In this article, we'll consider how to use File Server Resource Manager (FSRM) features on a file server running Windows Server 2012 R2 to detect and block ransomware. In particular, we'll show how to install the FSRM service on the file server, configure file screening, and block the user's access to the share when ransomware activity is detected.
How to Detect Ransomware Using FSRM
If the File Server Resource Manager (FSRM) feature is not installed on your file server, install it using the Server Manager graphical console or the PowerShell command prompt:
Install-WindowsFeature FS-Resource-Manager -IncludeManagementTools
Make sure that the role has been installed:
Get-WindowsFeature -Name FS-Resource-Manager
After the feature has been installed, restart the server.
How to Configure the SMTP Settings of FSRM to Send E-Mail Notifications
The next step is to configure the SMTP settings of FSRM so that it can send e-mail notifications to administrators. To do it, start fsrm.msc, right-click the root of the File Server Resource Manager console and select Configure Options.
Specify the SMTP server name or IP address, the administrator e-mail address and the sender e-mail address.
To make sure that the SMTP server is configured correctly, send a test e-mail using the Send Test E-mail button.
SMTP settings of FSRM can also be configured from PowerShell:
Set-FsrmSetting -AdminEmailAddress "FileServerAdmins@adatum.com" -SmtpServer smtp.adatum.com -FromEmailAddress "FSRM@LON-FS02.adatum.com"
How to Create a Group of File Extensions for the Ransomware
The next step is to create a file group containing the known extensions and file names that encryption malware creates while it runs.
This group can be created in the FSRM console. To do it, expand File Screening Management -> File Groups and select Create File Group.
Specify the group name (for example, Crypto-files) and enter all known extensions into the list using the Files to include field.
The list of known file extensions created by ransomware is quite long, so it is easier to create it using PowerShell.
In Windows Server 2012, you can create the file group using PowerShell as follows:
New-FsrmFileGroup -Name "Crypto-files" -IncludePattern @(
    "_Locky_recover_instructions.txt", "DECRYPT_INSTRUCTIONS.TXT", "DECRYPT_INSTRUCTION.TXT",
    "HELP_DECRYPT.TXT", "HELP_DECRYPT.HTML", "DecryptAllFiles.txt", "enc_files.txt",
    "HowDecrypt.txt", "How_Decrypt.txt", "How_Decrypt.html", "HELP_RESTORE_FILES.txt",
    "restore_files*.txt", "restore_files.txt", "RECOVERY_KEY.TXT", "how to decrypt aes files.lnk",
    "HELP_DECRYPT.PNG", "HELP_DECRYPT.lnk", "DecryptAllFiles*.txt", "Decrypt.exe",
    "AllFilesAreLocked*.bmp", "MESSAGE.txt", "*.locky", "*.ezz", "*.ecc", "*.exx",
    "*.7z.encrypted", "*.ctbl", "*.encrypted", "*.aaa", "*.xtbl", "*.abc", "*.JUST",
    "*.EnCiPhErEd", "*.cryptolocker", "*.micro", "*.vvv"
)
In Windows Server 2008 R2, you will have to use filescrn.exe:
filescrn.exe filegroup add /filegroup:"Crypto-files" /members:"DECRYPT_INSTRUCTIONS.TXT|DECRYPT_INSTRUCTION.TXT|DecryptAllFiles.txt|enc_files.txt|HowDecrypt.txt|How_Decrypt.txt|How_Decrypt.html|HELP_TO_DECRYPT_YOUR_FILES.txt|HELP_RESTORE_FILES.txt|HELP_TO_SAVE_FILES.txt|restore_files*.txt|restore_files.txt|RECOVERY_KEY.TXT|HELP_DECRYPT.PNG|HELP_DECRYPT.lnk|DecryptAllFiles*.txt|Decrypt.exe|ATTENTION!!!.txt|AllFilesAreLocked*.bmp|MESSAGE.txt|*.locky|*.ezz|*.ecc|*.exx|*.7z.encrypted|*.ctbl|*.encrypted|*.aaa|*.xtbl|*.EnCiPhErEd|*.cryptolocker|*.micro|*.vvv|*.ecc|*.ezz|*.exx|*.zzz|*.xyz|*.aaa|*.abc|*.ccc|*.vvv|*.xxx|*.ttt|*.micro|*.encrypted|*.locked|*.crypto|*_crypt|*.crinf|*.r5a|*.XRNT|*.XTBL|*.crypt|*.R16M01D05|*.pzdc|*.good|*.LOL!|*.OMG!|*.RDM|*.RRK|*.encryptedRSA|*.crjoker|*.LeChiffre|*.keybtc@inbox_com|*.0x0|*.bleep|*.1999|*.vault|*.HA3|*.toxcrypt|*.magic|*.SUPERCRYPT|*.CTBL|*.CTB2|*.locky"
File Screen Templates Configuration
Create a new File Screen Template that determines the actions FSRM has to perform when it detects these files. To do it, in the FSRM console go to File Screening Management -> File Screen Templates and select Create File Screen Template.
In the Settings tab, specify the template name "Block_crypto_files", set the screening type to Active screening (do not allow users to save these file types) and select Crypto-files in the list of file groups.
In the E-mail Message tab, enable sending e-mail notifications and specify text of message subject and body.
In the Command tab, you can select what to do if one of these file types is detected. We’ll discuss it a bit later.
Save the changes. One more template will appear in the list.
How to Apply File Screen Template to a Disk or Folder
Now you only have to assign the created template to a disk or network share on your server. In the FSRM console, create a new rule by selecting Create File Screen.
In File screen path field, specify the local disk or the path to the directory you want to protect from the ransomware, and select the template Block_crypto_files created earlier in the list of templates.
Automatic Block of the User Infected by Ransomware
Now you have to configure the action FSRM will perform when files created by encryption malware are detected. We'll use a ready-made script: Protect your File Server against Ransomware by using FSRM and Powershell (https://gallery.technet.microsoft.com/scriptcenter/Protect-your-File-Server-f3722fce). What does this script do? When a prohibited file type is written to the network share, FSRM runs this script, which analyses the event log and revokes the offending user's write access to the shared folder. Thus, the infected user's access to the network share is blocked.
Download this script and unpack it to the root of the C:\ drive on your file server. Copy SubInACL (a tool that allows you to change permissions on the network share) into the same directory. The following files have to be located in the directory:
In the Command tab of the "Block_crypto_files" template settings, specify that the command prompt must be started with StartRansomwareBlockSmb.cmd as its argument:
Run this command or script: c:\windows\system32\cmd.exe
Command arguments: /c "c:\StartRansomwareBlockSmb.cmd"
The command has to be run as Local System.
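The file group, template and file screen from the sections above can also be created entirely from PowerShell. The script below is an added example, not part of the original article or of the TechNet script it refers to: it creates the Crypto-files group (or merges new patterns into an existing one, so a re-run never drops patterns added later by hand), builds the e-mail and command actions with New-FsrmAction, creates the Block_crypto_files template and applies it to a share root. The pattern list is a subset of the one in the article; $ProtectedPath and the [Admin Email] / [Source Io Owner] / [Source File Path] / [Server] FSRM notification variables are assumptions (the path is a placeholder, the variables are the ones FSRM expands in notification text).

```powershell
# Added example: end-to-end FSRM configuration in PowerShell.
# Assumes the FS-Resource-Manager feature is already installed and that
# C:\StartRansomwareBlockSmb.cmd exists as described in the article.
Import-Module FileServerResourceManager

$GroupName     = 'Crypto-files'
$TemplateName  = 'Block_crypto_files'
$ProtectedPath = 'D:\Shares'   # placeholder: replace with your share root

# Subset of the patterns listed in the article; extend as needed.
$Patterns = @(
    'DECRYPT_INSTRUCTIONS.TXT', 'HELP_DECRYPT.TXT', 'HELP_DECRYPT.HTML',
    'restore_files*.txt', 'RECOVERY_KEY.TXT', 'AllFilesAreLocked*.bmp',
    '*.locky', '*.ecc', '*.ezz', '*.exx', '*.encrypted', '*.xtbl',
    '*.cryptolocker', '*.micro', '*.vvv'
)

# 1. File group: create it, or merge the patterns into an existing group.
$group = Get-FsrmFileGroup -Name $GroupName -ErrorAction SilentlyContinue
if (-not $group) {
    New-FsrmFileGroup -Name $GroupName -IncludePattern $Patterns | Out-Null
} else {
    $merged = @($group.IncludePattern) + $Patterns | Sort-Object -Unique
    Set-FsrmFileGroup -Name $GroupName -IncludePattern $merged
}

# 2. Notification actions: e-mail to the FSRM admin address (configured with
#    Set-FsrmSetting) and the blocking script, run as Local System.
$mailAction = New-FsrmAction -Type Email -MailTo '[Admin Email]' `
    -Subject 'Ransomware file blocked on [Server]' `
    -Body 'User [Source Io Owner] tried to write [Source File Path] to a protected share.'

$cmdAction = New-FsrmAction -Type Command `
    -Command 'C:\Windows\System32\cmd.exe' `
    -CommandParameters '/c "C:\StartRansomwareBlockSmb.cmd"' `
    -SecurityLevel LocalSystem -KillTimeOut 5

# 3. Template with active screening (writes are refused, not only logged).
if (-not (Get-FsrmFileScreenTemplate -Name $TemplateName -ErrorAction SilentlyContinue)) {
    New-FsrmFileScreenTemplate -Name $TemplateName -IncludeGroup $GroupName `
        -Active -Notification @($mailAction, $cmdAction) | Out-Null
}

# 4. Apply the template to the share root (the screen covers subfolders too).
if (-not (Get-FsrmFileScreen -Path $ProtectedPath -ErrorAction SilentlyContinue)) {
    New-FsrmFileScreen -Path $ProtectedPath -Template $TemplateName | Out-Null
}

# 5. Show what is in effect.
Get-FsrmFileScreen -Path $ProtectedPath |
    Select-Object Path, Template, Active, @{n='Groups'; e={ $_.IncludeGroup -join ',' }}
```

Because every step checks for an existing object first, the script can be kept in configuration management and re-run safely; the only state it changes on an existing group is the union of the pattern lists.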
FSRM Protection Test
Let's test how the FSRM protection against ransomware works. To do it, create a file with any extension in the protected directory and try to change its extension to the prohibited one, .locky.
When trying to save the prohibited file, FSRM will make an entry in the log:
Event ID: 8215
Based on the data from the log, the RansomwareBlockSmb.ps1 script will prohibit the current user from accessing this directory by changing the share access permissions.
The protection works! In the log file located in the root of the disk you can see the directory and the user account from which the ransomware attempted to write its files.
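To see what the blocking script has to do with the 8215 event described above, here is an added example, not part of the original article or of the TechNet script: it reads the latest FSRM file-screen violation from the Application log, extracts the user and path, and revokes that user's access on the affected SMB share with the built-in Block-SmbShareAccess cmdlet instead of SubInACL. The regular expression encodes an assumed shape of the 8215 message text ("User <account> attempted to save <file> to <path> on the <server> server ..."), the SRMSVC provider name is what FSRM logs under on Windows Server 2012 R2, and $SafeAccounts, the log file path and the sample message are constructed placeholders.

```powershell
# Added example: parse FSRM event 8215 and block the offending account.
# Assumptions: message format matched by the regex below; $SafeAccounts and
# C:\RansomwareBlock.log are placeholders.
Import-Module SmbShare

# Accounts that must never be locked out by an automatic response (placeholders).
$SafeAccounts = @('ADATUM\Administrator', 'ADATUM\backup-svc')

function ConvertFrom-FsrmViolation {
    param([Parameter(Mandatory)][string]$Message)
    # Assumed shape: "User DOMAIN\name attempted to save <file> to <path> on the <server> server. ..."
    $m = [regex]::Match($Message, 'User (?<user>\S+) attempted to save (?<file>.+?) to (?<path>.+?) on the ')
    if (-not $m.Success) { return $null }
    [pscustomobject]@{
        User = $m.Groups['user'].Value
        File = $m.Groups['file'].Value
        Path = $m.Groups['path'].Value.TrimEnd('\')
    }
}

function Get-ShareForPath {
    param([Parameter(Mandatory)][string]$Path)
    # The SMB share whose local path is the longest prefix of the violated path.
    Get-SmbShare |
        Where-Object { $_.Path -and $Path.StartsWith($_.Path, 'OrdinalIgnoreCase') } |
        Sort-Object { $_.Path.Length } -Descending |
        Select-Object -First 1
}

function Block-RansomwareUser {
    param([switch]$DryRun)
    $evt = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'SRMSVC'; Id = 8215 } `
               -MaxEvents 1 -ErrorAction SilentlyContinue
    if (-not $evt) { Write-Warning 'No FSRM 8215 event found'; return }

    $v = ConvertFrom-FsrmViolation -Message $evt.Message
    if (-not $v) { Write-Warning "Could not parse event text: $($evt.Message)"; return }
    if ($SafeAccounts -contains $v.User) { Write-Warning "Not blocking protected account $($v.User)"; return }

    $share = Get-ShareForPath -Path $v.Path
    if (-not $share) { Write-Warning "No SMB share covers $($v.Path)"; return }

    # Keep an audit trail of what was blocked and why, like the article's log file.
    "$(Get-Date -Format s) $($v.User) wrote $($v.File) to $($v.Path) (share $($share.Name))" |
        Add-Content -Path 'C:\RansomwareBlock.log'

    if ($DryRun) { "Would block $($v.User) on share $($share.Name)"; return }
    # Adds a Deny entry for the account on the share; remove it later with Unblock-SmbShareAccess.
    Block-SmbShareAccess -Name $share.Name -AccountName $v.User -Force
}

# Offline check of the parser against a constructed 8215 message:
$sample = 'User ADATUM\jdoe attempted to save D:\Shares\Finance\report.locky to D:\Shares\Finance\ on the LON-FS02 server. This file is in the Crypto-files file group, which is not permitted on the server.'
ConvertFrom-FsrmViolation -Message $sample
# On the file server itself: Block-RansomwareUser -DryRun, then Block-RansomwareUser
```

The safe-account list is the check most worth keeping when you wire this into the FSRM Command action: a script that runs as Local System and denies whatever account appears in the last event will happily lock out a backup or administrative account that touched a matching file name, so exclude those accounts explicitly and test with -DryRun before enabling the real block.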
If you need a higher protection level, you can switch from the black list of files to the white list, and then you’ll be able to save only allowed file types.
So, we have considered how to automatically block network share access for users whose computers are infected by ransomware. Naturally, using FSRM in this way cannot fully protect the files on your servers from this kind of malware, but it is suitable as one layer of protection. In the next article, we'll consider another way to protect against encryption ransomware: How to Recover User Files from VSS Snapshots After Getting Infected with the Ransomware.