Using File Server Resource Manager to Screen for Ransomware

Table of contents

The File Server Resource Manager role provides many features. File screening, in particular, can be used to help mitigate damage from a ransomware attack. With file screening, file servers can be configured to perform real time auditing on all shares for any files that become modified to any known ransomware extensions. In the event of a user getting infected with ransomware, the file screen will detect the modification of the files and deny that user access to the file shares, preventing them from damaging any other files. This can save hours of downtime and clean up.

I have created a script that will set up and configure all of this within minutes. The script performs the following actions:

  • Installs the file server resource manager role if it is not installed.
  • Configures file server resource manager to screen for known ransomware file extensions.
  • Configures the file screen to execute a script whenever a file is modified to a known ransomware extension. The script then blocks SMB share access to all shared files on the file server and sends an email message to whatever email specified.

The script requires the following prerequisites:

  • Windows Server 2012 – in order to use the cmdlet that blocks SMB share access.
  • Mail Relay Server – Used to configure email alert.

To create the powershell script, copy the code below into a notepad and save it as a .ps1 (for example, Install-FSRMRansomeware.ps1):

Update- Edited script to restart FSRM service after blocking SMB permissions. Ran into issue where the task was only triggering once.
function Install-FSRMRansomware {
<#
.SYNOPSIS
Installs the File Server Resource Manager role if not installed and then configured a file screen on all drives other than C. 
The file screen screens for possible ransomware infections and then deny's SMB access to the user who trigged the screen.
.PARAMETER SMTPServer
Specify the address of an email relay server. This is used to send the alert emails that generate when the file screen is triggered.
.PARAMETER EmailTO
Specify the email address to send the alerts to.
.PARAMETER EmailFrom
Specify the email address that the email alerts are sent from. 
#>
    [CmdletBinding()]
    param(
         [Parameter(Mandatory=$True,
                    HelpMessage="Please input the address for an accessible email relay server.")]
        [String]$SMTPServer,
        [Parameter(Mandatory=$True,
                   HelpMessage="Please input a valid Email address to send the email alerts to.")]
        [String]$EmailTo,
        [Parameter(Mandatory=$True,
                   HelpMessage="Please specify an email address to recieve alerts from.")]
        [String]$EmailFrom


    )
    
    Process{

            #add the FSRM role if it doesnt exist
            If ((Get-WindowsFeature fs-resource-manager).installed -like "False"){
                Write-Verbose "Installing File Server Resource Manage Role"
                Install-WindowsFeature fs-resource-manager
            }
            If ((Get-WindowsFeature RSAT-FSRM-Mgmt).installed -like "False"){
                Write-Verbose "Installed FSRM RSAT Tools"
                install-windowsfeature RSAT-FSRM-Mgmt
            }

            #Set notifications limit to 0
            Set-FsrmSetting -EmailNotificationLimit 0 -EventNotificationLimit 0 -CommandNotificationLimit 0 -ReportNotificationLimit 0

            #Create File Group for FSRM
            New-FsrmFileGroup -name "Ransomware Files" -IncludePattern @( "*DECRYPT_INSTRUCTION.HTML*",
                              "*HELP_DECRYPT.HTML*", 
                              "*decrypt all files*.bmp*", 
                              "*.ecc",
                              "*.ezz", 
                              "*.exx", 
                              "*.zzz", 
                              "*.xyz", 
                              "*.aaa",
                              "*.abc",
                              "*.ccc", 
                              "*.vvv",
                              "*.xxx", 
                              "*.ttt",
                              "*.micro",
                              "*.encrypted",
                              "*.locked",
                              "*.crypto"
                              "*_crypt",
                              "*.crinf", 
                              "*.r5a", 
                              "*.XRNT", 
                              "*.XTBL", 
                              "*.crypt", 
                              "*.R16M01D05", 
                              "*.pzdc", 
                              "*.good", 
                              "*.LOL!", 
                              "*.OMG*", 
                              "*.RDM", 
                              "*.RRK", 
                              "*.encryptedRSA", 
                              "*.crjoker", 
                              "*.EnCiPhErEd", 
                              "*.LeChiffre", 
                              "*.keybtc@inbox_com", 
                              "*.0x0", 
                              "*.bleep", 
                              "*.1999", 
                              "*.vault", 
                              "*.HA3", 
                              "*.toxcrypt", 
                              "*.magic", 
                              "*.SUPERCRYPT", 
                              "*.CTBL", 
                              "*.CTB2", 
                              "*.locky" )




