This repository has been archived by the owner on Dec 19, 2024. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 3
/
Copy pathFSRM-Anti-ransomware.ps1
603 lines (531 loc) · 103 KB
/
FSRM-Anti-ransomware.ps1
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
#Requires -Version 4 -RunAsAdministrator
<#
.Notes
Name: FSRM-Anti-ransomware.ps1
-> Important: This file must be Unicode UTF-8 encoded for the embedded ransomware file names to render properly. Also, save this with a BOM so that Windows will "guess" the format correctly.
Compare the two lines just below. One is Unicode and the other ASCII. The two lines should be legible and look very similar to each other. If not then you've lost Unicode encoding. Note: the PowerShell Get-Help cmdlet doesn't know how to render Unicode. Use a text editor or the PowerShell ISE to read the file.
Α-Uиịϲоԁḙ-Ω (Unicode with mix of Greek, Cyrillic, and Latin characters, and begins with Greek alpha and ends with Greek omega)
A-Unicode-O (ASCII, plain text)
(A BOM should never be necessary with UTF-8 Unicode, but the PowerShell ISE still needs it to correctly detect Unicode encoding. Be sure this file has a BOM.)
-> Important: You must leave the FSRM global setting Notification Limits -> Command notification (minutes): set to 0 (zero). It will be reset each time this script runs.
If you must have this set to something else then you'll need to reset the FSRM service in the triggered scripts each time they run.
You "should" also have the event notification set to 0 so that each event goes to the Windows event log
The reason for this is because we're using a mechanism (FSRM file screens) that were originally intended only for notification messages. We are re-purposing it for security actions. Be strict!
-> Important: This script assumes that you DO NOT already have file screens applied to drives/shares that will be captured by this script.
Only one screen is allowed per resource (share,drive,directory). If other screens have been applied to the same shares / drive points then this script will fail at creating new file screens in those places.
-> Important: When you run this script be sure you read and remediate all errors and warnings shown on the screen and shown in the Windows Application event log.
When this script runs correctly there will be no warnings or errors.
exception:
There may be warnings (but not errors) about the email configuration when you run this the first time.
The warnings will clear when you rerun this script a second time, after which the warnings will stay cleared.
Edit the variables in the param section or in a custom pre-load script to match your SMTP setup and admin email. Use the included script "NameHere-Custom-PreLoad-FSRM-Anti-ransomware.ps1" as a template.
If FSRM is already installed you should still run this script. It will take care of the mandatory settings that we need for ransomware detection.
Special note for installing FSRM on Windows 2012 and 2012r2
After installing FSRM you will probably need to reboot the OS manually. Take note of the message on the screen telling you to do so.
When you run this script the second time to install all the file screens you may still see quite a few errors. Just stop and then restart the FSRM service.
You can avoid all this trouble by either installing WMF 5.1 or manually installing FSRM and rebooting first. This is for Windows 2012 versions only.
requires .NET 4.5.2 or higher, will install with lower versions without error but functionality will be impacted
if you are fully patched then you will be running at least v4.8.x even on W2012r1
check version installed here:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full
PowerShell version 3 workaround - Yes, it's possible to run this script under PowerShell 3 but you must be certain you're running it as administrator. Here's what to do in two simple steps:
1. remove the "# Requires -Version 4" line from the top of this script
2. change the test "If ($PSVersionTable.PSVersion.Major -lt 4)" to "If ($PSVersionTable.PSVersion.Major -lt 3)"
3. You should really consider installing WMF 5.1. I've never seen any negative effects from doing so.
If the global settings in the FSRM management console look empty right after you've run this script then just restart the management console to make them show.
The settings are there, you just can't see them because there's no refresh option at the top level of the FSRM manager.
The option to download a filters list from https://fsrm.experiant.ca assumes that you have initialized your Internet Explorer.
The Invoke-WebRequest command uses the Internet Explorer engine. Internet Explorer must be setup and your settings must allow the download. Don't know Edge impact.
.Synopsis
This script installs and configures FSRM upon the first run, and configures and refreshes Anti-ransomware file screens on all subsequent runs.
Use "Get-Help -Detailed" to see detailed paramter descriptions.
.Description
Requirements:
Windows Server 2012 (r1, a.k.a. Windows 6.2) or above with all updates applied
PowerShell 4 or above strongly recommended, but PowerShell 3 can be made to work (see version 3 workaround information in the script notes).
This script will perform an initial installation of the File Server Resource Manager (FSRM) if it's not already installed. On subsequent runs this script will reconfigure FSRM as needed including setting the CommandNotificationLimit to the mandatory value of 0, create file groups, create templates for file matching and honey pot screens, and create file screens for all specified shares and drives. Because this is a complex security configuration you need to understand all the parameters used in this script then set the YesAllTheVariablesAreSetHowIWant parameter to $True.
It is essential that this file is always encoded in UTF-8-BOM. To verify Unicode encoding just open this script in a text editor and read the verifcation text near the top.
.Link
https://github.com/SparkyzCodez/FSRM-Anti-ransomware
#>
param(
# This is the SMTP you will use for FSRM. You must set this variable manually. The default value is just a place holder. Only supports unauthenticated, unencrypted email at this time.
[string]$SMTPServer = "127.0.0.1",
# This is the "from" email address that will be used in every FSRM triggered email. By default we'll build a string using the computer name and the domain name. This especially suitable for servers that are domain joined. You may replace this with any email address string you choose. For stand-alone or custom configurations use something like -EmailFrom "[email protected]".
[string]$EmailFrom = "FSRM-"+(Get-CIMInstance -Class CIM_ComputerSystem).Name+"@"+(Get-CIMInstance -Class CIM_ComputerSystem).Domain,
# These are the email addresses that notifications will be sent to. Notification emails may be sent to more than one recipient; seperate multiple recipients with a semicolon (eg. "[email protected];[email protected]")
[string]$AdminEmailTo = "[email protected]",
# This enables legacy mode direct downloading of the filters filespecs in JSON format. While it is possible to download filters directly, it is better to use the included "AntiransomwareFiltersMerge.py" Python script that generates JSON input data and carries all your additional options forward. The legacy download will download a "combined.json" file containing filters AND modify the filter list based on your local legacy IncludeList.txt and SkipList.txt files which must be in the same directory as this script. (This script will not relocate the text files like other legacy scripts did.) Default: $false
[bool]$LegacyDownloadFiltersJson = $false,
# This is the URL used my the legacy download mode. This data is kindly provided by Experiant.
[string]$LegacyDownloadFiltersJsonURL = "https://fsrm.experiant.ca/api/v1/combined", # they do a great job keeping their filters up to date
# This is a substring used in the input JSON file's name. It allows you to use customized versions of the files. The default is "extended" and the file name will be similar to combined-extended-20191123_090937.json. For example, you could use a substring variation to make file names like combined-accountingserver-20191123_090937.json or combined-DetroitHQ-20191123_090937.json. Do not add any dashes to this text because they are used for substring parsing!
[string]$JSONfnamesubstring = "extended",
# Be sure you understand what "passive" and "active" mean in the context of FSRM before overriding this setting. Active sends email alerts and actively blocks access to files (good for production files, prevents any ransomware files from being created, may still allow encryption of existing files). Passive sends email alerts but does not block access to files (good for honey pots so you can do forensics on encrypted files and ransom requests). Default: $true
[bool]$RansomwareTemplateIsActive = $true,
# This is the name template you'll use for your honey pot directories. Since the bad guys can read this too, you must customize this. Do not use this default; it's just a place holder. Keep the '?' to match the leading sorting characters in the included sample zip file. These directories must be read/write and easily accessible. Instruct your users to avoid accessing these honey pot directories. Hiding these directories from your users would defeat the whole purpose.
[string]$HoneyPotDirectoryNamePattern = "?ITDept_DoNotTamperWithContents",
# This allows the Honey Pot directory name template to wildcard match a leading dot. A Windows "?" wildcard will not match a leading dot. This is a work around to address this behavior. Especially useful if your shares are accessed by Linux or Mac/Unix clients. Default: $false
[bool]$HoneyPotDirectoryNameWildcardMatchesLeadingDot = $false,
# These are the email address FSRM variables used for notifications when a file screen is triggered. Note: You DO NOT enter email addresses here; you use specific FSRM variables. See the included "FSRM email form variables.txt" or the FSRM online help for the definitions of these FSRM variables. You may not want to notify the owner. If not then do this instead: $TriggeredScriptEmailTo = "[Admin Email]"
[string]$TriggeredScriptEmailTo = "[Admin Email];[Source Io Owner Email]",
# This causes ransomware file screens to be applied to the roots of all drives except C:. (It could adversely affect OS performance to screen the entire OS drive. Instead we will screen any shares found on the OS drive.) Default: $true
[bool]$ApplyRansomewareScreenToDrives = $true,
# This causes the ransomware file screens to screen all "non-special" file shares except those any under the OS drive\Windows directories. Default: $true
[bool]$ApplyRansomewareScreenToShares = $true,
# This causes the existing file screens to be deleted and then be reapplied. This insures that all new shares are added to screening. Default: $true
[bool]$RefreshRansomewareScreens = $true,
# This causes the Ransomware screens to rapidly disconnect the user's SMB session when triggered. General use shares should probably be disconnected quickly. Default: $true
[bool]$RansomewareScreenRapidSMBdisconnect = $true,
# This causes the honey pot file screens to be applied to all shared directories that match the HoneyPotDirectoryNamePattern filespec. Default: $true
[bool]$ApplyHoneyPots = $true,
# This causes the existing honey pot file screens to be deleted and then be reapplied. This insures that all new honey pot shares are added to screening. Default: $true
[bool]$RefreshHoneyPots = $true,
# This causes the Honey Pots screens to rapidly disconnect the user's SMB session when triggered. Honey pot shares should probably NOT be disconnected quickly. This will allow you to capture more compromised files for forensic purposes. Default: $false
[bool]$HoneyPotsScreenRapidSMBdisconnect = $false,
# The configuration of this script covers a lot of critically important security issues. Setting the following variable to $true is your acknowledgement that you understand all the settings in both the param() block at the top of this script and the additional variables at the top of the begin{} section of this script. (two locations) Default: $false
# !!! The SMTP server and the EmailTo variables must be set to insure prompt notifications.
# !!! The CommandNotificationLimit must be set to 0, the EventNotificationLimit should be set to 0, and both are hard coded in this script.
# !!! script editing note: Do not make this variable mandatory/required as that would bypass event logging and information display.
[bool]$YesAllTheVariablesAreSetHowIWant = $false
)
function InstallUpdate-FSRMRansomwareScreening
{
Begin
{
# BEGIN - ADDITIONAL VARIABLES THAT NEED TO BE SET AND VALIDATED #
$CurrentVersion = "2.5.0"
# Leave these two event log variables just as they are unless you are quite sure you want the logging handled differently.
$EventLog = "Application"
# couldn't use two dashes in this source name, Window event loggin kept truncating the source name, no idea why
$EventLoggingSource = "FSRM Anti-ransomware Suite"
# These are default values from fsrm.experiant.ca. These are static and not updated too often. You can get started with these but you need to get the "AntiransomwareFiltersMerge.py" running in your task schedule to stay up to date.
