Mar 30

File Screens Defeat Ransomware – Part 3

File screens have successfully stopped Locky.


I ran a curious file today that gave me the picture above…but my file server is just fine.

For a test, I created multiple file shares.

One share did not have a screen enabled.

The other share had the screen configured as detailed in my previous two posts.

Use File Screen to Stop Ransomware – Part 1

File Screens Don’t Stop Ransomware – Part 2

After running the email attachment, I observed this netstat and task information.

Locky_ActiveAttack

Here is what is left of the share without the screen.

Locky_EncryptedShare2

This is the share that had the screen enabled.  I like this one better!

Locky_NotEncrypted

 

At 2:18, an event was logged in response to the .locky files. The path in this event is the path shown in the picture above. That listing is sorted by modified date to show that not even a single file was changed.

Locky_EventLog

Here is the firewall creation event.  This rule was created 37 seconds after the alert was triggered.

Locky_FirewallRuleCreation

Locky_Stop
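
A screen with the behaviour shown above (an event on .locky files, then a firewall rule) can be built with the FSRM PowerShell cmdlets. This is an added example, not the configuration from the earlier posts: the share path, group name, rule name and the choice to block inbound SMB (TCP 445) are assumptions.

```powershell
# Added example. All names and paths below are hypothetical placeholders,
# and blocking inbound SMB is an assumed response, not the author's exact rule.
$sharePath = 'D:\Shares\Screened'       # hypothetical screened share
$groupName = 'Ransomware Extensions'    # hypothetical file group name
$ruleName  = 'FSRM-Block-SMB-In'        # hypothetical firewall rule name

# 1. File group matching the extension seen in this test.
New-FsrmFileGroup -Name $groupName -IncludePattern @('*.locky')

# 2. Notification: log a warning naming the user and the blocked path.
#    The bracketed tokens are FSRM notification variables.
$eventAction = New-FsrmAction -Type Event -EventType Warning `
    -Body 'User [Source Io Owner] tried to save [Source File Path] (group: [Violated File Group]).' `
    -RunLimitInterval 0

# 3. Response: run as LocalSystem and add an inbound block rule for TCP 445,
#    but only if the rule does not exist yet, so repeated hits do not stack rules.
$cmdArgs = "-NoProfile -Command `"if (-not (Get-NetFirewallRule -DisplayName '$ruleName' -ErrorAction SilentlyContinue)) { New-NetFirewallRule -DisplayName '$ruleName' -Direction Inbound -Protocol TCP -LocalPort 445 -Action Block }`""
$cmdAction = New-FsrmAction -Type Command `
    -Command 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' `
    -CommandParameters $cmdArgs `
    -SecurityLevel LocalSystem -KillTimeOut 1 -RunLimitInterval 0

# 4. Active screen: the write is denied, then both actions fire.
#    A passive screen would only notify and let the file be written.
New-FsrmFileScreen -Path $sharePath -IncludeGroup $groupName -Active `
    -Notification $eventAction, $cmdAction

# 5. Confirm the screen is in place and active.
Get-FsrmFileScreen -Path $sharePath | Select-Object Path, Active, IncludeGroup
```

The block rule cuts off file sharing for every user of the server and stays until it is removed with `Remove-NetFirewallRule -DisplayName 'FSRM-Block-SMB-In'`. The screen only reacts to patterns in the file group, so the group has to be kept current as extensions change.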

This may not work forever but it is proof enough for me to justify implementing it in production. I hope this helps you too!

You could even take this another step further to protect PC data.  If you configure your PCs with Desktop and Documents redirection on a screened share, even the PC data should be protected.

Time to revert my lab!

Locky_Aftermath

2 comments

1 ping

  1. File screens work but this article over at Question Driven is very comprehensive. Check it out!

  1. […] user.  It is possible to use a file screen to disable files sharing of a windows file server, http://dconsec.com/2016/03/30/file-screens-defeat-ransomware/.   However, I don’t want to stop sharing folders on my entire file server because one user […]
