Mar 24

Use File Screens to Stop Ransomware – Part 1

Ransomware has become the hot topic for 2016.  It is bad enough that this crypto malware can encrypt workstations, but the risk of one infected user locking down the file server is especially scary.


This article details how you can use Server 2012 file screens to prevent CryptoLocker from taking over your file server.  There are a lot of good articles out there using file screens for this purpose, but they all share one flaw: they blacklist every known ransomware extension.  As long as you are blacklisting, you leave yourself exposed to changed tactics.  The steps below detail how to create a file screen whitelist and block everything you don’t explicitly allow.  Whether the latest extension is .zzz or .xxx or .AYBABTU, this technique will keep you protected.

The Ransomware file screen is created in three steps:

  1. Add the File Server Resource Manager (FSRM) role
  2. Create an exception list of the extensions you want to allow on your file server
  3. Create a screen that blocks everything else

Install File Server Resource Manager

Open Server Manager and click Add roles and features.


Ensure Role-based installation is selected and click Next.

Select your server from the list and click Next.

Select the File Server Resource Manager role.


A popup window will appear showing the required features for this role.  Click Add Features.


File Server Resource Manager is now selected for installation, click Next.


No changes are required on the Features page, click Next.

Review the installation selections and click Install.


When the installation is complete, click Close.


Create the Exceptions (explicit allow)

Go back to Server Manager and open FSRM by clicking Tools, then click File Server Resource Manager.


Expand the File Screening Management section and click on File Screens.

Right click on File Screens and click Create File Screen Exceptions.


For the Exception Path, browse to the path of the file share that you want to protect.

Under File Groups, select all the categories you want to allow on your file server, then click OK.


You now have an exception list in place, but because everything is still allowed it isn’t doing anything yet.  It is important to create the exception before adding the implicit deny.  If you add the deny rule first, your server won’t allow any files until you create the exceptions.


Create the Whitelist (implicit deny)

Go back to Server Manager and open FSRM by clicking Tools, then click File Server Resource Manager.


Expand the File Screening Management section and click on File Groups.  There are a lot of built-in groups of files, but you don’t need any of them for this step.


Right click on File Groups and click Create File Group.


Name your file group.  For Files to include, type *.* and click Add.  Then click OK.


Next, create a file screen to apply the group to your share.

Right click File Screens and click Create File Screen.


For the File Screen Path, browse to the path of the file share that you want to protect.

Click Define custom file screen properties, then click Custom Properties.


On the custom properties screen select Active Screening.

Under the File Groups, select the group that you created in the previous step, then click OK.


A file screen blocking all file types has now been implemented on your share.  The file types in the exceptions list you created are now the only types of files allowed.

Copying a .txt file was allowed successfully.  Copying a .locky file returns Access Denied.  Renaming an existing file from .txt to .locky, or to anything else unauthorized, also returns Access Denied.


Other Options

There are some other options you can enable on the file screen to provide notifications or even more advanced options like stopping the attack.

Right click on the file screen you created, click Edit File Screen Properties and view each of the additional tabs across the top of the window.

  • Email notifications can be sent to IT staff the moment an unauthorized file copy is attempted.
  • Event logs can be generated.  I highly recommend this option at a minimum.  You can take logging a step further by using Windows Event Forwarding into a SIEM, System Center Operations Manager (SCOM) or any other log collection and alerting tool.
  • Commands can run when an unauthorized file copy is attempted.  I saw some other posts where administrators ran a script to disable the share if an unauthorized file copy was attempted.  This is a great idea but a little too extreme for my personal taste, especially when whitelisting increases the likelihood of false positives. [Update March/29/2016]:  I now believe this step is required for protection.  See File Screens Don’t Stop Ransomware
  • Reports can be generated for File Screening Audit so you can see the activity of your file screen.
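The three steps above (role install, exceptions, catch-all screen) plus the event-log notification, as an added PowerShell example using the FileServerResourceManager module; this is not the article's own code, and the share path, the custom group's extensions and the event body are assumptions to adjust for your environment.

```powershell
# Added example, not from the article: build the FSRM whitelist screen from PowerShell.
# Assumed values: the share path and the extensions in the custom group.
$SharePath = 'D:\Shares\Data'

# Step 1: install the FSRM role (harmless if it is already present).
Install-WindowsFeature -Name FS-Resource-Manager -IncludeManagementTools | Out-Null
Import-Module FileServerResourceManager

# Step 2: exceptions FIRST, so the deny rule never blocks everything.
# 'Office Files', 'Image Files', 'Text Files' and 'Compressed Files' are FSRM built-in groups;
# the custom group holds extensions the built-ins do not cover (assumed list).
$CustomGroup = 'Custom Allowed Extensions'
if (-not (Get-FsrmFileGroup -Name $CustomGroup -ErrorAction SilentlyContinue)) {
    New-FsrmFileGroup -Name $CustomGroup -IncludePattern @('*.pdf', '*.csv', '*.msg') | Out-Null
}
$AllowedGroups = @('Office Files', 'Image Files', 'Text Files', 'Compressed Files', $CustomGroup)
if (-not (Get-FsrmFileScreenException -Path $SharePath -ErrorAction SilentlyContinue)) {
    New-FsrmFileScreenException -Path $SharePath -IncludeGroup $AllowedGroups | Out-Null
}

# Step 3: the *.* group and an ACTIVE screen that blocks it on the share.
$DenyGroup = 'All Files'
if (-not (Get-FsrmFileGroup -Name $DenyGroup -ErrorAction SilentlyContinue)) {
    New-FsrmFileGroup -Name $DenyGroup -IncludePattern '*.*' | Out-Null
}
# Notification: write a Warning to the Application log on every blocked write.
# [Source Io Owner], [Source File Path] and [Server] are FSRM's own message variables.
$LogAction = New-FsrmAction -Type Event -EventType Warning `
    -Body 'FSRM file screen blocked [Source Io Owner] writing [Source File Path] on [Server]'
if (-not (Get-FsrmFileScreen -Path $SharePath -ErrorAction SilentlyContinue)) {
    New-FsrmFileScreen -Path $SharePath -IncludeGroup $DenyGroup -Active -Notification $LogAction | Out-Null
}

# Verify: the exception (allow list) and the screen (deny rule) both sit on the share.
Get-FsrmFileScreenException -Path $SharePath | Select-Object Path, IncludeGroup
Get-FsrmFileScreen -Path $SharePath | Select-Object Path, Active, IncludeGroup

# Detection: blocked writes in the last hour. SRMSVC event 8215 is the file-screen event
# that the notification above raises; forward it to your SIEM as the article suggests.
Get-WinEvent -FilterHashtable @{
    LogName = 'Application'; ProviderName = 'SRMSVC'; Id = 8215
    StartTime = (Get-Date).AddHours(-1)
} -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message
```

Run it in an elevated PowerShell session on the file server; the `if` guards make it safe to re-run after adjusting the group lists.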

Full Disclosure

I haven’t tested this against a real copy of ransomware.  If anybody can add that detail, I would love the information.  I cannot say with certainty that a failed attempt to place the encrypted files won’t result in the malware falling back to just deleting everything.  I assume that if the encryption fails, the code stops, but without validating it I cannot say for sure.  It is also possible that the malware could start using valid file extensions, so this is just one layer of protection, not a guarantee.

[Update March/29/2016]:  You may not be protected.  See my follow up article:  File Screens Don’t Stop Ransomware

References

File Server Resource Manager – Technet: https://technet.microsoft.com/en-us/library/cc732431.aspx

Locky Ransomware Information: https://nakedsecurity.sophos.com/2016/02/17/locky-ransomware-what-you-need-to-know

Reddit Post for File Screening to prevent Cryptolocker or Cryptowall: https://www.reddit.com/r/sysadmin/comments/3gm9ji/cryptolockercryptowall_prevention_file_screening/

KrebsOnSecurity Article about ransomware infection: http://krebsonsecurity.com/2016/03/hospital-declares-internet-state-of-emergency-after-ransomware-infection/