            #Create FSRM Template xml file and import template then remove xml file
            $FSRMTemplate = @"
<?xml version="1.0" ?><Root ><Header DatabaseVersion = '2.0' ></Header><QuotaTemplates ></QuotaTemplates><DatascreenTemplates ><DatascreenTemplate Name = 'RansomwareCheck' Id = '{122F5AB4-9DF0-4F09-B89E-0F7BDC9D46CC}' Flags = '1' Description = '' ><BlockedGroups ><FileGroup FileGroupId = '{82D08F60-7319-4BE2-8621-066DB91A958E}' Name = 'Ransomware%sFiles' ></FileGroup></BlockedGroups><FileGroupActions ><Action Type="1" Id="{73AFB339-FF17-42DC-B9B9-E7C9A8E7C9A9}" EventType="2" MessageText="User%s[Source%sIo%sOwner]%sattempted%sto%ssave%s[Source%sFile%sPath]%sto%s[File%sScreen%sPath]%son%sthe%s[Server]%sserver.%sThis%sfile%sis%sin%sthe%s[Violated%sFile%sGroup]%sfile%sgroup,%swhich%sis%snot%spermitted%son%sthe%sserver." /><Action Type="3" Id="{D0B80CC5-E6DD-481C-9534-19944A851A72}" ExecutablePath="C:WindowsSystem32WindowsPowerShellv1.0powershell.exe" Arguments="&quot;C:ScriptsScriptToDenyPermissions.PS1&quot;" WorkingDirectory="C:WindowsSystem32WindowsPowerShellv1.0" Account="3" MonitorCommand="0" KillTimeOut="0" LogResult="1" CurrentSid="S-1-5-21-3468280891-3112941812-1175424509-500" /></FileGroupActions></DatascreenTemplate></DatascreenTemplates><FileGroups ></FileGroups></Root>
"@
            $FSRMTemplate | Out-File -FilePath C:userspublicFSRMTemplate.xml 

            Filescrn template import /file:C:userspublicFSRMTemplate.xml 

            Remove-Item -path C:UsersPublicFSRMTemplate.xml 


            #Creates Script Block to perform email message and block SMB Permissions. Exports script block to a PS1 for the File Screen Template.
            $DenyPermissionsScript = @"
                                        
                                        #One second delay to give script enough time to grab newest event logs
                                        sleep -Seconds 1

                                        #Looks in event log for the custom event message generated by the file screen audit. Input's username of the offender into a variable.
                                        `$RansomwareEvents = get-eventlog -logname Application -message "*ransomware*" -newest 50 | where {`$_.eventid -eq 8215}
                                        `$username = (`$RansomwareEvents.message).split()[1]
                                        `$username = `$username -replace ".*\"

                                        #Blocks SMB share access for user
                                        Get-SmbShare | Where-Object currentusers -gt 0 | Block-SmbShareAccess -AccountName `$username -force

                                        #get name of computer and domain name for email message
                                        `$computername = Hostname
                                        `$domain = (Get-WmiObject win32_computersystem).domain

                                        #Send Email Report to servicedesk with information
                                       
                                        `$client = hostname
                                        `$messageSubject = "Server `$computername on the domain `$domain is Infected being attacked by Ransomware"
                                        `$messagebody= "The User `$username has infected the server. They have been denied access to all file shares. Please open a ticket to disinfect their machine. Once they have been disinfected, run the following powershell command on the server `$computername to unblock the user from file shares: get-smbshare | unblock-smbshareaccess -accountname `$username -force "
                                        `$message = New-Object System.Net.Mail.MailMessage "$EmailFrom", "$EmailTo"
                                        `$message.Subject = `$messageSubject
                                        `$message.IsBodyHTML = `$true
                                        `$message.Body =  `$messagebody
                                        `$smtp = New-Object Net.Mail.SmtpClient("$smtpserver")
                                        `$smtp.Send(`$message)

