Stop Cryptolocker & Ransomware Damage with Automatic File Server Shutdown

File Screening Setup


Some quick and dirty notes to prevent the spread of Cryptolocker, Locky and other variants of ransomware, based on virus-related file extensions. The method used here relies on the Windows File Server Resource Manager (FSRM) to stop the Windows Server file service when a ransomware file is detected.


Open File Server Resource Manager
File Screening Management > File Groups > Create File Group
File group name: _Ransomware
Files to include:

*.0x0
*.1999
*.aaa
*.abc
*.bleep
*.ccc
*.crinf
*.crjoker
*.crypt
*.crypto
*.CTB2
*.CTBL
*.ecc
*.EnCiPhErEd
*.encrypted
*.encryptedRSA
*.exx
*.ezz
*.good
*.HA3
*.keybtc@inbox_com
*.LeChiffre
*.locked
*.locky
*.LOL!
*.magic
*.micro
*.OMG!
*.pzdc
*.R16M01D05
*.r5a
*.RDM
*.RRK
*.SUPERCRYPT
*.toxcrypt
*.ttt
*.vault
*.vvv
*.XRNT
*.XTBL
*.xxx
*.xyz
*.zzz
_crypt
_how_recover.txt
_Locky_recover_instructions.txt
_secret_code.txt
About_Files.txt
Coin.Locker.txt
DECRYPT_INSTRUCT*
DECRYPT_ReadMe.TXT
DecryptAllFiles.txt
FILESAREGONE.TXT
HELLOTHERE.TXT
Help_Decrypt.txt
help_decrypt_your_files.html
HELP_RECOVER_FILES.txt
help_recover_instructions+*.txt
HELP_RESTORE_FILES.txt
HELP_TO_DECRYPT_YOUR_FILES.txt
HELP_TO_SAVE_FILES.txt
HELP_YOUR_FILES.TXT
HELPDECRYPT.TXT
HELPDECYPRT_YOUR_FILES.HTML
HOW_TO_DECRYPT_FILES.TXT
How_To_Recover_Files.txt
howrecover+*.txt
howto_recover_file.txt
Howto_Restore_FILES.TXT
HowtoRESTORE_FILES.txt
HowtoRestore_FILES.txt
IAMREADYTOPAY.TXT
IHAVEYOURSECRET.KEY
Read.txt
ReadDecryptFilesHere.txt
ReadMe.txt
READTHISNOW!!!.TXT
recoverfile*.txt
RECOVERY_FILE*.txt
RECOVERY_FILE.TXT
RECOVERY_FILES.txt
RECOVERY_KEY.txt
recoveryfile*.txt
restorefiles.txt
SECRET.KEY
SECRETIDHERE.KEY
YOUR_FILES.HTML
YOUR_FILES.url


File Screening Management > File Screen Templates > Create File Screen Template
Call it "Ransomware Guard"

Set the template to run a batch file containing: NET STOP SERVER /Y

Create a file screen and select the "Ransomware Guard" template

Allow your email server to accept email notifications coming from the file server
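
The steps above scripted with the FileServerResourceManager PowerShell cmdlets, as an added example that is not part of the original notes. The share path, batch file location, SMTP server and mail addresses are assumed placeholders, the pattern list is a subset of the list above, and active screening is an assumption.

```powershell
#Requires -RunAsAdministrator
Import-Module FileServerResourceManager

# Assumed values, not from the original notes: replace for your environment.
$SharePath  = 'D:\Shares'                # hypothetical folder to screen
$BatchFile  = 'C:\FSRM\StopServer.bat'   # hypothetical batch file location
$SmtpServer = 'smtp.example.com'         # placeholder mail relay
$MailFrom   = 'fsrm@example.com'         # placeholder sender
$MailTo     = 'admin@example.com'        # placeholder recipient

# Subset of the pattern list from the notes; paste the full list here.
$Patterns = @('*.locky', '*.crypt', '*.encrypted', '*.vault', '*.vvv',
              'DECRYPT_INSTRUCT*', 'Help_Decrypt.txt', 'recoverfile*.txt')

# Batch file that the command action runs (the command given in the notes).
New-Item -ItemType Directory -Path (Split-Path $BatchFile) -Force | Out-Null
Set-Content -Path $BatchFile -Value 'NET STOP SERVER /Y' -Encoding Ascii

# Mail settings FSRM uses for notifications from the file server.
Set-FsrmSetting -SmtpServer $SmtpServer -FromEmailAddress $MailFrom -AdminEmailAddress $MailTo

# File group "_Ransomware": create it, or refresh the patterns if it exists.
if (Get-FsrmFileGroup -Name '_Ransomware' -ErrorAction SilentlyContinue) {
    Set-FsrmFileGroup -Name '_Ransomware' -IncludePattern $Patterns
} else {
    New-FsrmFileGroup -Name '_Ransomware' -IncludePattern $Patterns | Out-Null
}

# Command action: LocalSystem is needed to stop the Server service.
$stop = New-FsrmAction -Type Command `
    -Command "$env:SystemRoot\System32\cmd.exe" `
    -CommandParameters "/c `"$BatchFile`"" `
    -WorkingDirectory (Split-Path $BatchFile) `
    -SecurityLevel LocalSystem

# E-mail action; the bracketed names are FSRM notification variables.
$mail = New-FsrmAction -Type Email -MailTo $MailTo `
    -Subject 'Ransomware Guard triggered on [Server]' `
    -Body 'User [Source Io Owner] wrote [Source File Path] (file group: [Violated File Group]).'

# Template "Ransomware Guard". -Active also blocks the write (assumption:
# the notes do not say whether the screen is active or passive).
$actions = @($stop, $mail)
New-FsrmFileScreenTemplate -Name 'Ransomware Guard' -IncludeGroup '_Ransomware' `
    -Active -Notification $actions | Out-Null

# File screen on the shared folder, built from the template.
New-FsrmFileScreen -Path $SharePath -Template 'Ransomware Guard' | Out-Null
```

`NET STOP SERVER /Y` also stops the services that depend on the Server service, so after cleanup start it again with `net start server` and restart those dependents.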