Skip to content
This repository has been archived by the owner on Dec 19, 2024. It is now read-only.
Jason Kreisler edited this page Oct 21, 2019 · 5 revisions

The FSRM-Anti-ransomware wiki

Our goal here is to help people fight ransomware using readily available tools.

There are three components to this project:

  • FSRM-Anti-ransomware.ps1 - this install FSRM and sets up file screens, meant for daily use
  • AntiransomwareFiltersMerge.py - checks for filters updates, meant for daily use
  • EverythingSearchForRansomware.py - scans all local drives for ransomware fingerprints, use any time

Very Brief History:

I found a web page by Luke Orellana that explained how Microsoft's File Server Resource Manager could be used to combat ransomware. I downloaded the script and decided I needed to learn PowerShell. That was several months ago and I've been working on the FSRM-Anti-ransomware.ps1 script ever since, learning PowerShell as I go. Luke's script works with Windows 2008 but since I was starting over I decided to focus only on W2012 and above. I also found Experiant's excellent web site where they maintain an up-to-date ransomware filespecs list in the form of a JSON file. I went to work on a new script and never looked back. I want to take this moment to send huge thanks to both Luke Orellana and the very generous folks at Experiant. This script is built on the backs of those giants.

Goals:

  • Easy installation - only as complicated as it needs to be
  • Create a PowerShell script that uses only native FSRM cmdlets and uses calls that are current with W2019 but are backwards compatible with Windows 2012 (r1). We got close. W2012r1 users "should" upgrade to WMF 5.1, but there's an easy work around. Windows 2012r2 and above work as-is. Windows 2008 is simply not supported; there's no easy path to back-port.
  • Fight ransomware by using up-to-date filters and by using honey traps that have a better chance of catching zero-day ransomware threats. Ransomware is a fast moving threat and using known filters alone is always several days behind the black hats.

Now let's get started configuring and installing.


reference links:

Using File Server Resource Manager to Screen for Ransomware

Anti-Ransomware File System Resource Manager Lists

Clone this wiki locally