, find coupons, travel deals, jerk off, or contribute to the train wreck/waste of time that is "social media" -
then great, they can do that on their own time/at home (or on their own device connected to an isolated/wireless network) – not on the corporate network!
I've been using DNS Redirector as a filter for several years now and enjoy not having to clean up viruses/malware.
Really want to protect your network? Then stop messing around with the "catch me if you can" game of virus scan, expensive IDS firewalls, or even FSRM scripts -
get an Internet filter and use it to block advertisements, ccTLDs, IDNs, and any other content your company doesn't absolutely need to stay in business.
I assure you that end-users, and the IT department, will be more productive!
____ Cleanup procedure ____
1) Either you received an email from FSRM with the details, or you suddenly realized all server shares are missing...
On the server which detected the bad files go to Event Viewer > Windows Logs > Application.
Look for a Warning entry with SRMSVC as the source; the General box contains the details of
the username and filename which triggered the shares to be removed.
2) Unplug the offending user's machine from the network and take the actions you feel appropriate...
- Burn the entire system with hot lava and buy a new machine
- Format the drive and reload the OS
- Delete the user's profile and let the system create a fresh one upon first login
- Clean up the user's temp folders and startup items (suggestion: CCleaner)
- Ensure the user's machine is malware/toolbar/nonsense free (suggestion: Malwarebytes)
- Run CryptoPrevent by Foolish IT, apply at least the standard rules, restart
- Scold the end-user
3) Restore any files that did get encrypted from your backups
NOTE: Many variants of this badware do NOT change the file modified time/date stamp to when encryption occurred
4) Add all the shares back to the server (see created file: C:\Windows\1-PreventCrypto-PreviousShares.txt)
5) Re-enable the Windows firewall rules for File and Printer Sharing
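The share-removal action that the FSRM e-mail message refers to, together with the restore from cleanup steps 4 and 5, as an added PowerShell example rather than the page's own batch. The script name Remove-Shares.ps1 is hypothetical; the record file C:\Windows\1-PreventCrypto-PreviousShares.txt is the one the page names.

```powershell
param([ValidateSet('Remove', 'Restore')][string]$Mode = 'Remove')

# The record file is the one the page names; name=path lines double as 'net share' syntax.
$Record  = 'C:\Windows\1-PreventCrypto-PreviousShares.txt'
$FwGroup = 'File and Printer Sharing'

if ($Mode -eq 'Remove') {
    # Type 0 = ordinary disk share. Administrative shares (ADMIN$, C$, IPC$) carry the
    # high bit in Type and are kept so the server can still be managed during cleanup.
    $shares = @(Get-WmiObject Win32_Share | Where-Object { $_.Type -eq 0 })
    if (Test-Path $Record) {
        # A second trigger must not overwrite the record with an already-emptied list.
        Write-Warning "Keeping existing record $Record from an earlier trigger."
    } else {
        $shares | ForEach-Object { "$($_.Name)=$($_.Path)" } | Set-Content $Record
    }
    foreach ($s in $shares) { & net share "$($s.Name)" /delete /y | Out-Null }
    # Close SMB at the host firewall too; cleanup step 5 turns these rules back on.
    & netsh advfirewall firewall set rule group="$FwGroup" new enable=No | Out-Null
    Write-Output "Removed $($shares.Count) share(s); record written to $Record"
} else {
    if (-not (Test-Path $Record)) { throw "No record at $Record; nothing to restore." }
    foreach ($line in Get-Content $Record) {
        if ($line -notmatch '^([^=]+)=(.+)$') { continue }
        $name, $path = $Matches[1], $Matches[2]
        if (-not (Test-Path -LiteralPath $path)) { Write-Warning "Skipping $name, $path is gone"; continue }
        # net share recreates the share with default share permissions only (the record
        # holds no ACLs); NTFS permissions on the folder still govern access. Review afterwards.
        & net share "$name=$path" | Out-Null
    }
    & netsh advfirewall firewall set rule group="$FwGroup" new enable=Yes | Out-Null
    Write-Output "Restored shares from $Record; verify share permissions before deleting it."
}
```

FSRM runs the Remove mode as Local System from the template's command action; an administrator runs `-Mode Restore` from an elevated prompt after the cleanup.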
____ Disclaimer ____
THIS INFORMATION IS DISTRIBUTED IN THE HOPE THAT IT WILL BE USEFUL, BUT WITHOUT ANY WARRANTY.
IT IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING,
BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THIS INFORMATION IS WITH YOU. SHOULD THIS
PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
IN NO EVENT WILL THE AUTHOR BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL,
INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THIS INFORMATION
(INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
YOU OR THIRD PARTIES OR A FAILURE OF THE EFFECTIVENESS OF THIS INFORMATION), EVEN IF THE AUTHOR HAS
BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
THIS PART YOU SHOULD ACTUALLY READ:
THIS IS NOT A FOOL-PROOF SOLUTION TO PREVENTING CRYPTO NONSENSE –
SETTING UP YOUR NETWORK CORRECTLY; BLOCKING ADS AND MALWARE FROM COMING IN YOUR INTERNET CONNECTION IS MORE EFFECTIVE –
THIS IS A LAST RESORT. ALSO, BACKUPS!
FAQ: Can I contact you?
A: It's more likely I won't respond; this page has received more hits in the last year than my entire site has
since it went online in Y2K. I get too many threats and phishing attempts and will not help you do your job;
hire a real IT person to read these instructions if it's outside the realm of your capabilities.
If reporting a new extension you found, you must also include verifiable details of the infection or other online articles
documenting the behavior; do not send me randomized extensions, as I will not be adding them to the list.