                                        
                                     
"@
     

            #Creates file path to store block smb script that is called by the FSRM template
            New-Item -Path "C:scripts" -Force -Type directory
            $DenyPermissionsScript | Out-File -FilePath "C:scriptsScriptToDenyPermissions.PS1"

            #unblocks the script to allow for execution 
            Unblock-file "C:scriptsScriptToDenyPermissions.PS1"

            #find all drives that are not the C drive and create file screen for those drives. Essentially all drives except the C drive will be monitored for crypto locker files.
            $disks = GET-WMIOBJECT win32_logicaldisk -filter "DriveType='3'" | Where {$_.deviceid -ne "C:"}
            ForEach($disk in $disks) {
                                        $DRIVE = $DISK.DeviceID

                                        New-FSRMFILEScreen -path "$DRIVE" -template "RansomwareCheck"

                                     }

            restart-service "File Server Resource Manager" -force
  
        }
   
}
Install-FSRMRansomware -SMTPServer InsertValidMailRelayServer -EmailTo InsertEmailToSendAlertsTo -EmailFrom InsertEmailToSendEmailFrom

How to Run the Script

Running the script is really simple. I’ve created an advanced function that includes all the parameters necessary to set up the email alerts. All we need to do is edit the parameters for the function being called at the end of the script:

1-Editing Script

 

Once you have inserted your own parameters, save the script. To execute the script, hold down SHIFT and RIGHT CLICK on the .ps1 file. Select COPY AS PATH:

2-Cpypath

Open up an administrative powershell prompt, type in “powershell” and paste in the path we copied, press ENTER to run the script:

PSRun

The script will start to run, if the File Server Resource Manager role is not installed it will begin installing.Once the script finishes, we can look at what was done by opening up Server Manager and clicking on Tools and then selecting File Server Resource Manager:

4-servermanager

If we select the File Groups in the left window pane, we can see our newly created file group called “Ransomware files” that contains all of our known ransomware extensions to screen for:

5-filegroup

If we select File Screen Templates in the left window pane, we can see our “RansomwareCheck” template has been created. Right click and select Edit to look at the configurations. We can see that the Ransomeware Files file group is selected:

6-template

 

If we select the Command tab we can see that the script has been created in the C:Scripts directory on the server. This is the script that performs the SMB blocking action and sends the alert email through the email relay server specified in the script parameters:

7-edittemplate

If we selec the file screens section in the left window pane,  we can see that there is an active file screen on our F drive. By default the script will scan for all available volumes besides the C drive and will create a file screen for that volume. This can be manually modified if desired:

8-filescreen

Testing the Script

If we wanted to test this out, we can go to a workstation and browse out to a shared folder on the newly configured file server. We will mimic the extension change that occurs when a file is encrypted by the cryptolocker virus by renaming the extension of a file to “.crypto”. We can see that the change gets denied:

9-Permissions

 

Also our user’s access to their mapped drive on the file server is now denied access:

10-SMB Blocked

An email is then sent to the email address that we configured in the scripts parameters. We get the information on the user that was infected and the server being attacked. We also get the command that can be run to enable access once again for the user:

11-Alert

If we paste in that command into an administrative powershell prompt on the infected file server, that user can now access their shared folders again:

12-unblock

Keeping Updated on Known Ransomware Extensions

You will want to do your due diligence on making sure the extensions being screened are kept up to date, you can easily edit the file group and add in the extensions at any time. Tripwire has been doing an amazing job at producing security awareness posts that include the most recently discovered ransomware flavors and the extensions they use. Check out their most recent post here. This is great way to protect your organizations data by mitigating the damage done during a ransomware attack. Also, it is free which makes it even better.

Altaro Hyper-V Backup
Share this post

Not a DOJO Member yet?

Join thousands of other IT pros and receive a weekly roundup email with the latest content & updates!

