The face of malware has changed over recent years and it’s safe to say that it’s become an industry like any other. Your data, and it’s importance to you, has a value and it’s one that people are only to keen to capitalise on. With ransomware such as CryptoLocker and Locky, this is something that’s become all too easy.
In your organisation you’ll have several tools in your arsenal which can be put to good use – mail filtering, gateway AV, web filtering, but one which you really should be making use of is the File Screening feature of your Windows servers. This allows you to build rulesets to report on, or block, files on your server.
I’m going to look at how to block many of the filetypes associated with CryptoLocker and Locky.
- First thing to do is to install the File Server Resource Manager Role on your Windows server, either 2008, 2008 R2, 2012 or 2012 R2. Do this from the Manage > Add Roles and Features menu in Server Manager.
![FSRM Role]()
- You can now load the File Server Resource Manager from Administrative Tools.
- Right click the File Server Resource Manager top level node on the left hand nav bar and choose Configure Options. This is where you’ll configure your email settings. Enter your email server information and hit the Test button to ensure you get a test email back, then click OK.
![FSRM Email]()
- Right click the File Groups nav node and choose Create File Group. Create a new group called Malware Files and add the files you want to exclude. In this case I’m using the following list which I’ll update as I find new file names. If you don’t want to paste all these in then you can use the handy powershell command at the bottom of this post to create the File Group and then skip this step.
_Locky_recover_instructions.txt DECRYPT_INSTRUCTIONS.TXT DECRYPT_INSTRUCTIONS.HTML DECRYPT_INSTRUCTION.TXT DECRYPT_INSTRUCTION.HTML HELP_DECRYPT.TXT HELP_DECRYPT.HTML DecryptAllFiles.txt enc_files.txt HowDecrypt.txt How_Decrypt.txt How_Decrypt.html HELP_TO_DECRYPT_YOUR_FILES.txt HELP_RESTORE_FILES.txt HELP_TO_SAVE_FILES.txt restore_files*.txt restore_files.txt RECOVERY_KEY.TXT how to decrypt aes files.lnk HELP_DECRYPT.PNG HELP_DECRYPT.lnk DecryptAllFiles*.txt Decrypt.exe ATTENTION!!!.txt AllFilesAreLocked*.bmp MESSAGE.txt *.locky *.ezz *.ecc *.exx *.7z.encrypted *.ctbl *.encrypted *.aaa *.xtbl *.abc *.JUST *.EnCiPhErEd *.cryptolocker ”*.micro”
- Next up, right click the File Screen Templates node and choose Create File Screen Template. In my example I’ve called it Malware Files. Select the “Malware Files” group from the list of groups shown then click on the email tab. Here you want to enable email alerts – you really want to be told if you have some ransomware on your server – and click OK.
![2016-02-29 16_09_10-192.168.8.13 - Remote Desktop Connection]()
![2016-02-29 16_08_42-192.168.8.13 - Remote Desktop Connection]()
- Now we want to apply our template to our file locations. Right click the File Screens node and choose Create File Screen. Choose the folder to assign the file screening template to and choose the template that you create before. Click Ok.
![2016-02-29 16_19_10-192.168.8.13 - Remote Desktop Connection]()
- If you open a command prompt you can test what will happen. Pop in to your folder and try creating a malicious looking file. You should also receive an email if you’ve enabled email alerts.
![2016-02-29 16_29_51-192.168.8.13 - Remote Desktop Connection]()
Powershell
To help with adding the file names to be blocked, you can use this powershell command. Just paste it in to the powershell prompt on the server and the File Screen Group will be created for you. You will then just need to create a template and assign it to a folder.
New-FsrmFileGroup -Name "Malware Files" –IncludePattern @("_Locky_recover_instructions.txt","DECRYPT_INSTRUCTIONS.TXT", "DECRYPT_INSTRUCTIONS.HTML", "DECRYPT_INSTRUCTION.TXT", "DECRYPT_INSTRUCTION.HTML", "HELP_DECRYPT.TXT", "HELP_DECRYPT.HTML", "DecryptAllFiles.txt", "enc_files.txt", "HowDecrypt.txt", "How_Decrypt.txt", "How_Decrypt.html", "HELP_TO_DECRYPT_YOUR_FILES.txt", "HELP_RESTORE_FILES.txt", "HELP_TO_SAVE_FILES.txt", "restore_files*.txt", "restore_files.txt", "RECOVERY_KEY.TXT", "how to decrypt aes files.lnk", "HELP_DECRYPT.PNG", "HELP_DECRYPT.lnk", "DecryptAllFiles*.txt", "Decrypt.exe", "ATTENTION!!!.txt", "AllFilesAreLocked*.bmp", "MESSAGE.txt","*.locky","*.ezz", "*.ecc", "*.exx", "*.7z.encrypted", "*.ctbl", "*.encrypted", "*.aaa", "*.xtbl", "*.abc", "*.JUST", "*.EnCiPhErEd", "*.cryptolocker",”*.micro”)The post How to use File Screening to help block CryptoLocker appeared first on Oliver Marshall.