TYPE: VBS Script
PRIMARY LANGUAGE: VBScript
AUTHOR: Justin Grimes
ORIGINAL VERSION DATE: 8/23/2019
CURRENT VERSION DATE: 8/28/2019
DESCRIPTION: An application for early warning about potential ransomware activity on a domain workstation. On first run, Ransomware_Defender creates "Perimiter Files" in strategic places on the local filesystem. On subsequent runs, Ransomware_Defender will check that the perimiter files still exist. If perimiter files are found we compare them to the original perimiter file. If perimiter files are missing they are searched for. If perimiterFiles have been tampered with the workstation will emit a Log, an email notification, & shut down to prevent further damage.
PURPOSE: To detect malicious file operations early enough that they do not cause widespread damage to company equipment.
- Install Ransomware_Defender into a subdirectory of your Network-wide scripts folder.
- Open Ransomware_Defender.vbs with a text editor and configure the variables at the start of the script to match your environment.
- Open sendmail.ini with a text editor and configure your email server settings.
- Run the script automatically on domain workstations at machine startup or user logon with a GPO. Or both!
- Run the script automatically with scheduled tasks at regular intervals.
- To add additional locations for monitoring, add the full absolute path to the "perimiterFiles" array.
- This script MUST be run with administrative rights.
- If this script is started in regular user mode, it will prompt for administrator elevation.
- "Fake Sendmail for Windows" is required for this application to send notification emails. Per the "Fake Sendmail" license, the required binaries are provided.
- To reinstall "Fake Sendmail for Windows" please visit https://www.glob.com.au/sendmail/
- Use absolute UNC paths for network addresses. DO NOT run this from a network drive letter. The restartAsAdmin() function will not work properly.
- If using as a startup/logon script it is advised to NOT use a conditional that checks for the prescence of the script prior to running it. Doing so could result in a false negative if ransomware damages Ransomware_Defender before it can be run. Errors produced by such a condition would alert users that something was wrong.