110 thoughts on "Using File Server Resource Manager to Screen for Ransomware"

  • Paul Passingham says:

    Hi Luke,
    Great Article, Will be implementing this across all our our 2012 servers. As our relay server listens on a non standad port and requires authentication would you be able to modify the script to accomodate this.

    Many thanks

    Paul

    • Thanks! I will modify the script to include parameters for those requirements. In the meantime, you can modify the ScriptToDenyPermissions.PS1 file that gets created. Paste the following over the “#send email report” section around line 17 and edit the values to include your own requirements:

      #Send Email Report to servicedesk with information

      $SMTPPort= “587”
      $SMTPUsername = “username”
      $SMTPPassword= “password”
      $SMTPServer= “smtp.myrelay.com”
      $SMTPFrom = “[email protected]
      $SMTPto = “[email protected]

      $client = hostname
      $messageSubject = “Server $computername on the domain $domain is Infected being attacked by Ransomware”
      $messagebody= “The User $username has infected the server. They have been denied access to all file shares. Please open a ticket to disinfect their machine. Once they have been disinfected, run the following powershell command on the server $computername to unblock the user from file shares: get-smbshare | unblock-smbshareaccess -accountname $username -force ”
      $message = New-Object System.Net.Mail.MailMessage $smtpfrom, $smtpto
      $message.Subject = $messageSubject
      $message.IsBodyHTML = $true
      $message.Body = $messagebody
      $smtp = New-Object Net.Mail.SmtpClient($SMTPServer, $SMTPPort)
      $SMTP.EnableSsl= $true
      $smtpCreds = New-Object System.Net.NetworkCredential($SMTPUsername, $SMTPPassword)
      $smtp.Send($message)

  • John Albrektson says:

    What a great resource! I just finished setting it up and am delighted with the result. I removed the line that blocked shared access–that may be too draconian for our needs. I love the notifications! Way to really help the community.

  • Wouter Kokshoorn says:

    First I want to thank you for this information. It will help us creating a better security against Ransomware.

    I configured this solution for several of our customers. The only thing that would be nice is adding functionality to auto update the patterns, or import them from a list. For example you place a txt file on the server and a scheduled task imports de data automatically.

  • Bill says:

    Can this be made to run on Windows 2008R2 servers – we don’t have any 2012’s as yet but could use this extra protection on the 2008s. Thanks!

  • Myke says:

    Error for me!!! Help!! Sorry i don’t speak english, I from Brazil!!

    Windows Server 2012

    Filescrn : The term ‘Filescrn’ is not recognized as the name of a cmdlet, function, script file, or operable program.
    Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
    At C:ScriptsInstall-FSRMRansomeware.ps1:53 char:13
    Filescrn template import /file:C:userspublicFSRMTemplate.xml
    ~~~~~~~~
    CategoryInfo : ObjectNotFound: (Filescrn:String) [], CommandNotFoundException
    FullyQualifiedErrorId : CommandNotFoundException

    • Make sure the File Server Resource Manager role is installed on your file server. The script does the work of installing it, but it’s possible that portion was not successful.

      Try running the following command in an administrative powershell console and then re-run the script:
      Install-WindowsFeature fs-resource-manager

  • Myke says:

    Error for me!!! Help!! Sorry i don’t speak english, I from Brazil!!

    Windows Server 2012

    Filescrn : The term ‘Filescrn’ is not recognized as the name of a cmdlet, function, script file, or operable program.
    Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
    At C:ScriptsInstall-FSRMRansomeware.ps1:53 char:13
    Filescrn template import /file:C:userspublicFSRMTemplate.xml
    ~~~~~~~~
    CategoryInfo : ObjectNotFound: (Filescrn:String) [], CommandNotFoundException
    FullyQualifiedErrorId : CommandNotFoundException

  • Aaron says:

    Legend! Thanks mate. Best solution I have found so far. I did get this error after it completed the screen for the last drive but hasn’t prevented it from working. I already had the email details set in FSRM though.

