Ransomware: Detection when prevention has failed.


The scary truth

It's one of the biggest fears for an IT department. You have anti-malware agents on your desktops, you have scanning engines for incoming email, you have IPS/IDS systems, and you have even locke

d the permissions down on your file shares, but someone manages to get a ransomware infection on their workstation. You get a call and spend the next 40 hours testing how well your backup strategy works. In the worst case scenario, you are ransomed into paying thousands to bad actors.

Recently eWeek.com posted an article on the percentage of companies that have paid attackers to recover their data after a ransomware attack. The findings are pretty scary. The article states:

"The 23-page IBM Security study surveyed 600 business leaders and 1,021 consumers in the U.S. 46 percent of business respondents reported that they had experienced ransomware in their organizations. Of the 46 percent that have been impacted by ransomware, 70 percent admitted that their organization paid the ransom."

This is a troubling statistic. It shows that many companies are still not taking this threat seriously. The fact that so many people have paid this ransom points to holes in their data security plan. For these companies, it is vitally important they refocus on the basics. Ensuring better network security, writing better security policies, and improving backup and archiving strategies are a good start. There are many tools and partners out there who can help implement technology and develop strategies to prevent these attacks and ensure businesses can recover from them without paying a ransom.

They still got in

Even with the best technology and consistent end user training, attacks make their way onto the network. A new method of delivery is created, a user gets tricked, or even an exploit in a required piece of technology is leveraged. IT technicians then find themselves dealing with a ransomware attack. Many IT departments don't realize that the attack is happening until a user contacts them about their inability to access a file or a message on their screen. Once this has occurred it's often too late to do anything but restore everything. What many companies are missing is a strategy for detecting the attack quickly and limiting it's scope. So what can be done?

There are several ways to deal with this scenario:

  • Monitor for multiple file renames as a method of detection.
  • Create a large sacrificial share full of small files to slow down the infection.
  • Implement app-locker policies to try to limit attack vectors.
  • Look for processes that read/write too quickly or change the entropy of files.
  • Monitor for known ransomware extensions.

The focus of the remainder of this article will be on the last option. Monitoring for known ransomware extensions is simple to implement and effective. It can be accomplished with tools Microsoft provides right out of the gate. It's fast to detect and can be optimized to automate remediation tasks.

Using File Server Resource Manager to detect ransomeware

File Server Resource Manager (FSRM) is a role provided by Microsoft Windows servers that allows administrators to understand, control, and manage the type and quantity of data that is stored on servers. It can be used for quota enforcement, file screening, reporting, data classification, and file management tasks. For the purposes of this article, the focus will be on file screening.

The process is fairly simple, and consists of the following steps:

  1. Install the FSRM role on a Windows server.
  2. Configure basic options for FSRM.
  3. Create file groups.
  4. Create a file screen template.
  5. Create a file screen.

Once this has been completed, the system will automatically notify IT when it detects one of the configured extensions. This process can be taken further by automating the updating of file groups as well as taking an automated remediation step. There is, however, one strong weakness with this approach. This will not stop attacks that use randomized file extensions, or use extensions that are not listed in the file group.

Install FSRM role

Installing a Windows role should be within the abilities of an IT professional. Needless to say it can be found under File and Storage Services > File and iSCSI Services > File Server Resource Manager. Once this is done, FSRM can be opened by running the program called "File Server Resource Manager".

Configure basic options for FSRM

Before FSRM can be useful, some configuration needs to be done. The SMTP server setting, notification limits, and the default administrator email account all need to be configured. These settings can be found by right clicking on on File Server Resource Manager (local) in the FSRM console.

Create file groups


A file group is a list of files or extensions in which a technician would like to take action. In this case, a list of all known ransomware extensions needs to be created. To do this, expand "File Screening Management" in FSRM and right click on "File Groups" and select "Create File Group". Next, create a name for the file group and add at least one extension to include so the file group can be saved.

To automate this file group and keep it up to date, a script is required. https://fsrm.experiant.ca/ maintains a very up to date list as well as their own options for configuring FSRM. A scheduled task should be created to run the following PowerShell script:

set-FsrmFileGroup -name "Anti-Ransomware File Group" -IncludePattern 
@((Invoke-WebRequest -Uri "https://fsrm.experiant.ca/api/v1/
combined" -UseBasicParsing).content | convertfrom-json | % {$_.filters})

Create a File Screen Template


The next step is to build a template that uses this list. The process is similar to the file group. After expanding "File Screening Management" inside FSRM, right click on "File Screen Templates" and click "Create File Screen Template. Give the template a name and check the Anti-Ransomware file group created previously. There are now a few options to consider.

Active vs Passive Screening - Active Screen prevents files with these extensions from being created. Passive simply takes an action when the file is created. It is recommended to use passive screening. If active screening is used, any files that are encrypted will not be renamed and will make finding these files for restore difficult.

Email Message - Allows an email to be sent out if these extensions are discovered or created on screened file shares. It is highly recommended to configure this tab.

Event log - Configures an event log item to be created if these extensions are discovered or created on screened file shares. This is also recommended. This will be used later to automate remediation attempts.


Command - Allows execution of a script in response to detection. One potential option is to use this tab to run a PowerShell script to disable the share for the user who is infected. This prevents any further attacks. It could also be used to execute a script to turn off the file sharing service completely. Ensure the settings look like the screenshot to the right. The command arguments Should point to a PowerShell script. The script that follows is a slightly modified version of the script found at https://fsrm.experiant.ca/. It reads as follows:

#One second delay to give script enough time to grab newest event logs
sleep -Seconds 1
#Looks in event log for the custom event message generated by the file 
screen audit. Input's username of the offender into a variable.
$RansomwareEvents = get-eventlog -logname 
Application -message "*ransomware*" -newest 50 | where {$_.eventid -eq 8215}
$username = ($RansomwareEvents.message).split()[1]
$username = $username -replace ".*\\"
#Blocks SMB share access for user
Get-SmbShare -Special $false | Where-Object currentusers -gt 0 | 
Block-SmbShareAccess -AccountName $username -force
restart-service "File Server Resource Manager" -force

This command gets all shares on the server and for each share configures
share permissions to block the user account that is infected with the ransomware.
Once the infection has been removed, access can be restored for that user by removing
the share permission that blocks their access. This can be done with this script:

Get-SmbShare -Special $false | Unblock-SmbShareAccess -AccountName 
"username@domain.tld" –Force

Another option would be to disable the share service entirely like so:
stop-service lanmanserver -force

It is important to note that changes to the execution policy for PowerShell to
allow local scripts may be required.

Create File Screens

Now that the file screen template is created, the last step is to implement these templates by creating file screens. File screens are created on a share by share basis. This process is very simple. Right click on "File Screens" and select the path to screen (the path to the share). Next, under the second that says "Derive properties from file screen template" select the template you created and click OK. It is now possible to edit the properties of this file screen if customization is required.


There are many tools and techniques to deal with preventing, re-mediating, and detecting ransomware. Hopefully this overview of File Server Resource Monitor has exposed creative ways of detecting and reducing the impact of modern malware.

Post Author : Don Magee, Senior Cloud Engineer, Trek,Inc.

This post was initially posted here & has been reproduced with permission.


E-mail me when people leave their comments –

You need to be a member of CISO Platform to add comments!

Join CISO Platform

RSAC Meetup Banner

CISO Platform

A global community of 5K+ Senior IT Security executives and 40K+ subscribers with the vision of meaningful collaboration, knowledge, and intelligence sharing to fight the growing cyber security threats.

Join CISO Community Share Your Knowledge (Post A Blog)