# Ransomware Escalation Prevention Script
# v1.0
# Compatibility: Windows 10
# Author: Martijn Kamminga
# 499 Lines written by Martijn Kamminga
# www.isee2it.nl
# contact: martijn@isee2it.nl
# You can modify this script, but do not alter comment sections.
# Add variables for checking if the D drive is present, if not skipping (causes duplicate code)
# Advice: Use different folder paths (but keep them at the top of the root, e.g. most preferably C:\!Check, C:\.Check, C:\1.Check or C:\A.Check etc.) and alter the contentfile value here and the files to be checked
# Tips are welcome if someone knows which files are touched first upon ransomware infection. My guess is the first folder/file in the root directory of non Windows System and Application Directories. Which explains the C:\!Check folder advice.
# Additional notes in case compatibility scripting is required:
# Working on Windows PowerShell 3.0 + versions
# Disable-NetAdapter
# New-Item -type File/Directory
# Working on Windows PowerShell 5.0 + versions
# Add-Content -NoNewLine (The -NoNewLine parameter is only available in powershell 5.0 +)
##:checkransomware.vbs
## (vbs calling the .bat will prevent powershell from popping up, interfering with your work and losing focus on the app.)
##(call the bat file)
## Begin code:
# CreateObject("Wscript.Shell").Run "C:\Windows\checkransomware.bat", 0, True
#
## End code:
## Add an extra line (blank) after the above command in the .vbs file, or the wscript will stay in the process list;
## if executed every 5 minutes, there will be an additional task every 5 minutes, causing an out of memory exception for other applications.
##:checkransomware.bat
## Begin code: Call powershell in
# PowerShell.exe -ExecutionPolicy Bypass -windowstyle hidden -File C:\Windows\checkransomware.ps1
#
## Again, add an extra (blank) line as stated above to avoid the out of memory exception error.
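## After creating the PowerShell script:
## Prep script: scheduled task every 5 minutes (built-in Users, highest privilege, terminate the task when it does not end as requested)
## PowerShell file:
##:checkransomware.ps1

# BEGIN Configuration
# Every value below is read by the detection logic further down by its exact variable
# name; change values, not names.

# Disconnect all network shares when a check file is altered?
$disconnectsessions = "yes"
# Remove drive letter D/E in case the check file is altered?
# Be careful when you have applications like Dropbox / Google Drive installed. It might want to delete it from the cloud.
$removedriveletterD = "no"
$removedriveletterE = "no"
# Shut down ALL network adapters in case the check file is altered?
$disableallnetworkadapters = "yes"
# System shutdown if ransomware has been detected?
# Type "shutdown -a" in Run or cmd to cancel
$shutdownsystemiffileisaltered = "no"
# Stop Dropbox for Business if running (safety for not deleting cloud files and needing a restore with Dropbox)
$killdropbox = "yes"

# Contact information (both end up in the alert mail body)
$helpdesk = ""
$ITDepartment = "Your IT Department (Martijn Kamminga)"
$system = $env:computername
$user = $env:username

# Mail Settings
# The $env:username above must match the e-mail address prefix of your domain in order to send mail.
$usermail = "$user@domain.nl"
$ITNotify = "@domain.nl"
$fromemail = "@domain.nl"
$Subject = "Ransomware Detected bij '$user': Bel Martijn Kamminga: "

# Internal SMTP Server (used with Send-MailMessage, no authentication)
$internalsmtpserver = "yes"
$server = "127.0.0.1" # enter your own SMTP server DNS name / IP address here

# External SMTP Server: Google Mail with App Password (used with System.Net.Mail.SmtpClient)
$externalsmtpserver = "no"
# config
$emailSmtpServer = "smtp.gmail.com"
$emailSmtpServerPort = "587"
$emailSmtpUser = "@domain.nl"
# The pass can be an app password of Google Mail.
# NOTE(review): this is a plaintext credential inside a script that a scheduled task runs
# with highest privilege; anyone who can read the script file can read it. Prefer a
# DPAPI-protected secret (e.g. a PSCredential exported with Export-Clixml under the task's
# account) or keep $externalsmtpserver at "no".
$emailSmtpPass = ""

# MailMessage / SmtpClient are only used when $externalsmtpserver is "yes"; the detection
# logic fills in .Body right before sending.
# NOTE(review): .From and .To.Add parse these addresses; with the placeholder values left
# as-is they are likely to throw a FormatException at startup even when external SMTP is
# disabled — fill them in, or confirm.
$HTMLmessage = New-Object System.Net.Mail.MailMessage
$HTMLmessage.From = "$emailSmtpUser"
$HTMLmessage.To.Add( "$ITNotify" )
$HTMLmessage.To.Add( "$usermail" )
$HTMLmessage.Subject = "$Subject"
# Boolean literal instead of the string "True" (any non-empty string, including "False",
# would have converted to $true).
$HTMLmessage.IsBodyHtml = $true
#$HTMLmessage.Priority = [System.Net.Mail.MailPriority]::Normal
$HTMLmessage.Priority = [System.Net.Mail.MailPriority]::High
# PowerShell send
$SMTPClient = New-Object System.Net.Mail.SmtpClient( $emailSmtpServer , $emailSmtpServerPort )
$SMTPClient.EnableSsl = $true
$SMTPClient.Credentials = New-Object System.Net.NetworkCredential( $emailSmtpUser , $emailSmtpPass )

# Alter these paths and the content value for all three folders and files!
$createosdir = "C:\!Check"
$createuserdir = "C:\Users\$env:username\!Check"
$createdatadir = "D:\!Check"
$createfile = "ThisFileDetectsMalware.txt"
$seperator = "\"
$dataos = $createosdir + $seperator + $createfile
$userdirectory = $createuserdir + $seperator + $createfile
$datadrive = $createdatadir + $seperator + $createfile
# Marker log: once it exists the check files are never recreated (a missing file then
# counts as a detection).
$createlogdir = ($env:allusersprofile + "\Logs\")
$logfile = "AntiRansomwareDetectionSet.txt"
$logpath = $createlogdir + $logfile
$logcontent = "The Ransomware Detection is set by your System Administrator"
# Adjust the following value but keep the content the same in the files to be checked.
# Changing it on an already-deployed machine makes every existing check file "altered".
$contentfile = "If This File is altered or deleted, your computer will shut down immediatly to prevent ransomware attacks!"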
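# END CONFIGURATION
# Do not alter below
#
# Detection model: three "canary" files are planted once (OS root, user profile, and the
# optional D: data drive) containing exactly $contentfile. Every scheduled run re-reads
# them; a file whose content differs, or that is missing ($null never equals
# $contentfile), triggers the alert mail and then the configured safety measures.
#
# NOTE(review): the wrapper described in the header runs this script from a scheduled task
# with highest privilege. Keep the script files and the check folders writable by
# administrators only, so that neither a standard user nor a malware process can silence
# the check by editing them.

# Plants one canary file at $Path (inside $Directory) with the content $contentfile.
# Skipped when the canary already exists or when the marker log ($logpath) exists: after
# the initial setup a missing canary must count as a detection, not be quietly recreated.
# Reads script-scope $logpath and $contentfile.
Function Initialize-Canary {
  Param(
    [string]$Directory,
    [string]$Path
  )
  If ((!(Test-Path $Path)) -and (!(Test-Path $logpath))) {
    New-Item $Directory -type Directory
    New-Item $Path -type File
    Add-Content $Path "$contentfile" -NoNewline
  }
}

# Run Once Only
Initialize-Canary -Directory $createosdir -Path $dataos
Initialize-Canary -Directory $createuserdir -Path $userdirectory
# Evaluated once; decides whether the data-drive canary takes part in the check at all.
$hasdatadrive = [bool](Test-Path D:)
If (!$hasdatadrive) {
  Write-Host skipping, no D drive
} Else {
  Initialize-Canary -Directory $createdatadir -Path $datadrive
}
If (!(Test-Path $logpath)) {
  New-Item $createlogdir -type Directory
  New-Item $logpath -type File
  Add-Content $logpath "$logcontent" -NoNewline
}
# End Run Once Only

$occured = Get-Date
# Get-Content on a deleted canary returns $null (with a non-terminating error); the
# comparisons below then fail, which is the intended "file deleted" detection.
$textos = Get-Content $dataos -Raw
$textuser = Get-Content $userdirectory -Raw
$textdata = $null
If ($hasdatadrive) {
  # Only read the data-drive canary when D: exists; the old code read it unconditionally.
  $textdata = Get-Content $datadrive -Raw
}

# Presence messages for the report (empty when a file is gone).
$FileOSExists = ""
$FileUserHomeExists = ""
$FileUserDataExists = ""
If (Test-Path $dataos) {
  Write-Host "File is present"
  $FileOSExists = "Initial Run File OS Directory does Exists!"
}
If (Test-Path $userdirectory) {
  Write-Host "File is present"
  $FileUserHomeExists = "Initial Run File User Home Directory does Exists!"
}
If (Test-Path $datadrive) {
  Write-Host "File is present"
  $FileUserDataExists = "Initial Run File Data Drive Directory does Exists!"
}

# One status per canary. The data-drive canary only counts when D: is present (without a
# D: drive the old code still reported "Ransomware is detected on Data Disk", because
# $textdata was always $null there).
$osaltered = !($textos -eq "$contentfile")
$useraltered = !($textuser -eq "$contentfile")
$dataaltered = $hasdatadrive -and (!($textdata -eq "$contentfile"))
If (!$hasdatadrive) {
  Write-Host "Data D Partition not present, skipping"
}

If ($osaltered -or $useraltered -or $dataaltered) {
  Write-Host "Ransomware Detected! Take Action NOW"

  $ransomwareosdir = "The OS Directory is safe."
  If ($osaltered) { $ransomwareosdir = "Ransomware is detected on OS Disk" }
  $ransomwareuserdir = "The User Directory is safe."
  If ($useraltered) { $ransomwareuserdir = "Ransomware is detected on User Directory" }
  $ransomwaredatadir = "The Data Disk is safe."
  If (!$hasdatadrive) { $ransomwaredatadir = "No data drive present, Data Disk check skipped." }
  If ($dataaltered) { $ransomwaredatadir = "Ransomware is detected on Data Disk" }

  # Summary table for the report. The old code piped a never-assigned $RansomwareDetection
  # into ConvertTo-Html, so the table carried no data.
  $RansomwareDetection = [pscustomobject][ordered]@{
    System = $system
    User = $user
    Timestamp = $occured
    OSDisk = $ransomwareosdir
    UserDirectory = $ransomwareuserdir
    DataDisk = $ransomwaredatadir
  } | ConvertTo-Html -Fragment

  $HTMLHeader = @"
My Systems Report
"@
  # Report body for this system. The "within 1 minute" wording is static text and is sent
  # even when $shutdownsystemiffileisaltered is "no".
  $CurrentSystemHTML = @"

Bel Martijn Kamminga op: 0641459474 of 108 / 125
Your system will shutdown within 1 minute

Ransomware alert on system: $system !

Possible Ransomware Detected! System: $system User: $user on Timestamp: $occured

$RansomwareDetection

Ransomware could be active on your computer or either you have deleted an ICT Folder or altered it's content


$FileOSExists

$FileUserHomeExists

$FileUserDataExists


$user on $system reports $ransomwareosdir

$user on $system reports $ransomwareuserdir

$user on $system reports $ransomwaredatadir


Contact your system administrator immediatly!


Call $helpdesk for support and explain you have been infected or that you have made a mistake by deleting ICT Folders



Kind regards,

$ITDepartment

"@
  # Assemble the final report from all our HTML sections.
  $HTMLMiddle = $CurrentSystemHTML
  $HTMLEnd = @"
"@
  $HTMLmessageEmail = $HTMLHeader + $HTMLMiddle + $HTMLEnd

  # Send the alert BEFORE the safety measures: disconnecting shares, disabling adapters or
  # shutting down would otherwise make delivery impossible.
  If ($internalsmtpserver -eq "yes") {
    send-mailmessage -from $fromemail -to $usermail, $ITNotify -subject $Subject -BodyAsHTML -body $HTMLmessageEmail -priority High -smtpServer $server
  }
  If ($externalsmtpserver -eq "yes") {
    # Bug fix: the no-D-drive branch used to assign the MailMessage object to its own .Body
    # instead of the report text.
    $HTMLmessage.Body = $HTMLmessageEmail
    try {
      $SMTPClient.Send($HTMLmessage)
    } catch {
      Write-Host "Failed to send E-Mail: $_" -ForegroundColor Red
    }
  }

  # Safety measures, in the original order: local cloud sync first, then shares, drive
  # letters, network adapters, and finally the (cancellable) shutdown.
  If ($killdropbox -eq "yes") {
    # SilentlyContinue: no error output when Dropbox is not running.
    Stop-Process -processname Dropbox -ErrorAction SilentlyContinue
  }
  If ($disconnectsessions -eq "yes") {
    net use * /delete /yes
  }
  # Remove drive letters so files / backups on D: or E: cannot be altered.
  If ($hasdatadrive -and ($removedriveletterD -eq "yes")) {
    Get-Volume -Drive D | Get-Partition | Remove-PartitionAccessPath -accesspath "D:\"
  }
  If ((Test-Path E:) -and ($removedriveletterE -eq "yes")) {
    Get-Volume -Drive E | Get-Partition | Remove-PartitionAccessPath -accesspath "E:\"
  }
  If ($disableallnetworkadapters -eq "yes") {
    # -Confirm:$false: Disable-NetAdapter asks for confirmation by default, which would
    # block in the hidden, non-interactive window the .bat/.vbs wrapper starts this in.
    Disable-NetAdapter -Name * -Confirm:$false
  }
  If ($shutdownsystemiffileisaltered -eq "yes") {
    # 60 second grace period; "shutdown -a" cancels it (see configuration).
    shutdown /f /s /t 60
  }
}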