A script to deploy File Server Resource Manager and associated scripts to block infected users
Switch branches/tags
Nothing to show
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Failed to load latest commit information.
BlockFileExtensionsGPO.ps1 Add software restriction GPO deployment script Jan 28, 2016
DeployCryptoBlocker.ps1
LICENSE.md
README.md Update README to reflect change of extensions to JSON API Jun 4, 2016
RemoveShareACLsForUser.ps1 Issue #6 - Removal of Deny Permissions on Shares Jun 27, 2016

README.md

CryptoBlocker

This is a solution to block users infected with different ransomware variants.

The script will install File Server Resource Manager (FSRM), and set up the relevant configuration.

Script Deployment Steps

  1. Checks for network shares
  2. Installs FSRM
  3. Create batch/PowerShell scripts used by FSRM
  4. Creates a File Group in FSRM containing malicious extensions and filenames (pulled from https://fsrm.experiant.ca/api/v1/get)
  5. Creates a File Screen in FSRM utilising this File Group, with an event notification and command notification
  6. Creates File Screens utilising this template for each drive containing network shares

How it Works

If the user writes a malicious file (as contained in the file group) to a network share, FSRM will run the deployed script which will add a Deny permission for that user against every share.

This has been tested fairly thoroughly, and I find that at most ransomware ends up encrypting one directory before the user is blocked.

The script has now been modified to pull the list of extensions from a JSON API. Credit to https://fsrm.experiant.ca/ for this list. Make sure you review the list (https://fsrm.experiant.ca/api/v1/get) before deploying, in case any false positives are listed (e.g. I have seen CAD software legitimately use *.encrypted before). When this list is updated, review it and simply run the script again to redeploy.

NOTE: This will NOT stop variants which use randomised file extensions, don't drop README files, etc

Usage

Just run the script. You can easily use this script to deploy the required FSRM install, configuration and needed blocking scripts across many file servers

An event will be logged by FSRM to the Event Viewer (Source = SRMSVC, Event ID = 8215), showing who tried to write a malicious file and where they tried to write it. Use your monitoring system of choice to raise alarms, tickets, etc for this event and respond accordingly.

Disclaimer

This script is provided as is. I can not be held liable if this does not thwart a ransomware infection, causes your server to spontaneously combust, results in job loss, etc.