$RansomeWareFileGroupName = "RansomwareFnamesAndExt"
$RansomewareRapidSMBdisconnectFlagholder = "" # will be populated later based on command line boolean
# double check that this file is UTF-8, this embedded filters list contains names in Cyrillic, Portuguese, Spanish, Chinese, etc. see the top of this script
# filters refresh date: 2019-12-30
$FnameExtFilters = @("! ПРОЧТИ МЕНЯ !.html","!! RETURN FILES !!.txt","!!! HOW TO DECRYPT FILES !!!.txt","!!! READ THIS - IMPORTANT !!!.txt","!!!!!ATENÇÃO!!!!!.html","!!!!!SAVE YOUR FILES!!!!.txt","!!!!RESTORE_FILES!!!.txt","!!!-WARNING-!!!.html","!!!-WARNING-!!!.txt","!!!GetBackData!!!.txt","!!!INSTRUCTION_RNSMW!!!.txt","!!!README!!!*.rtf","!!!READ_IT!!!.txt","!!!READ_TO_UNLOCK!!!.TXT","!!!ReadMeToDecrypt.txt","!!!Readme!!!Help!!!.txt","!!!SAVE YOUR FILES!.bmp","!## DECRYPT FILES ##!.txt","!#_DECRYPT_#!.inf","!#_How_to_decrypt_files_#!","!#_How_to_decrypt_files_$!.txt","!-GET_MY_FILES-!.*","!=How_to_decrypt_files=!.txt","!DMALOCK3.0*","!Decrypt-All-Files-*.txt","!ENC","!GBLOCK_INFO.rtf","!INSTRUCTI0NS!.TXT","!OoopsYourFilesLocked!.rtf","!PEDANt_INFO!.rtf","!Please Read Me!.txt","!QH24_INFO!.rtf","!READ.htm","!README_GMAN!.rtf","!README_GRHAN!.rtf","!Recovery_*.html","!Recovery_*.txt","!SBLOCK_INFO!.rtf","!WannaDecryptor!.exe.lnk","!Where_are_my_files!.html","!_!email__ [email protected] __!..PAYMAN","!_HOW_RECOVERY_FILES_!.txt","!_HOW_TO_RESTORE_*.txt","!_Notice_!.txt","!_RECOVERY_HELP_!.txt","[email protected]________.rar","!_ИНСТРУКЦИЯ_!.txt","!back_files!.html","!how_to_unlock_your_file.txt","!readme.*","!satana!.txt","# DECRYPT MY FILES #.html","# DECRYPT MY FILES #.txt","# DECRYPT MY FILES #.vbs","# How to Decrypt Files.txt","# README.hta","###-READ-FOR-HELLPP.html","#DECP_README#.rtf","#HELP-DECRYPT-FCRYPT1.1#.txt","#HOW_DECRYPT_FILES#.html","#HOW_TO_UNRIP#.txt","#NEWRAR_README#.rtf","#README_GMAN#.rtf","#RECOVERY-PC#.*","#RECOVERY_FILES#.*","#RECOVERY_FILES#.txt","#_#ReadMe#_#.rtf","#_#WhatWrongWithMyFiles#_#.rtf","#_DECRYPT_ASSISTANCE_#.txt","#_RESTORING_FILES_#.TXT","$%%! NOTE ABOUT FILES -=!-.html","$RECYCLE.BIN.{*-*-*-*}","(encrypted)","(encrypted)*","* .tdelf","* .vCrypt1","*!DMAlock*","*!recover!*.*","*+recover+*.*","*-DECRYPT.html","*-DECRYPT.txt","*-Lock.onion","*-PLIIKI.txt","*-filesencrypted.html","*-recover-*.*","*[email protected][email protected]","*.!emc","*.#","*.##ENCRYPTED_BY_pablukl0cker##","*.##___POLICJA!!!___TEN_PLIK_ZOSTA","*.#Locky","*.#__EnCrYpTED_BY_dzikusssT3AM_ransomware!__#","*.*.[[email protected]].angus","*.*.[[email protected]].com","*.*.[[email protected]].deal","*.*.[[email protected]].deuce","*.*.sell","*.*GEFEST","*.*cry","*.*crypto","*.*darkness","*.*exx","*.*kb15","*.*kraken","*.*locked","*.*locker*","*.*nochance","*.*obleep","*[email protected]","*...Files-Frozen-NEED-TO-MAKE-PAYMENT…","*..txt","*.0000","*.010001","*.0402","*.08kJA","*.0day","*.0riz0n","*.0wn3dyou","*.0x0","*.0x004867","*.0x009d8a","*.101","*.1500dollars","*.1999","*.1btc","*.1txt","*.1ywsmbo4","*.2048","*.24H","*.2cXpCihgsVxB3","*.2du1mj8","*.2k19","*.2k19sys","*.2lwnPp2B","*.2xx9","*.31342E30362E32303136*","*.31392E30362E32303136_*","*.3301","*.3674AD9F-5958-4F2A-5CB7-F0F56A8885EA","*.3P7m","*.3RNu","*.3nCRY","*.3ncrypt3d","*.3v3r1s","*.449o43","*.46d7k","*.490","*.491","*.492","*.4k","*.4rwcry4w","*.4x82N","*.509a49","*.59d49","*.619-300-6500","*.61yhi","*.63vc4","*.666","*.666decrypt666","*.686l0tek69","*.6FKR8d","*.6db8","*.707","*.725","*.726","*.73i87A","*.777","*.7h9r","*.7jo22z5m","*.7z.encrypted","*.7zipper","*.8637","*.888","*.8lock8","*.911","*.96e2","*.@decrypt2017","*.@decrypt_2017","*.A604AF9070","*[email protected]","*.A9V9AHU4","*.ABAT","*.ABCDEF","*.ACTUM","*[email protected]","*.ADR","*.AES","*.AES-NI","*.AES256","*.AFD","*.ANNABELLE","*.ARTEMY","*.ATLAS","*.AUDIT","*.AUF","*.AVco3","*.AYE","*.AZER","*.Acton","*.Acton.id[1AE26935-1085].[[email protected]].Acton","*.Acuf2","*.Adame","*.AdolfHitler","*.Alcatraz","*.AlfaBlock","*.Alkohol","*.Amigo","*.AngleWare","*.Angus","*.Annabelle2","*.Apollon865","*.AreYouLoveMyRansFile","*.Armage","*.Artemis","*.Athena865","*.Atom","*.Aurora","*.B10CKED","*.BANKS","*.BARRACUDA","*.BAWSUOOXE","*.BB4-230-*","*.BD.Recovery","*.BDKR","*.BELGIAN_COCOA","*.BIG1","*.BIG4+","*.BMCODE","*.BONUM","*.BORISHORSE","*.BORISHORSE…","*.BRT92","*.BUGWARE","*.BUSH","*.BaLoZiN","*.BadNews","*.BarRax","*.Barak","*.Bear","*.BeethoveN","*.Bill_Clinton@derpymailorg","*.Bitconnect","*.BlackHat","*.BlackPink","*.BlackRouter","*.Blocked2","*[email protected]","*.BtcKING","*.C0rp0r@c@0Xr@","*.CAGO","*.CASH","*.CCCRRRPPP","*.CEBER3","*.CHAK","*.CHE808","*.CHIP","*.CHRISTMAS","*.CIFGKSAFFSFYGHD","*.CIOP","*.CK","*.COCKROACH","*.COLORIT","*.CONFICKER","*.CONTACTUS","*[email protected]","*.COPAN","*.CQQUH","*.CQXGPMKNR","*.CRABSLKT","*.CRADLE","*.CROWN","*.CROWN!?","*.CRPTXXX","*.CRRRT","*.CRYPTED000007","*.CRYPTOBOSS","*.CRYPTOBYTE","*.CRYPTOSHIEL","*.CRYPTOSHIELD","*.CRYPTR","*.CRYZP","*.CTB2","*.CTBL2","*.CYBERGOD","*.CYRON","*.Caley","*.Calum","*.CerBerSysLocked0009881","*[email protected]","*.Chartogy","*.Clop","*.CommonRansom","*.Contact_Here_To_Recover_Your_Files.txt","*.Crab","*.Cry128","*.Cry36","*.Cry9","*.CrySiS","*.CryptWalker","*.CryptedOpps","*.CryptoTorLocker2015!","*.Crypton","*.CyberSCCP","*.CyberSoldiersST","*.Cyclone","*.D00mEd","*.D2550A49BF52DFC23F2C013C5","*.DALE","*.DARKCRY","*.DATASTOP","*.DATAWAIT","*.DATA_IS_SAFE_YOU_NEED_TO_MAKE_THE_PAYMENT_IN_MAXIM_24_HOURS_OR_ALL_YOUR_FILES_WILL_BE_LOST_FOREVER_PLEASE_BE_REZONABLE_IS_NOT_A_JOKE_TIME_IS_LIMITED","*.DECP","*.DESYNC","*.DEUSCRYPT","*.DEXTER","*.DG","*.DHDR4","*.DIABLO6","*.DMR64","*.DOCM!Sample","*.DQXOO","*.DREAM","*.DS335","*.DeLpHiMoRiX!@@@@_@@_@_2018_@@@_@_@_@@@","*.DeLpHiMoRiX*","*.Deniz_Kızı","*.DiskDoctor","*.Djvuu","*.Do_not_change_the_file_name.cryp","*.Doxes","*.EGG","*.EMAN","*.EMAN50","*.EMPTY","*.ENCR","*.ERIS","*.ERIS!","*.ERROR","*.EV","*.EXTE","*.EZDZ","*.Elder","*.Email=[[email protected]]ID=[*].KRONOS","*.Email=[[email protected]]ID=[*].odveta","*.EnCiPhErEd","*.EncrypTile","*.Encrypted","*.Encrypted5","*.Encrypted[[email protected]].XiaBa","*.Encrypted_By_VMola.com","*.Enter","*.EnyBenied","*.Epoblockl","*.Erenahen","*.ExpBoot","*.ExpBoot!","*.FASTBOB","*.FCrypt","*.FEROSUS","*.FFF","*.FIXT","*.FJ7QvaR9VUmi","*[email protected]","*.FREDD","*.FRS","*.FTCODE","*.FUNNY","*.Facebook","*.FailedAccess","*.FilGZmsp","*.File","*.FileSlack","*.Flux","*.Freezing","*.Frendi","*.Frivolity","*.Fuck_You","*.FuckedByGhost","*.G8xB","*.GBLOCK","*.GDCB","*.GEFEST","*.GETREKT","*.GG","*.GGGHJMNGFD","*.GILLETTE","*.GMAN","*.GMBN","*.GMPF","*.GORILLA","*.GOTHAM","*.GOTYA","*.GRANIT","*.GRHAN","*.GSupport3","*.Gefest3","*.GodLock","*.GrAnoSinSa","*.GrujaRS","*.HAPP","*.HCY!!","*.HELLO","*[email protected]","*.HHFEHIOL","*.HILDA","*.HRM","*[email protected]","*.HYENA","*.H_F_D_locked","*.Hades666","*.Hades666!","*.HakunaMatata","*.Harzhuangzi","*.Hermes","*.Hermes666","*.HeroesOftheStorm","*.Horriblemorning","*.Horros","*.Horse4444","*.Horsuke","*.How_To_Decrypt.txt","*.How_To_Get_Back.txt","*.I'WANT MONEY","*.ID-7ES642406.CRY","*.ILLNEST","*.INCANTO","*.INDRIK","*.INFOWAIT","*.ITLOCK","*.IWANT","*.Infinite","*.Ipcrestore","*.JAMES","*.JEEPERS","*.JFCWF","*.JKOUOGVG","*.JLCW2","*.JayTHL","*.JezRoz","*.Jumper","*.K8VfiZ","*.KARLS","*.KAxoAgY","*.KEYH0LES","*.KEYHOLES","*.KEYPASS","*.KEYZ","*.KEYZ.KEYH0LES","*.KICK","*.KK","*.KOK08","*.KOK8","*.KRAB","*.KRONOS","*.KUAJW","*.Kg9EX","*.Kiratos","*.L0CKED","*.L1LL","*.LAMBDA.LOCKED","*.LCKD","*.LDPR","*.LEGO","*.LGAWPULM","*.LIGHTNING","*.LIN","*.LOCK75","*.LOCKED.txt","*.LOCKED_BY_pablukl0cker","*.LOCKED_PAY","*.LOCKOUT","*.LOL!","*.LOLI","*.LOVE","*.LTML","*.LanRan*","*.LanRan2.0.5","*.Lazarus","*.Lazarus+!","*.LeChiffre","*.Locked-by-Mafia","*.Locked_file","*.Lockify","*.LolSec","*.LonleyEncryptedFile","*.Losers","*.Lost_Files_Encrypt","*.LoveYou","*.MATRIX","*.MAYA","*.MDEN","*.MDRL","*.MERRY","*.MIKOYAN","*.MMM","*.MMTeam","*.MOLE","*.MOLE00","*.MOLE01","*.MOLE02","*.MOLE03","*.MOLE04","*.MOLE66","*.MRCR1","*.MTC","*.MTXLOCK","*.MZ173801","*.MZ434376","*.MaMo434376","*.Malki","*.Marozka","*.Mcafee","*.Mercury","*.Mira","*.MyChemicalRomance4EVER","*.NEMTY_*","*.NEMTY_VFFXXXX","*.NEMTY_VFRLXV9","*.NEWRAR","*.NGSC","*.NHCR","*.NIGGA","*.NM4","*.NMCRYPT","*.NOBAD","*.NOLOST","*.NOOB","*.NOT","*.NOT_OPEN","*.NUMBERDOT","*.Nano","*.Navi","*.Neptune","*.Node0","*.Novosof","*.Nutella","*.O67NG","*.OBLIVION","*.OGONIA","*.OMG!","*.ONION","*.ONYC","*.ONYX","*.OOFNIK","*.OOOKJYHCTVDF","*.OQn1B","*.OTR","*.OXR","*.ObcKIn","*.OhNo!","*.Ordinal","*.Ox4444","*.PA-SIEM","*.PANDA","*.PAUSA","*.PAY","*.PAY_IN_MAXIM_24_HOURS_OR_ALL_YOUR_FILES_WILL_BE_PERMANENTLY_DELETED_PLEASE_BE_REZONABLE_you_have_only_1_single_chance_to_make_the_payment","*.PC-FunHACKED*","*.PEDANT","*.PEDO","*.PEGS1","*.PERSONAL_ID*","*.PHOBOS","*.PICO","*.PIRATE","*.PLANETARY","*.PLANT","*.PLIN","*.PLUT","*.PO1HG","*.POHU","*.POSHKODER","*.PRCP","*.PRIVAT66","*.PTGEPVEKM","*.PUMAX","*.PayDay","*.Persephone666!","*.Petya","*.Pig4444","*.PoAr2w","*.Pox","*.PrOtOnIs","*.PrOtOnIs.VaNdElIs","*.Prandel","*.Prodecryptor","*.Prt6aV9","*.Puma","*.QH24","*.Qtyu8vH5wDXf6OSWAm5NuA==ObcK","*.R.i.P","*.R16M01D05","*.R3K7M9","*.R4A","*.R4bb0l0ck","*.R5A","*.RAD","*.RADAMANT","*.RANSOM","*.RARE1","*.RASTAKHIZ","*.RDM","*.RDWF","*.REBL","*.REBUS","*.RECOVERYOURFILES","*.RENSENWARE","*.REVENGE","*.RJZUNA","*.RMCM1","*.ROGER","*.RRK","*.RSNSlocked","*.RSplited","*.RaaS","*.Ransed","*.RansomAES","*.RansomMine","*.ReadTheInstructions","*.Read_Me.Txt","*.RedEye","*.Reyptson","*.Rooster865qq","*.Rooster865qqZ","*.Ryuk","*.SALSA222","*.SANTANA","*.SATANA","*.SAVEYOURDATA","*.SAVEfiles","*.SBLOCK","*.SDEN","*.SENRUS17","*.SEPSIS","*.SERP","*.SEVENDAYS","*.SF","*.SHARK","*.SHRUG","*.SHRUG2","*.SKJDTHGHH","*.SKYSTARS","*.SLAV","*.SOLO","*.SONIC","*.SPCT","*.STOP","*.STOPDATA","*.SUPERCRYPT","*.SUSPENDED","*.SYMMYWARE","*.SaMsUnG","*.SaherBlueEagleRansomware","*.Satyr","*.SaveTheQueen","*.SaveTheQueenING","*.Scorpion","*.SecureCrypte","*.SecureCrypted","*.Server","*.ShutUpAndDance","*.Sifrelendi","*.Sil3nt5pring","*.Silent","*.SpartCript","*.Srpx","*.Stinger","*.SySS","*.TABGH","*.TEST","*.TGIF","*.THANATOS","*.THDA","*.TMS5","*.TR","*.TRMT","*.TROLL","*.TROLL,","*.TRUE","*.TaRoNiS","*.Tesla","*.Tfudeq","*.TheTrumpLockerf","*.TheTrumpLockerp","*.Tiger4444","*.Timestamp","*.Tor+","*.Tornado","*.TraNs","*.UIK1J","*.UIWIX","*.UKCZA","*.UNIT09","*.UNLIS","*.UselessFiles","*.VBRANSOM","*.VENDETTA","*.VIRUS","*.VIVAL","*.Vapor","*.Venusf","*.VforVendetta","*.VisionCrypt","*.W0YR8","*.WAITING","*.WALAN","*.WALAN,","*.WAND","*.WAmarlocked","*.WCRYT","*.WHY","*.WHY…","*.WINDOWS","*.WORMCRYPT0R","*[email protected]","*.WRNY","*.WWW","*.Wana Decrypt0r Trojan-Syria Editi0n","*.Where_my_files.txt","*.Whereisyourfiles","*.Work","*.Wx7A6","*.XBTL","*.XERO","*.XRNT","*.XVNAW","*.XY6LR","*.XZZX","*.Xcri","*.XiaoBa","*.XiaoBa1","*.XiaoBa34","*.XmdXtazX","*.XmdXtazX.","*.YAYA","*.YDHM","*.YIAQDG","*.YOLO","*.YOU-ARE-FUCKED-BY-BALILUWARE-(CODED-BY-HEROPOINT)","*.YOUR_LAST_CHANCE","*.YTBL","*.YYTO","*.YYYYBJQOQDU","*.Yakes","*.Z81928819","*.ZABLOKOWANE","*.ZAYKA","*.ZINO","*.ZW","*.Zeropadypt","*.Zimbra","*.Zzzz","*.[[email protected]].ETH","*.[[email protected]].BRAINCRYPT","*.[[email protected]].china","*.[[email protected]].java","*.[[email protected]].arena","*.[[email protected]].bat","*.[[email protected]].ETH","*.[[email protected]].mails","*.[[email protected]].lock","*.[[email protected]],CRP","*.[[email protected]].java","*.[[email protected]].java","*.[[email protected]].java","*.[ID-][].JSWRM","*.[ID62133703]","*.[ID=*2uJ][[email protected]].Lazarus","*.[ID=*][[email protected]].Lazar","*.[ID]*[ID]","*.[ID]*[ID]Look","*.[[email protected]]","*.[[email protected]].CRIPTOGRAFADO","*.[[email protected]].ETH","*.[[email protected]].WALLET","*.[[email protected]]","*.[[email protected]].*.WALLET","*.