File Screens to Monitor File Shares for Ransomware

File Screens monitor your Windows file share and can notify you when certain files or file types are created. Many newer ransomware families are not adding ransom notes to file shares or changing file extensions, which makes file screens ineffective for detecting that newer ransomware.

File Screens do not prevent ransomware. For prevention, see this article: http://www.questiondriven.com/2016/03/07/how-to-prevent-ransomware-infections/.

I wanted to monitor the file shares for ransomware-related files. The sooner I catch ransomware in action, the fewer files it can encrypt. The owner of any file created by the malware tells me which user on the network is responsible. With that information I can get their computer shut down and reimaged. The email notification from File Screens gives you the user that created the file, which lets you shut down infected computers quickly.

The only caveat is that new ransomware comes out daily, so your File Screen will quickly become outdated. Still, maintaining a file screen for early notification is very helpful in stopping ransomware before it has done extensive damage to all of your file shares. If you want to detect future ransomware as well, I created a program to do just that: http://www.questiondriven.com/2016/02/18/beta-testing-for-ransomware-detection-in-file-share/. This program will also help you audit your file shares and give you lists of new, changed, and corrupt files.

How to Setup File Screens on a Windows File Server:

  • Open Control Panel -> Administrative Tools -> File Server Resource Manager.
  • Click “File Server Resource Manager (Local)” in the tree view on the left.
  • Click “Configure Options” on the right.

(Screenshot: File Server Resource Manager, Configure Options button)

  • Configure your desired email options.
  • Click “Send Test Email” to confirm that the email options work. (You might have to allow your email server to accept mail from your file server’s IP address.)

(Screenshot: File Server Resource Manager email options)

  • Click “File Groups” in the tree view on the left.
  • Click “Create File Group” on the right.

(Screenshot: Create File Group button)

  • Type in “Ransomware” as the name of the File Group.
  • Add all of the file extensions and specific ransomware-related file names. (See the bottom of the article for a list of ransomware-related files and extensions.)

(Screenshot: File Group dialog, adding extensions and specific file filters)

  • Click “File Screen Templates” on the right in the tree view.
  • Click “Create File Screen Template”.

(Screenshot: Create File Screen Template button)

  • Type in “Ransomware” as the name of the template.
  • Click the “Passive screening” radio button.
  • Check the Ransomware file group created earlier.
  • Click the “Email Message” tab if you want to customize the email body.

(Screenshot: the created File Screen Template)

  • Click “File Screens” in the tree view on the left.
  • Click “Create File Screen” on the right.

(Screenshot: Create File Screen button)

  • Browse to, or type in, the local path of the shared folder to monitor for ransomware.
  • Select the “Ransomware” File Screen Template.
  • Click Create.
  • Repeat the previous four steps to add more folders to monitor.

(Screenshot: Create File Screen for the specified path)


For additional help, I have linked under Resources at the bottom to several articles that walk you through setting up File Server Resource Manager file screens. You can add the file filters below to the file group you created earlier. There will be more over time, but you can at least catch what is known. Make sure to use passive screening so that the files are allowed to be created and you can find out who is responsible.
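The same setup as the GUI steps above, scripted with the FileServerResourceManager PowerShell module (Windows Server 2012 and later), as an added example that is not from the article. The SMTP host, mailboxes and share paths are placeholders, and only a handful of patterns from the article's list are included.

```powershell
# Added example: FSRM ransomware file screen via PowerShell (not the article's own script).
# Assumptions: SMTP host, mailboxes and share paths below are placeholders for your values.
Import-Module FileServerResourceManager

$SmtpServer = 'smtp.example.internal'                      # placeholder
$AdminMail  = 'secops@example.internal'                    # placeholder
$SharePaths = @('D:\Shares\Finance', 'D:\Shares\Public')   # placeholder shared folders

# 1. Configure Options -> Email Notifications, then send a test email.
Set-FsrmSetting -SmtpServer $SmtpServer -AdminEmailAddress $AdminMail -FromEmailAddress 'fsrm@example.internal'
Send-FsrmTestEmail -ToEmailAddress $AdminMail

# 2. File Group "Ransomware". Only a few patterns from the article's list are shown;
#    paste the full list here. Patterns are file-name globs, not paths.
$Patterns = @('*.locky', '*.cerber', '*.encrypted', 'HELP_DECRYPT.TXT', 'DECRYPT_INSTRUCTION.TXT')
if (-not (Get-FsrmFileGroup -Name 'Ransomware' -ErrorAction SilentlyContinue)) {
    New-FsrmFileGroup -Name 'Ransomware' -IncludePattern $Patterns | Out-Null
} else {
    # Keep the group current as new names appear; this replaces the whole pattern list.
    Set-FsrmFileGroup -Name 'Ransomware' -IncludePattern $Patterns
}

# 3. Template "Ransomware" with PASSIVE screening (-Active:$false): the write is allowed,
#    so the file owner reveals the infected user. The bracketed variables in the body
#    are FSRM notification variables, expanded when the notification fires.
$Body  = 'User [Source Io Owner] wrote [Source File Path] on [Server] (screen on [File Screen Path]). Isolate that workstation.'
$Mail  = New-FsrmAction -Type Email -MailTo '[Admin Email]' -Subject 'Possible ransomware on file share' -Body $Body
$Event = New-FsrmAction -Type Event -EventType Warning -Body $Body   # also logs to the Application event log for a SIEM
New-FsrmFileScreenTemplate -Name 'Ransomware' -IncludeGroup 'Ransomware' -Active:$false -Notification @($Mail, $Event) | Out-Null

# 4. One file screen per shared folder, derived from the template.
foreach ($Path in $SharePaths) {
    if (-not (Get-FsrmFileScreen -Path $Path -ErrorAction SilentlyContinue)) {
        New-FsrmFileScreen -Path $Path -Template 'Ransomware' | Out-Null
    }
}

# 5. Verify: every screen should be passive (Active = False) and bound to the Ransomware group.
Get-FsrmFileScreen | Select-Object Path, Active, IncludeGroup
```

Re-running the script after editing $Patterns updates the file group in place, which is the maintenance step the article says the screen will need as new ransomware appears.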


Specific files created by many ransomware families (the owner of these files tells you which user was infected):

Ransomware File Extensions to Monitor:



Resources:

https://technet.microsoft.com/en-us/library/cc755013(v=ws.10).aspx

https://redmondmag.com/articles/2014/10/08/file-server-resource-manager.aspx

https://github.com/m-dwyer/CryptoBlocker

List of ransomware-related files: https://fsrm.experiant.ca/ and https://fsrm.experiant.ca/installation

https://mizitechinfo.wordpress.com/2013/08/20/step-by-step-manage-file-server-using-fsrm-file-screening-in-windows-server-2012-r2/

http://blogs.msmvps.com/bradley/2013/10/15/cryptolocker-prevention-kit/

http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information

http://www.bleepingcomputer.com/forums/t/506924/cryptolocker-hijack-program/page-229


9 thoughts on “File Screens to Monitor File Shares for Ransomware”

  3. Bill

    If we choose to use the “active screen” setting, could this stop ransomware from writing encrypted files to share folders? If it fails to do so, will the file encryption keep working or stop? If it stops encryption, we could possibly use this way to protect file server shared files; please correct me if I am wrong.

    Bill

  4. dconsec

    I’ve been working on this same issue. I tested successfully and posted my results. The file screen can successfully prevent ransomware. Your “prevent ransomware” article is definitely the better option! But if all else fails, it will be nice to at least keep a client infection from spreading to the file server.

  5. Preston Post author

    I added command options to the ransomware detection service. I created some template PowerShell scripts to disable a computer account or user account based on who was infected with ransomware.

  6. Preston Post author

    Many ransomware are now only creating ransom notes on the desktop of the infected computer. This makes my Ransomware Detection Service more important.
