File Screens Don’t Stop Ransomware – Part 2

File screens don’t stop ransomware, but firewalls do.

[Screenshot: Firewall4]

In my last post, I suggested that disabling shares in response to an unauthorized file extension was a bit extreme.  After discussing this with other members of the community, I now believe that blocking access is the only real solution.

If ransomware created an encrypted copy of each file and then deleted the original, a file screen would stop it, because the new file's extension is on the blocked list and the create is refused.  If the ransomware instead encrypts the existing file in place and then renames it, the file screen blocks the rename, but the contents are already encrypted.  (Ransomware that keeps the original file name never trips the screen at all, since a file screen matches only on file name patterns.)  On its own, a file screen clearly does not solve the problem.

To make the file screen effective, its response to an unauthorized file extension must be to immediately block all file share activity on the server until the event can be investigated.

The best response I can think of is to use netsh.exe to block the file sharing ports on the Windows Firewall, which halts the attack for every client.  This is configured on the Command tab of the file screen properties in File Server Resource Manager.

Check Run this command or script

Enter the path for the command as shown below.

C:\Windows\System32\netsh.exe

Enter the arguments below to block the file sharing ports.

advfirewall firewall add rule name="Locky Stop" dir=in action=block enable=yes localport=139,445 protocol=tcp remoteip=any

Change the Run the command as section to Local System.  The other choices (Local Service and Network Service) do not have rights to modify the firewall, so the command would silently fail.
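The same setup built from PowerShell instead of the GUI, as an added example that is not part of the original post. It uses the FileServerResourceManager and NetSecurity modules (Windows Server 2012 or later) and assumes a share root of D:\Shares, a responder script path of C:\Scripts\Block-Smb.ps1 and an illustrative extension list; none of those come from the post. The responder does the same thing as the netsh command above, but checks for an existing rule first so that repeated triggers do not pile up duplicates, and a cleanup function is included for the end of the investigation.

```powershell
#Requires -RunAsAdministrator
# Added example (not the original post's code). Run once on the file server.
Import-Module FileServerResourceManager
Import-Module NetSecurity

$RuleName   = 'Locky Stop'
$SharePath  = 'D:\Shares'                 # assumption: root folder of the screened shares
$ScriptPath = 'C:\Scripts\Block-Smb.ps1'  # assumption: where the responder script lives

# 1. Responder that FSRM runs as Local System when the screen fires.
#    Same effect as: netsh advfirewall firewall add rule name="Locky Stop" dir=in
#    action=block enable=yes localport=139,445 protocol=tcp remoteip=any
#    Block rules win over Allow rules, so the normal File and Printer Sharing
#    rules can stay in place; the check keeps the rule idempotent.
$Responder = @'
Import-Module NetSecurity
$RuleName = 'Locky Stop'
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Block `
        -Enabled True -Profile Any -Protocol TCP -LocalPort 139,445 -RemoteAddress Any |
        Out-Null
}
'@
New-Item -ItemType Directory -Path (Split-Path $ScriptPath) -Force | Out-Null
Set-Content -Path $ScriptPath -Value $Responder -Encoding ASCII

# 2. File group of extensions the screen refuses (illustrative list, not from the post).
$Group = New-FsrmFileGroup -Name 'Ransomware extensions' `
    -IncludePattern @('*.locky', '*.zepto', '*.crypt', '*.encrypted')

# 3. Command action: the GUI's "Run this command or script" with
#    "Run the command as: Local System". Other accounts cannot change the firewall.
$Action = New-FsrmAction -Type Command `
    -Command "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe" `
    -CommandParameters "-NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`"" `
    -SecurityLevel LocalSystem

# 4. Active file screen on the share root; subfolders inherit it.
New-FsrmFileScreen -Path $SharePath -IncludeGroup $Group.Name -Notification $Action `
    -Active -Description 'Block SMB inbound when a ransomware extension appears' | Out-Null

# 5. Cleanup after the investigation (or a false positive): drop only the block
#    rule. The file screen itself stays armed.
function Remove-SmbBlock {
    Remove-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
}
```

To test it, create a file such as test.locky on the share from a client; the create should fail with access denied and, shortly after, Get-NetFirewallRule -DisplayName 'Locky Stop' on the server should show the rule. Two things to plan for before relying on it: the block also cuts off your own SMB access to the server, so investigate over RDP or the console; and FSRM runs a command action at most once per run-limit interval (60 minutes by default, settable with -RunLimitInterval on New-FsrmAction), which is fine here because a single trigger is all the block needs.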

[Screenshot: Firewall1]

An attempt to rename a file to an unauthorized extension gives an access denied error.

[Screenshot: Firewall3]

Here you can see the new rule has been created after the failed rename attempt.

[Screenshot: Firewall2]

Any other file sharing rules you have in place are not affected.  This works because in Windows Firewall a Block rule takes precedence over an Allow rule, so the existing File and Printer Sharing allow rules can stay exactly as they are and the new rule simply overrides them while it exists.

When the investigation is over (or the alert turns out to be a false positive), delete the Locky Stop rule and the server returns to normal; the file screen itself stays in place, ready for the next trigger.

References:

I borrowed and believe I have simplified and improved on the information created at JPElectron

http://jpelectron.com/sample/Info%20and%20Documents/Stop%20crypto%20badware%20before%20it%20ruins%20your%20day/

TechNet AdvFirewall Commands

https://technet.microsoft.com/en-us/library/dd734783(v=ws.10).aspx
