File Screens will monitor your Windows file share and can notify you when certain files or file types are created. Many newer ransomware families no longer drop ransom notes on file shares or change file extensions, which makes file screens ineffective for detecting them.
File Screens do not prevent ransomware. See this article for prevention http://www.questiondriven.com/2016/03/07/how-to-prevent-ransomware-infections/.
I wanted to monitor the file shares for ransomware-related files. The sooner I catch ransomware in action, the fewer files it can encrypt. The owner of any file created by the malware tells me which user on the network is responsible; with that information I can get their computer shut down and reimaged. The email notification from File Screens gives you the user that created the file, so you can shut down infected computers quickly.
The only caveat is that new ransomware comes out daily, so your File Screen will quickly become outdated. However, maintaining a file screen to get early notification of ransomware is very helpful in stopping it before extensive damage has been done to all of your file shares. If you want to detect future ransomware, I created a program to do just that: http://www.questiondriven.com/2016/02/18/beta-testing-for-ransomware-detection-in-file-share/. This program will also help you audit your file shares and give you lists of new files, changed files, and corrupt files.
How to Set Up File Screens on a Windows File Server:
- Open Control Panel -> Administrative Tools -> File Server Resource Manager
- Click on “File Server Resource Manager (Local)” on the left in the tree view.
- Click on “Configure Options” on the right
- Configure your desired email options
- Click on “Send Test Email” to confirm the email options are working. (You might have to add permissions on your email server to accept emails from your file server’s IP address.)
- Click on “File Groups” on the left tree view
- Click on “Create File Group” on the right.
- Type in “Ransomware” as the name of the File Group.
- Add all file extensions and specific ransomware-related files. (See the bottom of the article for a list of ransomware-related files and extensions.)
- Click on “File Screen Templates” on the right in the tree view
- Click on “Create File Screen Template”
- Type in the Name of the Template “Ransomware”
- Click the Passive Screening radio button
- Check the Ransomware file group created earlier
- Click on “Email Message” tab if you want to customize the email body.
- Click on “File Screens” on the left in the tree view.
- Click on “Create File Screen” on the right.
- Browse or type in the local folder that is a file share to monitor for ransomware.
- Select the “Ransomware” File Screen Template
- Click on Create
- Repeat these previous 4 steps to add more folders to monitor.
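The same configuration can be scripted. The block below is an added example, not code from the original post: it uses the FileServerResourceManager PowerShell module that ships with the FSRM role service. The SMTP host, the email addresses, the share paths and the pattern-file path are placeholders to adjust for your environment, and the pattern list is a short constructed subset of the list at the end of the post. The bracketed names in the email body ([Source Io Owner], [Source File Path], [Server], [Violated File Group], [Admin Email]) are FSRM's own notification variables, the same ones the “Email Message” tab lets you insert.

```powershell
# Added example: the GUI steps above as a script (placeholders are marked).
Import-Module FileServerResourceManager

# 1. Global email settings (equivalent of "Configure Options" -> Email Notifications).
#    Placeholder SMTP host and addresses.
Set-FsrmSetting -SmtpServer 'smtp.example.internal' `
                -FromEmailAddress 'fsrm@example.internal' `
                -AdminEmailAddress 'secops@example.internal'

# Confirm the mail path works before relying on it for alerts.
Send-FsrmTestEmail -ToEmailAddress 'secops@example.internal'

# 2. File group. Constructed subset of the patterns listed at the end of the post;
#    extend $patterns with the rest, or keep them in a text file (one per line).
$patterns = @(
    '*.locky', '*.cerber', '*.crysis', '*.zcrypt', '*.encrypted', '*.locked',
    'HELP_DECRYPT.TXT', 'DECRYPT_INSTRUCTION.TXT', '_Locky_recover_instructions.txt',
    'HELP_YOUR_FILES.TXT', 'README_HOW_TO_UNLOCK.TXT', 'restore_files_.txt'
)
$patternFile = 'C:\FSRM\ransomware-patterns.txt'   # assumed path
if (Test-Path $patternFile) {
    $patterns += Get-Content $patternFile | Where-Object { $_.Trim() -ne '' }
}
$patterns = $patterns | Sort-Object -Unique

# Create the group the first time, update it afterwards, so the script can be
# re-run whenever the pattern list changes.
if (Get-FsrmFileGroup -Name 'Ransomware' -ErrorAction SilentlyContinue) {
    Set-FsrmFileGroup -Name 'Ransomware' -IncludePattern $patterns
} else {
    New-FsrmFileGroup -Name 'Ransomware' -IncludePattern $patterns | Out-Null
}

# 3. Email action. [Source Io Owner] is the account that wrote the file, i.e. the
#    user whose workstation is infected.
$action = New-FsrmAction -Type Email `
    -MailTo '[Admin Email]' `
    -Subject 'Ransomware file group hit on [Server]' `
    -Body ('User [Source Io Owner] wrote [Source File Path] ' +
           '(file group: [Violated File Group]). Isolate that workstation.')

# 4. Passive template: -Active:$false lets the write succeed, which is what
#    records the owner; an active screen would block it and lose that evidence.
if (-not (Get-FsrmFileScreenTemplate -Name 'Ransomware' -ErrorAction SilentlyContinue)) {
    New-FsrmFileScreenTemplate -Name 'Ransomware' -IncludeGroup 'Ransomware' `
        -Active:$false -Notification $action | Out-Null
}

# 5. One file screen per shared folder (placeholder paths).
$shares = @('D:\Shares\Finance', 'D:\Shares\Engineering', 'D:\Shares\Public')
foreach ($path in $shares) {
    if (-not (Get-FsrmFileScreen -Path $path -ErrorAction SilentlyContinue)) {
        New-FsrmFileScreen -Path $path -Template 'Ransomware' | Out-Null
    }
}

# 6. Verify: every screen should be passive and bound to the Ransomware group.
Get-FsrmFileScreen | Where-Object { $_.Template -eq 'Ransomware' } |
    Select-Object Path, Active, IncludeGroup
```

Run it in an elevated PowerShell session on the file server. Because the file group is updated in place when it already exists, the script doubles as the maintenance job the next paragraph calls for: edit the pattern file, re-run, and every screen built from the template picks up the new patterns.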
I linked to several articles at the bottom that walk you through how to set up File Server Resource Manager File Screens, for additional help. You can add the file screen filters below to the file group you created earlier. There will be more over time, but you can at least catch what is known. Make sure to use passive screening so the files are allowed to be created and you find out who is responsible.
Specific Files Created by Many Ransomware (the owner of these files tells you which user was infected):
- -!recover!-!file!-.txt
- -!RecOveR![several random characters].Html
- -!RecOveR![several random characters].Png
- -!RecOveR![several random characters].Txt
- -!RecoveR![several random characters].HTML
- -!RecoveR![several random characters].PNG
- -!RecoveR![several random characters].TXT
- desctop._ini
- _H_e_l_p_RECOVER_INSTRUCTIONS+[3-random].txt
- _how_recover_.txt
- _Locky_recover_instructions.txt
- _RECoVERY_+[5_random].txt
- _secret_code.txt
- ABOUT FILES!.txt
- AllFilesAreLocked_.bmp
- ATTENTION.RTF
- BLEEPEDFILES.TXT
- Coin.Locker.txt
- DECRYPT MY FILES#..txt
- DECRYPT_INSTRUCTION.TXT
- DECRYPT_INSTRUCTIONS.TXT
- DECRYPT_ReadMe.TXT
- DECRYPTION_HOWTO.Notepad
- Encrypted_Files.Notepad
- DecryptAllFiles.txt
- DecryptAllFiles_.txt
- encryptor_raas_readme_liesmich.txt
- FILESAREGONE.TXT
- HELLOTHERE.TXT
- help recover files.txt
- HELP_DECRYPT.TXT
- Help_Decrypt.txt
- help_decrypt_your_files.html
- HELP_DECYPRT_YOUR_FILES.HTML
- HELP_RECOVER_FILES.txt
- help_recover_instructions+[random].txt
- HELP_RESTORE_FILES.txt
- HELP_TO_DECRYPT_YOUR_FILES.txt
- HELP_TO_SAVE_FILES.txt
- HELP_YOUR_FILES.TXT
- HOW TO DECRYPT FILES.TXT
- how_recover+[random].txt
- HOW_TO_DECRYPT_FILES.TXT
- How_To_Recover_Files.txt
- How_To_Restore_Files.txt
- howto_recover_file_.txt
- Howto_Restore_FILES.TXT
- Howto_RESTORE_FILES_.txt
- IAMREADYTOPAY.TXT
- IHAVEYOURSECRET.KEY
- IMPORTANT READ ME.txt
- INSTRUCCIONES_DESCIFRADO.TXT
- Read.txt
- Read_it.txt
- READ_IF_YOU_WANT_YOUR_FILES.html
- ReadDecryptFilesHere.txt
- ReadMe.txt
- README_DECRYPT_UMBRE_ID_[victim_id].txt
- README_HOW_TO_UNLOCK.HTML
- README_HOW_TO_UNLOCK.TXT
- README1.txt...README10.txt
- READTHISNOW!!!.TXT
- recover_file_[random].txt
- recover_files_[random].txt
- recoveryfile*.txt
- recoverfile*.txt
- Recovery_[5_random].txt
- RECOVERY_FILE*.TXT
- RECOVERY_FILE_[random].txt
- recovery_file_[random].txt
- RECOVERY_FILES.txt
- RECOVERY_KEY.txt
- Recovery+[5 random].txt
- RECOVER[random].html
- restore_files_.txt
- SECRET.KEY
- SECRETIDHERE.KEY
- surprise.bat
- WHAT IS SQ_.txt
- !!!-WARNING-!!!.html
- !!!-WARNING-!!!.txt
- YOUR_FILES.HTML
- YOUR_FILES.u+A27:A65
- jbossass.jsp
- jbossass_jsp.class
- shellinvoker.jsp
- shellinvoker_jsp.class
- mela.jsp
- mela_jsp.class
- zecmd.jsp
- zecmd_jsp.class
- cmd.jsp
- cmd_jsp.class
- wstats.jsp
- wstats_jsp.class
- idssvc.jsp
- idssvc_jsp.class
- iesvc.jsp
- iesvc_jsp.class
- last_chance.*
- readme_decrypt*
- readme_for_decrypt*
- restore_fi*
- vault.hta
- vault.key
- vault.txt
- install_tor*
- instructions_xxxx.png
- how%sto%sdecrypt*
- helpdecrypt*
- djqfu*
- *want%syour%sfiles%sback*
- *ukr.net*
- *qq_com*
- *keemail.me*
- *@india.com*
- *@gmail_com_*
- *_UNLOCK.HTML
- *_UNLOCK.TXT
- EncryptedFileList.txt
- READ_THIS_FILE.txt
- READ_IT.txt

Ransomware File Extensions to Monitor:
- *.ecc
- *.ezz
- *.exx
- *.zzz
- *.xyz
- *.aaa
- *.abc
- *.ccc
- *.vvv
- *.xxx
- *.ttt
- *.micro
- *.mp3
- *.encrypted
- *.locked
- *.crypto
- *_crypt
- *.crypt
- *.crinf
- *.coverton
- *.enigma
- *.czvxce
- *.fun
- *.pzdc
- *.good
- *.R16M01D05
- *.cerber
- *.73i87A
- *.p5tkjw
- *.r5a
- *.XTBL
- *.YTBL
- *.LOL!
- *.OMG!
- *.RDM
- *.RRK
- *.encryptedRSA
- *.crjoker
- *.EnCiPhErEd
- *.LeChiffre
- *.keybtc@inbox_com
- *.0x0
- *.bleep
- *.1999
- *.vault
- *.HA3
- *.frtrss
- *.toxcrypt
- *.magic
- *.ENC
- *.locky
- _sq.*
- *.k2p
- *.rokku
- *.Sanction
- *.krypted
- *.SPORT
- *.surprise
- *.cwgoqia
- *.trun
- *.crysis
- *.xrtn
- *.SUPERCRYPT
- *.CTBL
- *.CTB2
- *.nochance
- *.kraken
- *.kb15
- *.hydracrypt*
- *obleep
- *.PoAr2w
- *.btc
- *.gws
- *.kkk
- *.porno
- *.777
- *.0JELvV
- *.6FKR8d
- *.UslJ6m
- *.n1wLp0
- *.5vypSa
- *.YNhlv1
- *.8lock8
- *.da_vinci_code
- *.Z81928819
- *.RSNSlocked
- *.payransom
- *.odcodc
- *.zcrypt
- *.Zyklon