Updated: How to use File Screening to help block CryptoLocker

Updated: How to use File Screening to help block CryptoLocker

The face of malware has changed over recent years and it’s safe to say that it’s become an industry like any other. Your data, and it’s importance to you, has a value and it’s one that people are only to keen to capitalise on. With ransomware such as CryptoLocker and Locky, this is something that’s become all too easy.

In your organisation you’ll have several tools in your arsenal which can be put to good use – mail filtering, gateway AV, web filtering, but one which you really should be making use of is the File Screening feature of your Windows servers. This allows you to build rulesets to report on, or block, files on your server.

Update

If you need a quick way to configure File Server Resource Manager then check out this awesome script I’ve found

Revisions

24th May 2016 – ESET have released a decrypter for TeslaCrypt which may help you out.
8th April 2016 – Updated to include Maktub files.
14th April 2016 – Update for Jigsaw ransomware.

I’m going to look at how to block many of the filetypes associated with CryptoLocker and Locky.

  1. First thing to do is to install the File Server Resource Manager Role on your Windows server, either 2008, 2008 R2, 2012 or 2012 R2. Do this from the Manage > Add Roles and Features menu in Server Manager.
    FSRM Role
  2.  You can now load the File Server Resource Manager from Administrative Tools.
  3.  Right click the File Server Resource Manager top level node on the left hand nav bar and choose Configure Options. This is where you’ll configure your email settings. Enter your email server information and hit the Test button to ensure you get a test email back, then click OK.
    FSRM Email
  4. Right click the File Groups nav node and choose Create File Group. Create a new group called Malware Files and add the files you want to exclude. In this case I’m using the following list which I’ll update as I find new file names. If you don’t want to paste all these in then you can use the handy powershell command at the bottom of this post to create the File Group and then skip this step.
     
  5.  Next up, right click the File Screen Templates node and choose Create File Screen Template. In my example I’ve called it Malware Files. Select the “Malware Files” group from the list of groups shown then click on the email tab. Here you want to enable email alerts – you really want to be told if you have some ransomware on your server – and click OK.
    2016-02-29 16_09_10-192.168.8.13 - Remote Desktop Connection 
    2016-02-29 16_08_42-192.168.8.13 - Remote Desktop Connection 
  6. Now we want to apply our template to our file locations. Right click the File Screens node and choose Create File Screen. Choose the folder to assign the file screening template to and choose the template that you create before. Click Ok.
    2016-02-29 16_19_10-192.168.8.13 - Remote Desktop Connection
  7. If you open a command prompt you can test what will happen. Pop in to your folder and try creating a malicious looking file. You should also receive an email if you’ve enabled email alerts.
    2016-02-29 16_29_51-192.168.8.13 - Remote Desktop Connection

Powershell

To help with adding the file names that need to be blocked, you can use this powershell command. Just paste it in to the powershell prompt on the server and the File Screen Group will be created for you. You will then just need to create a template and assign it to a folder.

Windows 2012

Windows 2008/R2

Author

Oliver Marshall
Oliver works as a Director at Oakson who provide absolutely awesome IT support in Brighton, UK. Out of hours he's a runner with a limp, has a board game addiction and a owns a dog that looks like a badger.
  • GB

    The PowerShell command only works on Windows 2012, not 2008 or 2008 R2. Here is how to perform this in 2008 version:

    filescrn Filegroup Add /Filegroup:”Ransomware Files” /Members:”_Locky_recover_instructions.txt|DECRYPT_INSTRUCTIONS.TXT|DECRYPT_INSTRUCTIONS.HTML|DECRYPT_INSTRUCTION.TXT|DECRYPT_INSTRUCTION.HTML|HELP_DECRYPT.TXT|HELP_DECRYPT.HTML|DecryptAllFiles.txt|enc_files.txt|HowDecrypt.txt|How_Decrypt.txt|How_Decrypt.html|HELP_TO_DECRYPT_YOUR_FILES.txt|HELP_RESTORE_FILES.txt|HELP_TO_SAVE_FILES.txt|restore_files*.txt|restore_files.txt|RECOVERY_KEY.TXT|how to decrypt aes files.lnk|HELP_DECRYPT.PNG|HELP_DECRYPT.lnk|DecryptAllFiles*.txt|Decrypt.exe|ATTENTION!!!.txt|AllFilesAreLocked*.bmp|MESSAGE.txt|*.locky|*.ezz|*.ecc|*.exx|*.7z.encrypted|*.ctbl|*.encrypted|*.aaa|*.xtbl|*.abc|*.JUST|*.EnCiPhErEd|*.cryptolocker|*.micro”

  • Thimo

    Hey Oliver,
    thanks for that! Do you give any message, when you update the list?
    Best regards
    Thimo

    • Hi Thimo

      If you sign up for my weekly or daily newsletter, in the top right of the page, then you should get an email when the page is updated.

      Olly

Show Buttons
Hide Buttons

Stay in touch

or
Subscribe to my weekly newsletter

If you are enjoying this article then why not like my page.

Stay in touch

or
Subscribe to my weekly newsletter

If you are enjoying this article then why not like my page.