File screens have successfully stopped Locky.
I ran a curious file today that gave me the picture above…but my file server is just fine.
For a test, I created multiple file shares.
One share did not have a screen enabled.
The other share had the screen configured as detailed in my previous two posts.
Use File Screen to Stop Ransomware – Part 1
File Screens Don’t Stop Ransomware – Part 2
After running the email attachment, I observed this netstat and task information.
Here is what is left of the share without the screen.
This is the share that had the screen enabled. I like this one better!
File screens don’t stop ransomware, but firewalls do.
In my last post, I suggested that disabling shares in response to an unauthorized file extension was a bit extreme. After discussing this with other members of the community, I now believe that blocking access is the only real solution.
If ransomware created an encrypted copy of all files and deleted the original copy, a file screen should prevent it. If the ransomware encrypts the existing file and then renames it, a file screen will prevent the rename but the file will still be encrypted. This clearly does not solve the problem.
In order to make the file screen effective, it must respond to an unauthorized file extension by immediately blocking all file share activity until the event can be investigated.
The best response I can think of is to use netsh.exe to block file sharing on the firewall in order to halt the attack. This is done on the Command tab of the file screen window.
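As an added example (not code from the original post), the PowerShell below writes a response script of the kind the Command tab can run and attaches it to an existing screen with New-FsrmAction. The script path C:\FSRM\Block-SmbOnScreenHit.ps1, the firewall rule name, the log path, the event source and the share root D:\Shares are all assumed values; [Source Io Owner] and [Source File Path] are FSRM's own macros, expanded by FSRM before the command runs.

```powershell
# Added example: FSRM Command action that halts the attack by blocking SMB with netsh.
# All paths and names below are assumptions for illustration.
$ScriptPath = 'C:\FSRM\Block-SmbOnScreenHit.ps1'

# The response script FSRM will launch. Single-quoted here-string: nothing expands now.
$responseScript = @'
param(
    [string]$Owner = 'unknown',   # filled by FSRM macro [Source Io Owner]
    [string]$Path  = 'unknown',   # filled by FSRM macro [Source File Path]
    [switch]$Restore              # run manually with -Restore after the investigation
)
$RuleName = 'FSRM-RansomwareResponse-BlockSMB'   # constructed rule name
$Log      = 'C:\FSRM\screen-response.log'        # assumed log location
$Src      = 'RansomwareResponse'                 # constructed event source

if (-not [System.Diagnostics.EventLog]::SourceExists($Src)) {
    New-EventLog -LogName Application -Source $Src
}

if ($Restore) {
    # Reopen the share only after the writing workstation is isolated and cleaned.
    & netsh.exe advfirewall firewall delete rule name="$RuleName" | Out-Null
    Add-Content $Log "$(Get-Date -Format o) SMB block removed by $env:USERNAME"
    Write-EventLog -LogName Application -Source $Src -EntryType Information -EventId 1002 `
        -Message "Inbound SMB block removed by $env:USERNAME."
    return
}

# Block inbound SMB (TCP 139/445) on the host firewall. Every client session stops,
# including the infected one, so no further files can be encrypted or renamed.
& netsh.exe advfirewall firewall delete rule name="$RuleName" | Out-Null   # avoid duplicates
& netsh.exe advfirewall firewall add rule name="$RuleName" dir=in action=block `
    protocol=TCP localport=139,445 enable=yes | Out-Null

# Leave an audit trail: which account wrote the offending file, and where.
Add-Content $Log "$(Get-Date -Format o) BLOCK owner=$Owner path=$Path"
Write-EventLog -LogName Application -Source $Src -EntryType Error -EventId 1001 `
    -Message "File screen violation by $Owner on $Path. Inbound SMB has been blocked."
'@

New-Item -ItemType Directory -Path (Split-Path $ScriptPath) -Force | Out-Null
Set-Content -Path $ScriptPath -Value $responseScript -Encoding ASCII

# Attach the script to the screen on D:\Shares (assumed path). FSRM runs the command as
# LocalSystem and expands the macros itself; RunLimitInterval stops a burst of hits from
# launching the script hundreds of times in one minute.
$ps  = "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe"
$cmd = New-FsrmAction -Type Command -Command $ps `
    -CommandParameters "-ExecutionPolicy Bypass -File $ScriptPath -Owner `"[Source Io Owner]`" -Path `"[Source File Path]`"" `
    -SecurityLevel LocalSystem -RunLimitInterval 60
$screen = Get-FsrmFileScreen -Path 'D:\Shares'
Set-FsrmFileScreen -Path 'D:\Shares' -Notification (@($screen.Notification) + $cmd)
```

Two things to check before relying on this: the firewall block also cuts off legitimate users, so the event in the Application log (and the owner recorded in the log file) is what tells the on-call admin whose workstation to pull off the network before running the script again with -Restore; and the script must live on a volume that is not itself under the screen, otherwise a screened path could prevent FSRM from reading it.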
Ransomware has become the hot topic for 2016. It is bad enough that this crypto malware can encrypt workstations, but the risk of one infected user locking down the file server is especially scary.
This article details how you can use Server 2012 file screens to prevent crypto locker from taking over your file server. There are a lot of good articles out there using file screens for this purpose, but they all have one flaw: they blacklist every known ransomware extension. As long as you are blacklisting, you leave yourself exposed to changed tactics. The steps below detail how to create a file screen whitelist and block everything else that you don’t explicitly allow. Whether the latest extension is .zzz or .xxx or .AYBABTU, this technique will keep you protected.
The Ransomware file screen is created in three steps:
- Add the File Server Resource Manager (FSRM) role
- Create an exception list of the extensions you want to allow on your file server
- Create a screen that blocks everything else
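The three steps above, carried out with the FileServerResourceManager cmdlets as an added example (not the original post's own commands). The share root D:\Shares and the allowed-extension list are constructed starting points; the real list should come from an inventory of what is actually stored on the server.

```powershell
# Added example: whitelist file screen in three steps. D:\Shares and the extension
# list are assumptions; build the list from the server's real data before enabling.

# Step 1: add the FSRM role and its management tools (one-time, elevated).
Install-WindowsFeature -Name FS-Resource-Manager -IncludeManagementTools

# Step 2: the exception list. In an FSRM file group the ExcludePattern overrides the
# IncludePattern, so "every file" minus the allowed extensions is exactly the set the
# screen refuses. Remember the temp files applications create while saving.
$allowed = @(
    '*.docx','*.doc','*.xlsx','*.xls','*.pptx','*.pdf','*.txt','*.csv',
    '*.jpg','*.png','*.zip','*.tmp','~$*'
)
New-FsrmFileGroup -Name 'Ransomware whitelist' `
    -Description 'Matches every file whose extension is not explicitly allowed' `
    -IncludePattern @('*') `
    -ExcludePattern $allowed

# Step 3: an active screen on the share root that blocks the group and logs each hit.
# [Source Io Owner], [Source File Path] and [Server] are FSRM's own notification macros.
$event = New-FsrmAction -Type Event -EventType Warning `
    -Body 'File screen hit: [Source Io Owner] tried to write [Source File Path] on [Server].'
New-FsrmFileScreen -Path 'D:\Shares' `
    -Description 'Whitelist screen: deny everything not in the allowed list' `
    -IncludeGroup @('Ransomware whitelist') `
    -Active `
    -Notification $event

# Verify: an allowed extension is created, an unknown one is refused by the screen.
New-Item -ItemType File -Path 'D:\Shares\test.docx' -Force | Out-Null
try   { New-Item -ItemType File -Path 'D:\Shares\test.zzz' -ErrorAction Stop | Out-Null }
catch { "Blocked as expected: $($_.Exception.Message)" }
Get-FsrmFileScreen -Path 'D:\Shares' | Format-List Path, Active, IncludeGroup
Remove-Item 'D:\Shares\test.docx'
```

Run the whitelist in passive mode first (omit -Active) for a week and review the warning events: every legitimate extension that shows up there has to be added to $allowed before the screen goes active, or users will be the ones reporting the "blocks". Note also that a file with no extension matches only the '*' include pattern and is therefore refused; allow it deliberately if the server hosts such files.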
This is a short speech I gave on the topic of phishing using a composite of real customers. I briefly explain what it looks like and the potential consequences.