Rise of Cyber attacks for the year 2016 it has create the need for better security in all environments. IT Pro comes to redesign infrastructure for better security or enhance the security everywhere for 2017.
Ransomware keep the first position of the most dangerous and catastrophic malware until now. To be honest i don't have seen anything like Ransomware and every day i try to keep my environment more secure with new solutions in every aspect of my LAN.
In the past i wrote article related to Ransomware Protect File Servers from Ransomware to describe how can use FSRM Role with a Template from Tim Buntrock which can download from https://gallery.technet.microsoft.com/scriptcenter/Protect-your-File-Server-f3722fce
It's a good solution but after months i see that new Ransomware Types created.
So how can update the File Group you have create in FSRM with the new Ransomware Types ?
With his question i start a research and i found a new way to you can keep up to date with new Ransomware Types.
Let's start !!
Before continue with this article you must Read the Section Install File Server Resource Manager from the Article Protect File Servers from Ransomware .
It's a good point to start but i will repeat the process from the beginning for the users that first time read this article.
After finish with the installation of FSRM Role follow the steps to create the Templates and keep it up to date
Create the new File Group
Now it's time to create the new File Group that will use it for the Ransomware File Types.
- The website https://fsrm.experiant.ca/ which create by Bleeping Computers keep an updated List of Ransomware File Types .
- Open Powershell and type the following that you can find it also in https://fsrm.experiant.ca/
new-FsrmFileGroup -name "Anti-Ransomware File Groups" -IncludePattern @((Invoke-WebRequest -Uri "https://fsrm.experiant.ca/api/v1/combined" -UseBasicParsing).content | convertfrom-json | % {$_.filters})
For users that already have install FSRM Role and use File Screens to protect from Ransomware
- Now open the File Server Resource Manager Console.
- Click in File Group and find the Anti-Ransomware File Groups.
- Now click in File Screens.
- Find the File Screen that you have create and double click.
- In the Tab Settings go in File Groups and Select the Anti-Ransomware File Groups.
That's it .
For users that not use FSRM Role
If you don't have use before FSRM Role then follow the steps.
Install File Server Resource Manager
- Open Server Manager
- Click Add Roles and Features.
- Click Next in Welcome Screen.
- Select Role-based or feature based installation.Click Next.
- Use the default options and click Next.
- Expand File and Storage Services - - > File and iSCSI Services.
- Select File Server Resource Manager.Click Add Features and Click Next.
- Don't change anything and click Next.
- Click Install to start the Installation and Wait to Finish.
Create New FileScreen
- First of all must configure FSRM to send email notifications so open File Server Resource Manager.
- Right click in File Server Resource Manager and select Configure Options.
- Fill the SMTP Server and Default Administrator Recipients. Click the Button Send Test Email to verify that receive emails from FSRM.
- Click in Tab Notification Limits and change Event Log Notifications (minutes) and Command Notifications(minutes) to 0. Click OK
- Right Click in File Screens and Select Create File Screen.
- Select the File Screen Path which is the Folder or Drive to monitoring for any incident base on the Ransomware_Extensions Group that create in previous Steps.
- Select Define Custom file screen Properties and click in Button Custom Properties
- In Screening Type select Active Screening: ..............
- In File Groups select Anti-Ransomware File Groups. This is the File Group that created with the Powershell in the Section Create the new File Group
- Go in Tab Email Notifications and check Send e-mail to the following Administrators and Send e-mail to the user that attempted to save and unauthorized file.
- Click OK to create the File Screen.
That's it. You have finish. Very simple and the most important is in the next Section.
Verify that the File Screen works
Now we have complete the configuration and suppose that when someone infected with Ransomware and start to encrypt files will be deny to change or create any file with extensions that use Ransomware until today. But it's better to do a test to check if working.
- Open the folder that you have enable the file screen and create a Word Document. Change the extension of .docx to .locky or any other extension which included in Template and check the results.
- If the configuration is correct you will not allow to change the file with a prompt window
- and you will receive an email notification like.
<<User ktzouvaras attempted to save E:\Users\Tzouvaras\Public\Test.locky to E:\ on the FS1 server. This file is in the "Ransomware_Extensions" file group, which is not permitted on the server.>>
Update File Group
No it's time to answer the question that i had ask in the article Protect File Servers from Ransomware
<<Some of you maybe ask and what about new types and extensions of Ransomware. How can protect? This is he disadvantage but at least you are protected from all the Ransomware attacks that already exists. It's very important and you will prevent the damage from lot of attacks if will happen.>>
After month or when you inform that new Ransomware file type created you can follow the steps to update the exisitng File Group in FSRM
- Open Powershell and type following command that you can find it also in https://fsrm.experiant.ca/
set-FsrmFileGroup -name "Anti-Ransomware File Groups" -IncludePattern @((Invoke-WebRequest -Uri "https://fsrm.experiant.ca/api/v1/combined" -UseBasicParsing).content | convertfrom-json | % {$_.filters})
- After the command complete File Group will be updated with the latest file types of the if List in https://fsrm.experiant.ca/
The solution it is a second Layer of Protection and not a Complete Solution for a Company in case which Ransomware pass in internal network and start the infection.
Do you have another solution for the Servers which related with Ransomeware? Share it in our Commented System and discuss it with other IT Pro.