[SSSDKVNSDFITD]","*.[[email protected]].SEPSIS","*.[[email protected]]","*.[[email protected]].combo","*.[[email protected]].omerta","*.[[email protected]].phoenix","*.[[email protected]].onion","*.[[email protected]].*.WALLET","*.[[email protected]].ETH","*.[[email protected]].wallet","*.[[email protected]].amber","*.[[email protected]].nuclear","*.[[email protected]].blocking","*.[[email protected]].adobe","*.[[email protected]].CreamPie","*.[[email protected]].adobe","*.[[email protected]].java","*.[[email protected]].arena","*.[[email protected]].com","*.[[email protected]].nuclear","*.[[email protected]].bkc","*.[[email protected]].blind","*.[[email protected]].meduza","*.[[email protected]].btc","*.[[email protected]].ETH","*.[[email protected]]","*.[[email protected]]","*.[[email protected]]","*.[[email protected]].COCKROACH","*.[[email protected]].phoenix","*.[[email protected]].crab","*.[[email protected]].MERS","*.[[email protected]].aqva","*.[[email protected]].crypto","*.[[email protected]].*.WALLET","*.[[email protected]].war","*.[[email protected]]","*.[[email protected]].java","*.[[email protected]].java","*.[[email protected]].phobos","*.[[email protected]].ETH","*.[[email protected]].ETH","*.[[email protected]].888","*.[[email protected]]","*.[[email protected]].eV3rbe","*.[[email protected]].embrace","*.[[email protected]]","*.[[email protected]],","*.[[email protected]].everbe","*.[[email protected]].EVEREST","*.[[email protected]].EVIL","*.[[email protected]]","*.[[email protected]]","*.[[email protected]].eth.hv88g2","*.[[email protected]]","*.[[email protected]].ad","*.[[email protected]","*.[[email protected]]","*.[[email protected]].ETH","*.[[email protected]].insane","*.[[email protected]].gate","*.[[email protected]].maxicrypt","*.[[email protected]].adobe","*.[[email protected]]","*.[[email protected]].gamma","*.[[email protected]].yoba","*.[[email protected]].bin","*.[[email protected]].GFS","*.[[email protected]].NOT_OPEN","*.[[email protected]].dharma","*.[[email protected]].pain","*.[[email protected]].java","*.[papillon9275]","*.[[email protected]].arena","*.[[email protected]].adobe","*.[[email protected]].omerta","*.[[email protected]].brrr","*.[[email protected]].adobe","*.[[email protected]].plomb","*.[[email protected]]","*.[[email protected]].help","*.[[email protected]].b00m","*.[[email protected]].ETH","*.[[email protected]].scarab","*.[[email protected]].java","*.[[email protected]].java","*.[[email protected]].skeleton","*.[[email protected]]*.wallet","*.[[email protected]].omerta","*.[[email protected]].adobe","*.[[email protected]].java","*.[[email protected]].napoleon","*.[[email protected]].scarab","*.[[email protected]][email protected]","*.[[email protected]].ETH","*.[[email protected]].thunder","*.[[email protected]].костя","*.[[email protected]]","*.[[email protected]].volcano","*.[[email protected]].zq","*.[[email protected]].ws","*.[[email protected]].btc","*.[[email protected]].btc","*.[[email protected]][email protected]","*.[[email protected]].zoro","*._AiraCropEncrypted!","*._Crypted","*._NEMTY*","*._NEMTY_*_","*._NEMTY_BTKid9H_","*.__dilmaV1","*[email protected]_.btc","*._ryp","*.a19","*.a5zfn","*.a800","*.a990","*.aRpt","*.aa1","*.aaa","*.aajf","*.abc","*.abcd","*.acc","*.actin","*.actor","*.acuna","*.acute","*.adage","*.adam","*[email protected]","*.adk","*.adobe","*.adobee","*.aes!","*.aes128ctr","*.aes_ni","*.aes_ni_0day","*.aescrypt","*.aesir","*.aga","*.airacropencrypted!","*.akaibvn","*.akira","*[email protected]","*[email protected]","*.aleta","*.alien","*.alilibat","*.allcry","*.alosia","*[email protected]","*.am","*.amba","*.amber","*.amnesia","*.anami","*.andonio","*.android","*.andymarvin","*.angelamerkel","*.animus","*.anon","*[email protected]","*.anonymous","*.antihacker2017","*.anubi","*.ap19","*.aqva","*.area","*.arena","*.areyoulovemyrans","*.armadilo1","*.arrow","*[email protected]","*.asasin","*.asdasdasd","*.au1crypt","*.auw2w2g0","*.axx","*.azero","*.b00m","*.b0ff","*.b29","*.b5c6","*.b78vi7v6ri66b","*.b89b","*.bRcrypT","*.backup","*.badday","*.badutclowns","*.bagi","*.bam!","*.bananaCrypt","*.banjo","*.banta","*.bart","*.bart.zip","*.basilisque@protonmail_com","*.basslock","*.bbqb","*.beef","*.beep","*.beer","*.beets!Ransom","*.berost","*.berosuce","*.besub","*.betta","*.better_call_saul","*.bgCIb","*.bgtx","*.bguu","*.billingsupp","*.bip","*.birbb","*.bit","*.bitkangoroo","*.bitstak","*.biz","*.bizer","*.bk666","*.bkc","*.bkp","*.black007","*.blackruby","*.blank","*.bleep","*.bleepYourFiles","*.blind","*.blind2","*.bliun","*.bloc","*.blocatto","*.bloccato","*.block","*.block_file12","*.blocked","*.bloked","*.blower","*.bmn63","*[email protected]","*.bobelectron","*.bomber","*.booknish","*.boooam@cock_li","*.boost","*.bopador","*.bora","*.boris","*.boroff","*.boston","*.bot","*.bot!","*.braincrypt","*.breaking bad","*.breaking_bad","*.breakingbad","*.breeding123","*.brickr","*.bript","*.browec","*.brrr","*.brusaf","*.btc","*.btc -help-you","*.btc-help-you","*.btc.kkk.fun.gws","*.btcbtcbtc","*[email protected]","*.btcware","*.btix","*.budak","*.bufas","*.bunny","*.burn","*.bvjznsjlo","*.bwall","*.c300","*.cRh8","*.calix","*.cammora","*.canihelpyou","*.cap","*.carcn","*.carote","*.cassetto","*.cawwcca","*.cbf","*.cbs0z","*.cbu1","*.ccc","*.cccmn","*.ccryptor","*.cdrpt","*.cekisan","*.cerber","*.cerber2","*.cerber3","*.cerber6","*.cesar","*.cetori","*.cezar","*.cezor","*.cfk","*.cfm","*.charck","*.charcl","*.charm","*.charmant","*.chch","*.chech","*.checkdiskenced","*.cheetah","*.chekyshka","*.chifrator@qq_com","*.choda","*.ciphered","*.cizer","*.ckey(RandomID).email([email protected]).pack14","*.ckey(oK5WFfTq).email([email protected]).pack14","*.clean","*.clf","*.clinTON","*.cloud","*.cmb","*.cmsnwned","*.cnc","*.cobain","*.cobra","*.cock.email","*.cock.li","*.cockista","*.code","*.coded","*[email protected]","*.codnat","*.codnat1","*.codnet","*.codnet1","*[email protected]","*.coharos","*.coin","*[email protected]","*.com2","*.combo","*.comrade","*.condat","*[email protected]","*.coot","*.corrupted","*.cosakos","*.country82000","*.coverton","*.cr020801","*.cr1","*.crabs","*.craftul","*.crash","*.crashed","*.crazy","*.creeper","*.crime","*.crinf","*.cripted","*.criptiko","*.criptokod","*.cripton","*.cripttt","*.crjocker","*.crjoker","*.croc","*.crptd","*.crptrgr","*.cry","*.crybrazil","*.crying","*.cryp1","*.crypt","*.crypt1","*.crypt12","*.crypt2019","*.crypt38","*.crypt888","*.crypte","*.crypted","*.crypted!Sample","*.crypted034","*.crypted_bizarrio@pay4me_in","*.crypted_file","*.crypted_marztoneb@tutanota_de","*.crypted_pony_test_build*","*.crypted_pony_test_build_xxx_xxx_xxx_xxx_xxx","*.cryptes","*.cryptfile","*.cryptgh0st","*.crypto","*.cryptoNar","*.cryptoid","*.cryptojoker","*.cryptolocker","*.cryptotorlocker*","*.cryptowall","*.cryptowin","*.crypttt","*.cryptx*","*.cryptz","*.crypz","*.cs16","*.cspider","*.ctbl","*[email protected]","*.cube","*.cxk_nmsl","*.cxkdata","*.cyberdrill","*.cypher","*.czvxce","*.d3g1d5","*.d4nk","*.dCrypt","*.da_vinci_code","*.dalle","*.damage","*.damoclis","*.danger","*.daris","*.darkness","*.darus","*.datun","*.david","*[email protected]","*.dbger","*.dcom","*.dcry","*.ddos","*.ddpcbi","*.deal","*.decodeme666@tutanota_com","*.decodeme666tutanota_com","*.decrypme","*.decrypt2017","*[email protected]","*.decryptgarranty","*.decryptional","*.ded","*.dedo","*.deep","*.defender","*.demonslay335_you_cannot_decrypt_me!","*.deria","*.derp","*.desu","*.dfjhsalfhsakljfhsljkahfdjklashfdjklh","*.dharma","*.dian","*.die","*[email protected]","*.diller13","*.disposed2017","*.divine","*.djuvq","*.djvup","*.djvuq","*.djvur","*.djvus","*.djvut","*.dlenggrl","*.dmo","*.dodger","*.dodoc","*.dolphin","*.dom","*.domino","*.domn","*[email protected]","*.donut","*.doomed","*.doples","*.dotmap","*.doubleoffset","*.dqb","*.dragnea","*.drume","*.drweb","*.ducueyuav","*.duhust","*.dutan","*.dviide","*.dwbiwty","*.dxjay","*.dxxd","*.dy8wud","*.dyaaghemy","*.dyatel@qq_com","*.e4m","*.eQTz","*.eTeRnItY","*.ebay","*.ecc","*.eclr","*.eddldzor","*.edgel","*.eky","*.elpvd","*.embrace","*.emilysupp","*.emsisosisoft","*.enc","*.enc_robbinhood","*.encedRSA","*.encencenc","*.encmywork","*.encoderpass","*.encrptd","*.encrypt","*.encryptd","*.encrypted.locked","*.encryptedAES","*.encryptedALL","*.encryptedRSA","*.encrypted[[email protected]]","*.encrypted_backup","*.encryptedped","*.encryptedyourfiles","*.enigma","*.enjey","*.eoeo","*.epic","*.etols","*.euclid","*.evil","*.evillock","*.evolution","*.evopro","*[email protected]","*.excuses","*.executioner","*.exotic","*.exploit","*.explorer","*.extension.srpx","*.exx","*.ezz","*.ezzyl","*.f*cked","*.fairytail","*.fake","*.fantom","*.fartplz","*.fast","*.fastrecovery.xmpp.jp","*[email protected]","*[email protected]","*.fat32","*.fbuvkngy","*.fedasot","*.ferosas","*.file0locked","*.filegofprencrp","*.fileiscryptedhard","*.filesfucked","*.filock","*.fire","*.firecrypt","*.firmabilgileri","*.fix","*.flat","*.flyper","*.fmoon","*.forasom","*.fordan","*.format","*.fox","*.freefoam","*.frend","*.frmvrlr2017","*.frtrss","*.fsdfsdfsdfsdfsdfsfdsfs","*.fuXcF","*.fuchsia","*.fuck","*.fuck_you_av_we_are_not_globe_fake","*.fucked","*.fucku","*.fuckyourdata","*.fun","*.g0h8iwj","*.g^od","*.game","*.gamma","*.gangbang","*.gankLocked","*.garcewa","*.garrantydecrypt","*.gate","*.gdb","*.ge010gic","*.ge0l0gic","*.ge0l0gic_readme.txt","*.gefickt","*.gehad","*.gembok","*.geno","*.gerber5","*.gero","*.gerosan","*.gesd","*.ghost","*.gigahertz","*.globe","*.gocr","*.godes","*.godra","*.goforhelp","*.gommemode","*.good","*.gore","*.gotcha","*.gr3g","*.granny","*[email protected]","*.grod","*.gropas","*.group","*.grovas","*.grovat","*.grt","*.grupothermot3k","*.grux","*.gruzin@qq_com","*.gryphon","*.guarded","*.guesswho","*.gui","*.gusau","*.guvara","*.gws","*.gws.porno","*.gоod","*.h3ll","*.hNcrypt","*.ha3","*.hac","*.hackdoor","*.hacked","*.hacked.by.Snaiparul","*.haka","*.hannah","*.happenencedfiles","*.happy","*.happydayzz","*.happyness","*.harma","*.hasp","*.haters","*.hb15","*.hccapx","*.hceem","*.hcked","*.hdeaf","*.hdmr","*.heets","*.heisenberg","*.help.Ransom","*[email protected]","*.help_restore*.*","*[email protected]","*.helpdecrypt@ukr*.net","*[email protected]","*.helpdecrypt@ukr_net","*.helpmeencedfiles","*[email protected].*","*.herad","*.herbst","*.hermes837","*.heroset","*.hese","*.hets","*.hilegofprencrp","*.hitler","*.hjgdl","*.hncdumn","*.hnumkhotep","*[email protected]","*.hnyear","*.hofos","*.honor","*.horon","*[email protected]","*.how_to_recover*.*","*.howcanihelpusir","*.hrosas","*.htrs","*.hush","*.hydracrypt_ID*","*.hydracrypt_ID_*","*.iGotYou","*.iaufhhhfiles_BACK_PLS_READ.html","*.iaufhhhhfiles_BACK_PLS_READ.html","*.iaufkakfhsaraf","*.id-*.[*@*].*","*.id-*.[[email protected]].pdf","*.id-*.[[email protected]].harma","*.id-*.[[email protected]].harma","*.id-*.[adm15@pr…","*.id-*.[[email protected]].money","*.id-*.[[email protected]].bot","*.id-*.[[email protected]].ROGER","*.id-*.[[email protected]].asd","*.id-*.[[email protected]].ROGER","*.id-*.[[email protected]].html","*.id-*.[[email protected]].harma","*.id-*.[[email protected]","*.id-*.[[email protected]].dqb","*.id-*.[[email protected]].KARLS","*.id-*.[[email protected]].redrum","*.id-*.[[email protected]].USA","*.id-*.[[email protected]].com","*.id-*.[[email protected]].html","*.id-*.[[email protected]].kharma","*.id-*.[[email protected]].adobe","*.id-*.[[email protected]].html","*.id-*.cmb","*.id-*6.[[email protected]].pdf","*.id-*E6.[[email protected]].pdf","*.id-.[[email protected]].nvram","*.id-.[[email protected]].harma","*.id-.[[email protected]].harma","*.id-02B52D6C.[[email protected]].java","*.id-3044989498_x3m","*.id-502F1F51.[[email protected]].KICK","*.id-C4BA3647.[[email protected]].cmd","*.id.*.crazy","*.id[********-1161].[[email protected]].actin","*.id[*-*].[[email protected]].deal","*.id[*-*].