    New-FSRMFILEScreen : 0x80045306, The specified path is invalid.
    At C:Install-FSRMRansomeware.ps1:149 char:41
    New-FSRMFILEScreen -path “$DRIVE” -temp …
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    CategoryInfo : NotSpecified: (MSFT_FSRMFileScreen:Root/Microsoft/…_FSRMFileScreen) [New-FsrmFileScree
    n], CimException
    FullyQualifiedErrorId : HRESULT 0x80045306,New-FsrmFileScreen

  • Aaron says:

    Legend! Thanks mate. Best solution I have found so far. I did get this error after it completed the screen for the last drive but hasn’t prevented it from working. I already had the email details set in FSRM though.

    New-FSRMFILEScreen : 0x80045306, The specified path is invalid.
    At C:Install-FSRMRansomeware.ps1:149 char:41
    New-FSRMFILEScreen -path “$DRIVE” -temp …
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    CategoryInfo : NotSpecified: (MSFT_FSRMFileScreen:Root/Microsoft/…_FSRMFileScreen) [New-FsrmFileScree
    n], CimException
    FullyQualifiedErrorId : HRESULT 0x80045306,New-FsrmFileScreen

  • Dariusz says:

    Hi

    This is a great script and works almost perfect! I’m saying almost because I have found one problem. When I unblock user’s access to SMB and logon to the workstation and change extension of the file again, it will block the file extension change but will not block access to the share! Have anyone tested it that way and what results did you get?

  • Dariusz says:

    Hi

    This is a great script and works almost perfect! I’m saying almost because I have found one problem. When I unblock user’s access to SMB and logon to the workstation and change extension of the file again, it will block the file extension change but will not block access to the share! Have anyone tested it that way and what results did you get?

  • Jim says:

    There’s a well-maintained list of extensions and files used by many cryptolocker variants here (https://fsrm.experiant.ca/api/v1/get) in json format. There’s also a similar (but not as elegant on Windows 2012) project here (https://github.com/m-dwyer/CryptoBlocker) that contains powershell to acquire the json and split it into 4kb chunks for FSRM.
    I’m going to look at combining the 2, so using your script above but downloading the file list from experiant so that I can schedule it to stay up-to-date with new variants, just thought I@d mention it in case you want to incorporate this yourself. The last infection I dealt with would have been caught by the experiant list but not this one.

    • Ryan says:

      Hi Jim,
      I am looking at exactly the same thing. This script is certainly more elegant – but the extension list is minimal. A constantly updating script sourcing the extension repository is all it needs to really make this work well. I realise I am a bit late to the party on this one – did you manage to achive this aim at all, and if so would you be willing to share your findings?

      Thanks to Luke for the work done on this.

  • Sparky Henderson says:

    I know this thread is three years stale but I found a slight bug and I think others might benefit from the fix. This has to do with creating the $DenyPermissionsScript variable that gets written to a file. The very last line is
    `restart-service “File Server Resource Manager” -force

    See that backtick at the beginning of the line? What actually gets written to the file is “estart-service”. That’s the bug. Get rid of the tick and “restart-service” is correctly rendered.

    Finally a huge Thank You to Luke O for writing this article and give me a jumping off point.

    • Jason Kreisler says:

      I was so inspired by Luke’s original script that I wrote a brand new script that achieves the same goals but uses Windows 2012 PowerShell cmdlets and works with Experiant’s well maintained list of ransomware filespecs. The script also implements honey traps to try and catch zero-day ransomware behavior. I also have a few Python scripts that will help scan your existing systems for any sign of ransomware. Without exageration, it will scan a system with 2.5 million files in about 2 minutes and 10 seconds using VoidTools Everything Search. I hope you’ll take a look and contribute at:
      https://github.com/SparkyzCodez/FSRM-Anti-ransomware

  • Eric Morrison says:

    I have a 2016 general file server cluster and a 2016 SOFS cluster. Is your script supported to run on those systems? Would I copy the script to the same location on both nodes so that whichever one is active, FSRM will be able to find the script to send alerts?

  • David says:

    Hi Luke,

    The command is still not triggering as what Dariusz has mentioned above, even after you have added the workaround.

    Which means SMB access is still not blocked.
    Deny rename is working though.

