Free, simple protection from Ransomware attacks? Sign me up!

Nathan Magyar
Nov 17, 2020
The simplest solution is often the best one.

Picture this: you wake up Monday morning, primed and ready for another week of work. You log in, warm cup of coffee by your side, and find that nothing is working. You can’t access your client database, or your website. Instead of being met with a productive day, you’re met with a popup telling you to fork over $10,000 in BTC or say goodbye to months, even years, of work.

Enter ransomware. This nasty little piece of software encrypts your files with a key that only the attacker holds, so no amount of guessing gets them back. Unfortunately for you, once you’ve fallen victim to this attack, it’s too late. Unless you have a great backup strategy, get ready to dig deep into the company coffer like 70% of corporate victims do.

So how do we protect ourselves from these attacks?

Fortunately for you, the solution is simple and free. That’s right, free! Better yet, I’ve scripted the entire setup for you. The File Server Resource Manager (FSRM) role service has shipped with Windows Server since 2003 R2, and since Windows Server 2012 it has come with a full PowerShell module. Specifically, we want to look at File Screening Management. Using PowerShell, I’ve created a script that deploys a killswitch: the moment ransomware starts writing its tell-tale file names to a share, the file server reacts, so the attacker gets a handful of files rather than your whole share.

PowerShell is a powerful tool that can simplify the most complex of processes.

File Server Resource Manager offers File Screening Management, which can be leveraged to create a “killswitch”. A file screen is a list of file-name patterns (a file group) attached to a folder; when a file matching one of those patterns is written there, FSRM can refuse the write and run an action of your choosing. What my script does is offer up some directories to the attacker as a trap. Ransomware renames files to its own extension and drops ransom notes as part of the encryption process; when one of those names lands in a screened folder, the trap slams shut. What does the trap do when it slams shut? Whatever you want it to.

One caveat: a file screen matches on the file name only, never on content, so a strain that keeps the original extension, or uses one your file group doesn’t list yet, walks straight past it. Keep the pattern list current, and treat this as one layer alongside backups, not a replacement for them.

You could do a number of things, such as locking out the user. For the purpose of simplicity, I’ve opted against this: you don’t want to lock users out without telling anybody, and my script does not set up the email notification / SMTP configuration in FSRM. At a minimum, however, I’d recommend leveraging the Block-SmbShareAccess cmdlet to revoke the offending user’s access to every share on the affected server. FSRM hands that user to your command as the [Source Io Owner] variable (in DOMAIN\user form), and the command action has to run as Local System to be allowed to edit share permissions. See below for an example:

```powershell
param(
    # Account to revoke, in DOMAIN\user form (FSRM supplies this as [Source Io Owner]).
    # Mandatory rather than defaulting to "", which would make Block-SmbShareAccess fail.
    [Parameter(Mandatory = $true)]
    [string]$Username
)

# Add a Deny entry for the account on every non-administrative share on this server.
# Admin shares (C$, ADMIN$, IPC$) are excluded by -Special $false.
Get-SmbShare -Special $false | ForEach-Object {
    Block-SmbShareAccess -Name $_.Name -AccountName $Username -Force
}
```

The script in its entirety can be found below; simply modify line 79 (the command action) to point to your script of choice and you’re good to go.
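Since the full script is not reproduced on this page, here is an added example (not part of the original post and not the author’s script) of how the pieces above are wired together with the FileServerResourceManager cmdlets: a file group of ransomware file-name patterns, an event-log action plus a command action that calls the Block-SmbShareAccess killswitch with the offending user, and a file screen on every non-administrative share. The killswitch path C:\FSRM\Invoke-KillSwitch.ps1, the file group name and the short pattern list are illustrative assumptions; the pattern list in particular is only a seed and should be replaced with a curated, regularly refreshed one.

```powershell
# Added example: build the FSRM ransomware killswitch on a Windows Server 2012+ file server.
# Assumes the killswitch script (the Block-SmbShareAccess script above) is saved at
# $KillSwitchScript and accepts -Username. Run in an elevated PowerShell session.
[CmdletBinding()]
param(
    [string]$KillSwitchScript = 'C:\FSRM\Invoke-KillSwitch.ps1',   # hypothetical path
    [string]$FileGroupName    = 'Ransomware Extensions',          # hypothetical name
    [switch]$Passive                                                # log and react, but allow the write
)

# 1. Make sure the FSRM role service and its PowerShell module are present.
if (-not (Get-WindowsFeature -Name FS-Resource-Manager).Installed) {
    Install-WindowsFeature -Name FS-Resource-Manager -IncludeManagementTools | Out-Null
}
Import-Module FileServerResourceManager

# 2. File-name patterns that indicate ransomware activity. Illustrative seed list only:
#    file screens match on the name, not the content, so this list is the whole detection.
$patterns = @(
    '*.locky', '*.zepto', '*.odin', '*.thor',        # Locky family
    '*.cerber', '*.wncry', '*.wcry',                 # Cerber, WannaCry
    '*.crypt', '*.encrypted', '*.locked',            # generic extensions used by several strains
    '*_HELP_instructions*', '*HOW_TO_RECOVER*', '*DECRYPT_INSTRUCTION*'   # ransom-note names
)

if (Get-FsrmFileGroup -Name $FileGroupName -ErrorAction SilentlyContinue) {
    Set-FsrmFileGroup -Name $FileGroupName -IncludePattern $patterns
} else {
    New-FsrmFileGroup -Name $FileGroupName -IncludePattern $patterns `
        -Description 'File names that indicate ransomware activity' | Out-Null
}

# 3. What the trap does when it slams shut: log a warning event, then run the killswitch.
#    Before invoking the command FSRM replaces [Source Io Owner] with the DOMAIN\user that
#    wrote the file and [Source File Path] with the offending path.
$eventAction = New-FsrmAction -Type Event -EventType Warning `
    -Body 'Ransomware pattern written by [Source Io Owner]: [Source File Path] on [Server]'

$commandAction = New-FsrmAction -Type Command `
    -Command 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' `
    -CommandParameters "-NoProfile -ExecutionPolicy Bypass -File `"$KillSwitchScript`" -Username `"[Source Io Owner]`"" `
    -SecurityLevel LocalSystem      # Local System is needed to change share permissions

# 4. Put the screen on every non-administrative share on this server.
foreach ($share in Get-SmbShare -Special $false) {
    $path = $share.Path
    if (Get-FsrmFileScreen -Path $path -ErrorAction SilentlyContinue) {
        Write-Verbose "File screen already exists on $path, skipping"
        continue
    }
    $screenParams = @{
        Path         = $path
        IncludeGroup = $FileGroupName
        Notification = @($eventAction, $commandAction)
        Description  = 'Ransomware killswitch'
    }
    # An active screen refuses the write and fires the actions; a passive screen only fires them.
    if (-not $Passive) { $screenParams['Active'] = $true }
    New-FsrmFileScreen @screenParams | Out-Null
    Write-Verbose "Installed file screen on $path"
}
```

Run it once, elevated, on the file server. Without -Passive the screen is active, so the first matching write is refused as well as reported, which matters because many strains rename each file as they finish encrypting it; with -Passive FSRM allows the write and only fires the actions, which is useful for a week of tuning before you let the trap bite. Test it from a non-admin test account by creating a file such as test.locky on a share and confirming that the account then loses access to every share on the server.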


Nathan Magyar

A Systems Engineer with a passion for all things PowerShell based in Melbourne, Australia. https://www.linkedin.com/in/nathanmagyar/