File Screens Defeat Ransomware – Part 3

File screens have successfully stopped Locky.

150

I ran a curious file today that gave me the picture above…but my file server is just fine.

For a test, I created multiple file shares.

One share did not have a screen enabled.

The other share had the screen configured as detailed in my previous two posts.

Use File Screen to Stop Ransomware – Part 1

File Screens Don’t Stop Ransomware – Part 2

After running the email attachment, I observed this netstat and task information.

Locky_ActiveAttack

Here is what what is left of the share without the screen.

Locky_EncryptedShare2

This is the share that had the screen enabled.  I like this one better!

Locky_NotEncrypted

 

At 2:18, an event was logged in response to the .locky files.  The path in this event is the path shown in the picture above.  It is sorted by modified date to show that not even a single file was changed.

Locky_EventLog

Here is the firewall creation event.  This rule was created 37 seconds after the alert was triggered.

Locky_FirewallRuleCreation

Locky_Stop

This may not work forever but it is proof enough for me to justify implementing in production.  I hope this helps you too!

You could even take this another step further to protect PC data.  If you configure your PCs with Desktop and Documents redirection on a screened share, even the PC data should be protected.

Time to revert my lab!

Locky_Aftermath

 

 

 

 

Advertisements

3 thoughts on “File Screens Defeat Ransomware – Part 3

  1. Pingback: How To Prevent Ransomware Infections | Question Driven

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s