[[email protected]].acute","*.id[*-*].[[email protected]].adage","*.id[*-1075].[[email protected]].help","*.id[*-1135].[[email protected]].actin","*.id[*-1161].[[email protected]].actin","*.id[*-2242].[Ke…","*.id[*-2252].[[email protected]].adage","*.id[*-2266].[[email protected]].Adair","*.id[*-2275","*.id[*-2275].[[email protected]].Adame","*.id[*-2275].[[email protected]].Adame","*.id[*-2275].[[email protected]].Adame","*.id[*-2275].[supportcrypt2019@cock…","*.id[*-2299].[[email protected]].phoenix","*.id[*-2300].[[email protected]].banjo","*.id[*-2315].[[email protected]].Banks","*.id[*-2325].[[email protected]].Banta","*.id[*-2345].[[email protected]].Banta","*.id[*-2387].[[email protected]].Barak","*.id[*-2394].[[email protected]].Caleb","*.id[*-2416].[[email protected]].Caley","*.id[*-2423].[[email protected]].dealemail","*.id[*-2425].[*n*@cock.li].Caley","*.id[*-2465].[[email protected]].Calum","*.id[*-2495].[[email protected]].age","*.id[*-2497].[[email protected]].octopus","*.id[*-2542].[[email protected]].Dever","*.id[*].[[email protected]].Calum","*.id[6AB8ABF5-2346].[limboshuran@cock].banta","*.id[C4BA3647-2250].[[email protected]].adage","*.id[C4BA3647-2271].[[email protected]].BORISHORSE","*.id[C4BA3647-2299].[[email protected]].phoenix","*.id[C4BA3647-2301].[[email protected]].banjo","*.id[RandomIP].[[email protected]].help","*.id_*********_.WECANHELP","*.id_*_.YOUR_LAST_CHANCE!","*.ifuckedyou","*.igza4c","*.ihsdj","*.iloveworld","*.impect","*.improved","*.imsorry","*.incpas","*.infected","*.infileshop@gmail_com_ID44","*.info","*.info@mymail9[dot]com","*.info@sharebyy[dot]com","*[email protected]","*.insane","*.insta","*.invaded","*.ipygh","*.ironhead","*.isis","*.isolated","*.ispfv","*.israbye","*.iudgkwv","*.iwanthelpuuu","*.jack","*.jaff","*.jamper","*.jbptlio","*.jc","*.jcry","*[email protected]","*.jes","*.jewsomware","*.jey","*.jimm","*.jodis","*.josep","*.jse","*.jsworm","*[email protected]*","*.jungle@anonymousspechcom","*.junior","*.junked","*.jupstb","*.justbtcwillhelpyou","*.justice","*.jzphmsfs","*.k0stya","*.kali","*.karl","*.karne","*.katipuneros","*.katyusha","*.kci0n","*.kcwenc","*.ke3q","*.kee","*.keepcalm","*.kencf","*.kernel_complete","*.kernel_pid","*.kernel_time","*.kes$","*.keybtc@inbox","*.keybtc@inbox_com","*.kezoz","*.kgpvwnr","*.kilit","*.kill","*.killedXXX","*.kimchenyn","*.kimcilware","*.kimcilware.locked","*.king_ouroboros*","*.kirked","*.kiss","*.kitty","*.kjh","*.kkk","*.klope","*.kodg","*.kok","*.korea","*.koreaGame","*.korrektor","*.kostya","*.kovasoh","*.kr","*.kr3","*.kraken","*.kratos","*.kraussmfz","*.kropun","*.kroput","*.kroput1","*.krusop","*.krypted","*.kryptonite","*.krzffw","*.ktuhzxpi","*.kuntzware","*.kuub","*.kvag","*.kvllyatprotonmaildotch","*.kwaaklocked","*.kyra","*.lalabitch","*.lalabitch,","*.lambda.l0cked","*.lambda_l0cked","*.lamo","*.langolier","*.lanset","*.lapoi","*.lbiaf6c8","*.lbkut","*.lcked","*.lcphr","*.lcphr!Ransom","*.leen","*.leenapidx","*[email protected]","*.legacy","*.legion","*.leon","*.les#","*.lesli","*.letmetrydecfiles","*.leto","*.lfk","*.lfv77az","*[email protected]","*.like","*.lilocked","*.limbo","*.lime","*.litar","*.litra","*.litra!Sample","*.lock93","*.lockd","*.locked","*.locked-*","*.locked.zip","*.locked3","*.locked_by_mR_Anonymous(TZ_HACKERS)","*.lockedfile","*.lockedgood","*.locker","*[email protected]","*.locklock","*.lockme","*.locky","*.lockymap","*.lokas","*.lokf","*.lokitus","*.lol","*.lolita","*.londec","*.loptr","*.lordofshadow","*.lost","*.lotej","*.lotep","*.loveransisgood","*.lovewindows","*.loveyouisreal","*.luboversova148","*.luceq","*.luces","*.lucky","*.lukitus","*.lukitus-tiedostopäätettä","*.lurk","*.m3g4c0rtx","*.m3ga","*.m3ga*","*.m3gac0rtx","*.madebyadam","*.madek","*.madekv120","*.mafee","*.magic","*.magic_software_syndicate","*.mailto[[email protected]].82a80","*.major","*.makkonahi","*.maktub","*.malwarehunterteam","*.mamasitaq","*.mamba","*.mammon","*.maniac","*.mapo","*.mariacbc","*.mars","*.masked","*.masodas","*.masok","*.master","*.maxicrypt","*.maysomware","*.mbed","*.mbrcodes","*.mdk4y","*.mecury","*.medal","*.medsv162","*.megac0rtx","*.megacortex","*.meka","*.mention9823","*.merl","*.mers","*.messenger-*","*.metan","*.mich","*.micro","*.middleman2020","*.mike","*.mind","*.mo7n","*.mockba","*.mogera","*.mogranos","*.moka","*.moments2900","*.money","*.monro","*.mordor","*.moresa","*.mosk","*.mouse","*.ms13","*.msj","*.msop","*.mtk118","*.mtogas","*.muhstik","*.muslat","*.mvp","*.myjob","*.myransext2017","*.myskle","*.n3xtpharma","*.n7ys81w","*.nWcrypt","*.nacro","*.nakw","*.nalog@qq_com","*.napoleon","*.nasoh","*.nazcrypt","*.nbes","*.ndarod","*.ndpyhss","*.needdecrypt","*.needkeys","*.neitrino","*.nelasod","*.nemesis","*.nemo-hacks.at.sigaint.org","*.nemty","*.neras","*.nesa","*.netn6","*.newlock","*.news","*.nhHtFWV","*.ninja","*.no_more_ransom","*.no_more_ransomware","*.noblis","*.nochance","*.nols","*.non","*.noos","*.nopasaran","*.noproblemwedecfiles","*.norvas","*.nosafe","*.nostro","*.notfoundrans","*.novasof","*.nozelesn","*.nsmf","*.ntu","*.ntuseg","*.nuclear","*.nuclear55","*.nuke55","*.nuksus","*.nusar","*.nvetud","*.nvram","*.nytom","*.o$l","*.obagarmrk","*.obfuscated","*.ocean","*.octopus","*.odcodc","*.odin","*.odveta","*.ogre","*.okean*","*.okokokokok","*.olduw","*.oled","*.omerta","*.omnisphere","*.one","*.one-we_can-help_you","*.oneway","*.oni","*[email protected]","*.onlinesupport","*.only-we_can-help_you","*.onx","*.onyon","*.oops","*.oor","*.open_readme.txt.ke3q","*[email protected]","*.oplata@qq_com","*.orion","*.oshit","*.osiris","*.osk","*.oslawcmme","*.otherinformation","*.owned","*.p3d374","*.p5tkjw","*.pablukCRYPT","*.pabluklocker","*.pack14","*.padcrypt","*.parad1gm","*.parrot","*.partially.cryptoNar","*.partially.cryptojoker","*.pay2me","*.paybtcs","*.paycoin","*.paycyka","*.payfordecrypt","*[email protected]","*.payforunlock","*.paym","*.paymds","*.paymrss","*.paymrts","*.payms","*.paymst","*.paymts","*.payransom","*.payrms","*.pays","*.paytounlock","*.pdcr","*.pdf.p3rf0rmr","*.pdf_Axffyq_{[email protected]}.p3rf0rm4","*.pdff","*.pedro","*.peet","*.pennywise","*.peosajwqfk","*.peta","*.petra","*.pfanz","*.phantom","*.phoenix","*.pidom","*.pidon","*.piny","*.pizda@qq_com","*.pizdec","*.pizdosik","*.pky","*.plauge17","*.pleaseCallQQ","*.pluto","*.pnr","*.poof","*.poolezoor","*.poop","*.popotic","*.popoticus","*.porno","*.porno.pornoransom","*.pornoransom","*.potato","*.powerfuldecrypt","*.powerfulldecrypt","*.powned","*.poyvonm","*.ppam","*.pr0tect","*.predator","*.proced","*.proden","*.promock","*.promoks","*.promorad","*.promorad2","*.promos","*.promoz","*.prosperous666","*.prus","*.pscrypt","*.psh","*.pulsar1","*.pumas","*.purge","*.pwned","*.pysa","*.pzdc","*.qbix","*.qbtex","*.qnbqw","*.qq_com*","*.qwerty","*.qweuirtksd","*.qwex","*.qwqd","*.r3store","*.radman","*.raid10","*.raldge","*.raldug","*.ram","*.ramen","*.rand","*.ranranranran","*.ranrans","*.ransomcrypt","*[email protected]","*.ransomwared","*.rapid","*.rat","*.razarac","*.razy","*.razy1337","*.rcrypted","*.rdmk","*.reaGAN","*.read_to_txt_file.yyto","*.readme_txt","*.realfs0ciety*","*[email protected]","*.recme","*.reco","*.recovery_email_[[email protected]]*.aes256","*[email protected]__*_.aes256.testE","*.recry1","*.rectot","*.redl","*.redmat","*.redrum","*.refols","*.rekt","*.relock@qq_com","*.remind","*.rencrypted","*.rent","*.restore_fi*.*","*.resurrection","*.revolution","*[email protected]","*.rezuc","*.righ","*.rip","*.risk","*.rjzR8","*.rnsmwr","*.rnsmwre","*.robbinhood","*.robinhood","*.rokku","*.roland","*.roldat","*.rontok","*.rose","*.rpd","*.rsalive","*.rsucozxze","*.rtyrtyrty","*.rumba","*.rumblegoodboy","*.ryk","*.ryp","*.ryx","*.s1crypt","*.sVn","*.safe","*.sage","*.sambo","*.sambo,","*.same","*.sanction","*.sanders4!","*.sapphire","*.sarut","*.satan","*.saturn","*.scarab","*.scl","*.scorpio","*.scrcrw","*.sdk","*.sdwwbrb","*.sea","*.secure","*.securityP","*.seed","*.serpent","*[email protected]","*.sexy","*.sfs","*.sgood","*.sguard","*.shade8","*.shadi","*.shadow","*.shariz","*.shelbyboom","*.shifr","*.shinigami","*.shino","*.shit","*.shutdown57","*.sifreli","*.sigrun","*.sinopal","*.sinta","*.si…","*.sjjpu","*.skunk","*.skvtb","*.sky","*.skymap","*.skynet","*.skype","*.slvpawned","*.snake","*.snake4444","*.snatch","*.son","*.sophos","*.sorry","*.sorryforthis","*.spaß","*.spectre","*.spider","*.spora","*.sport","*.spyhunter","*.sr0yz","*[email protected]","*.sshxkej","*[email protected]","*.stare","*[email protected]","*.stn","*.stone","*.stroman","*.stun","*.styver","*.styx","*.suffer","*.sun","*[email protected]?Unusual","*.supported2017","*[email protected]","*.suppose666","*.surprise","*.sux","*.sux.AES128","*.switch","*.symbiom_ransomware_locked","*.syrk","*.sysdown","*.szesnl","*.szf","*.tabufa","*.tanos","*.tastylock","*.tater","*.tax","*.technicy","*.tedcrypt","*.telebak","*.tfude","*.tfudet","*.tgmn","*.theva","*.theworldisyours","*.thor","*.thunder","*.tmp.exe","*[email protected]","*.todar","*.todarius","*.toec","*.tokog","*.toxcrypt","*[email protected]","*.triple_m","*.tro","*.tron","*.tronas","*.trosak","*.troyancoder@qq_com","*.truke","*.trump","*.trun","*.try","*.tsv","*.ttt","*[email protected]","*.tunca","*.twist","*.tzu","*.uDz2j8mv","*.ucftz*","*.udjvu","*[email protected]","*.ukr.net*","*.ukrain","*.unavailable","*.unbrecrypt_ID_*","*.upd9ykc65v","*.usr0","*.uudjvu","*.vCrypt1","*.vaca","*.vally","*.vanss","*.vault","*.vdul","*.velikasrbija","*.velso","*.vendetta2","*.venusp","*.veracrypt","*.verasto","*.verschlüsselt","*.vesad","*.vesrato","*.via","*.viiper","*.viki","*.vindows","*.volcano","*.vpgvlkb","*.vrmrkz","*.vscrypt","*.vulston","*.vusad","*.vvv","*.vxLock","*.wal","*.wallet","*.wannacash","*.wannacryv2","*.warn_wallet","*.wasted","*.wav_list","*.wcry","*.wctc","*.wdie","*.weapologize","*.weareyourfriends","*.weencedufiles","*.werd","*[email protected]","*.wflx","*.whatthefuck","*.whycry","*.wiki","*.wincry","*.windows10","*.wlu","*.wmfxdqz","*.wncry","*.wncrypt","*.wncryt","*.wndie","*.wnry","*.wooly","*.wowreadfordecry","*.wowreadfordecryp","*.wowwhereismyfiles","*.write","*.write_on_email","*.write_us_on_email","*.wsmile","*.wtdi","*.wtf","*.wuciwug","*.wvtr0","*.wxdrJbgSDa","*.wyvern","*.x0lzs3c","*.x1881","*.x3m","*.x3mpro","*.xcry7684","*.xcrypt","*.xdata","*.xfile","*.xhspythxn","*.xiaoba10","*.xiaoba11","*.xiaoba12","*.xiaoba13","*.xiaoba14","*.xiaoba15","*.xiaoba16","*.xiaoba17","*.xiaoba18","*.xiaoba19","*.xiaoba2","*.xiaoba20","*.xiaoba21","*.xiaoba22","*.xiaoba23","*.xiaoba24","*.xiaoba25","*.xiaoba26","*.xiaoba27","*.xiaoba28","*.xiaoba29","*.xiaoba3","*.xiaoba30","*.xiaoba31","*.xiaoba32","*.xiaoba33","*.xiaoba4","*.xiaoba5","*.xiaoba6","*.xiaoba7","*.xiaoba8","*.xiaoba9","*.xncrypt","*.xolzsec","*.xorist","*.xort","*.xoza","*.xrtn","*.xtbl","*.xuy","*.xwz","*.xxx","*.xxxxx","*.xyz","*.xz","*.yG","*.yarraq","*.yatron","*.ykcol","*.yl","*.yoewy","*.youransom","*.yourransom","*.yq75w627","*.yum","*.z3r0","*.zXz","*.zatrov","*.zbt","*.zc3791","*.zcrypt","*.zendr4","*.zeppelin","*.zepto","*.zilla","*.ziqzqzdi","*.zlpzdel","*.zobm","*.zoh","*.zorin","*.zoro","*.zorro","*.ztsysjz","*.zuzya","*.zycrypt","*.zyklon","*.zypto*","*.zzz","*.zzz12","*.zzzzz","*.zzzzzzzz","*.{25BF1879-A2DC-B66A-3CCC-XXXXXXXXXXXX}","*.{[email protected]}CMG","*.{CRYPTENDBLACKDC}","*.{[email protected]}.exe","*.{[email protected]}KBK","*.{XXXXX-EFEE-6C04-D2DC-A9EFA812DD11}!","*.{XXXXXXX-588E-7D5B-AED1-2CD51808DE12}","*.{[email protected]}.ARA","*.{[email protected]}.BRT92","*.{[email protected]}","*.{[email protected]}MTP","*.{[email protected]}.BRT92","*.~HL*","*.~xdata~","*.Защищено","*.инструкция по оплате.txt","*.кибер разветвитель","*.已加密","*.干物妹!","*.암호화됨","*0nl1ne*","*@*.blocking","*@LOCKED","*@adsoleware.com*","*@cock.email","*@cock.lu*","*@cumallover.me*","*@files.mn*","*@gmail_com_*","*@india.com*","*@sectex*net*","*@tfwno.gf*","*@tuta.io]","*@tutanota.com]","*ABAT*INFO*.