    Any idea with regards to this?

  • jimmy says:

    hi; good job and man thanks

    can i apply active screen on C: Or C:windows ??

    windows 20008R2

    • You could modify line 149 to include C: by removing | Where {$_.deviceid -ne “C:”} from that line. However, this script will only work on Server 2012 and higher since it requires PowerShell cmdlets that are native to that OS.

  • Frank says:

    Hi! I see you tried to fix the issue with blocking smbshare only happening once by adding a restart of the service which WORKS but… your script leaves out the letter ‘r’ in the word ‘restart’. Add that and it’s good to go!

    • File or application whitelisting is starting to become a more common approach. It is much more secure but the trade off is accessibility and maintenance on the list of approved extension types.

  • Albert Yang says:

    anyone else has an issue as for the script needs to runs twice for it to work?
    if i delete the logs from windows and test it changing the extension it does not block the user and when it email it says User was infected but if again i change the extension it works, whats worst is that if another user on another computer changes the extension it blocks and email alert saying it was the previous one rather then the one that got infected. Anyone else has had this issue?

  • Heath says:

    Hi Luke,

    Very nice script, thanks a stack it works a treat on Server 2012 R2 but I’m having problems with the ‘ScriptToDenyPermissions” in Server 2016?

    Essentially the’ScriptToDenyPermissions’ is not correctly identifying the $username variable so this variable is not being fed into any actions that require the $username variable.

    Have you by any chance tested this on Server 2016 yet?

    • I did confirm that this script works with Server 2016. There may be a formatting issue with the username. Try running this snippet on the server and see what $username is set to:

      $RansomwareEvents = get-eventlog -logname Application -message “*ransomware*” -newest 50 | where {`$_.eventid -eq 8215}
      $username = (`$RansomwareEvents.message).split()[1]
      $username = `$username -replace “.*\”
      $username

  • Cyndi Sayce says:

    I think using “crypto canary” is more efficient especially because you are not having to update the file extensions frequently. I’ve also had some concerns about the read write lag of the file server having to check the file extensions against the list every time a file is saved or modified. In our environment, that has not worked well.

  • Wouter Kokshoorn says:

    First I want to thank you for this information. It will help us creating a better security against Ransomware.

    I configured this solution for several of our customers. The only thing that would be nice is adding functionality to auto update the patterns, or import them from a list. For example you place a txt file on the server and a scheduled task imports de data automatically.

  • albert says:

    Really awesome script, just have one tiny problem for the smb block i have been trying to test it out and no luck, I would get error on line 7 character 41 and on line 11 character 124 which one says cannot call upon expression with value NULL and the other error says cannot validate argument “account name”

    Thank you

  • albert says:

    Just wanted to be more specific on the error

    these are the lines that are giving the issue the rest is fine

    PS C:UsersAdministrator> $username = ($RansomwareEvents.message).split()[1]
    You cannot call a method on a null-valued expression.
    At line:1 char:1
    $username = ($RansomwareEvents.message).split()[1]
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    CategoryInfo : InvalidOperation: (:) [], RuntimeException
    FullyQualifiedErrorId : InvokeMethodOnNull

    PS C:UsersAdministrator> Get-SmbShare | Where-Object currentusers -gt 0 | Block-SmbShareAccess -AccountName $username -force
    Block-SmbShareAccess : Cannot validate argument on parameter ‘AccountName’. The argument is null or empty. Provide an argument that is not null or empty, and
    then try the command again.
    At line:1 char:84
    … s -AccountName $username -force
    ~~~~~~~~~
    CategoryInfo : InvalidData: (:) [Block-SmbShareAccess], ParameterBindingValidationException
    FullyQualifiedErrorId : ParameterArgumentValidationError,Block-SmbShareAccess

  • Hi Luke,

    Thanks for the info when I try to run the script nothing happens powershell just drops back to the prompt, don’t get an error, I am sure it is something I am doing wrong, I copied everything in the script above until notepad.

    Thanks,
    Craig

  • Sorry have installed the script now and done a test which worked, but 2nd time I tested it although I couldn’t rename the file it didn’t block me or send the email ?

