File screens don’t stop ransomware, but firewalls do.
In my last post, I suggested that disabling shares in response to an unauthorized file extension was a bit extreme. After discussing this with other members of the community, I now believe that blocking access is the only real solution.
If ransomware created an encrypted copy of every file and then deleted the original, a file screen would block it. But if the ransomware encrypts the existing file in place and then renames it, the file screen blocks only the rename; the file is already encrypted. A screen on its own clearly does not solve the problem.
To make the file screen effective, it must respond to an unauthorized file extension by immediately blocking all file share activity until the event has been investigated.
The best response I can think of is to use netsh.exe to block file sharing on the firewall in order to halt the attack. This is done on the Command tab of the file screen window.
Check Run this command or script
Enter the path to netsh.exe as the command.
Enter the arguments below to block the file sharing ports.
advfirewall firewall add rule name="Locky Stop" dir=in action=block enable=yes localport=139,445 protocol=tcp remoteip=any
Change the Run the command as setting to Local System. The other accounts do not have the rights needed to modify the firewall.
An attempt to rename a file with an unauthorized extension gives an access denied error.
After the failed rename attempt, the new rule appears in the firewall rule list.
Any other file sharing rules you have in place are not affected. This approach takes advantage of the fact that a Deny rule takes precedence over an Allow rule.
When your investigation (or false positive) is over, you can easily delete the Locky Stop rule and your server will return to normal.
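The same block, as an added example that is not part of the original post: a small batch wrapper the file screen can call instead of netsh.exe directly, so the trigger is logged, the rule is not added twice, and a failure (typically from not running as Local System) is recorded. It assumes FSRM passes [Source Io Owner] and [Source File Path] as the two script arguments; the log path is a placeholder.

```batch
@echo off
rem Added example, not from the original post. Wrapper for the FSRM file screen
rem command: logs the trigger, adds the SMB deny rule once, verifies the result.
rem Assumed: %1 = [Source Io Owner], %2 = [Source File Path] from FSRM.
set RULE=Locky Stop
set LOGFILE=%SystemRoot%\Temp\filescreen-block.log

echo %DATE% %TIME% file screen hit: owner=%~1 path=%~2 >> "%LOGFILE%"

rem Only add the rule once; a second trigger would otherwise create a duplicate.
netsh advfirewall firewall show rule name="%RULE%" >nul 2>&1
if %ERRORLEVEL% EQU 0 (
    echo %DATE% %TIME% rule "%RULE%" already present, nothing to do >> "%LOGFILE%"
    exit /b 0
)

rem Inbound deny for NetBIOS session (139) and SMB (445). A deny rule wins over
rem any existing allow rule, so other file sharing rules are left untouched.
netsh advfirewall firewall add rule name="%RULE%" dir=in action=block enable=yes protocol=tcp localport=139,445 remoteip=any >> "%LOGFILE%" 2>&1
if %ERRORLEVEL% NEQ 0 (
    echo %DATE% %TIME% FAILED to add rule "%RULE%" - check that the command runs as Local System >> "%LOGFILE%"
    exit /b 1
)
echo %DATE% %TIME% rule "%RULE%" added, SMB blocked pending investigation >> "%LOGFILE%"
exit /b 0

rem To restore service after the investigation, from an elevated prompt:
rem   netsh advfirewall firewall delete rule name="Locky Stop"
```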
I borrowed, and believe I have simplified and improved on, the information created at JPElectron.
TechNet AdvFirewall Commands