Stop Cryptolocker from Hitting Windows File Shares with FSRM

Imagine this - you have thousands of users across dozens of departments, all having their own set of file shares that are set up as mapped drives, and all users have full read/write access to their drives. Now a user gets infected with whatever variant of Cryptolocker is currently going around and starts encrypting all mapped drives...and no one realizes anything is amiss until the next morning when you find hundreds of gigs worth of encrypted files.

It's a scenario that has played out too many times in the past year. Despite knowing best security practices and discouraging the use of mapped drives, user convenience always seems to take precedence. So what can you do to stop this from happening, or at the very least know that it's happening sooner?

Well in steps Windows File Server Resource Manager! There are several paid programs out there that claim to be able to watch and observe normal disk I/O and sense if something is going on - but I'd rather configure something free and without any "black box logic" going on.

In the instructions below, I will show you how to install and configure FSRM to watch shared folders and to take action if suspicious activity is detected. This will work on Windows Server 2008R2 and up. We will assume we have a folder located at C:\MySharedFolder and is shared as \\servername\share$

STEP 1 - Install FSRM
The first step is to get the File Server Resource Manager feature installed on the server. The quickest way to do this is to install it via command line.

For Windows Server 2012 and 2012R2:

Install-WindowsFeature –Name FS-Resource-Manager –IncludeManagementTools

For Windows Server 2008R2:

Add-WindowsFeature FS-FileServer,FS-Resource-Manager


STEP 2 - Configure Email
The first thing to configure is how the server will send email. Go to Control Panel -> Administrative Tools and launch the File Server Resource Manager tools. When loaded, right click at the top of the tree on the left pane and choose Configure Options.

Fill in your SMTP server, the default email address you want to send to, and the from address that the server will use.


NOTE: I ran into a big issue where I was not able to send via my Exchange server. It turns out the server AD account is used and must have "Send As" permissions. I wrote up a quick tip here showing how to configure if using Exchange.

STEP 3 - Create New File Group
Once email is configured, expand the File Screen Management tree and click on File Groups. Click Create File Group in the right pane.

We will create a file group called all files that will include (you guessed it...) all files EXCEPT a file called do_not_modify_or_delete.txt

STEP 4 - Create File Screen Template
In the left pane, select File Screen Template and create a new template. Choose a name for it (like "detectchanges"), select "Passive screening", and check the box next to the "all files" file group you created.


Go to the Email Message tab and enable email message alerts. This will send you an email the moment the folder we choose in the next step gets changed.

OPTIONALLY, you can have a program/command run by going to the command tab and entering it there. In my case, I'm going to fill in the values (see below image) to perform a net stop lanmanserver /y, which stops the service that is responsible for file sharing. This may be too extreme depending on your environment so that's up to you.


Click OK.

STEP 5 - Prepare Folder
Before we apply the file screen, navigate to the shared folder directory that you want to protect. Enter the directory and create a new folder called _do not delete - the underscore at the beginning will cause the folder to be sorted first alphabetically, so Cryptolocker will hit this folder first.


Inside the folder, create a text document called do_not_modify_or_delete.txt


STEP 6 - Apply the File Screen
In the left pane, select File Screens and create a new one. Select the _do not delete you just created and choose the detectchanges file screen template from the dropdown.


Then click Create.

At this point, you should now have everything set up. If this shared folder were to get hit by cryptolocker, the _do not delete folder will get hit first. Typically Cryptolocker will change the file extension to something different (like .ecc or .xyz) which will trigger the file screen. At the very least, it will send an email alerting you to the file change and you can investigate. If you added the command to shut down the file sharing service, the server shares will immediately be shut down to prevent any further encryption. Based on my experiences, the whole triggering process completes in about 5 seconds.

By utilizing FSRM, you will be able to significantly reduce the impact an infection has on your environment and hopefully eliminate the need to restore files from backup.

Got any other tips or suggestions? Leave them in the comments below!

comments powered by Disqus