Crypto Ransomware Prevention – File Server Resource Manager – PowerShell

After spending the last five hours coding like crazy, I’ve got a deployable, reliable, persistent solution. This is one of many Crypto Ransomware prevention strategies. Others include locking down the AppData folder (which could easily break some programs), using AppLocker (Windows Enterprise only), or, as in this case, protecting file shares. The strategy here is the file-share canary.

Most crypto malware, such as CryptoLocker, Locky, CryptoWall, and WannaCrypt, searches for file shares containing common content like .TXT, .DOCX, and .PDF files, and either encrypts the entire file or just the first 64-128 Bytes of it, enough to make it unusable. It also drops a notifier, such as “You’ve_Been_Hacked.TXT”, with links for paying in BitCoin in the hope of getting a decryptor program that might work.

The best resolution to being hit by crypto is a backup restore, but this post is about a preventative measure, aiming to remove the need for that restore. Still create hourly, or at worst daily, backups; don’t rely only on this single script!

We are going to use the Microsoft Windows Server 2012 R2 File Server Resource Manager File Screens method to detect any changes made to certain directories, and upon any change, block that user’s access to all file-shares (SMB) immediately. In reality, it takes about 2-3 seconds to lock the user out of everything. Another common method is to disable the Server service, “LanManServer + NetLogon”, which breaks all shares, a bit too extreme in my opinion.


Below is the code, enjoy, good luck, and hoping it helps you out.

There are two scripts:

  1. Crypto_Malware_Prevention.ps1, which installs File Server Resource Manager, creates the folder, creates the SMB shares (“_Honey” and “zzHoney”, so one sorts first and one sorts last in a directory listing), sets permissions, and configures the File Screens.
  2. Crypto_Malware_Prevention_User_Disable.ps1, which is called as a command/action by FSRM to ban the user upon touching any of the files.

It is up to you to populate the _Honey folder with content; this part is not scripted, so you’ll need to unpack a ZIP full of .DOCX or .PDF files inside.
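If you would rather generate the decoys than unpack a ZIP, the following added example (mine, not part of the original post) seeds the honey folder with plausibly named filler files. Run it after the folder has been created but before the file screen is applied (i.e. before the New-FsrmFileScreen step), because once the screen exists any write to that folder, including your own seeding, fires the notification and blocks the account doing it. The folder path is the post’s $path1; the file stems, extensions and counts are constructed values you can change.

```powershell
# Added example: seed C:\Shares\_Honey with decoy files BEFORE the file screen exists.
# Assumes the honey path from Crypto_Malware_Prevention.ps1; names/counts are constructed.
$HoneyPath  = "C:\Shares\_Honey"
$FileCount  = 40
$Extensions = @(".docx", ".xlsx", ".pdf", ".txt")
# Stems that look like ordinary business documents (constructed, change as you like)
$Stems = @("Invoice", "Budget", "Contract", "Payroll", "Minutes", "Proposal", "Report", "Tax")

if (-not (Test-Path $HoneyPath)) { New-Item -Path $HoneyPath -ItemType Directory | Out-Null }

# Refuse to seed while a file screen already covers the folder; seeding would trigger it
# and block the administrator's own account via C:\CryptoBlockUser.ps1.
if (Get-FsrmFileScreen -Path $HoneyPath -ErrorAction SilentlyContinue) {
    throw "A file screen already exists on $HoneyPath. Seed decoys before creating the screen (or remove it first with Remove-FsrmFileScreen -Path $HoneyPath)."
}

$rand = New-Object System.Random
for ($i = 1; $i -le $FileCount; $i++) {
    $stem = $Stems[$rand.Next($Stems.Count)]
    $ext  = $Extensions[$rand.Next($Extensions.Count)]
    $tag  = (Get-Date).AddDays(-$rand.Next(1, 700)).ToString("yyyy-MM")
    $file = Join-Path $HoneyPath ("{0}_{1}{2}" -f $stem, $tag, $ext)
    if (Test-Path $file) { continue }   # name collision: skip it, the exact count does not matter

    # Filler text only. Ransomware does not parse the document format; it needs a
    # plausible extension and a non-trivial size (a few KB here) to bother encrypting.
    $body = "Lorem ipsum dolor sit amet, consectetur adipiscing elit. " * $rand.Next(100, 400)
    Set-Content -Path $file -Value $body -Encoding ASCII

    # Back-date the timestamps so the folder does not look freshly created
    $stamp = (Get-Date).AddDays(-$rand.Next(30, 900))
    $item = Get-Item $file
    $item.CreationTime  = $stamp
    $item.LastWriteTime = $stamp
}

Write-Host ("Seeded {0} decoy files in {1}" -f (Get-ChildItem $HoneyPath -File).Count, $HoneyPath)
```

The generated .docx/.xlsx/.pdf files are not valid documents, which is fine for this purpose: the screen excludes only *.ini and *.db*, so every seeded file is inside the “Crypto_HoneyPot_Detection” group and any rewrite of it by malware fires the action.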

Crypto_Malware_Prevention.ps1

###################
#Server Settings  
#dankrusework (at) gmail (dot) com
#itimagination.com
###################

#Install File Resource Manager 2012 and 2012 R2
Install-WindowsFeature -Name FS-Resource-Manager -IncludeManagementTools

#Change the interval between how often the action can be taken.
Set-FsrmSetting -EventNotificationLimit 1 -CommandNotificationLimit 1

#Path to Protect.
#Simpler to map two SMB Shares to one folder for management.
$path1 = "C:\Shares\_Honey"
New-Item $path1 -type Directory
New-SMBShare -Name "_Honey" -Path $path1 -FullAccess Everyone
New-SMBShare -Name "zzHoney" -Path $path1 -FullAccess Everyone

#Assign Everyone Full Control NTFS Permissions for the path
CACLS $path1 /E /T /G Everyone:F

########
#Script#
########
#Create the Action Command to be implemented (Block User, Stop Service, etc)
#The script below is the User_Disable script, saved as C:\CryptoBlockUser.ps1 on this server.
$Command = New-FSRMAction Command -Command "%SystemRoot%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -CommandParameters "C:\CryptoBlockUser.ps1" -SecurityLevel LocalSystem -RunLimitInterval 1 -KillTimeOut 1

#Create the Warning Event to record the source
$WarningMessage = "User [Source Io Owner] attempted to modify [Source File Path] to [File Screen Path] on server [Server]. This file is in the [Violated File Group] group, and may possibly indicate a Ransomware infection. Your account has been blocked from accessing the server. After the computer has been cleaned, run the following command `"Get-SmbShare -Special `$false | Unblock-SmbShareAccess -AccountName `"USERNAME`" -force`" to remove their block from all shares on that server."

$Warning = New-FSRMAction Event -EventType Warning -Body $WarningMessage -RunLimitInterval 1

#Create a File Group - desktop.ini and thumbs.db may be created automatically by simply browsing but not editing.
New-FsrmFileGroup -Name "Crypto_HoneyPot_Detection" -IncludePattern @("*.*") -ExcludePattern @("*.ini","*.db*")

#Create a File Screen Template from the file group and the two actions above.
#-Active:$False = passive screening: the write is allowed to happen (so the malware shows its hand), but the Command and Event actions still fire.
New-FsrmFileScreenTemplate "Crypto_Honeypot" -IncludeGroup "Crypto_HoneyPot_Detection" -Active:$False -Notification $Command,$Warning

#Assign the template to the path of the share (again passive, so the canary files themselves are never blocked from being written)
New-FsrmFileScreen -Path $path1 -Template "Crypto_Honeypot" -Active:$false
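Before relying on the canary, it is worth confirming that every piece of the setup script above actually landed. The check below is an added example of mine, not part of the original post: it verifies the FSRM feature, the file group, the template’s Command and Event actions, the file screen on the honey path, both SMB shares, and that the Command action points at a block script that exists on disk. All names and paths are the ones used in the post.

```powershell
# Added example: verify the canary deployment from Crypto_Malware_Prevention.ps1.
# Names and paths are the post's; nothing here changes configuration.
$HoneyPath    = "C:\Shares\_Honey"
$ShareNames   = @("_Honey", "zzHoney")
$GroupName    = "Crypto_HoneyPot_Detection"
$TemplateName = "Crypto_Honeypot"
$BlockScript  = "C:\CryptoBlockUser.ps1"

$results = New-Object System.Collections.Generic.List[object]
function Add-Check([string]$Name, [bool]$Ok, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Name; OK = $Ok; Detail = $Detail })
}

# 1. FSRM role service installed (Install-WindowsFeature FS-Resource-Manager)
$feature = Get-WindowsFeature -Name FS-Resource-Manager
Add-Check "FSRM feature installed" ($feature.Installed) $feature.InstallState

# 2. File group exists with the include/exclude patterns
$group = Get-FsrmFileGroup -Name $GroupName -ErrorAction SilentlyContinue
Add-Check "File group exists" ($null -ne $group) ("Include: {0}; Exclude: {1}" -f ($group.IncludePattern -join ","), ($group.ExcludePattern -join ","))

# 3. Template carries both a Command action and an Event action
$tmpl  = Get-FsrmFileScreenTemplate -Name $TemplateName -ErrorAction SilentlyContinue
$types = @($tmpl.Notification | ForEach-Object { $_.Type })
Add-Check "Template has Command and Event actions" (($types -contains "Command") -and ($types -contains "Event")) ($types -join ",")

# 4. A file screen is applied to the honey path (Active=False is expected: passive screening)
$screen = Get-FsrmFileScreen -Path $HoneyPath -ErrorAction SilentlyContinue
Add-Check "File screen on honey path" ($null -ne $screen) ("Active={0}; Groups={1}" -f $screen.Active, ($screen.IncludeGroup -join ","))

# 5. Both shares exist and point at the same folder
foreach ($s in $ShareNames) {
    $share = Get-SmbShare -Name $s -ErrorAction SilentlyContinue
    Add-Check "Share $s maps to honey path" (($null -ne $share) -and ($share.Path -eq $HoneyPath)) $share.Path
}

# 6. The Command action references the block script, and the script is actually on disk
$cmd = @($tmpl.Notification | Where-Object { $_.Type -eq "Command" })
$refersToScript = ($cmd | ForEach-Object { $_.CommandParameters }) -match [regex]::Escape($BlockScript)
Add-Check "Command action points at block script" ([bool]$refersToScript) ($cmd.CommandParameters -join ";")
Add-Check "Block script present on disk" (Test-Path $BlockScript) $BlockScript

$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.OK }) {
    Write-Warning "One or more checks failed; a touch of the honey folder will not block the user until they pass."
}
```

A failed “Block script present on disk” is the one to watch for: FSRM will happily run the Command action, PowerShell will exit with a file-not-found error, and nothing gets blocked while Event ID 8215 still looks healthy in the log.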

Crypto_Malware_Prevention_User_Disable.ps1

#############################################
#Save this script to C:\CryptoBlockUser.ps1
#dankrusework (at) gmail (dot) com
#itimagination.com
#############################################
#.PS1 Script to ban user running Crypto Malware
#One second delay to give script enough time to grab newest event logs
sleep -Seconds 1

#Looks in the Application event log for the custom warning (Event ID 8215) generated by the file screen, and puts the offender's username into a variable.
$RansomwareEvents = Get-WinEvent -FilterHashtable @{ logName = 'Application'; ID = 8215 } -MaxEvents 1 -Ea 0
#Nothing to act on if the event has not been written yet (otherwise the split below fails and no one gets blocked)
if (-not $RansomwareEvents) { exit }
#The warning body begins "User DOMAIN\name attempted to modify ...", so the second whitespace-separated token is the account
$username = ($RansomwareEvents.message).split()[1]
#Strip the domain prefix, leaving just the account name
$username = $username -replace ".*\\"

#Blocks SMB share access for user
Get-SmbShare -Special $false | Block-SmbShareAccess -AccountName $username -force

Results

Attempting to create any file in either of the shares will result in Event ID 8215, followed by the launch of the User_Disable PowerShell script.

Reversing the Block

Once you have successfully wiped and reloaded the computer, or purged the crypto malware, it’s time to clear the user’s block. Run the following code, replacing the USERNAME entry.

Get-SmbShare -Special $false | Unblock-SmbShareAccess -AccountName "USERNAME" -force


Monitor

FSRM has built-in e-mail functionality, which is a Notification action. I personally choose to use our RMM tool, Kaseya, to simply send our team an alert upon detection of Event ID 8215, something I find more reliable than an externally hosted e-mail server, Office 365. It just takes one password change for the alert not to go through.
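Whatever raises the alert, someone then has to look at what fired and decide who to unblock. The triage script below is an added example of mine, not part of the original post, and it serves both this Monitor section and the Reversing the Block section above: it pulls the FSRM warnings (Event ID 8215, source SRMSVC) from the last few hours, parses the account and file out of the warning text exactly as written in Crypto_Malware_Prevention.ps1, summarises hits per user so a burst (an encryption run) stands out from a one-off click, and finally lists every account that currently holds a Deny entry on the server’s shares. The time window is a constructed default; the regex assumes the post’s warning message and will not match a customised one.

```powershell
# Added example: triage recent canary hits and list currently blocked accounts.
# Assumes the warning text from Crypto_Malware_Prevention.ps1; -Hours is a constructed default.
param([int]$Hours = 24)

# FSRM writes file screen warnings to the Application log as source SRMSVC, Event ID 8215
$filter = @{ LogName = 'Application'; ProviderName = 'SRMSVC'; Id = 8215; StartTime = (Get-Date).AddHours(-$Hours) }
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

$hits = @(foreach ($e in $events) {
    # Warning body starts: "User DOMAIN\name attempted to modify <file> to <screen path> on server <host>. ..."
    if ($e.Message -match '^User (?<acct>\S+) attempted to modify (?<file>.+?) to (?<screen>.+?) on server (?<srv>\S+)\.') {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Account = $Matches.acct
            User    = ($Matches.acct -replace '.*\\')   # same domain-stripping as the block script
            File    = $Matches.file
            Server  = $Matches.srv
        }
    }
})

"=== Canary hits in the last $Hours hour(s): $($hits.Count) ==="
$hits | Sort-Object Time -Descending | Format-Table Time, Account, File -AutoSize

# Per-account summary: many hits within seconds looks like an encryption run,
# a single hit is more likely a user browsing into the wrong folder.
$hits | Group-Object User | ForEach-Object {
    [pscustomobject]@{
        User  = $_.Name
        Hits  = $_.Count
        First = ($_.Group | Measure-Object Time -Minimum).Minimum
        Last  = ($_.Group | Measure-Object Time -Maximum).Maximum
    }
} | Format-Table -AutoSize

# Who is currently blocked: Deny ACEs on non-special shares, grouped by account,
# i.e. the accounts that Unblock-SmbShareAccess would need to be run for.
"=== Accounts currently denied on non-special shares ==="
Get-SmbShare -Special $false |
    Get-SmbShareAccess |
    Where-Object { $_.AccessControlType -eq 'Deny' } |
    Group-Object AccountName |
    ForEach-Object {
        [pscustomobject]@{ Account = $_.Name; Shares = (($_.Group.Name | Sort-Object -Unique) -join ', ') }
    } | Format-Table -AutoSize
```

Run it as `.\Triage-Canary.ps1 -Hours 6` (any file name works) on the file server. A Deny entry that shows up on a share where you never expected the block script to act is a sign that the script ran against an unexpected account, so check the parsed Account column against the Deny list before unblocking anyone.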


Hoping you found this helpful, let me know if you have anything to add, thanks 🙂