*","*BlockBax*","*[email protected]","*ENCx45cR*","*EdgeLocker*.exe","*HERMES","*How to Decrypt Files-*.html","*Instraction*","*RANSOMED*","*RT4BLOCK","*ReadMe_Decryptor.txt","*SIMMYWARE*","*[[email protected]].bip","*[[email protected]]","*[[email protected]]*","*[[email protected]].*","*[[email protected]].rar","*[[email protected]].write","*[[email protected]].phobos","*[[email protected]].java","*[java2018@tuta io].arrow","*[[email protected]].wallet","*[[email protected]].com","*[[email protected]].HRM","*[[email protected]].HRM","*[[email protected]].JSWORM","*[[email protected]].pip","*].block","*_.rmd","*_HELP_instructions.html","*_HOWDO_text.bmp","*_HOWDO_text.html","*_READ_THIS_FILE_*_*","*_WHAT_is.html","*_[[email protected]][JINNYG@TUTANOTA","*__{}.VACv2","*_crypt","*_help_instruct*.*","*_luck","*_nullbyte*","*_recover_*.*","*_ryp","*[email protected]_","*adobe.gefest","*aes_ni_gov","*[email protected]","*cerber2","*decipher*","*decrypt my file*.*","*decrypt your file*.*","*decryptmyfiles*.*","*djvuu","*[email protected]*","*files_are_encrypted.*","*[email protected]*","*[email protected]","*gmail*.crypt","*help_restore*.*","*how_to_recover*.*","*id-*.BI_ID","*id-*_[*@*.*].*","*id-.LyaS","*[email protected][email protected]","*install_tor*.*","*keemail.me*","*king_ouroboros*","*[email protected]","*[email protected]","*msptermthemes*","*[email protected]","*qibfmkeM5*","*qq_com*","*qweasd*","*rec0ver*.*","*recover_instruction*.*","*recover}-*.*","*restore_fi*.*","*snowpicnic*","*structsstructs*","*tflower*","*ukr.net*","*wall.i","*want your files back.*","*warning-!!*.*","*[email protected]","*zn2016","*{[email protected]}.CORP","---README---.TXT",". vesrato","..g.",".0x0",".1999",".1txt",".31392E30362E32303136_[*]_LSBJ1",".6vr378txi",".73i87A",".777",".7h9r",".8lock8",".AES256",".AFD",".Alcatraz",".AngleWare",".BarRax",".CCCRRRPPP",".CHIP",".CONTACTUS",".CRRRT",".CRYPTOSHIEL",".CRYPTOSHIELD",".CTB2",".CTBL",".CrySiS",".CryptoTorLocker2015!",".DALE",".DATASTOP",".DATAWAIT",".DHARMA",".DIABLO6",".Do_not_change_the_filename",".ENC",".ENCR",".ENCRYPTED",".ENCRYPTED_BY_LLTP",".ENCRYPTED_BY_LLTPp",".EnCiPhErEd",".EnCrYpTeD",".Encrypted",".FenixIloveyou!!",".FuckYourData",".H3LL",".HA3",".INFOWAIT",".KARLOS",".KEYH0LES",".KEYPASS",".KEYZ",".KRAB",".Kirked",".L0CKED",".L0cked",".LOL!",".LeChiffre",".Licked",".Locked",".Locked-by-Mafia",".MERRY",".MKJL",".MRCR1",".OMG!",".OMG*",".PAUSA",".PEGS1",".PLAUGE17",".PLUT",".PoAr2w",".PzZs",".R.i.P",".R16M01D05",".R4A",".R5A",".RAD",".RADAMANT",".RARE1",".RDM",".REVENGE",".RMCM1",".RRK",".RSNSlocked",".RSplited",".SAVEfiles",".STOP",".STOPDATA",".SUPERCRYPT",".SUSPENDED",".SecureCrypted",".Silent",".TheTrumpLockerf",".TheTrumpLockerfp",".VBRANSOM",".Venusf",".Venusp",".VforVendetta",".WAITING",".WCRY",".WHY",".WNCRY",".Where_my_files.txt",".Whereisyourfiles",".XRNT",".XTBL",".XXX",".Z81928819",".ZINO",".[*].blt",".[*].encrypted",".[*].globe",".[*].raid10",".[*]_luck",".[[email protected]].dcrtr",".[[email protected]]",".[[email protected]].help",".[[email protected]].*","._AiraCropEncrypted",".__AiraCropEncrypted!",".___xratteamLucked",".a19",".aaa",".abc",".adk",".adobe",".adobee",".adr",".aes",".aesir",".aga",".amba",".angelamerkel",".antihacker2017",".ap19",".axx",".bart",".bart.zip",".berost",".besub",".better_call_saul",".bin",".bip",".bitstak",".bleep",".bleepYourFiles",".bloc",".blocatto",".blower",".boston",".braincrypt",".breaking_bad",".bript",".browec",".btc",".btc-help-you",".btcbtcbtc",".btcware",".bufas",".bxtyunh",".cbf",".ccc",".cerber",".cerber2",".cerber3",".cezor",".charck",".charcl",".chech",".chifrator@qq_com",".cifgksaffsfyghd",".clf",".code",".coded",".codnat",".codnat1",".comrade",".coverton",".cr1",".crashed",".crime",".crinf",".criptiko",".criptoko",".criptokod",".cripttt",".crjoker",".crptrgr",".crptxxx",".cry",".cry_",".cryp1",".crypt",".crypt*",".crypt38",".crypted",".crypted_file",".crypto",".cryptolocker",".crypttt",".cryptz*",".crypz",".css",".ctbl",".czvxce",".d4nk",".dCrypt",".da_vinci_code",".dalle",".damage",".darkness",".davda",".decrypt2017",".ded",".deria",".devil",".dglnl",".dharma",".disappeared",".djvu",".djvuq",".djvur",".djvus",".djvut",".djvuu",".domino",".doomed",".doples",".dotmap",".drume",".dutan",".dxxd",".dyatel@qq_com _ryp",".ecc",".edgel",".enc",".encedRSA",".encmywork",".encoderpass",".encrypt",".encrypted",".encryptedAES",".encryptedRSA",".encryptedyourfiles",".enigma",".epic",".eth",".etols",".evillock",".exotic",".exx",".ezz",".fantom",".fear",".fedasot",".ferosas",".file0locked",".fileiscryptedhard",".filock",".firecrypt",".forasom",".fordan",".frtrss",".fs0ciety",".fuck",".fucked",".fun",".gefickt",".gerosan",".good",".googl",".grovas",".grovat",".grt",".gruzin@qq_com",".guvara",".gws",".h3ll",".ha3",".hannah",".hb15","[email protected]",".helpmeencedfiles",".herbst",".heroset",".hets",".hnumkhotep",".hofos",".horon",".hrosas",".html",".hush",".iaufkakfhsaraf",".id-*.[*@*].air",".id-*.cry",".id-*[email protected]",".id-[*][email protected]","[email protected]_","[email protected]","[email protected]_",".id-_locked",".id-_locked_by_krec",".id-_locked_by_perfect","[email protected]_",".id-_r9oj","[email protected]_","[email protected]_",".id-_x3m",".iloveworld",".infected",".isis",".iwanthelpuuu",".jack",".justbtcwillhelpyou",".karma",".kencf",".keybtc@inbox_com",".killed*",".kimcilware",".kiratos",".kkk",".klope",".korrektor",".kostya",".kr3",".kraken",".kratos",".kropun",".kroput",".kroput1",".kuub",".lambda_l0cked",".lanset",".lesli",".letmetrydecfiles",".litar",".lock",".lock93",".locked",".locked-[*]",".locklock",".locky",".lokas",".lotep",".lovewindows",".luces",".lukitus",".madebyadam",".magic",".maktub",".megac0rtx",".micro",".mike!Ransom",".mogera",".mole",".mole02",".moresa",".muslat",".myskle",".nalog@qq_com",".nampohyu",".neitrino",".nemo-hacks.at.sigaint.org",".neras",".no_more_ransom",".nochance",".noproblemwedecfiles",".norvas",".notfoundrans",".nuclear55",".nusar",".odcodc",".odin",".ohwqg",".only-we_can-help_you",".oops","[email protected]",".oplata@qq_com",".oshit",".osiris",".otherinformation",".p5tkjw",".padcrypt",".paybtcs",".payms",".paymst",".payransom",".payrmts",".paytounlock",".pdff",".phobos",".pidon",".pizda@qq_com",".plomb",".poret",".porno",".potato",".powerfulldecrypt",".proden",".promock",".promok",".promoks",".promorad",".promorad2",".promos",".promoz",".protected",".pulsar1",".puma",".pumas",".pumax",".purge",".pzdc",".r5a",".radman",".raldug",".razy",".rdmk",".rectot",".redmat",".refols",".rekt",".relock@qq_com",".remind","[email protected]",".rezuc",".rip",".rmd",".rnsmwr",".rokku",".roland",".roldat",".rumba",".sage",".sanction",".sarut",".scarab",".scl",".serpent",".sexy",".shadow",".shino",".shit",".sifreli",".skymap",".sport",".stn",".stone",".surprise",".szf",".tfude",".tfudeq",".tfudet",".theworldisyours",".thor",".todarius",".toxcrypt",".tro",".tronas",".trosak",".troyancoder@qq_com",".truke",".trun",".ttt",".tzu",".udjvu","[email protected]",".unavailable","[email protected]",".uudjvu",".vault",".velikasrbija",".verasto",".versiegelt",".vindows",".vscrypt",".vvv",".vxLock",".wallet",".wcry",".weareyourfriends",".weencedufiles",".wflx",".windows10",".wncry",".wnx",".xcri",".xcrypt",".xort",".xrtn",".xtbl",".xxx",".xyz",".yourransom",".zXz",".zc3791",".zcrypt",".zepto",".zerofucks",".zorro",".zyklon",".zzz",".zzzzz",".{CRYPTENDBLACKDC}",".~",".~xdata~",".кибер разветвитель",".已加密","000-IF-YOU-WANT-DEC-FILES.html","000-No-PROBLEM-WE-DEC-FILES.html","000-PLEASE-READ-WE-HELP.html","0000-SORRY-FOR-FILES.html","001-READ-FOR-DECRYPT-FILES.html","005-DO-YOU-WANT-FILES.html","009-READ-FOR-DECCCC-FILESSS.html","027cc450ef5f8c5f653329641ec1fed9*.*","0_HELP_DECRYPT_FILES.HTM","170fb7438316.exe","4-14-2016-INFECTION.TXT","52036F92.tmp","686l0tek69-HOW-TO-DECRYPT.txt","@[email protected]","@WARNING_FILES_ARE_ENCRYPTED.*.txt","@WanaDecryptor@.*","@_RESTORE-FILES_@.*","@_USE_TO_FIX_*.txt","@decrypt_your_files.txt","AArI.jpg","ASSISTANCE_IN_RECOVERY.txt","ATLAS_FILES.txt","ATTENTION!!!.txt","ATTENTION.url","About_Files.txt","Aescrypt.exe","AllFilesAreLocked*.bmp","BTC_DECRYPT_FILES.txt","BUYUNLOCKCODE","BUYUNLOCKCODE.txt","BitCryptorFileList.txt","Blooper.exe","C-email-*-*.odcodc","COME_RIPRISTINARE_I_FILE.*","COMO_ABRIR_ARQUIVOS.txt","COMO_RESTAURAR_ARCHIVOS.html","COMO_RESTAURAR_ARCHIVOS.txt","CRYPTOID_*","CallOfCthulhu.exe","ClopReadMe.txt","Coin.Locker.txt","Comment débloquer mes fichiers.txt","Como descriptografar seus arquivos.txt","CryptoRansomware.exe","Crytp0l0cker.Upack.dll","Crytp0l0cker.dll","Crytp0l0cker.exe","Cversions.2.db","Cyber SpLiTTer Vbs.exe","DALE_FILES.TXT","DECRYPT-FILES.html","DECRYPTION INSTRUCTIONS.txt","DECRYPTION.TXT","DECRYPTION_HOWTO.Notepad","DECRYPT_INFO.txt","DECRYPT_INFORMATION.html","DECRYPT_INSTRUCTION.HTML","DECRYPT_INSTRUCTION.TXT","DECRYPT_INSTRUCTION.URL","DECRYPT_INSTRUCTIONS.TXT","DECRYPT_INSTRUCTIONS.html","DECRYPT_ReadMe.TXT","DECRYPT_ReadMe1.TXT","DECRYPT_Readme.TXT.ReadMe","DECRYPT_YOUR_FILES.HTML","DECRYPT_YOUR_FILES.txt","DESIFROVANI_POKYNY.html","DOSYALARINIZA ULAŞMAK İÇİN AÇINIZ.html","Decoding help.hta","Decrypt All Files *.bmp","DecryptAllFiles*.txt","DecryptAllFiles.txt","DecryptFile.txt","[email protected]","DesktopOsiris.*","DesktopOsiris.htm","EMAIL_*_recipient.zip","ENCRYPTED.TXT","ENTSCHLUSSELN_HINWEISE.html","FACT. 8-9-1278104.doc","FA_HLEH3S83AO22WO.doc","FE04.tmp","FILES ENCRYPTED.txt","FILES.TXT","FILESAREGONE.TXT","FILES_BACK.txt","File Decrypt Help.html","File_Encryption_Notice.txt","Files encrypted.html","GJENOPPRETTING_AV_FILER.html","GJENOPPRETTING_AV_FILER.txt","GNNCRY_Readme.txt","Galaperidol.exe","GetYouFiles.txt","GoRansom.txt","HELLOTHERE.TXT","HELP-ME-ENCED-FILES.html","HELPDECRYPT.TXT","HELPDECYPRT_YOUR_FILES.HTML","HELP_BY_CROC.TXT","HELP_DECRYPT.HTML","HELP_DECRYPT.HTML*","HELP_DECRYPT.PNG","HELP_DECRYPT.URL","HELP_DECRYPT.lnk","HELP_ME_PLEASE.txt","HELP_RECOVER_FILES.txt","HELP_RESTORE_FILES.txt","HELP_RESTORE_FILES_*.*","HELP_RESTORE_FILES_*.TXT","HELP_TO_DECRYPT_YOUR_FILES.txt","HELP_TO_SAVE_FILES.bmp","HELP_TO_SAVE_FILES.txt","HELP_YOURFILES.HTML","HELP_YOUR_FILES.PNG","HELP_YOUR_FILES.TXT","HELP_YOUR_FILES.html","HILDACRYPTReadMe.html","HOW DECRIPT FILES.hta","HOW TO DECRYPT FILES.HTML","HOW TO DECRYPT FILES.txt","HOW TO DECRYPT[1T0tO].txt","HOW TO RECOVER ENCRYPTED [email protected]","HOW TO RECOVER ENCRYPTED FILES.TXT","HOW-TO-DECRYPT-FILES.HTM","HOW-TO-DECRYPT-FILES.HTML","HOW-TO-RESTORE-FILES.txt","HOWTO_RECOVER_FILES_*.*","HOWTO_RECOVER_FILES_*.TXT","HOW_CAN_I_DECRYPT_MY_FILES.txt","HOW_DECRYPT.HTML","HOW_DECRYPT.TXT","HOW_DECRYPT.URL","HOW_DECRYPT_FILES#.html","HOW_OPEN_FILES.hta","HOW_RETURN_FILES.TXT","HOW_TO_DECRYPT.HTML","HOW_TO_DECRYPT.txt","HOW_TO_DECRYPT_FILES.TXT","HOW_TO_DECRYPT_FILES.html","HOW_TO_DECRYPT_MY_FILES.txt","HOW_TO_FIX_!.TXT","HOW_TO_RESTORE_FILES.html","HOW_TO_RESTORE_FILES.txt","HOW_TO_RESTORE_YOUR_DATA.html","HOW_TO_UNLOCK_FILES_README_*.txt","HUR_DEKRYPTERA_FILER.html","HUR_DEKRYPTERA_FILER.txt","HVORDAN_DU_GENDANNER_FILER.html","HVORDAN_DU_GENDANNER_FILER.txt","HWID Lock.exe","Hacked_Read_me_to_decrypt_files.html","Hello There! Fellow @kee User!.txt","Help Decrypt.html","Help_Decrypt.txt","How Decrypt My Files.lnk","How To Decode Files.hta","How To Restore Files.txt","How decrypt files.hta","How to decrypt LeChiffre files.html","How to decrypt your data.txt","How to decrypt your files.jpg","How to decrypt your files.txt","How to decrypt.txt","How to get data back.txt","How to restore files.hta","HowDecrypt.gif","HowDecrypt.txt","HowToBackFiles.txt","HowToDecryptIMPORTANT!.txt","How_Decrypt_Files.hta","How_Decrypt_My_Files","How_To_Recover_Files.txt","How_to_decrypt_your_files.jpg","How_to_restore_files.hta","HowtoRESTORE_FILES.txt","Howto_RESTORE_FILES.html","Howto_Restore_FILES.TXT","IAMREADYTOPAY.TXT","IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT","IF_WANT_FILES_BACK_PLS_READ.html","IF_YOU_WANT_TO_GET_ALL_YOUR_FILES_BACK_PLEASE_READ_THIS.TXT","IHAVEYOURSECRET.KEY","IMPORTANT READ ME.txt","IMPORTANT.README","INSTALL_TOR.URL","INSTRUCCIONES.txt","INSTRUCCIONES_DESCIFRADO.TXT","INSTRUCCIONES_DESCIFRADO.html","INSTRUCTION RESTORE FILE.TXT","INSTRUCTIONS_DE_DECRYPTAGE.html","INSTRUCTION_FOR_HELPING_FILE_RECOVERY.txt","ISTRUZIONI_DECRITTAZIONE.html","Important!.txt","Important_Read_Me.txt","Info.hta","Instruction for file recovery.txt","Instructionaga.txt","Instructions with your files.txt","JSWORM-DECRYPT.hta","KryptoLocker_README.txt","LEER_INMEDIATAMENTE.txt","LEIA_ME.txt","Lock.","Locked.