Comprehensive data protection for all workloads
remko.de.koning
Enthusiast
Posts: 92
Liked: 18 times
Joined: May 21, 2014 12:15 pm
Full Name: Remko de Koning
Contact:

Ransomware prevention

Post by remko.de.koning » 4 people like this post

Hi guys,

This topic is not really Veeam related, but I wanted to comment on the many topics and posts about all the ransomware attacks.
Many of you (including Veeam) have provided many useful tips on how to deal with the ransomware attacks.

I would like to add one to the list. Perhaps already known, but I did not see any references on the forum.
Also, I would like to emphasize that this solution is not 100% airtight as new ransomware is being developed each day.

With the Windows File Server Resource Manager (FSRM) one can prevent, for example, .MP3 files being stored on the server, so I figured this might be doable with known Cryptolocker file extensions as well.
I did a search on Google and found a whole list of known file extensions and known ransomware notes out there.
The ransomware notes are the files that are put there with instructions on how to pay the ransom.

In the File Server Resource Manager two file groups were created in "File Screening Management":
KnownRansomWareExtensions and KnownRansomNoteFiles

I have attached my two file groups in this topic and these can be added by following this KB.
https://technet.microsoft.com/en-us/lib ... s.11).aspx

Then I created a File Screen Template which emails me when a file creation is detected and will do Passive Screening.
It is important to do Passive Screening first to be absolutely sure none of these file types belong to any of your regular files!
I have seen for example that the extension .CCC is a known ransomware file extension but is also used in Windows Server 2012 Data Deduplication!
Can you imagine what would happen if this is actively blocked!!!

The last step is to set the File Screen itself on a volume or folder. I would highly recommend using folders instead of volumes, as for example Server 2012 stores its Data Deduplication in the "System Volume Information" folder!

Now with the passive screening in place, create a report that scans the volume/folders for these known "FileGroups". This will give you a good picture of whether any of your regular files will be blocked once you set the File Screen from passive to active.
Depending on the size of your volume, this report may take a while to complete.

Once you are absolutely sure that none of your regular files will be blocked by these file screens you can switch from passive to active screening.

Again, this method is not 100% airtight. New file extensions may already be out there, but it might be an extra step in the protection of your files.

Note: I just realized that it is not possible to attach files.
Below you will find the .xml files as text.

KnownRansomwareExtensions.xml

Code:

<?xml version="1.0" ?>
<Root >
  <Header DatabaseVersion = '2.0' ></Header>
  <QuotaTemplates ></QuotaTemplates>
  <DatascreenTemplates ></DatascreenTemplates>
  <FileGroups >
    <FileGroup Name = 'KnownRansomWareExtensions' Id = '{CFF0DB4F-1913-487E-A95B-1F7322B62383}' Description = '' >
      <Members >
        <Pattern PatternValue = '*.0x0' ></Pattern>
        <Pattern PatternValue = '*.1999' ></Pattern>
        <Pattern PatternValue = '*.CTB2' ></Pattern>
        <Pattern PatternValue = '*.CTBL' ></Pattern>
        <Pattern PatternValue = '*.EnCiPhErEd' ></Pattern>
        <Pattern PatternValue = '*.HA3' ></Pattern>
        <Pattern PatternValue = '*.LeChiffre' ></Pattern>
        <Pattern PatternValue = '*.OMG!' ></Pattern>
        <Pattern PatternValue = '*.R16M01D05' ></Pattern>
        <Pattern PatternValue = '*.RDM' ></Pattern>
        <Pattern PatternValue = '*.RRK' ></Pattern>
        <Pattern PatternValue = '*.SUPERCRYPT' ></Pattern>
        <Pattern PatternValue = '*.XRNT' ></Pattern>
        <Pattern PatternValue = '*.XTBL' ></Pattern>
        <Pattern PatternValue = '*._crypt' ></Pattern>
        <Pattern PatternValue = '*.aaa' ></Pattern>
        <Pattern PatternValue = '*.abc' ></Pattern>
        <Pattern PatternValue = '*.bleep' ></Pattern>
        <Pattern PatternValue = '*.ccc' ></Pattern>
        <Pattern PatternValue = '*.crinf' ></Pattern>
        <Pattern PatternValue = '*.crjoker' ></Pattern>
        <Pattern PatternValue = '*.crypt' ></Pattern>
        <Pattern PatternValue = '*.crypto' ></Pattern>
        <Pattern PatternValue = '*.ecc' ></Pattern>
        <Pattern PatternValue = '*.encrypted' ></Pattern>
        <Pattern PatternValue = '*.encryptedRSA' ></Pattern>
        <Pattern PatternValue = '*.exx' ></Pattern>
        <Pattern PatternValue = '*.ezz' ></Pattern>
        <Pattern PatternValue = '*.good' ></Pattern>
        <Pattern PatternValue = '*.keybtc@inbox_com' ></Pattern>
        <Pattern PatternValue = '*.locked' ></Pattern>
        <Pattern PatternValue = '*.locky' ></Pattern>
        <Pattern PatternValue = '*.lol' ></Pattern>
        <Pattern PatternValue = '*.lol!' ></Pattern>
        <Pattern PatternValue = '*.magic' ></Pattern>
        <Pattern PatternValue = '*.micro' ></Pattern>
        <Pattern PatternValue = '*.pzdc' ></Pattern>
        <Pattern PatternValue = '*.r5a' ></Pattern>
        <Pattern PatternValue = '*.toxcrypt' ></Pattern>
        <Pattern PatternValue = '*.ttt' ></Pattern>
        <Pattern PatternValue = '*.vault' ></Pattern>
        <Pattern PatternValue = '*.vvv' ></Pattern>
        <Pattern PatternValue = '*.xxx' ></Pattern>
        <Pattern PatternValue = '*.xyz' ></Pattern>
        <Pattern PatternValue = '*.zzz' ></Pattern>
      </Members>
      <NonMembers ></NonMembers>
    </FileGroup>
  </FileGroups>
</Root>
KnownRansomNoteFiles

Code:

<?xml version="1.0" ?>
<Root >
  <Header DatabaseVersion = '2.0' ></Header>
  <QuotaTemplates ></QuotaTemplates>
  <DatascreenTemplates ></DatascreenTemplates>
  <FileGroups >
    <FileGroup Name = 'KnownRansomNoteFiles' Id = '{22B1E888-EC0E-408A-80D9-DE4471569643}' Description = '' >
      <Members >
        <Pattern PatternValue = 'About_Files.txt' ></Pattern>
        <Pattern PatternValue = 'Coin.Locker.txt' ></Pattern>
        <Pattern PatternValue = 'DECRYPT_INSTRUCTION.TXT' ></Pattern>
        <Pattern PatternValue = 'DECRYPT_INSTRUCTIONS.TXT' ></Pattern>
        <Pattern PatternValue = 'DECRYPT_ReadMe.TXT' ></Pattern>
        <Pattern PatternValue = 'DecryptAllFiles.txt' ></Pattern>
        <Pattern PatternValue = 'FILESAREGONE.TXT' ></Pattern>
        <Pattern PatternValue = 'HELLOTHERE.TXT' ></Pattern>
        <Pattern PatternValue = 'HELPDECRYPT.TXT' ></Pattern>
        <Pattern PatternValue = 'HELPDECYPRT_YOUR_FILES.HTML' ></Pattern>
        <Pattern PatternValue = 'HELP_RECOVER_FILES.txt' ></Pattern>
        <Pattern PatternValue = 'HELP_RESTORE_FILES.txt' ></Pattern>
        <Pattern PatternValue = 'HELP_TO_DECRYPT_YOUR_FILES.txt' ></Pattern>
        <Pattern PatternValue = 'HELP_TO_SAVE_FILES.txt' ></Pattern>
        <Pattern PatternValue = 'HELP_YOUR_FILES.TXT' ></Pattern>
        <Pattern PatternValue = 'HOW_TO_DECRYPT_FILES.TXT' ></Pattern>
        <Pattern PatternValue = 'Help_Decrypt.txt' ></Pattern>
        <Pattern PatternValue = 'How_To_Recover_Files.txt' ></Pattern>
        <Pattern PatternValue = 'HowtoRESTORE_FILES.txt' ></Pattern>
        <Pattern PatternValue = 'Howto_Restore_FILES.TXT' ></Pattern>
        <Pattern PatternValue = 'IAMREADYTOPAY.TXT' ></Pattern>
        <Pattern PatternValue = 'IHAVEYOURSECRET.KEY' ></Pattern>
        <Pattern PatternValue = 'INSTRUCCIONES_DESCIFRADO.TXT' ></Pattern>
        <Pattern PatternValue = 'READTHISNOW!!!.TXT' ></Pattern>
        <Pattern PatternValue = 'RECOVERY_FILE*.txt' ></Pattern>
        <Pattern PatternValue = 'RECOVERY_FILE.TXT' ></Pattern>
        <Pattern PatternValue = 'RECOVERY_FILES.txt' ></Pattern>
        <Pattern PatternValue = 'RECOVERY_KEY.txt' ></Pattern>
        <Pattern PatternValue = 'ReadDecryptFilesHere.txt' ></Pattern>
        <Pattern PatternValue = 'SECRET.KEY' ></Pattern>
        <Pattern PatternValue = 'SECRETIDHERE.KEY' ></Pattern>
        <Pattern PatternValue = 'YOUR_FILES.HTML' ></Pattern>
        <Pattern PatternValue = 'YOUR_FILES.url' ></Pattern>
        <Pattern PatternValue = '_Locky_recover_instructions.txt' ></Pattern>
        <Pattern PatternValue = '_how_recover.txt' ></Pattern>
        <Pattern PatternValue = '_secret_code.txt' ></Pattern>
        <Pattern PatternValue = 'encryptor_raas_readme_liesmich.txt' ></Pattern>
        <Pattern PatternValue = 'help_decrypt_your_files.html' ></Pattern>
        <Pattern PatternValue = 'help_recover_instructions*.txt' ></Pattern>
        <Pattern PatternValue = 'howrecover*.txt' ></Pattern>
        <Pattern PatternValue = 'howto_recover_file.txt' ></Pattern>
        <Pattern PatternValue = 'recoverfile*.txt' ></Pattern>
        <Pattern PatternValue = 'recoveryfile*.txt' ></Pattern>
        <Pattern PatternValue = 'restorefiles.txt' ></Pattern>
      </Members>
      <NonMembers ></NonMembers>
    </FileGroup>
  </FileGroups>
</Root>
Note2: @Veeam: I noticed that posting a new topic is almost impossible when using a cloud based proxy server. Every time I hit "submit" I need to log on again and lose the text I typed. I had to disable the proxy in order to get this posted.
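The passive-first workflow described in the post, as an added example built with the FileServerResourceManager PowerShell module (Windows Server 2012 and later); this is not the original poster's code. The share path, the admin mailbox and the small subset of patterns are assumptions (the full lists are in the XML above), and FSRM's SMTP settings are assumed to be configured already.

```powershell
# Added example: FSRM ransomware screening, passive first, then active.
Import-Module FileServerResourceManager

$sharePath = 'D:\Shares\Users'     # assumed: screen share folders, never a whole volume
$adminMail = 'admin@example.com'   # assumed: FSRM SMTP server/from address already set

# 1. File groups. Subset of the posted patterns; extend from the XML lists above.
New-FsrmFileGroup -Name 'KnownRansomWareExtensions' `
    -IncludePattern '*.locky','*.crypt','*.encrypted','*.vault','*.XTBL','*.ecc' `
    -Description 'File extensions written by known ransomware'
New-FsrmFileGroup -Name 'KnownRansomNoteFiles' `
    -IncludePattern 'DECRYPT_INSTRUCTION.TXT','Help_Decrypt.txt',
                    '_Locky_recover_instructions.txt','howrecover*.txt' `
    -Description 'Ransom note files dropped next to encrypted data'

# 2. Notification: e-mail the admin, throttled to one mail per 10 minutes per screen.
#    The [..] tokens are FSRM notification variables filled in at event time.
$mail = New-FsrmAction -Type Email -MailTo $adminMail `
    -Subject 'FSRM: ransomware pattern written on [Server]' `
    -Body 'User [Source Io Owner] created [Source File Path] matching [Violated File Group]' `
    -RunLimitInterval 10

# 3. Template WITHOUT the -Active switch = passive screening: notify only, never block.
New-FsrmFileScreenTemplate -Name 'RansomwareWatch' `
    -IncludeGroup 'KnownRansomWareExtensions','KnownRansomNoteFiles' `
    -Notification $mail

# 4. Apply the template to the share folder, not the volume root, so the dedup
#    chunk store under "System Volume Information" (which uses .ccc) is not covered.
New-FsrmFileScreen -Path $sharePath -Template 'RansomwareWatch'

# 5. Files-by-file-group report: every existing file that WOULD be blocked once
#    the screen is active. Runs now (-Interactive) and mails the result.
New-FsrmStorageReport -Name 'RansomwarePatternAudit' -Namespace $sharePath `
    -ReportType FilesByFileGroup `
    -FileGroupIncluded 'KnownRansomWareExtensions','KnownRansomNoteFiles' `
    -Interactive -MailTo $adminMail

# 6. Only after the report shows no legitimate hits, flip the screen to active:
# Set-FsrmFileScreen -Path $sharePath -Active
```

Review the report output for legitimate matches (the .ccc / Data Deduplication collision the post mentions is exactly what step 5 surfaces) before running step 6.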
jmmarton
Veeam Software
Posts: 2092
Liked: 309 times
Joined: Nov 17, 2015 2:38 am
Full Name: Joe Marton
Location: Chicago, IL
Contact:

Re: Ransomware prevention

Post by jmmarton » 1 person likes this post

remko.de.koning wrote: Note2: @Veeam: I noticed that posting a new topic is almost impossible when using a cloud based proxy server. Every time I hit "submit" I need to log on again and lose the text I typed. I had to disable the proxy in order to get this posted.
I don't know what's causing that, but here's one general tip I have from posting in forums over the years and having various posts lost due to issues like that. Whenever I type a long post, before hitting submit I copy the entire post to the clipboard. That way, if I have to sign in again and lose the post, I can simply paste the entire post back in and quickly hit submit before running into any sort of timeout issue.

Joe
DarrenToews
Influencer
Posts: 23
Liked: 6 times
Joined: Jun 29, 2015 4:37 pm
Full Name: Darren Toews
Contact:

Re: Ransomware prevention

Post by DarrenToews » 1 person likes this post

This looks like a great idea that can give an extra layer of protection, without incurring additional costs since it's part of any Windows file server from 2008 and up.

One question. In an enterprise environment with multiple sites and many file servers, it would be ideal to centrally manage this. From what I understand, FSRM cannot be managed via group policy. Have you (or anyone else using this technique) found a way to implement this across multiple servers easily? Can updates to the known bad file types list be done via scripting or some other automated method?

Thanks for the great idea.
alanbolte
Veteran
Posts: 635
Liked: 174 times
Joined: Jun 18, 2012 8:58 pm
Full Name: Alan Bolte
Contact:

Re: Ransomware prevention

Post by alanbolte » 1 person likes this post

jmmarton wrote:I don't know what's causing that, but here's one general tip I have from posting in forums over the years and having various posts lost due to issues like that. Whenever I type a long post, before hitting submit I copy the entire post to the clipboard. That way, if I have to sign in again and lose the post, I can simply paste the entire post back in and quickly hit submit before running into any sort of timeout issue.
I use a Chrome extension called Lazarus.
remko.de.koning
Enthusiast
Posts: 92
Liked: 18 times
Joined: May 21, 2014 12:15 pm
Full Name: Remko de Koning
Contact:

Re: Ransomware prevention

Post by remko.de.koning »

DarrenToews wrote:This looks like a great idea that can give an extra layer of protection, without incurring additional costs since it's part of any Windows file server from 2008 and up.

One question. In an enterprise environment with multiple sites and many file servers, it would be ideal to centrally manage this. From what I understand, FSRM cannot be managed via group policy. Have you (or anyone else using this technique) found a way to implement this across multiple servers easily? Can updates to the known bad file types list be done via scripting or some other automated method?

Thanks for the great idea.
Thanks... You are welcome :D
You can import the .xml files using a command-line tool called filescrn. I guess with some scripting you could import this file on all your servers.
A centralized option (GPO) would be nice though.
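Added example (not from either poster) of the scripted roll-out described above: the two posted .xml file groups are imported on a list of file servers with filescrn.exe's /remote switch, then each server is checked with the FSRM cmdlets. Server names and the local .xml paths are assumptions; the account running it must be an FSRM administrator on every target.

```powershell
# Added example: push the posted file groups to several file servers and verify.
Import-Module FileServerResourceManager

$servers = 'FS01', 'FS02', 'FS03'                  # assumed server names
$groups  = @{                                      # assumed local paths to the posted XML
    'KnownRansomWareExtensions' = 'C:\FSRM\KnownRansomwareExtensions.xml'
    'KnownRansomNoteFiles'      = 'C:\FSRM\KnownRansomNoteFiles.xml'
}

foreach ($server in $servers) {
    foreach ($name in $groups.Keys) {
        # /overwrite replaces a group of the same name, so re-running the script
        # after the pattern list has been updated simply refreshes every server.
        & filescrn.exe filegroup import /file:$($groups[$name]) /filegroup:$name `
            /remote:$server /overwrite
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "$server : import of $name failed (exit code $LASTEXITCODE)"
        }
    }

    # Confirm the patterns actually landed on the remote server.
    Get-FsrmFileGroup -CimSession $server |
        Where-Object Name -like 'KnownRansom*' |
        Select-Object PSComputerName, Name,
            @{ Name = 'Patterns'; Expression = { $_.IncludePattern.Count } }
}
```

A server whose pattern count does not match the XML (45 and 44 entries respectively) did not take the import and should be investigated before its screen is switched to active.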
coreyfire
Novice
Posts: 4
Liked: never
Joined: Sep 30, 2016 11:26 pm
Full Name: Corey Bussard
Contact:

Re: Ransomware prevention

Post by coreyfire »

Really awesome write up!

I will review this for implementation!

Thanks again!
Vitaliy S.
VP, Product Management
Posts: 27055
Liked: 2710 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov
Contact:

Re: Ransomware prevention

Post by Vitaliy S. » 6 people like this post

I can only agree with the comments, it is really a very useful tip.

My 2 cents: in Veeam ONE 9.5 we will have a predefined ransomware detection alarm. This new alarm will notify users if monitored VMs are experiencing abnormal CPU usage and high write rates on the datastore due to potential ransomware activity. If you're already using Veeam ONE, then it can be a good driver for updating.
Spex
Enthusiast
Posts: 51
Liked: 2 times
Joined: May 09, 2012 12:52 pm
Full Name: Stefan Holzwarth
Contact:

Re: Ransomware prevention

Post by Spex »

In our FSRM environment we use email notification and a cmd script that is triggered when FSRM finds a malware extension.
The script gets the IP address for the reported user and stops all computer activity from this node by shutting it down and disabling the Active Directory object.
This way there is only a gap of seconds between the start of activity and its detection.
jjwbruin
Novice
Posts: 3
Liked: 2 times
Joined: Oct 21, 2014 9:59 am
Full Name: Jeroen Bruin
Contact:

Re: Ransomware prevention

Post by jjwbruin » 1 person likes this post

Thank you for this post.
After reading this post and googling some more I found the following site:
https://fsrm.experiant.ca/
Here you can get the latest filegroups and an easy installation guide.
Keep in mind that the ccc file is added in this filegroup. You can manually delete this if you want.
remko.de.koning
Enthusiast
Posts: 92
Liked: 18 times
Joined: May 21, 2014 12:15 pm
Full Name: Remko de Koning
Contact:

Re: Ransomware prevention

Post by remko.de.koning »

Thanks Jeroen, using PowerShell to update these FileGroups is a very useful addition. Much appreciated!
DarrenToews
Influencer
Posts: 23
Liked: 6 times
Joined: Jun 29, 2015 4:37 pm
Full Name: Darren Toews
Contact:

Re: Ransomware prevention

Post by DarrenToews »

Vitaliy S. wrote:I can only agree with the comments, it is really a very useful tip.

My 2 cents: in Veeam ONE 9.5 we will have a predefined ransomware detection alarm. This new alarm will notify users if monitored VMs are experiencing abnormal CPU usage and high write rates on the datastore due to potential ransomware activity. If you're already using Veeam ONE, then it can be a good driver for updating.
This is great stuff! However we are using Veeam MP for SCOM ... does it have similar functionality?
DarrenToews
Influencer
Posts: 23
Liked: 6 times
Joined: Jun 29, 2015 4:37 pm
Full Name: Darren Toews
Contact:

Re: Ransomware prevention

Post by DarrenToews »

jjwbruin wrote:Thank you for this post.
After reading this post and googling some more I found the following site:
https://fsrm.experiant.ca/
Here you can get the latest filegroups and an easy installation guide.
Keep in mind that the ccc file is added in this filegroup. You can manually delete this if you want.
Wow. Great find! Thanks for sharing.
albertwt
Veeam Legend
Posts: 879
Liked: 46 times
Joined: Nov 05, 2009 12:24 pm
Location: Sydney, NSW
Contact:

Re: Ransomware prevention

Post by albertwt »

Vitaliy S. wrote:I can only agree with the comments, it is really a very useful tip.

My 2 cents: in Veeam ONE 9.5 we will have a predefined ransomware detection alarm. This new alarm will notify users if monitored VMs are experiencing abnormal CPU usage and high write rates on the datastore due to potential ransomware activity. If you're already using Veeam ONE, then it can be a good driver for updating.
Hi Vitaliy,

When is Veeam ONE 9.5 going to be released?
--
/* Veeam software enthusiast user & supporter ! */
veremin
Product Manager
Posts: 20270
Liked: 2252 times
Joined: Oct 26, 2012 3:28 pm
Full Name: Vladimir Eremin
Contact:

Re: Ransomware prevention

Post by veremin »

Along with VB&R 9.5. Thanks.
Gostev
Chief Product Officer
Posts: 31457
Liked: 6648 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Ransomware prevention

Post by Gostev » 1 person likes this post

Available now!
