Ransomware prevention

by remko.de.koning » Mon Jun 13, 2016 9:02 am 4 people like this post

Hi guys,

This topic is not really Veeam related, but I wanted to comment on the many topics and posts about all the ransomware attacks.
Many of you (including Veeam) have provided many useful tips on how to deal with the ransomware attacks.

I would like to add one to the list. Perhaps already known, but I did not see any references on the forum.
Also, I would like to emphasize that this solution is not 100% airtight, as new ransomware is being developed each day.

With the Windows File Server Resource Manager (FSRM) one can prevent, for example, .MP3 files being stored on the server, so I figured this might be doable with known Cryptolocker file extensions as well.
I did a search on Google and found a whole list of known file extensions and known ransomware notes out there.
The ransomware notes are the files that are put there with instructions on how to pay the ransom.

In the fileserver resource manager two file groups were created in the "File Screening Management".
KnownRansomWareExtensions and KnownRansomNoteFiles

I have attached my two filegroups in this topic and these can be added by following this KB.
https://technet.microsoft.com/en-us/lib ... 27(v=ws.11).aspx

Then I created a File Screen Template which emails me when a file creation is detected and does Passive Screening.
It is important to do Passive Screening first to be absolutely sure none of these file types belong to any of your regular files!
I have seen, for example, that the extension .CCC is a known ransomware file extension but is also used in Windows Server 2012 Data Deduplication!
Can you imagine what would happen if this were actively blocked!!!

The last step is to set the File Screen itself on a volume or folder. I would highly recommend using folders instead of volumes, as for example Server 2012 stores its Data Deduplication in the "System Volume Information" folder!

Now with the passive screening in place, create a report that scans the volume/folders for these known "FileGroups". This will give you a good picture of whether any of your regular files will be blocked once you set the File Screen from passive to active.
Depending on the size of your volume, this report may take a while to complete.

Once you are absolutely sure that none of your regular files will be blocked by these filescreens you can switch from passive to active screening.

Again, this method is not 100% airtight. New file extensions may already be out there, but it might be an extra step in the protection of your files.

Note: I just realized that it is not possible to attach files.
Below you will find the .xml files in text

KnownRansomwareExtensions.xml
Code:
<?xml version="1.0" ?>
<Root>
  <Header DatabaseVersion='2.0' />
  <QuotaTemplates />
  <DatascreenTemplates />
  <FileGroups>
    <FileGroup Name='KnownRansomWareExtensions' Id='{CFF0DB4F-1913-487E-A95B-1F7322B62383}' Description=''>
      <Members>
        <Pattern PatternValue='*.0x0' />
        <Pattern PatternValue='*.1999' />
        <Pattern PatternValue='*.CTB2' />
        <Pattern PatternValue='*.CTBL' />
        <Pattern PatternValue='*.EnCiPhErEd' />
        <Pattern PatternValue='*.HA3' />
        <Pattern PatternValue='*.LeChiffre' />
        <Pattern PatternValue='*.OMG!' />
        <Pattern PatternValue='*.R16M01D05' />
        <Pattern PatternValue='*.RDM' />
        <Pattern PatternValue='*.RRK' />
        <Pattern PatternValue='*.SUPERCRYPT' />
        <Pattern PatternValue='*.XRNT' />
        <Pattern PatternValue='*.XTBL' />
        <Pattern PatternValue='*._crypt' />
        <Pattern PatternValue='*.aaa' />
        <Pattern PatternValue='*.abc' />
        <Pattern PatternValue='*.bleep' />
        <Pattern PatternValue='*.ccc' />
        <Pattern PatternValue='*.crinf' />
        <Pattern PatternValue='*.crjoker' />
        <Pattern PatternValue='*.crypt' />
        <Pattern PatternValue='*.crypto' />
        <Pattern PatternValue='*.ecc' />
        <Pattern PatternValue='*.encrypted' />
        <Pattern PatternValue='*.encryptedRSA' />
        <Pattern PatternValue='*.exx' />
        <Pattern PatternValue='*.ezz' />
        <Pattern PatternValue='*.good' />
        <Pattern PatternValue='*.keybtc@inbox_com' />
        <Pattern PatternValue='*.locked' />
        <Pattern PatternValue='*.locky' />
        <Pattern PatternValue='*.lol' />
        <Pattern PatternValue='*.lol!' />
        <Pattern PatternValue='*.magic' />
        <Pattern PatternValue='*.micro' />
        <Pattern PatternValue='*.pzdc' />
        <Pattern PatternValue='*.r5a' />
        <Pattern PatternValue='*.toxcrypt' />
        <Pattern PatternValue='*.ttt' />
        <Pattern PatternValue='*.vault' />
        <Pattern PatternValue='*.vvv' />
        <Pattern PatternValue='*.xxx' />
        <Pattern PatternValue='*.xyz' />
        <Pattern PatternValue='*.zzz' />
      </Members>
      <NonMembers />
    </FileGroup>
  </FileGroups>
</Root>


KnownRansomNoteFiles.xml
Code:
<?xml version="1.0" ?>
<Root>
  <Header DatabaseVersion='2.0' />
  <QuotaTemplates />
  <DatascreenTemplates />
  <FileGroups>
    <FileGroup Name='KnownRansomNoteFiles' Id='{22B1E888-EC0E-408A-80D9-DE4471569643}' Description=''>
      <Members>
        <Pattern PatternValue='About_Files.txt' />
        <Pattern PatternValue='Coin.Locker.txt' />
        <Pattern PatternValue='DECRYPT_INSTRUCTION.TXT' />
        <Pattern PatternValue='DECRYPT_INSTRUCTIONS.TXT' />
        <Pattern PatternValue='DECRYPT_ReadMe.TXT' />
        <Pattern PatternValue='DecryptAllFiles.txt' />
        <Pattern PatternValue='FILESAREGONE.TXT' />
        <Pattern PatternValue='HELLOTHERE.TXT' />
        <Pattern PatternValue='HELPDECRYPT.TXT' />
        <Pattern PatternValue='HELPDECYPRT_YOUR_FILES.HTML' />
        <Pattern PatternValue='HELP_RECOVER_FILES.txt' />
        <Pattern PatternValue='HELP_RESTORE_FILES.txt' />
        <Pattern PatternValue='HELP_TO_DECRYPT_YOUR_FILES.txt' />
        <Pattern PatternValue='HELP_TO_SAVE_FILES.txt' />
        <Pattern PatternValue='HELP_YOUR_FILES.TXT' />
        <Pattern PatternValue='HOW_TO_DECRYPT_FILES.TXT' />
        <Pattern PatternValue='Help_Decrypt.txt' />
        <Pattern PatternValue='How_To_Recover_Files.txt' />
        <Pattern PatternValue='HowtoRESTORE_FILES.txt' />
        <Pattern PatternValue='Howto_Restore_FILES.TXT' />
        <Pattern PatternValue='IAMREADYTOPAY.TXT' />
        <Pattern PatternValue='IHAVEYOURSECRET.KEY' />
        <Pattern PatternValue='INSTRUCCIONES_DESCIFRADO.TXT' />
        <Pattern PatternValue='READTHISNOW!!!.TXT' />
        <Pattern PatternValue='RECOVERY_FILE*.txt' />
        <Pattern PatternValue='RECOVERY_FILE.TXT' />
        <Pattern PatternValue='RECOVERY_FILES.txt' />
        <Pattern PatternValue='RECOVERY_KEY.txt' />
        <Pattern PatternValue='ReadDecryptFilesHere.txt' />
        <Pattern PatternValue='SECRET.KEY' />
        <Pattern PatternValue='SECRETIDHERE.KEY' />
        <Pattern PatternValue='YOUR_FILES.HTML' />
        <Pattern PatternValue='YOUR_FILES.url' />
        <Pattern PatternValue='_Locky_recover_instructions.txt' />
        <Pattern PatternValue='_how_recover.txt' />
        <Pattern PatternValue='_secret_code.txt' />
        <Pattern PatternValue='encryptor_raas_readme_liesmich.txt' />
        <Pattern PatternValue='help_decrypt_your_files.html' />
        <Pattern PatternValue='help_recover_instructions*.txt' />
        <Pattern PatternValue='howrecover*.txt' />
        <Pattern PatternValue='howto_recover_file.txt' />
        <Pattern PatternValue='recoverfile*.txt' />
        <Pattern PatternValue='recoveryfile*.txt' />
        <Pattern PatternValue='restorefiles.txt' />
      </Members>
      <NonMembers />
    </FileGroup>
  </FileGroups>
</Root>


Note2: @Veeam: I noticed that posting a new topic is almost impossible when using a cloud-based proxy server. Every time I hit "submit" I need to log on again and lose the text I typed. I had to disable the proxy in order to get this posted.
remko.de.koning
Enthusiast
 
Posts: 73
Liked: 13 times
Joined: Wed May 21, 2014 12:15 pm
Full Name: Remko de Koning
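The procedure from the post, written as an added PowerShell example that is not Remko's code nor Microsoft's: the file groups, the passive template with an e-mail notification, the screen on a folder, and a dry-run check before switching to active. The share path and the handful of patterns (taken from the two lists in the post) are assumptions, the `[...]` placeholders are FSRM notification macros, and `Find-ScreenCollisions` is my own pre-flight check, not an FSRM feature.

```powershell
# Added example (not from the post). Requires the FSRM role and its module (Windows Server 2012+).
Import-Module FileServerResourceManager

# Constructed values: a few patterns from the post's lists and a sample share path.
$Extensions = '*.locky', '*.crypt', '*.encrypted', '*.vvv', '*.ccc'   # .ccc also used by Data Deduplication!
$Notes      = 'DECRYPT_INSTRUCTION.TXT', '_Locky_recover_instructions.txt', 'Help_Decrypt.txt'
$SharePath  = 'D:\Shares\Users'   # screen a folder, not the whole volume (see the post)
$Groups     = [ordered]@{ KnownRansomWareExtensions = $Extensions; KnownRansomNoteFiles = $Notes }

# 1. Create the two file groups (idempotent: skip groups that already exist).
foreach ($g in $Groups.GetEnumerator()) {
    if (-not (Get-FsrmFileGroup -Name $g.Key -ErrorAction SilentlyContinue)) {
        New-FsrmFileGroup -Name $g.Key -IncludePattern $g.Value | Out-Null
    }
}

# 2. E-mail notification; [Admin Email], [Server], [Source Io Owner] etc. are FSRM macros
#    expanded at event time. RunLimitInterval throttles mail to one per 10 minutes.
$Mail = New-FsrmAction -Type Email -MailTo '[Admin Email]' `
    -Subject 'Ransomware pattern written on [Server]' `
    -Body 'User [Source Io Owner] wrote [Source File Path] (file group: [Violated File Group])' `
    -RunLimitInterval 10

# 3. Template without -Active is PASSIVE: it notifies but does not block.
New-FsrmFileScreenTemplate -Name 'RansomwareMonitor' `
    -IncludeGroup @($Groups.Keys) -Notification $Mail | Out-Null
New-FsrmFileScreen -Path $SharePath -Template 'RansomwareMonitor' | Out-Null

# 4. Dry run: list files already on disk that the screen would block once active.
#    This is the same question the post's FSRM report answers, done with a plain directory walk.
function Find-ScreenCollisions([string]$Path, [string[]]$GroupNames) {
    $patterns = $GroupNames | ForEach-Object { (Get-FsrmFileGroup -Name $_).IncludePattern }
    Get-ChildItem -Path $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $name = $_.Name; $patterns | Where-Object { $name -like $_ } } |  # -like is case-insensitive, as FSRM is
        Select-Object FullName
}

# 5. Only flip the screen to active when nothing legitimate matches.
$hits = Find-ScreenCollisions -Path $SharePath -GroupNames @($Groups.Keys)
if ($hits) {
    $hits
    Write-Warning 'Legitimate files match a pattern; fix the file groups before enabling active screening.'
} else {
    Set-FsrmFileScreen -Path $SharePath -Active   # passive -> active: matching writes are now denied
}
```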

Re: Ransomware prevention

by jmmarton » Mon Jun 13, 2016 1:52 pm 1 person likes this post

remko.de.koning wrote:Note2: @Veeam: I noticed that posting a new topic is almost impossible when using a cloud-based proxy server. Every time I hit "submit" I need to log on again and lose the text I typed. I had to disable the proxy in order to get this posted.


I don't know what's causing that, but here's one general tip I have from posting in forums over the years and having various posts lost due to issues like that. Whenever I type a long post, before hitting submit I copy the entire post to the clipboard. That way, if I have to sign in again and lose the post, I can simply paste the entire post back in and quickly hit submit before running into any sort of timeout issue.

Joe
jmmarton
Veeam Software
 
Posts: 943
Liked: 101 times
Joined: Tue Nov 17, 2015 2:38 am
Location: Chicago, IL
Full Name: Joe Marton

Re: Ransomware prevention

by DarrenToews » Fri Oct 28, 2016 7:01 pm 1 person likes this post

This looks like a great idea that can give an extra layer of protection, without incurring additional costs since it's part of any Windows file server from 2008 and up.

One question. In an enterprise environment with multiple sites and many file servers, it would be ideal to centrally manage this. From what I understand, FSRM cannot be managed via group policy. Have you (or anyone else using this technique) found a way to implement this across multiple servers easily? Can updates to the known bad file types list be done via scripting or some other automated method?

Thanks for the great idea.
DarrenToews
Influencer
 
Posts: 10
Liked: 5 times
Joined: Mon Jun 29, 2015 4:37 pm
Full Name: Darren Toews

Re: Ransomware prevention

by alanbolte » Fri Oct 28, 2016 7:50 pm 1 person likes this post

jmmarton wrote:I don't know what's causing that, but here's one general tip I have from posting in forums over the years and having various posts lost due to issues like that. Whenever I type a long post, before hitting submit I copy the entire post to the clipboard. That way, if I have to sign in again and lose the post, I can simply paste the entire post back in and quickly hit submit before running into any sort of timeout issue.

I use a Chrome extension called Lazarus.
alanbolte
Expert
 
Posts: 635
Liked: 172 times
Joined: Mon Jun 18, 2012 8:58 pm
Full Name: Alan Bolte

Re: Ransomware prevention

by remko.de.koning » Mon Oct 31, 2016 7:52 am

DarrenToews wrote:This looks like a great idea that can give an extra layer of protection, without incurring additional costs since it's part of any Windows file server from 2008 and up.

One question. In an enterprise environment with multiple sites and many file servers, it would be ideal to centrally manage this. From what I understand, FSRM cannot be managed via group policy. Have you (or anyone else using this technique) found a way to implement this across multiple servers easily? Can updates to the known bad file types list be done via scripting or some other automated method?

Thanks for the great idea.


Thanks... You are welcome :D
You can import the .xml files using a command-line tool called filescrn. I guess with some scripting you could import this file on all your servers.
A centralized option (GPO) would be nice though.
remko.de.koning
Enthusiast
 
Posts: 73
Liked: 13 times
Joined: Wed May 21, 2014 12:15 pm
Full Name: Remko de Koning
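An added example of the scripted roll-out Remko hints at, answering Darren's question above; it is not from the thread. It copies the two .xml files from the first post to each file server and imports them with filescrn, then reads back the pattern counts so a central run can spot a server that did not update. Server names and local paths are constructed.

```powershell
# Added example (not from the thread): import the posted file groups on several file servers.
# Run from an admin host with WinRM access; Copy-Item -ToSession needs PowerShell 5.0+.
$Servers  = 'FS01', 'FS02', 'FS03'                                      # constructed names
$GroupXml = 'C:\FSRM\KnownRansomwareExtensions.xml', 'C:\FSRM\KnownRansomNoteFiles.xml'

$results = foreach ($srv in $Servers) {
    $session = New-PSSession -ComputerName $srv
    try {
        Copy-Item -Path $GroupXml -Destination 'C:\Windows\Temp\' -ToSession $session
        Invoke-Command -Session $session -ScriptBlock {
            foreach ($xml in Get-ChildItem 'C:\Windows\Temp\Known*.xml') {
                # /overwrite replaces a group of the same name, so re-running pushes list updates
                filescrn.exe filegroup import /file:$($xml.FullName) /overwrite | Out-Null
                Remove-Item $xml.FullName
            }
            # Report what this server now holds; a mismatch in Patterns between servers means a failed import
            Get-FsrmFileGroup | Where-Object Name -like 'Known*' |
                Select-Object @{ n = 'Server';   e = { $env:COMPUTERNAME } },
                              Name,
                              @{ n = 'Patterns'; e = { $_.IncludePattern.Count } }
        }
    } finally {
        Remove-PSSession $session
    }
}

$results | Format-Table Server, Name, Patterns -AutoSize
```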

Re: Ransomware prevention

by coreyfire » Mon Oct 31, 2016 1:11 pm

Really awesome write up!

I will review this for implementation!

Thanks again!
coreyfire
Novice
 
Posts: 4
Liked: never
Joined: Fri Sep 30, 2016 11:26 pm
Full Name: Corey Bussard

Re: Ransomware prevention

by Vitaliy S. » Tue Nov 01, 2016 11:23 am 6 people like this post

I can only agree with the comments, it is really a very useful tip.

My 2 cents: in Veeam ONE 9.5 we will have a predefined ransomware detection alarm. This new alarm will notify users if monitored VMs are experiencing abnormal CPU usage and high write rates on the datastore due to potential ransomware activity. If you're already using Veeam ONE, then it can be a good driver for updating.
Vitaliy S.
Veeam Software
 
Posts: 19966
Liked: 1145 times
Joined: Mon Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov

Re: Ransomware prevention

by Spex » Mon Nov 07, 2016 9:44 am

In our FSRM environment we use email notification and a cmd script that is triggered when FSRM finds a malware extension.
The script gets the IP address of the reported user and stops all computer activity from this node by shutting it down and disabling the Active Directory object.
This way there is only a gap of seconds between the start of the activity and its detection.
Spex
Enthusiast
 
Posts: 28
Liked: 1 time
Joined: Wed May 09, 2012 12:52 pm
Full Name: Stefan Holzwarth

Re: Ransomware prevention

by jjwbruin » Wed Nov 09, 2016 2:34 pm 1 person likes this post

Thank you for this post.
After reading this post and googling some more, I found the following site:
https://fsrm.experiant.ca/
Here you can get the latest file groups and an easy installation guide.
Keep in mind that the ccc extension is included in this file group. You can manually delete it if you want.
jjwbruin
Novice
 
Posts: 3
Liked: 2 times
Joined: Tue Oct 21, 2014 9:59 am
Full Name: Jeroen Bruin

Re: Ransomware prevention

by remko.de.koning » Wed Nov 09, 2016 2:53 pm

Thanks Jeroen, using PowerShell to update these FileGroups is a very useful addition. Much appreciated!
remko.de.koning
Enthusiast
 
Posts: 73
Liked: 13 times
Joined: Wed May 21, 2014 12:15 pm
Full Name: Remko de Koning

Re: Ransomware prevention

by DarrenToews » Mon Nov 14, 2016 9:33 pm

Vitaliy S. wrote:I can only agree with the comments, it is really a very useful tip.

My 2 cents: in Veeam ONE 9.5 we will have a predefined ransomware detection alarm. This new alarm will notify users if monitored VMs are experiencing abnormal CPU usage and high write rates on the datastore due to potential ransomware activity. If you're already using Veeam ONE, then it can be a good driver for updating.


This is great stuff! However we are using Veeam MP for SCOM ... does it have similar functionality?
DarrenToews
Influencer
 
Posts: 10
Liked: 5 times
Joined: Mon Jun 29, 2015 4:37 pm
Full Name: Darren Toews

Re: Ransomware prevention

by DarrenToews » Mon Nov 14, 2016 9:37 pm

jjwbruin wrote:Thank you for this post.
After reading this post and googling some more, I found the following site:
https://fsrm.experiant.ca/
Here you can get the latest file groups and an easy installation guide.
Keep in mind that the ccc extension is included in this file group. You can manually delete it if you want.


Wow. Great find! Thanks for sharing.
DarrenToews
Influencer
 
Posts: 10
Liked: 5 times
Joined: Mon Jun 29, 2015 4:37 pm
Full Name: Darren Toews

Re: Ransomware prevention

by albertwt » Tue Nov 15, 2016 12:30 am

Vitaliy S. wrote:I can only agree with the comments, it is really a very useful tip.

My 2 cents: in Veeam ONE 9.5 we will have a predefined ransomware detection alarm. This new alarm will notify users if monitored VMs are experiencing abnormal CPU usage and high write rates on the datastore due to potential ransomware activity. If you're already using Veeam ONE, then it can be a good driver for updating.


Hi Vitaliy,

When is Veeam ONE 9.5 going to be released?
--
/* Veeam software enthusiast user & supporter ! */
albertwt
Expert
 
Posts: 621
Liked: 20 times
Joined: Thu Nov 05, 2009 12:24 pm
Location: Sydney, NSW

Re: Ransomware prevention

by v.Eremin » Tue Nov 15, 2016 8:31 am

Along with VB&R 9.5. Thanks.
v.Eremin
Veeam Software
 
Posts: 13728
Liked: 1027 times
Joined: Fri Oct 26, 2012 3:28 pm
Full Name: Vladimir Eremin

Re: Ransomware prevention

by Gostev » Wed Nov 16, 2016 2:15 pm 1 person likes this post

Available now!
Gostev
Veeam Software
 
Posts: 21621
Liked: 2411 times
Joined: Sun Jan 01, 2006 1:01 am
Location: Baar, Switzerland