*","MENSAGEM.txt","MERRY_I_LOVE_YOU_BRUCE.hta","NEWS_INGiBiToR.txt","NFS-e*1025-7152.exe","NOTE;!!!-ODZYSKAJ-PLIKI-!!!.TXT","OKSOWATHAPPENDTOYOURFILES.TXT","OKU.TXT","ONTSLEUTELINGS_INSTRUCTIES.html","OSIRIS-*.*","OSIRIS-*.htm","OkuBeni.txt","PAYMENT-INSTRUCTIONS.TXT","PLEASE-READIT-IF_YOU-WANT.html","PadCrypt.exe","Paxynok.html","Payment_Advice.mht","Payment_Instructions.jpg","Perfect.sys","READ IF YOU WANT YOUR FILES BACK.html","READ ME ABOUT DECRYPTION.txt","READ ME FOR DECRYPT.txt","READ TO UNLOCK FILES.salsa.*.html","READ-READ-READ.html","[email protected]","README HOW TO DECRYPT YOUR FILES.HTML","README!!!.txt","README-NOW.txt","README_DECRYPT_HYDRA_ID_*.txt","README_DECRYPT_HYRDA_ID_*.txt","README_DECRYPT_UMBRE_ID_*.jpg","README_DECRYPT_UMBRE_ID_*.txt","README_FOR_DECRYPT.txt","README_HOW_TO_UNLOCK.HTML","README_HOW_TO_UNLOCK.TXT","README_LOCKED.txt","README_RECOVER_FILES_*.html","README_RECOVER_FILES_*.png","README_RECOVER_FILES_*.txt","README_TO_RECURE_YOUR_FILES.txt","READTHISNOW!!!.TXT","READ_DECRYPT_FILES.txt","READ_IT.txt","READ_IT_FOR_GET_YOUR_FILE.txt","READ_ME.cube","READ_ME.html","READ_ME.mars","READ_ME_!.txt","READ_ME_ASAP.txt","READ_ME_FOR_DECRYPT_*.txt","READ_ME_HELP.png","READ_ME_HELP.txt","READ_ME_TO_DECRYPT_YOU_INFORMA.jjj","READ_THIS_FILE_1.TXT","READ_THIS_TO_DECRYPT.html","READ_TO_DECRYPT.html","READ__IT.txt","RECOVER-FILES.html","RECOVERY_FILE*.txt","RECOVERY_FILES.txt","RESTORE-.-FILES.txt","RESTORE-12345-FILES.TXT","RESTORE-SIGRUN.*","RESTORE_CORUPTED_FILES.HTML","RESTORE_FILES.HTML","RESTORE_FILES_*.*","RESTORE_FILES_*.txt","RESTORE_HCEEM_DATA.txt","RESTORE_INFO-*.txt","Rans0m_N0te_Read_ME.txt","Ransom.rtf","Read Me (How Decrypt) !!!!.txt","Read me for help thanks.txt","Read.txt","ReadDecryptFilesHere.txt","[email protected]","ReadME_Decrypt_Help_*.html","ReadMe_Decryptor.txt","ReadMe_Important.txt","Read_this_file.txt","Readme-Matrix.rtf","Readme_Restore_Files.txt","Receipt.exe","Recovery+*.html","Recovery+*.txt","Recupere seus arquivos aqui.txt","Restore Files.TxT","Restore_ICPICP_Files.txt","Restore_maysomware_files.html","Restore_your_files.txt","Runsome.exe","SECRET.KEY","SECRETIDHERE.KEY","SECURITY-ISSUE-INFO.txt","SGUARD-README.TXT","SHTODELATVAM.txt","SIFRE_COZME_TALIMATI.html","[email protected]___","[email protected]___*","ScreenLocker_x86.dll","Sifre_Coz_Talimat.html","SintaLocker.exe","SintaRun.py","Spreader_x86.dll","SsExecutor_x86.exe","StrutterGear.exe","Survey Locker.exe","TOTALLYLEGIT.EXE","TRY-READ-ME-TO-DEC.html","TUTORIEL.bmp","Tempimage.jpg","ThxForYurTyme.txt","TrumpHead.exe","UNLOCK_FILES_INSTRUCTIONS.html","UNLOCK_FILES_INSTRUCTIONS.txt","USPS_Delivery.doc","UnblockFiles.vbs","UselessDisk.exe","VIP72.exe","Vape Launcher.exe","VictemKey_*_*","WE-MUST-DEC-FILES.html","WHERE-YOUR-FILES.html","WannaCry.TXT","WannaCrypt 4.0.exe","Wannacry.exe","What happen to my files.txt","WhatHappenedWithFiles.rtf","WhatHappenedWithMyFiles.rtf","WindowsApplication1.exe","Wo_sind_meine_Dateien.htm*","YOUGOTHACKED.TXT","YOUR_FILES.HTML","YOUR_FILES.url","YOUR_FILES_ARE_DEAD.hta","YOUR_FILES_ARE_ENCRYPTED.HTML","YOUR_FILES_ARE_ENCRYPTED.TXT","YOUR_FILES_ARE_LOCKED.txt","YOU_MUST_READ_ME.rtf","Your files are locked !!!!.txt","Your files are locked !!!.txt","Your files are locked !!.txt","Your files are locked !.txt","Your files are now encrypted.txt","Your files encrypted by our friends !!! txt","Your files encrypted by our friends !!!.txt","YourID.txt","ZINO_NOTE.TXT","Zenis-*.*","Zenis-Instructions.html","[*]-HOW-TO-DECRYPT.txt","[KASISKI]","[KASISKI]*","[[email protected]].Gate","[[email protected]].wallet","_!!!_README_!!!_*","_!!!_README_!!!_*_ .txt","_!!!_README_!!!_*_.hta","_*_HOWDO_text.html","_*_README.hta","_*_README.jpg","_Adatok_visszaallitasahoz_utasitasok.txt","_CRYPTED_README.html","_DECRYPT_INFO_*.html","_DECRYPT_INFO_szesnl.html","_HELP_HELP_HELP_*","_HELP_HELP_HELP_*.hta","_HELP_HELP_HELP_*.jpg","_HELP_INSTRUCTION.TXT","_HELP_INSTRUCTIONS_.TXT","_HELP_Recover_Files_.html","_HELP_instructions.bmp","_HELP_instructions.txt","_HOWDO_text.html","_HOW_TO_Decrypt.bmp","_H_e_l_p_RECOVER_INSTRUCTIONS*.html","_H_e_l_p_RECOVER_INSTRUCTIONS*.png","_H_e_l_p_RECOVER_INSTRUCTIONS*.txt","_H_e_l_p_RECOVER_INSTRUCTIONS+*.html","_H_e_l_p_RECOVER_INSTRUCTIONS+*.png","_H_e_l_p_RECOVER_INSTRUCTIONS+*.txt","_How to restore files.*","_How_To_Decrypt_My_File_.*","_INTERESTING_INFORMACION_FOR_DECRYPT.TXT","_Locky_recover_instructions.bmp","_Locky_recover_instructions.txt","_README_*.hta","_README_.hta","_READ_ME_FOR_DECRYPT.txt","_READ_THI$_FILE_*","_RECOVER_INSTRUCTIONS.ini","_RECoVERY_+*.*","_RESTORE FILES_.txt","_WHAT_is.html","_XiaoBa_Info_.hta","_crypt","_help_instruct*.*","_how_recover*.html","_how_recover*.txt","_how_recover+*.html","_how_recover+*.txt","_how_recover.txt","_iWasHere.txt","_nullbyte","_ryp","_secret_code.txt","_如何解密我的文件_.txt","aboutYourFiles.*","allcry_upx.exe","anatova.exe","anatova.txt","[email protected]","chilli.exe","cmdRansomware.*","confirmation.key","crjoker.html","cryptinfo.txt","cryptolocker.*","cscc.dat","[email protected]*","de_crypt_readme.*","de_crypt_readme.bmp","de_crypt_readme.html","de_crypt_readme.txt","[email protected]*","decoder.hta","decrypt all files*.bmp*","decrypt explanations.html","decrypt-instruct*.*","decrypt_Globe*.exe","decrypt_instruct*.*","decrypted_files.dat","decypt_your_files.html","default32643264.bmp","default432643264.jpg","delog.bat","diablo6-*.htm","dispci.exe","dllhost.dat","dummy_file.encrypted","ebay-msg.html","ebay_was_here","[email protected]*.id-*-*.randomname-*","[email protected]*","enc_files.txt","encryptor_raas_readme_liesmich.txt","enigma.hta","enigma_encr.txt","exit.hhr.obleep","fattura_*.js","file0locked.js","filesinfo.txt","firstransomware.exe","hacked.txt","help-file-decrypt.enc","help_decrypt*.*","help_decrypt_your_files.html","help_file_*.*","help_instructions.*","help_recover*.*","help_recover_instructions*.bmp","help_recover_instructions*.html","help_recover_instructions*.txt","help_recover_instructions+*.BMP","help_recover_instructions+*.html","help_recover_instructions+*.txt","help_restore*.*","help_to_decrypt.txt","help_your_file*.*","how to decrypt aes files.lnk","how to decrypt*.*","how to get back you files.txt","how to get data.txt","how_decrypt.gif","how_recover*.*","how_to_back_files.html","how_to_decrypt*.*","how_to_recover*.*","how_to_recver_files.txt","how_to_unlock*.*","howrecover+*.txt","howto_recover_file.txt","howto_restore*.*","howtodecrypt*.*","howtodecryptaesfiles.txt","infpub.dat","install_tor*.*","keybtc@inbox_com","last_chance.txt","lblBitcoinInfoMain.txt","lblFinallyText.txt","lblMain.txt","les#.TXT","locked.bmp","loptr-*.htm","lukitus.html","matrix-readme.rtf","maxcrypt.bmp","message.txt","mood-ravishing-hd-wallpaper-142943312215.jpg","msptermthemes.exe","oor.","oor.*","ownertrust.txt","padcryptUninstaller.exe","paycrypt.bmp","payload.dll","petwrap.exe","popcorn_time.exe","pronk.txt","qwer.html","qwer2.html","qwerty-pub.key","random","ransomed.html","readme.hta","readme_decrypt*.*","readme_for_decrypt*.*","readme_liesmich_encryptor_raas.txt","recover.bmp","recover.txt","recoverfile*.txt","recovery+*.*","recovery_file.txt","recovery_key.txt","recoveryfile*.txt","redchip2.exe","restore_files.txt","restorefiles.txt","rtext.txt","ryukreadme.html","strongcrypt.bmp","structsstructs.exe","svchosd.exe","svchostt.exe","t.wry","tabDll*.dll","taskdl.exe","taskhsvc.exe","tasksche.exe","taskse.exe","tor.exe","tox.html","[email protected]*","vault.hta","vault.key","vault.txt","vesad","warning.txt","wcry.exe","wcry.zip","wie_zum_Wiederherstellen_von_Dateien.txt","winclwp.jpg","wormDll*.dll","x5gj5_gmG8.log","xort.txt","your_key.rsa","zXz.html","zcrypt.exe","zycrypt.*","zzzzzzzzzzzzzzzzzyyy","Инструкция по расшифровке.TXT","инструкция по оплате.txt")
# ONLY if you use the Experiant download you may want to use the following commented variable because Experient does not supply exclusions (and that's a good thing).
# To use this you just uncomment and populate it with your chosen file group exclusions
# The "AntiransomwareFiltersMerge.py" generated json file manages this information for you but it is an extension to, and not included with the basic Experiant JSON format.
# This variable cannot be an empty string (""), either leave it undefined or populate it with meaningful information.
# legacy note - These are file group Exclude Files. They are not the same as SkipList.txt entries.
# $FnameExtExclude = @("this_is_just_a_dummy_placeholder_string","replace_it_with_meaningful_information_if_necessary","excluded_file_specs")
$LocalJsonFilePathAndPattern = $PSScriptRoot+"\"+"combined-"+$JSONfnamesubstring+"-????????_??????.json"
$HoneyPotFileGroupName = "HoneyPotAllFilesWildcard"
$HoneyPotsRapidSMBdisconnectFlagholder = "" # will be populated later based on command line boolean
$HoneyPotFilters = @("*.*")
# the following exclusions are so common that I think it's OK to exclude them by default, mostly dropped by curious legitimate users, let's not lock them out for this
$HoneyPotExclusions = $("thumbs.db","desktop.ini")
$RansomwareTemplateName = "RansomwareFnamesAndExtsCheck"
$HoneyPotTemplateName = "RansomwareHoneyPotCheck"
$TriggeredScriptStaticBaseName = "TriggeredDenySMBPermissions.PS1"
# Creates a valid file path to store triggered script that is called by the FSRM screens
# the path must exist before the triggered script can be created, the default is to use the same path as this script which definitely exists
# replace the $PSCommandPath variable with an alternate location if you wish, it must already exist
# we split the path to isolate the full path from the name of this script (which is always part of $PSCommandPath)
$TriggeredScriptDestinationPath = Split-Path -Path $PSCommandPath
$TriggeredScriptFullName = Join-Path -Path $TriggeredScriptDestinationPath -ChildPath $TriggeredScriptStaticBaseName
# END - ADDITIONAL VARIABLES THAT NEED TO BE SET AND VALIDATED #
# now we get to work
# make sure a "source" has been setup in the event log, this should be first executable line so we catch any subsequent warnings and errors
# we'll just force it blindly every time, detecting sources is too convoluted and this won't hurt anything
New-EventLog -LogName $EventLog -Source $EventLoggingSource -ErrorAction SilentlyContinue
$message = "FSRM-Anti-ransomware.ps1 Script version: " + $CurrentVersion + "`nInformation:`nNormal script startup`n"
# build a text list of all variables from the param block, format them for easy reading
[string]$localformattedparmstring = (Get-Command -Name $PSCommandPath).Parameters | Format-Table -AutoSize @{ Label = "Key"; Expression={$_.Key}; }, @{ Label = "Value"; Expression={(Get-Variable -Name $_.Key -EA SilentlyContinue).Value}; } | Out-String
$message = $message +"`nParam block variables and values:"+ $localformattedparmstring
Write-Host $message
Write-EventLog -LogName $EventLog -Source $EventLoggingSource -Category 0 -EventID 1 -EntryType Information -Message $message
# The "Requires -Version 4" statement at the top is primarily to enforce that the script is being run as administrator
# The rest of this script is compatible with version 3. You may override this version check if you're stuck with PS 3 but you must insure that you're running as admin.