    • Try running this to set the notification levels to 0 per Doug Glasgow’s findings it should allow for multiple triggers: Set-FsrmSetting -EmailNotificationLimit 0 -EventNotificationLimit 0 -CommandNotificationLimit 0 -ReportNotificationLimit 0

      I’ll try to get this added to the script. Thanks!

  • Patrick says:

    The ressource manager is a bit slow isn’t it?

    user 1 is changing a file extension to a cryptolocker extension. -> getting an email, log entry, can not change the filename and the user is getting blocked.

    about 1 minute later user 2 is changing a file extension to a cryptolocker extension. -> getting no email, no log entry, is not getting blocked, but he can not change the filename.

    • The solution is definitely at the mercy of the limitations of resource manager. However, this works as a great free “safety net” that people can use to protect themselves from potential havoc on their environment. In the case were multiple users receive the same email and click on the attachment, the notification email would hopefully provide awareness where IT operations can catch it before it encrypts too many files.

  • Patrick says:

    i was playing around a little bit and found out, that if the ressource manager blocks a user from changing a file, i have to reset the “start task as” to “system” in the comand tab. Then it works a second time.

    • Try running this to set the notification levels to 0 per Doug Glasgow’s findings it should allow for multiple triggers: Set-FsrmSetting -EmailNotificationLimit 0 -EventNotificationLimit 0 -CommandNotificationLimit 0 -ReportNotificationLimit 0

  • John says:

    Hi there,

    Where can I get an update list of ransomware extensions?

    Thanks!

  • Dan says:

    Here is a site that updates the extensions also https://fsrm.experiant.ca/

    On Github they have a script https://github.com/m-dwyer/CryptoBlocker
    that does pull from the site but you need to modify the script so it breaks the File Group length into multiple groups. Also if you rerun the script it will remove existing exclusions and any custom email message. Maybe you can modify your script with this to get the perfect script. Only downside is that if that person whom owns frsm.experiant.ca adds good extensions like *.doc that will cause a lot of pain. Wondering if there is a way to have the script update from a text file that you can keep updating your self.

    • That is a great point, the experian API could potentially break an environment. You could edit line 42 and put in something like this to collect the extensions from a text file: New-FsrmFileGroup -name “Ransomware Files” -IncludePattern (get-content c:cryptoexts.txt)

  • Varma says:

    Luke,

    Thanks for the script.

    I executed the same script on my environment but the file server resource manger is not installating automatically from script.

    Regards,
    Varma.

  • Jim says:

    There’s a well-maintained list of extensions and files used by many cryptolocker variants here (https://fsrm.experiant.ca/api/v1/get) in json format. There’s also a similar (but not as elegant on Windows 2012) project here (https://github.com/m-dwyer/CryptoBlocker) that contains powershell to acquire the json and split it into 4kb chunks for FSRM.
    I’m going to look at combining the 2, so using your script above but downloading the file list from experiant so that I can schedule it to stay up-to-date with new variants, just thought I@d mention it in case you want to incorporate this yourself. The last infection I dealt with would have been caught by the experiant list but not this one.

    • Thanks for the share! I’m glad to hear people are using this as a base to make their own. I really like the experiant API and think it make’s perfect sense to integrate it into this script.

  • Tom says:

    First of all thanks for the work on this. I have been trying to set this up using different scripts and found yours today after the most I could get was an alert and not locking the user out.

    The ScriptToDenyPermissions works, but only if I run it after trying to save a test file. What do I need to do to have it alert and lock the share for the user when they attempt to save a “bad” file to the share?

  • Renier says:

    Hi Luke,

    Thanks a lot for the script 🙂 I’m going to give it a bash. Are you aware of an updated ransomware file extension list or point me in the right direction?

    Kind Regards

Leave a comment or ask a question

Your email address will not be published. Required fields are marked *

Your email address will not be published. Required fields are marked *

Notify me of follow-up replies via email

Yes, I would like to receive new blog posts by email

What is the color of grass?

Please note: If you’re not already a member on the Dojo Forums you will create a new account and receive an activation email.