Ransomware such as Crypto Locker or Locky and the like are becoming more and more of a plague. Only in a few cases is it possible to restore the encrypted data. Without a backup, the damage can quickly become very serious.
As Trojans usually start encrypting data from a client and do not even stop at network drives, the best virus protection is usually of little use on the file server itself.
Es gibt aber für Windows Fileserver aber die Möglichkeit den Schaden möglichst gering zu halten, denn ich glaube niemand will morgens in die Firma kommen und komplett verschlüsselte Netzlaufwerke vorfinden wollen. Helfen kann dabei der „Resourcen-Manager für Dateiserver“.
If not already done, the Resource Manager must first be installed:
After installation, the resource manager can be configured. An SMTP server for e-mail notifications can be entered in the options:
A new file group can now be created that contains all the file extensions used by the Trojans. As there are quite a few extensions involved, the easiest way to do this is via PowerShell, here as an example for Server 2012 R2:
New-FsrmFileGroup -Name "Ransomware" –IncludePattern @("*.k","*.encoderpass","*.locky","*.key","*.ecc","*.ezz","*.exx","*.zzz","*.xyz","*.aaa","*.abc","*.ccc","*.vvv","*.xxx","*.ttt","*.micro","*.encrypted","*.locked","*.crypto","_crypt","*.crinf","*.r5a","*.xrtn","*.XTBL","*.crypt","*.R16M01D05","*.pzdc","*.good","*.LOL!","*.OMG!","*.RDM","*.RRK","*.encryptedRSA","*.crjoker","*.EnCiPhErEd","*.LeChiffre","*.keybtc@inbox_com","*.0x0","*.bleep","*.1999","*.vault","*.HA3","*.toxcrypt","*.magic","*.SUPERCRYPT","*.CTBL","*.CTB2","*.locky","HELPDECRYPT.TXT","HELP_YOUR_FILES.TXT","HELP_TO_DECRYPT_YOUR_FILES.txt","RECOVERY_KEY.txt","HELP_RESTORE_FILES.txt","HELP_RECOVER_FILES.txt","HELP_TO_SAVE_FILES.txt","DecryptAllFiles.txt","DECRYPT_INSTRUCTIONS.TXT","INSTRUCCIONES_DESCIFRADO.TXT","How_To_Recover_Files.txt","YOUR_FILES.HTML","YOUR_FILES.url","encryptor_raas_readme_liesmich.txt","Help_Decrypt.txt","DECRYPT_INSTRUCTION.TXT","HOW_TO_DECRYPT_FILES.TXT","ReadDecryptFilesHere.txt","Coin.Locker.txt","_secret_code.txt","About_Files.txt","Read.txt","ReadMe.txt","DECRYPT_ReadMe.TXT","DecryptAllFiles.txt","FILESAREGONE.TXT","IAMREADYTOPAY.TXT","HELLOTHERE.TXT","READTHISNOW!!!.TXT","SECRETIDHERE.KEY","IHAVEYOURSECRET.KEY","SECRET.KEY","HELPDECYPRT_YOUR_FILES.HTML","help_decrypt_your_files.html","HELP_TO_SAVE_FILES.txt","RECOVERY_FILES.txt","RECOVERY_FILE.TXT","RECOVERY_FILE*.txt","HowtoRESTORE_FILES.txt","HowtoRestore_FILES.txt","howto_recover_file.txt","restorefiles.txt","howrecover+*.txt","_how_recover.txt","recoveryfile*.txt","recoverfile*.txt","recoveryfile*.txt","Howto_Restore_FILES.TXT","help_recover_instructions+*.txt","_Locky_recover_instructions.txt")
Server 2008 does not yet have the CMDLet New-FsrmFileGroup, so you have to do it manually:
Therefore, here is the list of potential file extensions used by ransomware:
*.k *.encoderpass *.locky *.key *.ecc *.ezz *.exx *.zzz *.xyz *.aaa *.abc *.ccc *.vvv *.xxx *.ttt *.micro *.encrypted *.locked *.crypto _crypt *.crinf *.r5a *.xrtn *.XTBL *.crypt *.R16M01D05 *.pzdc *.good *.LOL! *.OMG! *.RDM *.RRK *.encryptedRSA *.crjoker *.EnCiPhErEd *.LeChiffre *.keybtc@inbox_com *.0x0 *.bleep *.1999 *.vault *.HA3 *.toxcrypt *.magic *.SUPERCRYPT *.CTBL *.CTB2 *.locky HELPDECRYPT.TXT HELP_YOUR_FILES.TXT HELP_TO_DECRYPT_YOUR_FILES.txt RECOVERY_KEY.txt HELP_RESTORE_FILES.txt HELP_RECOVER_FILES.txt HELP_TO_SAVE_FILES.txt DecryptAllFiles.txt DECRYPT_INSTRUCTIONS.TXT INSTRUCCIONES_DESCIFRADO.TXT How_To_Recover_Files.txt YOUR_FILES.HTML YOUR_FILES.url encryptor_raas_readme_liesmich.txt Help_Decrypt.txt DECRYPT_INSTRUCTION.TXT HOW_TO_DECRYPT_FILES.TXT ReadDecryptFilesHere.txt Coin.Locker.txt _secret_code.txt About_Files.txt Read.txt ReadMe.txt DECRYPT_ReadMe.TXT DecryptAllFiles.txt FILESAREGONE.TXT IAMREADYTOPAY.TXT HELLOTHERE.TXT READTHISNOW!!!.TXT SECRETIDHERE.KEY IHAVEYOURSECRET.KEY SECRET.KEY HELPDECYPRT_YOUR_FILES.HTML help_decrypt_your_files.html HELP_TO_SAVE_FILES.txt RECOVERY_FILES.txt RECOVERY_FILE.TXT RECOVERY_FILE*.txt HowtoRESTORE_FILES.txt HowtoRestore_FILES.txt howto_recover_file.txt restorefiles.txt howrecover+*.txt _how_recover.txt recoveryfile*.txt recoverfile*.txt recoveryfile*.txt Howto_Restore_FILES.TXT help_recover_instructions+*.txt _Locky_recover_instructions.txt
Once the file group has been created, a file check can be created. Either the path to the share or, better still, simply the entire drive is specified as the file path:
In den „Benutzerdefinierten Eigenschaften“, kann dann die Dateigruppe „Ransomware“ ausgewählt werden, die zuvor erstellt wurde:
Am besten erst einmal „Passives Prüfen“ auswählen, um sicherzustellen das nicht auch legitime Dateiendungen von irgendwelchen Programmen in der Dateigruppe Ransomware enthalten sind. Ich stelle hier aber direkt auf „Aktives Prüfen“, somit wird verhindert, dass entsprechende Dateiendungen auf dem FileServer gespeichert werden:
The e-mail notification can now be activated under the E-mail message tab:
The file check can then be saved
Beim Versuch eine Datei mit einer der Endungen aus der Dateigruppe „Ransomware“ zu erstellen, wird jetzt eine „Zugriff verweigert“-Meldung angezeigt. Die Datei wird nicht erstellt:
The administrator and the user will receive a corresponding e-mail:
The problem with this, however, is that it prevents Document.docx, for example, from being saved as an encrypted file under the name Document.docx.locky, but it is impossible to predict how the Trojan will behave, as the file could simply be deleted.
Nobody wants to come into the company in the morning and find an empty file server...
To prevent empty file servers, the service providing the share can be stopped in the file check under the Command tab, for example:
Then the shares are not available in the morning, but that is still better than completely encrypted or empty file servers. It is probably safest to shut down the entire server:
This is a bit more drastic, but still better than this:
- http://www.heise.de/newsticker/meldung/Ransomware-Virus-legt-Krankenhaus-lahm-3100418.html
- http://www.heise.de/newsticker/meldung/Ransomware-Neben-deutschen-Krankenhaeusern-auch-US-Klinik-von-Virus-lahmgelegt-3103733.html
The list of file extensions must of course be constantly updated/adjusted. If you don't want to shut down the server with the first file, you can also create a small script with a counter, which only shuts down the server after a certain number of files.