# For Windows 2012x you should add WMF 5.1 to your server which upgrades the PowerShell to version 5.1. See additional info in the notes. WMF 5.1 is standard in W2016 and W2019.
Write-Host "`nTesting PowerShell version 4 or above"
If ($PSVersionTable.PSVersion.Major -lt 4)
{
$message = "FSRM-Anti-ransomware.ps1 Script version: " + $CurrentVersion + "`nError:`nWrong version of PowerShell detected`nThis script requires PowerShell version 4 or above.`n`nAborting script.`nIt is possible to override this requirement but you must insure you're running this script as administrator.`nA better alternative is to install Windows Management Framwork (WMF) 5.1`nSee the special PowerShell 3 instructions in this script.`n"
$message = $message +"`nParam block variables and values:"+ $localformattedparmstring
Write-Host -ForegroundColor Red -BackgroundColor Black $message
Write-EventLog -LogName $EventLog -Source $EventLoggingSource -Category 0 -EventID 2001 -EntryType Error -Message $message
Exit
}
# test Windows version, Windows 2012 and above and server edition
Write-Host "`nTesting for Windows 2012 or higher and Server edition"
# get info for the running OS
$OSinfoNow = Get-CimInstance -ClassName Win32_OperatingSystem -Property Version,Caption
# perform a regex matching operation on the Version property as a string, matches nn.nn but not the second '.' or anything after, single line mode
$OSinfoNow."Version" -match "(?s)^[0-9]+\.[0-9]+"
# use the automatically populated $Matches array's first element, cast to float
$WverFloat = [float]$Matches[0]
# test for both server edition string and version number
If ( -not (($OSinfoNow.Caption -like "*Server*") -and ($WverFloat -ge [float]6.2)))
{
$message = "FSRM-Anti-ransomware.ps1 Script version: " + $CurrentVersion + "`nError:`nWrong version of Windows detected`nThis script will only run on Windows 2012 and higher, and will only run on Server editions of Windows.`n`nAborting script.`n"
$message = $message +"`nParam block variables and values:"+ $localformattedparmstring
Write-Host -ForegroundColor Red -BackgroundColor Black $message
Write-EventLog -LogName $EventLog -Source $EventLoggingSource -Category 0 -EventID 2002 -EntryType Error -Message $message
Exit
}
Write-Host "`nTesting variables configured"
If (-not $YesAllTheVariablesAreSetHowIWant)
{
$message = "FSRM-Anti-ransomware.ps1 Script version: " + $CurrentVersion + "`nError:`nScript unconfigured`nThis script implements very critical security measures.`nIt is imperative that you understand and edit the configuration variables in this script.`nYou will find them in the param() block and in the begin{} section.`nWhen all the settings are configured how you want them use the`n -YesAllTheVariablesAreSetHowIWant `$True`nparameter and rerun this script.`n`nAborting script.`n"
$message = $message +"`nParam block variables and values:"+ $localformattedparmstring
Write-Host -ForegroundColor Red -BackgroundColor Black $message
Write-EventLog -LogName $EventLog -Source $EventLoggingSource -Category 0 -EventID 2003 -EntryType Error -Message $message
Exit
}
Write-Host "`nInformation:`nVerifying existence of triggered script located at `"$TriggeredScriptFullName`"`n"
If (Test-Path -Path $TriggeredScriptFullName)
{
# we must convert this to a short/8.3 format path name because of how we have to wrap the command in double quotes for the FSRM screen command property, totally convoluted
# create a COM object that knows how to conver to a short path
$COMObjFnameConvert = New-Object -ComObject Scripting.FileSystemObject
$TriggeredScriptDestinationPath8dot3 = $COMObjFnameConvert.GetFolder($TriggeredScriptDestinationPath).ShortPath
# important!!!: no spaces in script's name, because the file doesn't exist yet we can't use the COM object magic we used just above, NO SPACES!
$TriggeredScriptFullName8dot3 = Join-Path -Path $TriggeredScriptDestinationPath8dot3 -ChildPath $TriggeredScriptStaticBaseName
# add rapid disconnect flag, otherwise leave empty string
If ($RansomewareScreenRapidSMBdisconnect -eq $true) { $RansomewareRapidSMBdisconnectFlagholder = "-RapidSMBdisconnect" }
#$TriggeredRansomwareCommandParm = "-Command `"& {"+$TriggeredScriptFullName8dot3+" -username '[Source Io Owner]'}`""
$TriggeredRansomwareCommandParm = "-Command `"& {"+$TriggeredScriptFullName8dot3+" "+$RansomewareRapidSMBdisconnectFlagholder+" -username '[Source Io Owner]'}`""
# add rapid disconnect flag, otherwise leave empty string
If ($HoneyPotsScreenRapidSMBdisconnect -eq $true) { $HoneyPotsRapidSMBdisconnectFlagholder = "-RapidSMBdisconnect" }
#$TriggeredHoneyPotCommandParm = "-Command `"& {"+$TriggeredScriptFullName8dot3+" -username '[Source Io Owner]'}`""
$TriggeredHoneyPotCommandParm = "-Command `"& {"+$TriggeredScriptFullName8dot3+" "+$HoneyPotsRapidSMBdisconnectFlagholder+" -username '[Source Io Owner]'}`""
Write-Host "FSRM Ransomware triggered script (8.3 format) command string is:`n$TriggeredRansomwareCommandParm"
Write-Host "FSRM Honey Pot triggered script (8.3 format) command string is:`n$TriggeredHoneyPotCommandParm"
}
else
{
$message = "FSRM-Anti-ransomware.ps1 Script version: " + $CurrentVersion + "`nError:`nA critical error has occurred locating $TriggeredScriptFullName.`nThe FSRM triggered lockouts will not function correctly until this error is corrected.`n`nAborting script.`n"
$message = $message +"`nParam block variables and values:"+ $localformattedparmstring
Write-Host -ForegroundColor Red -BackgroundColor Black $message
Write-EventLog -LogName $EventLog -Source $EventLoggingSource -Category 0 -EventID 2004 -EntryType Error -Message $message
Exit
}
#add the FSRM role if it doesnt exist
Write-Host "`nVerifying FSRM is installed"
If ((Get-WindowsFeature fs-resource-manager).installed -like "False")
{
$message = "FSRM-Anti-ransomware.ps1 Script version: " + $CurrentVersion + "`nWarning:`nInstalling FSRM`nYou will only see this warning message when this script is installing the FSRM role.`nRead the following messages from the Windows installer carefully. You may need to reboot manually.`nRerun this script when the FSRM installation has finished.`nNote - for Windows 2012 and 2012r2 only:`nThe FSRM service can be a little unstable immediately after the FSRM role is installed.`nIf you see errors when you rerun this script then stop and restart the FSRM service and then rerun this script again.`n"
$message = $message +"`nParam block variables and values:"+ $localformattedparmstring
Write-Host -ForegroundColor Yellow -BackgroundColor Black $message
Write-EventLog -LogName $EventLog -Source $EventLoggingSource -Category 0 -EventID 1001 -EntryType Warning -Message $message
Install-WindowsFeature -Name FS-Resource-Manager -IncludeManagementTools
Exit
}
} # end Begin clause
Process
{
# we always need some sort of SMTP setup (this if clause will execute for both reinstallation of FSRM and partial installations that needed to be rebooted to complete, it's a kludge but very necessary)
Write-Host "`nVerifying SMTP server and admin email address settings in FSRM"
If (((Get-FsrmSetting).SmtpServer -ne $SMTPServer) -or ((Get-FsrmSetting).AdminEmailAddress -ne $AdminEmailTo))
{
$message = "FSRM-Anti-ransomware.ps1 Script version: " + $CurrentVersion + "`nWarning:`nThe current global FSRM SMTP server and destination email address settings do not match this script's settings.`nThe current settings in this script are SMTP: `"$SMTPServer`" and Admin email: `"$AdminEmailTo`" .`nIf this is the first time you've run this script after installing FSRM then`nthe settings from the variables will be applied.`nIf this is not the first time you've run this script after installing FSRM then`nthe current settings in FSRM will be replaced with the values shown just above.`nYou will need to close and then reopen the FSRM manager to view the new settings because`nthere is no refresh option for global settings.`nFinally, use the FSRM manager to send a test message just to be sure everything works the way you expect.`n"
$message = $message +"`nParam block variables and values:"+ $localformattedparmstring
Write-Host -ForegroundColor Yellow -BackgroundColor Black $message
Write-EventLog -LogName $EventLog -Source $EventLoggingSource -Category 0 -EventID 1002 -EntryType Warning -Message $message
Set-FsrmSetting -SmtpServer $SMTPServer -AdminEmailAddress $AdminEmailTo -FromEmailAddress $EmailFrom -CommandNotificationLimit 0 -EmailNotificationLimit 1 -EventNotificationLimit 0 -ReportFileScreenAuditEnable
Write-Host "`nVerifying SMTP server and admin email reset"
if ($? -ne $True)
{
# you should never get here but it is so important that we have to check the return value
$message = "FSRM-Anti-ransomware.ps1 Script version: " + $CurrentVersion + "`nError:`nA critical error has occurred setting the global settings in FSRM.`nSettings include SMTP server, admin email address, from email address, and notification timers.`nThe FSRM file screens will not function correctly until this error is corrected.`n`nAborting script.`n"
$message = $message +"`nParam block variables and values:"+ $localformattedparmstring
Write-Host -ForegroundColor Red -BackgroundColor Black $message
Write-EventLog -LogName $EventLog -Source $EventLoggingSource -Category 0 -EventID 2005 -EntryType Error -Message $message
Exit
}
}
# this is so important that we'll check every time the script is run, sorry to be heavy handed but you have no choice, this is a critical security issue
# the command notification limit must be set to 0, anything but 0 will prevent the lockout script from running more than once within the timer interval
# the event notification limit should be set to 0, we want every trigger to be logged in the Windows event logs
Write-Host "`nVerifying command and event notification limits set to 0 (zero)"
If (((Get-FsrmSetting).CommandNotificationLimit -ne 0) -or ((Get-FsrmSetting).EventNotificationLimit -ne 0))
{
$message = "FSRM-Anti-ransomware.ps1 Script version: " + $CurrentVersion + "`nWarning:`nThe FSRM global settings for both Command Notification and Event Notification must be set to zero (0)`nThe triggered scripts and email notifications will not work reliably if the notification values are set to ANYTHING else.`nYou're seeing this message because the values were not zero. They will be reset to the correct values now.`n"
$message = $message +"`nParam block variables and values:"+ $localformattedparmstring
Write-Host -ForegroundColor Yellow -BackgroundColor Black $message
Write-EventLog -LogName $EventLog -Source $EventLoggingSource -Category 0 -EventID 1003 -EntryType Warning -Message $message
Set-FsrmSetting -CommandNotificationLimit 0 -EventNotificationLimit 0
if ($? -ne $True)
{
$message = "FSRM-Anti-ransomware.ps1 Script version: " + $CurrentVersion + "`nError:`nA critical error has occurred setting the global notification timers in FSRM.`nThe FSRM file screens will not function correctly until this error is corrected.`n`nAborting script.`n"
$message = $message +"`nParam block variables and values:"+ $localformattedparmstring
Write-Host -ForegroundColor Red -BackgroundColor Black $message
Write-EventLog -LogName $EventLog -Source $EventLoggingSource -Category 0 -EventID 2006 -EntryType Error -Message $message
Exit
}
}
# look for a json file with updated filters and exceptions, if not found then just use the defaults set in the variables
If ($LegacyDownloadFiltersJson)
{
$message = "`nInformation:`nAttempting legacy download of ransomware filter list from $LegacyDownloadFiltersJsonURL`n"
Write-Host $message
Write-EventLog -LogName $EventLog -Source $EventLoggingSource -Category 0 -EventID 2 -EntryType Information -Message $message
$FromJSONdata = Invoke-WebRequest $LegacyDownloadFiltersJsonURL | ConvertFrom-Json
# testing $? does work here, but testing for null value is more comprehensive and tests json conversion too
If ($FromJSONdata -eq $null)
{
$message = "FSRM-Anti-ransomware.ps1 Script version: " + $CurrentVersion + "`nWarning:`nDownloading filters list from $LegacyDownloadFiltersJsonURL failed.`nUsing built-in defaults for now.`nMust be remediated for maximum protection.`n"
$message = $message +"`nParam block variables and values:"+ $localformattedparmstring
Write-Host -ForegroundColor Yellow -BackgroundColor Black $message
Write-EventLog -LogName $EventLog -Source $EventLoggingSource -Category 0 -EventID 1004 -EntryType Warning -Message $message
}
Else
{
# download json read succesfully, apply to file group
$message = "`nInformation:`nLegacy download of filters directly from $LegacyDownloadFiltersJsonURL succeeded.`n"
$message = $message + "`nDownloaded filters timestamp: " + $FromJSONdata.lastUpdated
Write-Host $message
Write-EventLog -LogName $EventLog -Source $EventLoggingSource -Category 0 -EventID 3 -EntryType Information -Message $message
Write-Host "`n"
$FnameExtFilters = $FromJSONdata.filters
}
# now process IncludeList.txt and SkipList.txt, these are optional so just emit warning if missing, emit an info event upon success
$TempIncludeListTxtPath = $PSScriptRoot + "`\IncludeList.txt"
If (Test-Path -Path $TempIncludeListTxtPath)
{
# read the Include List file and appende to $FnameExtFilters
$FnameExtFilters = $FnameExtFilters + (Get-Content -LiteralPath $TempIncludeListTxtPath | ForEach-Object {$_.Trim()})
# dedupe
$FnameExtFilters = $FnameExtFilters | Select-Object -Unique
$message = "`nInformation:`nIncludeList.txt read successfully from $TempIncludeListTxtPath`n"
Write-Host $message
Write-EventLog -LogName $EventLog -Source $EventLoggingSource -Category 0 -EventID 12 -EntryType Information -Message $message
}
Else
{
$message = "FSRM-Anti-ransomware.ps1 Script version: " + $CurrentVersion + "`nWarning:`nDid not find an IncludeList.txt file.`n"
$message = $message +"`nParam block variables and values:"+ $localformattedparmstring
Write-Host -ForegroundColor Yellow -BackgroundColor Black $message
Write-EventLog -LogName $EventLog -Source $EventLoggingSource -Category 0 -EventID 1007 -EntryType Warning -Message $message
}
# remove SkipList.txt entries (equivalent of extended-data.allowed in the extended format JSON)
$TempSkipListTxtPath = $PSScriptRoot + "`\SkipList.txt"
If (Test-Path -Path $TempSkipListTxtPath)
{
# read in the filters that should be allowed, the Skip List
$TempSkipList = Get-Content -LiteralPath $TempSkipListTxtPath | ForEach-Object {$_.Trim()}
# now remove them from $FnameExtFilters
$FnameExtFilters = $FnameExtFilters | Where-Object {$TempSkipList -notcontains $_}
$message = "`nInformation:`nSkipList.txt read successfully from $TempSkipListTxtPath`n"
Write-Host $message
Write-EventLog -LogName $EventLog -Source $EventLoggingSource -Category 0 -EventID 13 -EntryType Information -Message $message
}
Else
{
$message = "FSRM-Anti-ransomware.ps1 Script version: " + $CurrentVersion + "`nWarning:`nDid not find an IncludeList.txt file.`n"
$message = $message +"`nParam block variables and values:"+ $localformattedparmstring
Write-Host -ForegroundColor Yellow -BackgroundColor Black $message
Write-EventLog -LogName $EventLog -Source $EventLoggingSource -Category 0 -EventID 1008 -EntryType Warning -Message $message
}
}
Else
{
Write-Host "`nSearching for local JSON file matching:`n$LocalJsonFilePathAndPattern`n"
$LocalJsonFile = Get-ChildItem -Path $LocalJsonFilePathAndPattern | Sort-Object -Property PSChildName | Select-Object -Last 1
If ($LocalJsonFile -eq $null)
{
$message = "FSRM-Anti-ransomware.ps1 Script version: " + $CurrentVersion + "`nWarning:`nNo input JSON file matching $LocalJsonFilePathAndPattern found.`nUsing built-in defaults for now.`nMust be remediated for maximum protection.`n"
Write-Host -ForegroundColor Yellow -BackgroundColor Black $message
Write-EventLog -LogName $EventLog -Source $EventLoggingSource -Category 0 -EventID 1005 -EntryType Warning -Message $message
}
else
{
Write-Host "`nReading filters and exceptions from local JSON file:`n$LocalJsonFile`n"
$FromJSONdata = Get-Content -Path $LocalJsonFile -Raw | ConvertFrom-Json
# testing $? does work here, but testing for null value is more comprehensive and tests json conversion too
If ($FromJSONdata -eq $null)
{
$message = "FSRM-Anti-ransomware.ps1 Script version: " + $CurrentVersion + "`nWarning:`nThe Get-Content import from $LocalJsonFile filters file failed.`nUsing built-in defaults for now.`nMust be remediated for maximum protection.`n"
$message = $message +"`nParam block variables and values:"+ $localformattedparmstring
Write-Host -ForegroundColor Yellow -BackgroundColor Black $message
Write-EventLog -LogName $EventLog -Source $EventLoggingSource -Category 0 -EventID 1006 -EntryType Warning -Message $message
}
Else
{
# local json read succesfully, apply to file group
$message = "`nInformation:`nFilters data successfully imported from $LocalJsonFile`n"
Write-Host $message
Write-EventLog -LogName $EventLog -Source $EventLoggingSource -Category 0 -EventID 4 -EntryType Information -Message $message
$FnameExtFilters = $FromJSONdata.filters
$FnameExtExclude = $FromJSONdata.exceptions
}
}
}
# At this point we've settled on a set of filters, whether we downloaded them directly, used and input file, or just used the embedded filters.
