Ransomware Detection Guide for Windows Server 2012 R2

As I mentioned in this post, I was going to create a guide on how to set up ransomware / cryptolocker detection on a Windows file server. It turns out it was easier to set up than I thought. Here is the complete guide:

  1. Open File Server Resource Manager. If it is not installed on the server, add it through PowerShell:
    Install-WindowsFeature FS-Resource-Manager -IncludeManagementTools
  2. Right-click “File Server Resource Manager” and select “Configure Options”. Fill in the SMTP server information on the “Email Notifications” tab. To use an external SMTP server, such as Gmail or outlook.com, see this guide.
  3. Confirm that mail works with “Send Test E-mail”. With notifications in place we need two things: a File Group (the list of file-name patterns to watch for) and a File Screen that applies that group to a folder. The easiest way to create the File Group is PowerShell. This command creates a new File Group named “Ransomware File Group”: http://pastebin.com/Mp8Eqpeh
    Additional patterns can be appended to the PowerShell command as needed; just follow the format (ex: "filter1","filter2","filter3"). To update an existing File Group, change the verb “New” to “Set” (ex: Set-FsrmFileGroup). Note that -IncludePattern replaces the whole list, so pass the complete set of patterns, not just the new ones.
    The bare list of patterns used in the above command can be found here: http://pastebin.com/4bPfaeWu (updated 10/12/2016).
  4. Run the above command in an elevated PowerShell session to create the new File Group.
  5. Switch back to File Server Resource Manager, expand “File Screening Management”, right-click “File Screens” and select “Create File Screen”.
  6. Select the folder to monitor (the root of the share works well) and create a custom file screen by clicking “Custom Properties”.
  7. Select “Passive Screening” and check the File Group we created earlier. Passive screening only logs and alerts on a match; the write itself is allowed, so this is a detection control. “Active Screening” would block the write instead.
  8. Inspect the other tabs and set up alerts as needed, for example e-mail alerts on the “E-mail Message” tab and an Application log entry on the “Event Log” tab. The FSRM variables such as [Source Io Owner], [Source File Path] and [Server] can be used in the message so the alert identifies the account and host doing the encrypting.
  9. We should now see the new file screen in the list.
  10. We can now test the screen by creating a file whose name matches a screened pattern (*.locky in this case) inside the monitored folder.
  11. In this example Event Viewer logging was enabled, and the file creation shows up as a warning from SRMSVC in the Application log.
  12. The ransomware alert setup is now complete. The list of filters was found in this reddit post. Because a File Screen matches on file names only, the list has to be kept current: ransomware that keeps the original extension will not trigger it. The filters can be updated manually using File Server Resource Manager if desired: right-click the File Group we created earlier and select “Edit File Group Properties”.
    PowerShell can of course also be used to update the patterns; see steps 3-4.
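The whole procedure above (steps 3 to 11) can be done without touching the GUI. The following is an added example, not the script from the post or its pastebin; it assumes the monitored share is at D:\Shares, that alerts go to secops@example.com, and that SMTP was already configured in step 2. The four patterns are an illustrative sample only; the real File Group should carry the full list from the pastebin.

```powershell
# Added example: create the FSRM file group, the passive file screen, and the
# e-mail / event log actions in one go, then fire a test detection.
# Assumptions (not from the original post): share at D:\Shares, alerts to
# secops@example.com, SMTP already set via the FSRM options dialog.

$GroupName = "Ransomware File Group"
$SharePath = "D:\Shares"
$AlertTo   = "secops@example.com"

# Illustrative sample of patterns. Replace with the complete list; Set-FsrmFileGroup
# -IncludePattern overwrites the whole list on each run.
$Patterns = @("*.locky", "*.zepto", "*.encrypted", "*.crypt")

# Create the file group, or update it if it already exists (idempotent re-runs).
if (Get-FsrmFileGroup -Name $GroupName -ErrorAction SilentlyContinue) {
    Set-FsrmFileGroup -Name $GroupName -IncludePattern $Patterns
} else {
    New-FsrmFileGroup -Name $GroupName -IncludePattern $Patterns `
        -Description "File names known to be written by ransomware"
}

# Alert text. The bracketed tokens are FSRM variables expanded at notification time,
# so the alert names the account and host that wrote the file.
$Body = "[Source Io Owner] wrote [Source File Path] on [Server] (screen [File Screen Path], group [Violated File Group])."

# E-mail action: RunLimitInterval is the minimum number of minutes between repeat
# e-mails for this screen, which keeps a mass-encryption event from flooding the inbox.
$EmailAction = New-FsrmAction -Type Email -MailTo $AlertTo `
    -Subject "Ransomware indicator on [Server]" -Body $Body -RunLimitInterval 10

# Event log action: writes a warning from source SRMSVC to the Application log,
# which a SIEM can collect. Kept at a short interval so repeated hits stay visible.
$EventAction = New-FsrmAction -Type Event -EventType Warning -Body $Body -RunLimitInterval 1

# Passive screen: -Active:$false means matches are logged and alerted on but the
# write is still allowed, exactly as "Passive Screening" in the GUI.
if (-not (Get-FsrmFileScreen -Path $SharePath -ErrorAction SilentlyContinue)) {
    New-FsrmFileScreen -Path $SharePath -IncludeGroup $GroupName `
        -Notification @($EmailAction, $EventAction) -Active:$false `
        -Description "Ransomware detection (passive)" | Out-Null
}

# Check what was created.
Get-FsrmFileScreen -Path $SharePath | Format-List Path, Active, IncludeGroup

# Fire a test detection: a zero-byte file with a screened name, then read the
# resulting SRMSVC entries from the Application log.
$Canary = Join-Path $SharePath "canary.locky"
New-Item -Path $Canary -ItemType File -Force | Out-Null
Start-Sleep -Seconds 5
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'SRMSVC' } -MaxEvents 3 |
    Select-Object TimeCreated, Id, Message
Remove-Item -Path $Canary -Force
```

Run it in an elevated session on the file server. If the event shows up but no mail arrives, the SMTP settings from step 2 are the first thing to re-check with “Send Test E-mail”; if neither shows up, confirm the path is the share root and not a reparse point or a DFS target, since FSRM screens local NTFS paths only.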