Posted on November 8, 2016 · Posted in Windows Server 2012 R2

Using FSRM on Windows File Server to Prevent Ransomware

In this article, we’ll look at how to use File Server Resource Manager (FSRM) features on a file server running Windows Server 2012 R2 to detect and block ransomware. In particular, we’ll show how to install the FSRM service on the file server, configure file screening and, when ransomware activity is detected, block the user’s access to the share.

How to Detect Ransomware Using FSRM

If the File Server Resource Manager (FSRM) feature is not installed on your file server, install it using the Server Manager graphical console or from a PowerShell prompt:

Install-WindowsFeature FS-Resource-Manager -IncludeManagementTools

Make sure that the role has been installed:

Get-WindowsFeature -Name FS-Resource-Manager

After the feature has been installed, restart the server.

How to Configure the SMTP Settings of FSRM to Send E-Mail Notifications

The next step is to configure the SMTP settings of FSRM so that it can send e-mail notifications to administrators. To do it, start fsrm.msc, right-click the root of the File Server Resource Manager console and select Configure Options.

Specify the SMTP server name or IP address, the administrator and sender e-mail addresses.

Tip. If you don’t have an internal mail server, you can send mail through an SMTP relay.

FSRM SMTP Settings

To make sure that the SMTP server is configured correctly, send a test e-mail using the Send Test E-mail button.

SMTP settings of FSRM can also be configured from PowerShell:

Set-FsrmSetting -AdminEmailAddress "FileServerAdmins@adatum.com" -SmtpServer smtp.adatum.com -FromEmailAddress "FSRM@LON-FS02.adatum.com"

How to Create a Group of File Extensions for the Ransomware

The next step is to create a file group containing the known extensions and file names that encryption malware creates while it runs.

This list can be created in the FSRM console. To do it, expand File Screening Management -> File Groups and select Create File Group.

fsrm create file group

Specify the group name (for example, Crypto-files) and enter all known extensions into the list using the Files to include field.

ransomware file group

The list of known file extensions created by ransomware is quite long, so it is easier to create it using PowerShell.

In Windows Server 2012, you can create the file group using PowerShell as follows:

New-FsrmFileGroup -Name "Crypto-files" -IncludePattern @("_Locky_recover_instructions.txt","DECRYPT_INSTRUCTIONS.TXT", "DECRYPT_INSTRUCTION.TXT", "HELP_DECRYPT.TXT", "HELP_DECRYPT.HTML", "DecryptAllFiles.txt", "enc_files.txt", "HowDecrypt.txt", "How_Decrypt.txt", "How_Decrypt.html", "HELP_RESTORE_FILES.txt", "restore_files*.txt", "restore_files.txt", "RECOVERY_KEY.TXT", "how to decrypt aes files.lnk", "HELP_DECRYPT.PNG", "HELP_DECRYPT.lnk", "DecryptAllFiles*.txt", "Decrypt.exe", "AllFilesAreLocked*.bmp", "MESSAGE.txt","*.locky","*.ezz", "*.ecc", "*.exx", "*.7z.encrypted", "*.ctbl", "*.encrypted", "*.aaa", "*.xtbl", "*.abc", "*.JUST", "*.EnCiPhErEd", "*.cryptolocker","*.micro","*.vvv")

In Windows Server 2008 R2, you will have to use filescrn.exe:

filescrn.exe filegroup add /filegroup:"Crypto-files" /members:"DECRYPT_INSTRUCTIONS.TXT|DECRYPT_INSTRUCTION.TXT|DecryptAllFiles.txt|enc_files.txt|HowDecrypt.txt|How_Decrypt.txt|How_Decrypt.html|HELP_TO_DECRYPT_YOUR_FILES.txt|HELP_RESTORE_FILES.txt|HELP_TO_SAVE_FILES.txt|restore_files*.txt|restore_files.txt|RECOVERY_KEY.TXT|HELP_DECRYPT.PNG|HELP_DECRYPT.lnk|DecryptAllFiles*.txt|Decrypt.exe|ATTENTION!!!.txt|AllFilesAreLocked*.bmp|MESSAGE.txt|*.locky|*.ezz|*.ecc|*.exx|*.7z.encrypted|*.ctbl|*.encrypted|*.aaa|*.xtbl|*.EnCiPhErEd|*.cryptolocker|*.micro|*.vvv|*.zzz|*.xyz|*.abc|*.ccc|*.xxx|*.ttt|*.locked|*.crypto|*_crypt|*.crinf|*.r5a|*.XRNT|*.XTBL|*.crypt|*.R16M01D05|*.pzdc|*.good|*.LOL!|*.OMG!|*.RDM|*.RRK|*.encryptedRSA|*.crjoker|*.LeChiffre|*.keybtc@inbox_com|*.0x0|*.bleep|*.1999|*.vault|*.HA3|*.toxcrypt|*.magic|*.SUPERCRYPT|*.CTBL|*.CTB2"

Tip. You can compile a list of known file extensions yourself or use ready-made, regularly updated lists from the following pages:

https://www.bleib-virenfrei.de/ransomware/

https://fsrm.experiant.ca/api/v1/combined

In the second case, you can download an up-to-date list of file extensions for FSRM directly from the web server using Invoke-WebRequest:

New-FsrmFileGroup -Name "Anti-Ransomware File Groups" -IncludePattern @((Invoke-WebRequest -Uri "https://fsrm.experiant.ca/api/v1/combined").Content | ConvertFrom-Json | ForEach-Object { $_.filters })

Or use a ready-made file, crypto_extensions.txt. Save this file to disk and update the FSRM file group you created from it:

# Read one pattern per line from the list file and replace the group's patterns with it
$ext_list = Get-Content .\crypto_extensions.txt
Set-FsrmFileGroup -Name "Crypto-files" -IncludePattern ($ext_list)

File Screen Templates Configuration

Create a new File Screen Template to define the actions FSRM has to perform when it detects these files. To do it, in the FSRM console go to File Screen Management -> File Screen Templates and select Create File Screen Template.

Create File Screen Template

In the Settings tab, specify the template name “Block_crypto_files”, the screening type Active screening (do not allow users to save these file types) and select Crypto-files in the list of file groups.

block cryptolocker files template

In the E-mail Message tab, enable sending e-mail notifications and specify the text of the message subject and body.

email settings

In the Event Log tab, enable writing an entry to the system event log, and set the entry text to only the user name variable, [Source Io Owner] (the blocking script reads the user name from this event).

event log settings

In the Command tab, you can select what to do if one of these file types is detected. We’ll discuss it a bit later.

Save the changes. One more template will appear in the list.

list of file screen templates

How to Apply File Screen Template to a Disk or Folder

Now you only have to assign the created template to a disk or network share on your server. In the FSRM console, create a new file screen by selecting Create File Screen.

Create File Screen.

In the File screen path field, specify the local disk or the path to the directory you want to protect from ransomware, and select the template Block_crypto_files created earlier from the list of templates.

assign template to public folder

Automatic Block of the User Infected by Ransomware

Now you have to configure the action FSRM will perform when files created by encryption malware are detected. We’ll use a ready-made script: Protect your File Server against Ransomware by using FSRM and Powershell (https://gallery.technet.microsoft.com/scriptcenter/Protect-your-File-Server-f3722fce). What does this script do? When an attempt is made to write a prohibited file type to the network share, FSRM runs the script, which reads the event log and denies that user write access to the shared folder. Thus the infected user’s access to the network share is blocked.

Download this script and unpack it to the root of the C:\ drive on your file server. Copy SubInACL (a tool for changing share permissions) into the same directory. The following files have to be located in the directory:

  • RansomwareBlockSmb.ps1
  • StartRansomwareBlockSmb.cmd
  • subinacl.exe

StartRansomwareBlockSmb.cmd

Note. I had to change these lines in the PS script:

$SubinaclCmd = "C:\subinacl /verbose=1 /share \\127.0.0.1\" + "$SharePart" + " /deny=" + "$BadUser"

and

if ($Rule -match "Crypto-Files")

In the Command tab of the “Block crypto files” template settings, specify that cmd.exe should be run with StartRansomwareBlockSmb.cmd as its argument:

Run this command or script: c:\windows\system32\cmd.exe

Command arguments: /c "c:\StartRansomwareBlockSmb.cmd"

The command has to be run as Local System.

fsrm event run script
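The template and file screen configured above through the console (e-mail, event log and command actions, then the assignment to a share) can also be built with the FSRM cmdlets; the following is an added example written for this article, not code from the original post or the TechNet script. It assumes the Crypto-files group already exists, uses D:\Shares\Public as a placeholder share path, and expects the blocking wrapper in C:\ as described above.

```powershell
# Added example: build the "Block_crypto_files" template and apply it with PowerShell.
# Assumptions: file group "Crypto-files" exists; D:\Shares\Public is a placeholder path.
$groupName    = 'Crypto-files'
$templateName = 'Block_crypto_files'
$sharePath    = 'D:\Shares\Public'   # placeholder: root of the share to protect

# Action 1: e-mail the admin address configured with Set-FsrmSetting.
# [Admin Email], [Server], [Source Io Owner], [Source File Path], [File Screen Path]
# and [Violated File Group] are FSRM message variables expanded at notification time.
$mail = New-FsrmAction -Type Email -MailTo '[Admin Email]' `
    -Subject 'Ransomware activity detected on [Server]' `
    -Body ('User [Source Io Owner] tried to save [Source File Path] to [File Screen Path]. ' +
           'Matched file group: [Violated File Group].')

# Action 2: Application log entry. The text is ONLY the user variable, because
# the blocking script reads the user name out of the event message.
$event = New-FsrmAction -Type Event -EventType Warning -Body '[Source Io Owner]'

# Action 3: run the blocking wrapper as Local System (same command as the Command tab).
$cmd = New-FsrmAction -Type Command -Command 'c:\windows\system32\cmd.exe' `
    -CommandParameters '/c "c:\StartRansomwareBlockSmb.cmd"' `
    -SecurityLevel LocalSystem

# Active screening: writes of matching names are refused, not merely reported.
if (-not (Get-FsrmFileScreenTemplate -Name $templateName -ErrorAction SilentlyContinue)) {
    New-FsrmFileScreenTemplate -Name $templateName -IncludeGroup $groupName -Active `
        -Notification @($mail, $event, $cmd) | Out-Null
}

# Apply the template to the share root; an existing screen on that path is left alone.
if (-not (Get-FsrmFileScreen -Path $sharePath -ErrorAction SilentlyContinue)) {
    New-FsrmFileScreen -Path $sharePath -Template $templateName | Out-Null
}

# Verify: the screen should be Active and reference the Crypto-files group.
Get-FsrmFileScreen -Path $sharePath | Select-Object Path, Active, IncludeGroup
```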

FSRM Protection Test

Let’s test how the FSRM protection against ransomware works. To do it, create a file with any extension in the protected directory and try to rename it to a prohibited extension, such as .locky.

When trying to save the prohibited file, FSRM will make an entry in the log:

Event ID: 8215
Source: SRMSVC

Based on the data from the log, the RansomwareBlockSmb.ps1 script will prohibit the offending user from accessing this directory by changing the share permissions.

share permissions

The protection works! In the log file located in the root of the disk, you can see the directory and the user account from which the ransomware attempted to write.
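As an added example (not the TechNet script and not the article’s own code), here is the same response step implemented with the built-in SmbShare cmdlets instead of SubInACL: it reads recent Event ID 8215 entries from SRMSVC and denies each reported user on the share. It assumes the Event action logs only [Source Io Owner], so the event message is the user name, and uses the placeholder share name Public and a placeholder log path.

```powershell
# Added example: block the user reported by FSRM event 8215 with Block-SmbShareAccess.
# Assumptions: event message text is exactly the user (DOMAIN\user or user@domain);
# "Public" and C:\RansomwareBlock.log are placeholders; run as Local System from the
# template's Command action in place of StartRansomwareBlockSmb.cmd.
param(
    [string]$ShareName       = 'Public',                 # placeholder share name
    [int]   $LookbackMinutes = 5,                        # how far back to read events
    [string]$LogFile         = 'C:\RansomwareBlock.log'  # placeholder audit log
)

# FSRM file screen violations land in the Application log, source SRMSVC, Event ID 8215.
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'SRMSVC'
    Id           = 8215
    StartTime    = (Get-Date).AddMinutes(-$LookbackMinutes)
} -ErrorAction SilentlyContinue

# Accept only a well-formed account name; anything else in the message is unexpected
# and must never be passed on to an ACL change.
$users = $events | ForEach-Object { $_.Message.Trim() } |
    Where-Object { $_ -match '^[\w.-]+\\[\w.$-]+$' -or $_ -match '^[\w.-]+@[\w.-]+$' } |
    Sort-Object -Unique

foreach ($user in $users) {
    # Avoid locking out built-in service principals by accident; adjust to your environment.
    if ($user -match '\\(SYSTEM|LOCAL SERVICE|NETWORK SERVICE)$') { continue }

    # Share-level Deny for this account; it overrides any NTFS Allow for access via the share.
    Block-SmbShareAccess -Name $ShareName -AccountName $user -Force

    "$(Get-Date -Format s) blocked $user on share $ShareName (FSRM event 8215)" |
        Add-Content -Path $LogFile
}

# Show the resulting share permissions so the deny entry can be verified.
Get-SmbShareAccess -Name $ShareName | Format-Table AccountName, AccessControlType, AccessRight
```

Unblock-SmbShareAccess with the same -Name and -AccountName removes the deny entry once the client has been cleaned.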

If you need a higher protection level, you can switch from a blacklist of file types to a whitelist, so that only the allowed file types can be saved.

So, we have considered how to automatically block network share access for users whose computers are infected with ransomware. Naturally, using FSRM in this way cannot fully protect the files on your servers from this kind of malware, but it is suitable as one layer of protection. In the next article, we’ll consider another way to protect against encryption ransomware: How to Recover User Files from VSS Snapshots After Getting Infected with Ransomware.