# No we validate the filters and reject any illegal file specs. We have to work around the fact that FSRM file groups accept * and ? wildcards.
# init temp arrays
$ValidatedFilters = @()
$InvalidFilters = @()
$FnameExtFilters | ForEach-Object {
# make a copy of each filter, then replace the * and ? characters with ZZ and Y respecitively
$scratch = $_
$scratch = $scratch -replace '\*','ZZ'
$scratch = $scratch -replace '\?','Y'
# tests against the regex modified scratch version of the filter but copies the unmodified filter string to the appropriate array
if (Test-Path -IsValid -Path $scratch)
{
# we'll use these to pass into FSRM
$ValidatedFilters += $_
}
else
{
# these are just for output in text format in event log message, that's why the formatting is different than $ValidatedFilters
$InvalidFilters += "`n" + $_
}
}
# if there are any invalid filters then replace the filters with the validated list, then build warning message and emit
if ($InvalidFilters.Count -gt 0)
{
$FnameExtFilters = $ValidatedFilters
# now barf an event log warning with the invalid filter strings
$message = "`Warning:`nInvalid input filters were detected. They will be skipped and not applied to the ransomware file group.`n"
$message = $message +"`nInvalid filters found`n:"+$InvalidFilters
Write-Host -ForegroundColor Yellow -BackgroundColor Black $message
Write-EventLog -LogName $EventLog -Source $EventLoggingSource -Category 0 -EventID 1007 -EntryType Warning -Message $message
}
# refresh is especially useful to clean up unneeded file screens for cases where a drive or share has been removed, (no error if none found)
If($RefreshRansomewareScreens)
{
# delete all existing ransomeware file screens
$message = "`nInformation:`nPurging $RansomwareTemplateName file screens`n"
Write-Host $message
Write-EventLog -LogName $EventLog -Source $EventLoggingSource -Category 0 -EventID 5 -EntryType Information -Message $message
Get-FsrmFileScreen | Where-Object -Property Template -eq $RansomwareTemplateName | ForEach-Object {
Remove-FsrmFileScreen -Confirm:$false -Path $_.Path
Write-Host "`nRemoved file screen $_.Path"
}
}
If ($RefreshHoneyPots) # honey pot refresh requested, delete all existing, (no error if none found)
{
# delete all existing honey pot file screens
$message = "`nInformation:`nPurging $HoneyPotTemplateName file screens`n"
Write-Host $message
Write-EventLog -LogName $EventLog -Source $EventLoggingSource -Category 0 -EventID 6 -EntryType Information -Message $message
# the following will match honey pot directories with a leading dot
Get-FsrmFileScreen | Where-Object {($_.Template -eq $HoneyPotTemplateName) -and ($_.Path -Like "*$HoneyPotDirectoryNamePattern")} | ForEach-Object {
Remove-FsrmFileScreen -Confirm:$false -Path $_.Path
Write-Host "`nRemoved file screen $_.Path"
}
}
$message = "`nInformation:`nCreating/Updating file groups`n"
Write-Host $message
Write-EventLog -LogName $EventLog -Source $EventLoggingSource -Category 0 -EventID 7 -EntryType Information -Message $message
#Create File Group for FSRM ransomware file name detection, (no error if none found)
If (Get-FsrmFileGroup | Where-Object -Property Name -eq $RansomeWareFileGroupName )
{
Write-Host "`nUpdating $RansomeWareFileGroupName file group"
Set-FsrmFileGroup -name $RansomeWareFileGroupName -IncludePattern $FnameExtFilters -ExcludePattern $FnameExtExclude
}
Else
{
Write-Host "`nCreating $RansomeWareFileGroupName file group"
New-FsrmFileGroup -name $RansomeWareFileGroupName -IncludePattern $FnameExtFilters -ExcludePattern $FnameExtExclude
}
#Create File Group for FSRM ransomware honey pot activity detection, (no error if none found)
If (Get-FsrmFileGroup | Where-Object -Property Name -eq $HoneyPotFileGroupName )
{
Write-Host "`nUpdating $HoneyPotFileGroupName file group"
Set-FsrmFileGroup -name $HoneyPotFileGroupName -IncludePattern $HoneyPotFilters -ExcludePattern $HoneyPotExclusions
}
Else
{
Write-Host "`nCreating $HoneyPotFileGroupName file group"
New-FsrmFileGroup -name $HoneyPotFileGroupName -IncludePattern $HoneyPotFilters -ExcludePattern $HoneyPotExclusions
}
# !!! look at the end of the $action3 line, you must put a -KillTimeOut parameter with a Command type action, this line will silently fail without it but the new template command will bork with an "out of range" error
$action1 = New-FsrmAction -Type Email -MailTo $TriggeredScriptEmailTo -Subject "Potential Ransomware Attack - Unauthorized file from the [Violated File Group] file group detected" -Body "User [Source Io Owner] attempted to save [Source File Path] to [File Screen Path] on the [Server] server. This file is in the [Violated File Group] file group, which is not permitted on the server and suggests a ransomware attack has been attempted."
$action2 = New-FsrmAction -Type Event -EventType Warning -Body "User [Source Io Owner] attempted to save [Source File Path] to [File Screen Path] on the [Server] server. This file is in the [Violated File Group] file group, which is not permitted on the server and suggests a ransomware attack has been attempted."
$action3Ransomware = New-FsrmAction -Type Command -SecurityLevel LocalSystem -Command "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -CommandParameters $TriggeredRansomwareCommandParm -WorkingDirectory $TriggeredScriptDestinationPath -ShouldLogError -KillTimeOut 1
$action3HoneyPot = New-FsrmAction -Type Command -SecurityLevel LocalSystem -Command "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -CommandParameters $TriggeredHoneyPotCommandParm -WorkingDirectory $TriggeredScriptDestinationPath -ShouldLogError -KillTimeOut 1
$message = "`nInformation:`nCreating/Updating file screen templates`n"
Write-Host $message
Write-EventLog -LogName $EventLog -Source $EventLoggingSource -Category 0 -EventID 8 -EntryType Information -Message $message
# process the ransomware template
If (Get-FsrmFileScreenTemplate | Where-Object -Property Name -eq $RansomwareTemplateName) # It must have existed already so we'll just update it
{
# note: we are pushing this update to ALL derived file screens, not just the directly matching file screens
Write-Host "`nUpdating $RansomwareTemplateName template"
Set-FsrmFileScreenTemplate -Name $RansomwareTemplateName -UpdateDerived -Active:$RansomwareTemplateIsActive -IncludeGroup $RansomeWareFileGroupName -Description "This template traps files with extensions on the likely ransomware list" -Notification $action1,$action2,$action3Ransomware
}
Else
{
Write-Host "`nCreating $RansomwareTemplateName template"
New-FsrmFileScreenTemplate -Name $RansomwareTemplateName -Active:$RansomwareTemplateIsActive -IncludeGroup $RansomeWareFileGroupName -Description "This template traps files with extensions on the likely ransomware list" -Notification $action1,$action2,$action3Ransomware
}
#process the honey pot templates
# note:
# the -Active:$false is not well documented but this is the only way to make the template passive, passive will allow the user to keep creating files until the access is revoked
# this template should always be passive to allow that bad guys to create files and not detect an access denied condition
If (Get-FsrmFileScreenTemplate | Where-Object -Property Name -eq $HoneyPotTemplateName) # It must have existed already so we'll just update it
{
# note: we are pushing this update to ALL derived file screens, not just the directly matching file screens
Write-Host "`nUpdating $HoneyPotTemplateName template"
Set-FsrmFileScreenTemplate -Name $HoneyPotTemplateName -UpdateDerived -Active:$false -IncludeGroup $HoneyPotFileGroupName -Description "This template detects any file creation in our honey pot directories." -Notification $action1,$action2,$action3HoneyPot
}
Else
{
Write-Host "`nCreating $HoneyPotTemplateName template"
New-FsrmFileScreenTemplate -Name $HoneyPotTemplateName -Active:$false -IncludeGroup $HoneyPotFileGroupName -Description "This template detects any file creation in our honey pot directories." -Notification $action1,$action2,$action3HoneyPot
}
# Note:
# You MAY use both the monitoring drives and the monitoring share methods together. Since roots of drives can't be shared there will never be direct conflicts.
# File screens at lower levels (farther from the root) of the file system always override the file screens applied at higher levels (nearer to the root).
# There is no Set-FsrmFileScreen PowerShell command because they are modified by their templates.
If ($ApplyRansomewareScreenToDrives -or $ApplyRansomewareScreenToShares)
{
$message = "`nInformation:`nCreating ransomeware file screens`n"
Write-Host $message
Write-EventLog -LogName $EventLog -Source $EventLoggingSource -Category 0 -EventID 10 -EntryType Information -Message $message
# we're excluding the C: drive root by default, note $_.DeviceID is essentially a path to the root, that's why it works here
If ($ApplyRansomewareScreenToDrives)
{
Get-CimInstance -Class CIM_LogicalDisk |
Where-Object {($_.DriveType -eq 3) -and ($_.DeviceID -ne "C:")} |
ForEach-Object {If (-not (Get-FsrmFileScreen -Path $_.DeviceID -ErrorAction SilentlyContinue)) {New-FsrmFileScreen -Path $_.DeviceID -Template $RansomwareTemplateName}}
# since we're never going to apply a drive level screen to C: we need to apply the screen template to all shares on C: except those under C:\Windows
# this is an arbitrary decision on my part, recode as necessary
Get-SmbShare | Select-Object -Property * |
Where-Object {($_.Special -ne "True") -and ($_.ShareType -eq "FileSystemDirectory") -and ($_.Path -like "C:\*") -and ($_.Path -notlike "C:\Windows\*")} |
ForEach-Object {If (-not (Get-FsrmFileScreen -Path $_.Path -ErrorAction SilentlyContinue)) {New-FsrmFileScreen -Path $_.Path -Template $RansomwareTemplateName}}
}
# find all shares that are not Special (eg C$) AND that are FileSystemDirectory AND are not under C:\Windows ie NETLOGON,SCRIPTS,etc. (because they are not "Special")
# FSRM is smart enough to only allow passive monitoring in the sensitive directories like NETLOGON, so you could always delete the file screens later
# skips any shares that were already setup above
If ($ApplyRansomewareScreenToShares)
{
Get-SmbShare | Select-Object -Property * |
Where-Object {($_.Special -ne "True") -and ($_.ShareType -eq "FileSystemDirectory") -and ($_.Path -notlike "C:\Windows\*")} |
ForEach-Object {If (-not (Get-FsrmFileScreen -Path $_.Path -ErrorAction SilentlyContinue)) {New-FsrmFileScreen -Path $_.Path -Template $RansomwareTemplateName}}
}
}
# monitor all our honey pot directories for any file creation, we're only applying this to matching directories under shares
If ($ApplyHoneyPots)
{
$message = "`nInformation:`nCreating honey pot file screens`n"
Write-Host $message
Write-EventLog -LogName $EventLog -Source $EventLoggingSource -Category 0 -EventID 11 -EntryType Information -Message $message
$MatchedHoneyPotDirs = Get-SmbShare | Select-Object -Property * |
Where-Object {($_.Special -ne "True") -and ($_.ShareType -eq "FileSystemDirectory") -and ($_.Path -notlike "C:\Windows\*")} |
ForEach-Object -Process {Get-ChildItem -Path $_.Path -Force -ErrorAction SilentlyContinue -Directory -Filter $HoneyPotDirectoryNamePattern}
If ($HoneyPotDirectoryNameWildcardMatchesLeadingDot)
{
# if first char is ? then replace with . in new variable
$HoneyPotDirectoryNamePatternWithLeadingDotSubst = $HoneyPotDirectoryNamePattern -replace '^\?','.'
# append matching to list
$MatchedHoneyPotDirs += Get-SmbShare | Select-Object -Property * |
Where-Object {($_.Special -ne "True") -and ($_.ShareType -eq "FileSystemDirectory") -and ($_.Path -notlike "C:\Windows\*")} |
ForEach-Object -Process {Get-ChildItem -Path $_.Path -Force -ErrorAction SilentlyContinue -Directory -Filter $HoneyPotDirectoryNamePatternWithLeadingDotSubst}
}
$MatchedHoneyPotDirs | Select-Object -Property FullName |
ForEach-Object {If (-not (Get-FsrmFileScreen -Path $_.FullName -ErrorAction SilentlyContinue)) {New-FsrmFileScreen -Path $_.FullName -Template $HoneyPotTemplateName}}
}
$message = "FSRM-Anti-ransomware.ps1 Script version: " + $CurrentVersion + "`nInformation:`nNormal script shutdown`n"
$message = $message +"`nParam block variables and values:"+ $localformattedparmstring
Write-Host $message
Write-EventLog -LogName $EventLog -Source $EventLoggingSource -Category 0 -EventID 999 -EntryType Information -Message $message
} # end Process clause
}
InstallUpdate-FSRMRansomwareScreening