This branch is 35 commits ahead of Kittzus:master.

Latest commit

* Extended functionality and polished output

- added the notification options to the template
- removed notification options from the file screen
- added active/passive screen type configuration
- added German translation to the notification messages
- output polished a bit ;-)
- added a few more comments

* changed default language to english

* changed default type to active

* Changed SkipList from relative Path to automatically detected Path of the Script

* Changed relative path to $PSScriptRoot Variable

  * Always use correct path for included files
  * Ignore working directory
  * works with task scheduler (does not write to Windows System root!)
  * Included files are always in the directory of the script
  * existing files in relative path will be moved to the script path if
  they exist

* fixed bug in skiplist moving

* Change relative path of ExcludePath.txt to $PSScriptRoot and added ExcludePath to .gitignore
3596f7c

README.md

CryptoBlocker

This is a solution to block users infected with different ransomware variants.

The script will install File Server Resource Manager (FSRM), and set up the relevant configuration.

Script Deployment Steps

NOTE: Before running, please add any known good file extensions used in your environment to SkipList.txt, one per line. This ensures that if a file screen that blocks one of those extensions is added to the list in the future, your environment won't be affected, because entries listed in SkipList.txt are removed automatically. If SkipList.txt does not exist, it will be created automatically.

  1. Checks for network shares
  2. Installs FSRM
  3. Creates batch/PowerShell scripts used by FSRM
  4. Creates a File Group in FSRM containing malicious extensions and filenames (pulled from https://fsrm.experiant.ca/api/v1/get)
  5. Creates a File Screen in FSRM utilising this File Group, with an event notification and command notification
  6. Creates File Screens utilising this template for each drive containing network shares

How it Works

If the user attempts to write a malicious file (as described in the filescreen) to a protected network share, FSRM will prevent the file from being written and send an email to the configured administrators, notifying them of the user and the file location where the attempted write occurred.

NOTE: This will NOT stop variants which use randomised file extensions, don't drop README files, etc.

Usage

Just run the script. You can easily use this script to deploy the required FSRM install, configuration and blocking scripts across many file servers.

An event will be logged by FSRM to the Event Viewer (Source = SRMSVC, Event ID = 8215), showing who tried to write a malicious file and where they tried to write it. Use your monitoring system of choice to raise alarms, tickets, etc for this event and respond accordingly.

ProtectList.txt

By default, this script will enumerate all the shares running on the server and add protections for them. If you would like to override this, you can create a ProtectList.txt file in the script's running directory. The contents of this file should be the folders you would like to protect, one per line. If this file exists, only the folders listed in it will be protected. If the file is empty or only has invalid entries, there will be no protected folders.

IncludeList.txt

Sometimes you have file screens that you want to add that are not included in the download from Experiant. In this case, you can simply create a file named IncludeList.txt and put the screens you would like to add, one per line. If this file does not exist, only the screens from Experiant are included.
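
The following is an added example, not code from this repository: it shows how the SkipList.txt note and the IncludeList.txt section above combine into the pattern list that ends up in the File Group, and reports which known-good entries actually collided with the downloaded list. The function name, parameter names, matching rules and all sample values are assumptions made for illustration.

```powershell
# Added example, not the project's code. Function name, parameter names and all
# sample values are constructed for illustration.
function Get-EffectivePatternList {
    param(
        [string[]]$Downloaded,      # patterns as downloaded from the list source
        [string]$SkipListPath,      # known-good entries, one per line
        [string]$IncludeListPath    # extra entries, one per line; file is optional
    )

    # One entry per line; trim whitespace and drop blank lines.
    # A missing file is treated as an empty list.
    $read = {
        param($Path)
        if ($Path -and (Test-Path -LiteralPath $Path)) {
            Get-Content -LiteralPath $Path | ForEach-Object { $_.Trim() } | Where-Object { $_ }
        }
    }
    $skip    = @(& $read $SkipListPath)
    $include = @(& $read $IncludeListPath)

    # Assumption: SkipList entries are matched as whole patterns, case-insensitively
    # (-contains ignores case), and are applied before IncludeList entries are appended.
    $kept    = @($Downloaded | Where-Object { $skip -notcontains $_ })
    $skipped = @($Downloaded | Where-Object { $skip -contains $_ })

    [pscustomobject]@{
        Effective = @($kept + $include | Sort-Object -Unique)
        Skipped   = $skipped   # known-good entries the downloaded list would have blocked
        Unused    = @($skip | Where-Object { $Downloaded -notcontains $_ })
    }
}

# Constructed sample input, written to a temporary directory so the example runs offline.
$dir = Join-Path ([System.IO.Path]::GetTempPath()) ([guid]::NewGuid().ToString())
New-Item -ItemType Directory -Path $dir | Out-Null
Set-Content -Path (Join-Path $dir 'SkipList.txt')    -Value '*.LOCKED', '', '  *.one  '
Set-Content -Path (Join-Path $dir 'IncludeList.txt') -Value '*.examplecrypt'
$downloaded = '*.locked', '*.encrypted', 'HELP_DECRYPT.TXT'

$result = Get-EffectivePatternList -Downloaded $downloaded `
    -SkipListPath (Join-Path $dir 'SkipList.txt') `
    -IncludeListPath (Join-Path $dir 'IncludeList.txt')
$result.Effective   # patterns that would go into the FSRM File Group
$result.Skipped     # review these: a known-good extension collided with the list
Remove-Item -Recurse -Force $dir
```

Reviewing the `Skipped` output after each list update shows where a known-good extension in your environment overlaps with a pattern the list considers malicious, which is exactly the coverage gap SkipList.txt introduces.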

Disclaimer

This script is provided as is. I can not be held liable if this does not thwart a ransomware infection, causes your server to spontaneously combust, results in job loss, etc.
