IF-Blueprint Blog

Fight against Ransomware

At the moment a major risk is endangering businesses worldwide: Ransomware.

Most common types of ransomware encrypt all user’s data – wherether it’s stored on local computers or on network drives. Even unmounted network shares are not safe, as long as the user has access to it’s contents. This elevates ransomware to a high business risk.

In order to mitigate the risk in Microsoft Windows environments a couple of built in technologies help to achieve a safer Corporate-IT.

A couple of days ago I stumbled over a promising technique – published by Matt Hopton. But it involves some manually performed actions. Let’s add some PowerShell magic 🙂

This script will

  • add FSRM Windows-Feature, if required
  • configure FSRM mail settings
  • get currently known ransomware file pattern list from ThePhoton (GitHub)
  • add file screen for path given
  • create file group update script
  • create update task

Just set the settings according to your need. You can run this script several times for different $ScreenPaths, if necessary.

If $AutoUpdate is set to $true, the script Update-FsrmKnownRansomware.ps1 will be run every day at 7am to update the FSRM file group with newest ransom ware file patterns.

Once a ransomware tries to save a file matching the known file group patterns all shares are set to block the originating user.

After cleaning the user’s computer, unblocking can be done by PowerShell, too:

For details see Matt Hopton’s blog post.

Please remember: You have to apply this on every file server and user accessible directory. It does not prevent the encryption of a user’s client computer, nor does it eliminate the risk of infection/loss of data. Script is given without any warranty.