The File Server Resource Manager role provides many features. File screening, in particular, can be used to help mitigate damage from a ransomware attack. With file screening, file servers can be configured to perform real time auditing on all shares for any files that become modified to any known ransomware extensions. In the event of a user getting infected with ransomware, the file screen will detect the modification of the files and deny that user access to the file shares, preventing them from damaging any other files. This can save hours of downtime and clean up.

I have created a script that will set up and configure all of this within minutes. The script performs the following actions:

  • Installs the file server resource manager role if it is not installed.
  • Configures file server resource manager to screen for known ransomware file extensions.
  • Configures the file screen to execute a script whenever a file is modified to a known ransomware extension. The script then blocks SMB share access to all shared files on the file server and sends an email message to whatever email specified.

The script requires the following prerequisites:

  • Windows Server 2012 – in order to use the cmdlet that blocks SMB share access.
  • Mail Relay Server – Used to configure email alert.

To create the powershell script, copy the code below into a notepad and save it as a .ps1 (for example, Install-FSRMRansomeware.ps1):

Update- Edited script to restart FSRM service after blocking SMB permissions. Ran into issue where the task was only triggering once.

How to Run the Script

Running the script is really simple. I’ve created an advanced function that includes all the parameters necessary to set up the email alerts. All we need to do is edit the parameters for the function being called at the end of the script:

1-Editing Script

 

Once you have inserted your own parameters, save the script. To execute the script, hold down SHIFT and RIGHT CLICK on the .ps1 file. Select COPY AS PATH:

2-Cpypath

Open up an administrative powershell prompt, type in “powershell” and paste in the path we copied, press ENTER to run the script:

PSRun

The script will start to run, if the File Server Resource Manager role is not installed it will begin installing.Once the script finishes, we can look at what was done by opening up Server Manager and clicking on Tools and then selecting File Server Resource Manager:

4-servermanager

If we select the File Groups in the left window pane, we can see our newly created file group called “Ransomware files” that contains all of our known ransomware extensions to screen for:

5-filegroup

If we select File Screen Templates in the left window pane, we can see our “RansomwareCheck” template has been created. Right click and select Edit to look at the configurations. We can see that the Ransomeware Files file group is selected:

6-template

 

If we select the Command tab we can see that the script has been created in the C:Scripts directory on the server. This is the script that performs the SMB blocking action and sends the alert email through the email relay server specified in the script parameters:

7-edittemplate

If we selec the file screens section in the left window pane,  we can see that there is an active file screen on our F drive. By default the script will scan for all available volumes besides the C drive and will create a file screen for that volume. This can be manually modified if desired:

8-filescreen

Testing the Script

If we wanted to test this out, we can go to a workstation and browse out to a shared folder on the newly configured file server. We will mimic the extension change that occurs when a file is encrypted by the cryptolocker virus by renaming the extension of a file to “.crypto”. We can see that the change gets denied:

9-Permissions

 

Also our user’s access to their mapped drive on the file server is now denied access:

10-SMB Blocked

An email is then sent to the email address that we configured in the scripts parameters. We get the information on the user that was infected and the server being attacked. We also get the command that can be run to enable access once again for the user:

11-Alert

If we paste in that command into an administrative powershell prompt on the infected file server, that user can now access their shared folders again:

12-unblock

Keeping Updated on Known Ransomware Extensions

You will want to do your due diligence on making sure the extensions being screened are kept up to date, you can easily edit the file group and add in the extensions at any time. Tripwire has been doing an amazing job at producing security awareness posts that include the most recently discovered ransomware flavors and the extensions they use. Check out their most recent post here. This is great way to protect your organizations data by mitigating the damage done during a ransomware attack. Also, it is free which makes it even better.