This topic is not really Veeam related, but I wanted to comment on the many topics and posts about all the ransomware attacks.
Many of you (including Veeam) have provided many useful tips on how to deal with ransomware attacks.
I would like to add one to the list. Perhaps already known, but I did not see any references on the forum.
Also, I would like to emphasize that this solution is not 100% airtight, as new ransomware is being developed each day.
With the Windows File Server Resource Manager (FSRM) one can prevent, for example, .MP3 files from being stored on the server, so I figured this might be doable with known CryptoLocker file extensions as well.
I did a search on Google and found a whole list of known file extensions and known ransom notes out there.
The ransom notes are the files that are put there with instructions on how to pay the ransom.
In the File Server Resource Manager, two file groups were created under "File Screening Management":
KnownRansomWareExtensions and KnownRansomNoteFiles
I have attached my two file groups to this topic; these can be added by following this KB:
https://technet.microsoft.com/en-us/lib ... s.11).aspx
Then I created a File Screen Template which emails me when a file creation is detected and does Passive Screening.
It is important to do Passive Screening first, to be absolutely sure none of these file types belong to any of your regular files!
I have seen, for example, that the extension .CCC is a known ransomware file extension but is also used by Windows Server 2012 Data Deduplication!
Can you imagine what would happen if this were actively blocked!!!
The last step is to set the File Screen itself on a volume or folder. I would highly recommend using folders instead of volumes, as for example Server 2012 stores its Data Deduplication data in the "System Volume Information" folder!
Now, with the passive screening in place, create a report that scans the volume/folders for these known "File Groups". This will give you a good picture of whether any of your regular files will be blocked once you set the File Screen from passive to active.
Depending on the size of your volume, this report may take a while to complete.
Once you are absolutely sure that none of your regular files will be blocked by these file screens, you can switch from passive to active screening.
Again, this method is not 100% airtight. New file extensions may already be out there, but it might be an extra step in the protection of your files.
Note: I just realized that it is not possible to attach files.
Below you will find the .xml files as text.
KnownRansomwareExtensions.xml
<?xml version="1.0" ?>
<Root>
  <Header DatabaseVersion='2.0'></Header>
  <QuotaTemplates></QuotaTemplates>
  <DatascreenTemplates></DatascreenTemplates>
  <FileGroups>
    <!-- Members: patterns that put a file in this group. NonMembers: exceptions to those patterns (none here). -->
    <FileGroup Name='KnownRansomWareExtensions' Id='{CFF0DB4F-1913-487E-A95B-1F7322B62383}' Description=''>
      <Members>
        <Pattern PatternValue='*.0x0'></Pattern>
        <Pattern PatternValue='*.1999'></Pattern>
        <Pattern PatternValue='*.CTB2'></Pattern>
        <Pattern PatternValue='*.CTBL'></Pattern>
        <Pattern PatternValue='*.EnCiPhErEd'></Pattern>
        <Pattern PatternValue='*.HA3'></Pattern>
        <Pattern PatternValue='*.LeChiffre'></Pattern>
        <Pattern PatternValue='*.OMG!'></Pattern>
        <Pattern PatternValue='*.R16M01D05'></Pattern>
        <Pattern PatternValue='*.RDM'></Pattern>
        <Pattern PatternValue='*.RRK'></Pattern>
        <Pattern PatternValue='*.SUPERCRYPT'></Pattern>
        <Pattern PatternValue='*.XRNT'></Pattern>
        <Pattern PatternValue='*.XTBL'></Pattern>
        <Pattern PatternValue='*._crypt'></Pattern>
        <Pattern PatternValue='*.aaa'></Pattern>
        <Pattern PatternValue='*.abc'></Pattern>
        <Pattern PatternValue='*.bleep'></Pattern>
        <Pattern PatternValue='*.ccc'></Pattern>
        <Pattern PatternValue='*.crinf'></Pattern>
        <Pattern PatternValue='*.crjoker'></Pattern>
        <Pattern PatternValue='*.crypt'></Pattern>
        <Pattern PatternValue='*.crypto'></Pattern>
        <Pattern PatternValue='*.ecc'></Pattern>
        <Pattern PatternValue='*.encrypted'></Pattern>
        <Pattern PatternValue='*.encryptedRSA'></Pattern>
        <Pattern PatternValue='*.exx'></Pattern>
        <Pattern PatternValue='*.ezz'></Pattern>
        <Pattern PatternValue='*.good'></Pattern>
        <Pattern PatternValue='*.keybtc@inbox_com'></Pattern>
        <Pattern PatternValue='*.locked'></Pattern>
        <Pattern PatternValue='*.locky'></Pattern>
        <Pattern PatternValue='*.lol'></Pattern>
        <Pattern PatternValue='*.lol!'></Pattern>
        <Pattern PatternValue='*.magic'></Pattern>
        <Pattern PatternValue='*.micro'></Pattern>
        <Pattern PatternValue='*.pzdc'></Pattern>
        <Pattern PatternValue='*.r5a'></Pattern>
        <Pattern PatternValue='*.toxcrypt'></Pattern>
        <Pattern PatternValue='*.ttt'></Pattern>
        <Pattern PatternValue='*.vault'></Pattern>
        <Pattern PatternValue='*.vvv'></Pattern>
        <Pattern PatternValue='*.xxx'></Pattern>
        <Pattern PatternValue='*.xyz'></Pattern>
        <Pattern PatternValue='*.zzz'></Pattern>
      </Members>
      <NonMembers></NonMembers>
    </FileGroup>
  </FileGroups>
</Root>
KnownRansomNoteFiles.xml
<?xml version="1.0" ?>
<Root>
  <Header DatabaseVersion='2.0'></Header>
  <QuotaTemplates></QuotaTemplates>
  <DatascreenTemplates></DatascreenTemplates>
  <FileGroups>
    <!-- Ransom note file names; the ones ending in '*' are wildcard patterns. -->
    <FileGroup Name='KnownRansomNoteFiles' Id='{22B1E888-EC0E-408A-80D9-DE4471569643}' Description=''>
      <Members>
        <Pattern PatternValue='About_Files.txt'></Pattern>
        <Pattern PatternValue='Coin.Locker.txt'></Pattern>
        <Pattern PatternValue='DECRYPT_INSTRUCTION.TXT'></Pattern>
        <Pattern PatternValue='DECRYPT_INSTRUCTIONS.TXT'></Pattern>
        <Pattern PatternValue='DECRYPT_ReadMe.TXT'></Pattern>
        <Pattern PatternValue='DecryptAllFiles.txt'></Pattern>
        <Pattern PatternValue='FILESAREGONE.TXT'></Pattern>
        <Pattern PatternValue='HELLOTHERE.TXT'></Pattern>
        <Pattern PatternValue='HELPDECRYPT.TXT'></Pattern>
        <Pattern PatternValue='HELPDECYPRT_YOUR_FILES.HTML'></Pattern>
        <Pattern PatternValue='HELP_RECOVER_FILES.txt'></Pattern>
        <Pattern PatternValue='HELP_RESTORE_FILES.txt'></Pattern>
        <Pattern PatternValue='HELP_TO_DECRYPT_YOUR_FILES.txt'></Pattern>
        <Pattern PatternValue='HELP_TO_SAVE_FILES.txt'></Pattern>
        <Pattern PatternValue='HELP_YOUR_FILES.TXT'></Pattern>
        <Pattern PatternValue='HOW_TO_DECRYPT_FILES.TXT'></Pattern>
        <Pattern PatternValue='Help_Decrypt.txt'></Pattern>
        <Pattern PatternValue='How_To_Recover_Files.txt'></Pattern>
        <Pattern PatternValue='HowtoRESTORE_FILES.txt'></Pattern>
        <Pattern PatternValue='Howto_Restore_FILES.TXT'></Pattern>
        <Pattern PatternValue='IAMREADYTOPAY.TXT'></Pattern>
        <Pattern PatternValue='IHAVEYOURSECRET.KEY'></Pattern>
        <Pattern PatternValue='INSTRUCCIONES_DESCIFRADO.TXT'></Pattern>
        <Pattern PatternValue='READTHISNOW!!!.TXT'></Pattern>
        <Pattern PatternValue='RECOVERY_FILE*.txt'></Pattern>
        <Pattern PatternValue='RECOVERY_FILE.TXT'></Pattern>
        <Pattern PatternValue='RECOVERY_FILES.txt'></Pattern>
        <Pattern PatternValue='RECOVERY_KEY.txt'></Pattern>
        <Pattern PatternValue='ReadDecryptFilesHere.txt'></Pattern>
        <Pattern PatternValue='SECRET.KEY'></Pattern>
        <Pattern PatternValue='SECRETIDHERE.KEY'></Pattern>
        <Pattern PatternValue='YOUR_FILES.HTML'></Pattern>
        <Pattern PatternValue='YOUR_FILES.url'></Pattern>
        <Pattern PatternValue='_Locky_recover_instructions.txt'></Pattern>
        <Pattern PatternValue='_how_recover.txt'></Pattern>
        <Pattern PatternValue='_secret_code.txt'></Pattern>
        <Pattern PatternValue='encryptor_raas_readme_liesmich.txt'></Pattern>
        <Pattern PatternValue='help_decrypt_your_files.html'></Pattern>
        <Pattern PatternValue='help_recover_instructions*.txt'></Pattern>
        <Pattern PatternValue='howrecover*.txt'></Pattern>
        <Pattern PatternValue='howto_recover_file.txt'></Pattern>
        <Pattern PatternValue='recoverfile*.txt'></Pattern>
        <Pattern PatternValue='recoveryfile*.txt'></Pattern>
        <Pattern PatternValue='restorefiles.txt'></Pattern>
      </Members>
      <NonMembers></NonMembers>
    </FileGroup>
  </FileGroups>
</Root>
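The same procedure scripted end to end with the FileServerResourceManager PowerShell module that ships with the FSRM role service, as an added example that is not part of the original post: it reads the two exported XML files above and (re)creates the file groups from their Pattern members, builds a passive template with an e-mail and an event-log notification, applies the screen to a share folder rather than a volume, runs an on-demand FilesByFileGroup report over the existing files, and only flips the screen to active behind an explicit switch. The share path, the XML file locations, the SMTP settings and addresses, and the template and report names are assumptions; the passive-first ordering matters because several patterns on the list (*.abc, *.good, *.xyz, *.ccc) can easily match legitimate files.

```powershell
# Added example, not from the original post. Assumed values: share path, XML locations,
# SMTP server and addresses, template/report names. Requires the FSRM role service.
Import-Module FileServerResourceManager

$shareRoot = 'D:\Shares'        # assumed: screen share folders, never the whole volume
$exports   = @('C:\FSRM\KnownRansomwareExtensions.xml',
               'C:\FSRM\KnownRansomNoteFiles.xml')

# FSRM needs SMTP details before an e-mail notification can be sent (assumed values).
Set-FsrmSetting -SmtpServer 'smtp.example.local' `
                -AdminEmailAddress 'admin@example.local' `
                -FromEmailAddress  'fsrm@example.local'

# 1. File groups: build each <FileGroup> from the exported XML. Members become the
#    include patterns, NonMembers (exceptions) the exclude patterns.
$groupNames = foreach ($file in $exports) {
    [xml]$doc = Get-Content -Path $file -Raw
    foreach ($fg in $doc.SelectNodes('/Root/FileGroups/FileGroup')) {
        $name    = $fg.GetAttribute('Name')
        $include = @($fg.SelectNodes('Members/Pattern')    | ForEach-Object { $_.GetAttribute('PatternValue') })
        $exclude = @($fg.SelectNodes('NonMembers/Pattern') | ForEach-Object { $_.GetAttribute('PatternValue') })

        $params = @{ Name = $name; IncludePattern = $include }
        if ($exclude.Count -gt 0) { $params.ExcludePattern = $exclude }

        if (Get-FsrmFileGroup -Name $name -ErrorAction SilentlyContinue) {
            Set-FsrmFileGroup @params | Out-Null     # group exists: update its patterns
        } else {
            New-FsrmFileGroup @params | Out-Null
        }
        $name
    }
}

# 2. Notifications: an e-mail and an event-log entry. The event is what a SIEM can alert on.
#    [Admin Email], [Server], [Source Io Owner] and [Source File Path] are FSRM's own
#    message variables; RunLimitInterval (minutes) stops a mass encryption from sending
#    one mail per file.
$mail  = New-FsrmAction -Type Email -MailTo '[Admin Email]' `
             -Subject 'FSRM: ransomware file pattern on [Server]' `
             -Body    'User [Source Io Owner] wrote [Source File Path] on [Server].' `
             -RunLimitInterval 10
$event = New-FsrmAction -Type Event -EventType Warning `
             -Body 'Ransomware file pattern: [Source Io Owner] wrote [Source File Path]'

# 3. Template created WITHOUT -Active: passive screening notifies but never blocks.
$template = New-FsrmFileScreenTemplate -Name 'Ransomware patterns (passive)' `
                -IncludeGroup $groupNames -Notification @($mail, $event)

# 4. Apply the screen to the share folder. Not the volume: on Server 2012 the Data
#    Deduplication store under "System Volume Information" uses .ccc, which is on the list.
New-FsrmFileScreen -Path $shareRoot -Template $template.Name | Out-Null

# 5. Audit what is ALREADY on the share before blocking anything. An on-demand
#    FilesByFileGroup report lists every existing file matching the groups; an empty
#    report means it is safe to go active, anything listed needs an exception first.
New-FsrmStorageReport -Name 'Ransomware pattern audit' -Namespace @($shareRoot) `
    -ReportType FilesByFileGroup -FileGroupIncluded $groupNames -Interactive | Out-Null
# Report output lands in the interactive reports folder (C:\StorageReports\Interactive by default).

# 6. Only after the report has been reviewed: switch this screen from passive to active.
$goActive = $false                     # set to $true once the report came back clean
if ($goActive) {
    Set-FsrmFileScreen -Path $shareRoot -Active
}
```

While the screen is still passive, the notification path can be checked without risk: create an empty file with one of the listed names inside the screened folder (for example a file ending in .locky). The write succeeds, because passive screening does not block, but the e-mail and the warning event should both appear; if they do not, fix the SMTP settings or the action before going active. Once the screen is active the same test write is refused with an access-denied error, which is also the moment a dedup volume screened by mistake would start failing.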