nexxai / CryptoBlocker

A script to deploy File Server Resource Manager and associated scripts to block infected users
GNU General Public License v2.0
200 stars, 73 forks

Powershell errors #6

Closed PaulyHaley closed 7 years ago

PaulyHaley commented 7 years ago

I am testing the script on our file server in an SRM test failover, so there is no internet to grab the file. So I downloaded the file and installed XAMPP to run a local web server and tweaked the script to get the file locally, but when I run it I am getting "Could not load file or assembly 'System.Web.Extensions...'" FileNotFoundException. I checked the logs and the path to the get file and it's being read OK, but it's not finding it further on in the script. Have you come across this before?

Ideally want to test the script before applying on live production file server.

Thanks

andi-blafasl commented 7 years ago

Which version of PowerShell are you using? Check your version with the command $PSVersionTable.PSVersion

I have the same problem with my test and prod servers right now. TestServer is running PS v4; one of the production servers is running PS v2 and is giving me the same error.

PaulyHaley commented 7 years ago

v2. Do you know which version is needed to run the script?

nexxai commented 7 years ago

I believe it ran on v4 (although I may be mis-remembering), but it would probably be in your best interests to upgrade to v5 for a variety of reasons, not the least of which being security-related.

andi-blafasl commented 7 years ago

I have the script running on v4 on my test server. Planning the upgrade to v5 on the prod server right now ;)
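Since the thread turns on which PowerShell version the host runs and on the System.Web.Extensions assembly failing to load, here is an added pre-flight check (example code written for this page, not part of the CryptoBlocker repository) to run before DeployCryptoBlocker.ps1. It assumes the deploy script needs a JSON parser, which on PS 3+ is ConvertFrom-Json and on PS 2 is the JavaScriptSerializer in System.Web.Extensions (the assembly named in the error above), and that the FSRM cmdlets come from the FileServerResourceManager module on Server 2012 and later; the JSON sample is constructed for the test.

```powershell
# Added pre-flight check, not CryptoBlocker's own code. Written to run on
# PowerShell 2 as well as 4/5, since both appear in this thread.
# Assumptions: the deploy script parses JSON (ConvertFrom-Json on PS 3+,
# System.Web.Extensions JavaScriptSerializer on PS 2) and FSRM cmdlets come
# from the FileServerResourceManager module (Server 2012+).

function Test-CryptoBlockerPrereqs {
    $result = @{}

    # 1. PowerShell version: the reports above fail on v2 and succeed on v4.
    $psVer = $PSVersionTable.PSVersion
    $result.PSVersion   = $psVer.ToString()
    $result.PSVersionOk = ($psVer.Major -ge 4)

    # 2. JSON parsing path. Constructed sample in the shape of a filter list.
    $sample = '{"filters":["*.locky","*.zepto","!!!README!!!.txt"]}'
    try {
        if (Get-Command ConvertFrom-Json -ErrorAction SilentlyContinue) {
            $filters = (ConvertFrom-Json $sample).filters
            $result.JsonPath = 'ConvertFrom-Json'
        } else {
            # This is the load that produced the FileNotFoundException above.
            Add-Type -AssemblyName System.Web.Extensions -ErrorAction Stop
            $ser = New-Object System.Web.Script.Serialization.JavaScriptSerializer
            $filters = $ser.DeserializeObject($sample)['filters']
            $result.JsonPath = 'System.Web.Extensions'
        }
        $result.JsonOk = (@($filters).Count -eq 3)
    } catch {
        $result.JsonOk    = $false
        $result.JsonError = $_.Exception.Message
    }

    # 3. FSRM role installed and cmdlets available
    Import-Module ServerManager -ErrorAction SilentlyContinue   # needed on 2008 R2
    $fsrm = Get-WindowsFeature FS-Resource-Manager -ErrorAction SilentlyContinue
    $result.FsrmInstalled = ($fsrm -ne $null -and $fsrm.Installed)
    $result.FsrmCmdlets   = [bool](Get-Command New-FsrmFileScreen -ErrorAction SilentlyContinue)

    New-Object PSObject -Property $result
}

Test-CryptoBlockerPrereqs | Format-List
```

Run it as an administrator on the file server; if JsonOk is false and JsonError names System.Web.Extensions, the host is in the same state as the PS v2 servers described above, and upgrading PowerShell (which brings ConvertFrom-Json) is the fix the thread converged on. FsrmCmdlets will be false on 2008 R2 regardless, since that release has no FileServerResourceManager module.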

PaulyHaley commented 7 years ago

Thanks, I will give this a try, just fighting Windows updates.

PaulyHaley commented 7 years ago

OK, so I upgraded to v4 and there are no PowerShell errors in red. It looks like it's all worked. The only question mark is that after adding the file group successfully there is an informational "The requested object was not found."
The CryptoBlocker template has created 4 groups with the contents from the get file. It has created a passive file screen using the template.

In testing, the FSRM only alerts on test.lockey (event log only), but when I try any of the other file names there is nothing logged. Also, I tried to change the mode to Active but it just reverts to passive.

I am really impressed with this and would like to implement it in passive mode for now, but I am just wondering if there is something not quite right about how it's working.

nexxai commented 7 years ago

I'll need some more information, specifically in which section the "Requested object not found" is happening. Can you paste the entire results of running the script so we can figure out where it's having an issue?

PaulyHaley commented 7 years ago

PS C:\temp> .\DeployCryptoBlocker.ps1 The following shares needing to be protected: c:\ Checking File Server Resource Manager.. Adding/replacing File Group [CryptoBlockerGroup1] with monitored file [!!! HOW TO DECRYPT FILES !!!.txt,!!! READ THIS - IMPORTANT !!!.txt,!!!!!ATENÇÃO!!!!!.html,!!!READ_TO_UNLOCK!!!.TXT,!!!README!!!.rtf,!!!-WARNING-!!!.html,!!!-WARNING-!!! .txt,!_HOW_TORESTORE.txt,!_RECOVERYHELP!.txt,!Decrypt-All-Files-.txt,!DMALOCK3.0,!Please Read Me!.txt,!readme.,! Recovery_.html,!Recovery_.txt,!satana!.txt,!WannaDecryptor!.exe.lnk,!Where_are_my_files!.html,# DECRYPT MY FILES #.htm l,# DECRYPT MY FILES #.txt,# DECRYPT MY FILES #.vbs,# README.hta,###-READ-FOR-HELLPP.html,#_DECRYPTASSISTANCE#.txt,#_R ESTORINGFILES#.TXT,$RECYCLE.BIN.{---}, .vCrypt1,!DMAlock,!recover!.,.!emc,.cry,.crypto,.darkness,.e xx,.kb15,.kraken,.locked,.nochance,.obleep,.@decrypt2017,.[admin@hoist.desi]..WALLET,.[BRAINCRYPT@INDIA.CO M].BRAINCRYPT,.[crysis@life.com]..WALLET,.[File-Help@India.Com].mails,.[GOFMEN17@YA.RU],CRP,.[NO.TORP3DA@PROTONMAIL .CH].WALLET,.[PINGY@INDIA.COM],.[SHIELD0@USA.COM]..WALLET,._AiraCropEncrypted!,.ryp,.{CRYPTENDBLACKDC},.~HL,.0 x0,.1999,.1txt,.2cXpCihgsVxB3,.31342E30362E32303136,.31392E30362E32303136,.6FKR8d,.73i87A,.777,.7h9r,.7z.en crypted,.7zipper,.8637,.8lock8,.96e2,.a19,.a5zfn,.A95436@YA.RU,.A9V9AHU4,.aaa,.abc,.adk,.ADMIN@BADADMIN.XYZ, .ADR,.AES,.aes_ni_0day,.AES256,.aesir,.AES-NI,.AFD,.aga,.airacropencrypted!,.akaibvn,.Alcatraz,.amba,.amnes ia,.android,.angelamerkel,.AngleWare,.anon,.ap19,.asdasdasd,.ATLAS,.axx,.B10CKED,.b5c6,.bagi,.BarRax,.bart, .bart.zip,.better_call_saul,.bitkangoroo,.bitstak,.bleep,.bleepYourFiles,.bloc,.blocatto,.bloccato,.block_file 12,.braincrypt,.breaking bad,.breaking_bad,.bript,.btc,.btc.kkk.fun.gws,.btcbtcbtc,.btc-help-you,.btcware,.C0r p0r@c@0Xr@,.canihelpyou,.cawwcca,.cbf,.ccc,.CCCRRRPPP,.CEBER3,.cerber,.cerber2,.cerber3,.cfk,.chifrator@qq_co 
m,.CHIP,.CIFGKSAFFSFYGHD,.clf,.cloud,.code,.coded,.coin,.comrade,.CONFICKER,.Contact_Here_To_Recover_Your_File s.txt,.CONTACT_TARINEOZA@GMAIL.COM,.corrupted,.coverton,.CRADLE,.crashed,.cRh8,.crime,.crinf,.criptiko,.cripto kod,.cripttt,.crjocker,.crjoker,.crptrgr,.CRPTXXX,.CRRRT,.cry,.cryp1,.crypt,.crypt1,.crypt38,.crypted,.cryp ted_file,.CRYPTED000007,.crypto,.CRYPTOBOSS,.CRYPTOBYTE,.cryptolocker,.CRYPTOSHIEL,.CRYPTOSHIELD,.cryptotorlocke r,.CryptoTorLocker2015!,.cryptowall,.cryptowin,.crypttt,.cryptz,.crypz,.CrySiS,.CTB2,.ctbl,.CTBL2,.czvxce,. d4nk,.da_vinci_code,.DALE,.damage,.DARKCRY,.darkness,.dCrypt,.decrypt2017,.decryptional,.ded,.deria,.DEXTER, .dharma,.Do_not_change_the_file_name.cryp,.domino,.donation1@protonmail.ch.12345,.doomed,.duhust,.dxxd,.dyatel@qq _com,.ecc,.eclr,.edgel,.eky,.encedRSA,.EnCiPhErEd,.encoderpass,.ENCR,.encrypt,.Encrypted,.encrypted.locked,. encryptedAES,.encryptedped,.encryptedRSA,.encryptedyourfiles,.EncrypTile,.enigma,.enjey,.epic,.evil,.evillock, .exotic,.exploit,.exx,.ezz,.FailedAccess,.fantom,.fartplz,.file0locked,.filegofprencrp,.fileiscryptedhard,.fil ock,.firecrypt,.FLATCHER3@INDIA.COM.000G,.flyper,.frtrss,.fuck,.Fuck_You,.fucked,.fuckyourdata,.fun,.gangbang, .gefickt,.gembok,.GETREKT,.GG,.globe,.good,.gruzin@qq_com,.GSupport3,.gui,.gws,.gws.porno,.h3ll,.ha3,.Haku naMatata,.hannah,.happy,.happydayzz,.Harzhuangzi,.hasp,.haters,.hb15,.hcked,.heisenberg,.helpdecrypt@india.com ,.helpdecrypt@ukr.net,.helpdecrypt@ukr.net,.helpdecrypt@ukr_net,.helpmeencedfiles,.helppme@india.com.,.HELPPME@I NDIA.COM.ID83994902,.herbst,.hnumkhotep,.hnumkhotep@india.com.hnumkhotep,.hnyear,.How_To_Decrypt.txt,.How_To_Get_B ack.txt,.htrs,.hush,.hydracrypt_ID,.hydracryptID,.iaufkakfhsaraf,.id-3044989498_x3m,.ID-7ES642406.CRY,.infec ted,.isis,.IWANT,.I'WANT MONEY,.iwanthelpuuu,.jaff,.jeepdayz@india.com,.JEEPERS,.jey,.jse,.justbtcwillhelpyou, .k0stya,.keepcalm,.kencf,.keybtc@inbox,.keybtc@inbox_com,.KEYH0LES,.KEYHOLES,.KEYZ,.KEYZ.KEYH0LES,.kilit,.kil 
ledXXX,.kimcilware,.kimcilware.locked,.kirked,.kkk,.kok,.korrektor,.kostya].. The requested object was not found.

File group added successfully. Adding/replacing File Group [CryptoBlockerGroup2] with monitored file [.kr3,.kraken,.kratos,.krypted,.L0CKED,.lamb da.l0cked,.LAMBDA.LOCKED,.lambda_l0cked,.LCKD,.LeChiffre,.legion,.lesli,.letmetrydecfiles,.lfk,.LOCK75,.lock93 ,.locked,.locked-,.LOCKED.txt,.locked3,.Locked-by-Mafia,.Lockify,.LOCKOUT,.locky,.LOL!,.LOLI,.loptr,.lovewi ndows,.loveyouisreal,.magic,.magic_software_syndicate,.maktub,.MATRIX,.MAYA,.medal,.MERRY,.micro,.MIKOYAN,.MO LE,.MRCR1,.msj,.nalog@qq_com,.neitrino,.nemo-hacks.at.sigaint.org,.news,.NM4,.no_more_ransom,.nochance,.noprob lemwedecfiles,.nuclear55,.NUMBERDOT,.odcodc,.odin,.okean,.okokokokok,.OMG!,.one,.one-we_can-help_you,.ONION, .only-we_can-help_you,.oops,.oor,.openforyou@india.com,.oplata@qq_com,.oshit,.osiris,.otherinformation,.owned,. p5tkjw,.padcrypt,.PAY,.paybtcs,.paycyka,.payfordecrypt,.payfornature@india.com.crypted,.paymds,.paymrts,.payms, .paymst,.payransom,.paytounlock,.pdcr,.PEGS1,.pizda@qqcom,.pizdec,.pky,.plauge17,.PoAr2w,.porno,.porno.porn oransom,.pornoransom,.POSHKODER,.potato,.powerfulldecrypt,.powned,.pr0tect,.psh,.purge,.pzdc,.R.i.P,.R16M01D0 5,.R4A,.R5A,.RAD,.RADAMANT,.raid10,.ranranranran,.RANSOM,.RARE1,.razarac,.razy,.razy1337,.RDM,.rdmk,*.Read Me.Txt,.realfs0ciety,.rekt,.relock@qq_com,.remind,.REVENGE,.rip,.RMCM1,.rnsmwr,.rokku,.RRK,.RSNSlocked,.RSp lited,.rtyrtyrty,.ryp,.sage,.SALSA222,.sanction,.scl,.SecureCrypte,.SecureCrypted,.SERP,.serpent,.sgood,.shi fr,.shino,.shit,.sifreli,.Silent,.SKJDTHGHH,.slvpawned,.son,.sport,.sshxkej,.stn,.SUPERCRYPT,.surprise,.sze snl,.szf,.TheTrumpLockerf,.TheTrumpLockerp,.theva,.thor,.tmp.exe,.toxcrypt,.troyancoder@qq_com,.trun,.ttt,.tz u,.uDz2j8mv,.UIWIX,.uk-dealer@sigaint.org,.unavailable,.unbrecryptID,.usr0,.vault,.VBRANSOM,.vCrypt1,.vdul, .velikasrbija,.Venusf,.venusp,.VforVendetta,.viki,.vindows,.vscrypt,.vvv,.vxLock,.wallet,.warn_wallet,.wcry, 
.WCRYT,.weareyourfriends,.weencedufiles,.wflx,.whatthefuck,.Where_my_files.txt,.Whereisyourfiles,.wincry,.windo ws10,.wncry,.wncrypt,.wncryt,.wnry,.WORMKILLER@INDIA.COM.XTBL,.wowreadfordecryp,.wowwhereismyfiles,.WRNY,.wuciw ug,.WWW,.x0lzs3c,.x3m,.x3mpro,.XBTL,.xcrypt,.xncrypt,.xorist,.xort,.XRNT,.xrtn,.xtbl,.xxx,.xyz,.Yakes,.y ouransom,.yourransom,.YTBL,.Z81928819,.zc3791,.zcrypt,.zendr4,.zepto,.Zimbra,.ZINO,.zorro,.zXz,.zycrypt,.zy klon,.zypto,.zzz,.Zzzz,.zzzzz,.????? ????????????,.????,.???,@gmailcom,@india.com,[cryptservice@inbox.ru] ,[cryptsvc@mail.ru].,[lavandos@dr.com].wallet,_.rmd,_crypt,_help_instruct.,_HELP_instructions.html,_HOWDO_tex t.bmp,_HOWDO_text.html,_luck,_nullbyte,_READ_THISFILE_,recover.,_ryp,steaveiwalker@india.com,_WHAT_is .html,+recover+.,bingo@opensourcemail.org,cerber2,decipher,decrypt my file.,decrypt your file.,decryptmyfi les.,drakosho_new@aol.com,EdgeLocker.exe,files_are_encrypted.,-filesencrypted.html,garryweber@protonmail.ch,g mail.crypt,help_restore.,HERMES,how_to_recover.,info@kraken.cc_worldcza@email.cz,install_tor.,keemail.me, maestro@pizzacrypts.info,opentoyou@india.com,qq_com,rec0ver.,-recover-.,recover_instruction.,recover}-., restore_fi.,ukr.net,want your files back.,warning-!!.,.~,@_USE_TOFIX.txt,@Please_Read_Me@.txt,@WanaDecryptor @.,@WARNING_FILES_ARE_ENCRYPTED..txt,[amandasofost@india.com].wallet,[KASISKI]*,!!!README!!!*,!!!README!!!* .txt,_!!!README!!!*.hta,__HOWDOtext.html,README.hta,_README.jpg,_Adatok_visszaallitasahoz_utasitasok.txt,_DEC RYPTINFO.html,_DECRYPT_INFO_szesnl.html,_H_e_l_p_RECOVER_INSTRUCTIONS.html,_H_e_l_p_RECOVER_INSTRUCTIONS.png,_H_e_l _p_RECOVER_INSTRUCTIONS.txt,_H_e_l_p_RECOVER_INSTRUCTIONS+.html,_H_e_l_p_RECOVER_INSTRUCTIONS+.png,_H_e_l_p_RECOVER_I NSTRUCTIONS+.txt,_HELP_HELPHELP,_HELP_HELPHELP.hta,_HELP_HELPHELP.jpg,_help_instruct.,_HELP_instructions.bmp ,_HELP_instructions.txt,_HELP_RecoverFiles.html,_how_recover.html,_how_recover*.txt].. The requested object was not found.

File group added successfully. Adding/replacing File Group [CryptoBlockerGroup3] with monitored file [_how_recover.txt,_how_recover+.html,_how_recover +.txt,_HOW_TO_Decrypt.bmp,_HOWDO_text.html,_Locky_recover_instructions.bmp,_Locky_recover_instructions.txt,_READ_THI$F ILE,README.hta,README.hta,_RECOVER_INSTRUCTIONS.ini,_ryp,_secret_code.txt,_WHAT_is.html,0_HELP_DECRYPT_FILES.HTM, 000-IF-YOU-WANT-DEC-FILES.html,000-No-PROBLEM-WE-DEC-FILES.html,000-PLEASE-READ-WE-HELP.html,001-READ-FOR-DECRYPT-FILES. html,009-READ-FOR-DECCCC-FILESSS.html,4-14-2016-INFECTION.TXT,About_Files.txt,Aescrypt.exe,AllFilesAreLocked.bmp,ASSIST ANCE_IN_RECOVERY.txt,ATLAS_FILES.txt,ATTENTION!!!.txt,ATTENTION.url,bahij2@india.com,BitCryptorFileList.txt,BTCDECRYPT FILES.txt,BUYUNLOCKCODE,BUYUNLOCKCODE.txt,C-email--.odcodc,Coin.Locker.txt,COME_RIPRISTINARE_I_FILE.,Comment débloque r mes fichiers.txt,Como descriptografar seus arquivos.txt,COMO_ABRIR_ARQUIVOS.txt,COMO_RESTAURAR_ARCHIVOS.html,COMO_REST AURAR_ARCHIVOS.txt,confirmation.key,crjoker.html,cryptinfo.txt,cryptolocker.,CryptoRansomware.exe,Crytp0l0cker.dll,Cryt p0l0cker.exe,Crytp0l0cker.Upack.dll,Cversions.2.db,Cyber SpLiTTer Vbs.exe,DALE_FILES.TXT,damage@india.com,de_crypt_read me.,de_crypt_readme.bmp,de_crypt_readme.html,de_crypt_readme.txt,decipher_ne@outlook.com,Decrypt All Files .bmp,decry pt explanations.html,decrypt_Globe.exe,DECRYPT_INFO.txt,DECRYPT_INFORMATION.html,decrypt_instruct.,DECRYPT_INSTRUCTIO N.HTML,DECRYPT_INSTRUCTION.TXT,DECRYPT_INSTRUCTION.URL,DECRYPT_INSTRUCTIONS.html,DECRYPT_INSTRUCTIONS.TXT,DECRYPT_ReadMe .TXT,DECRYPT_Readme.TXT.ReadMe,DECRYPT_ReadMe1.TXT,DECRYPT_YOUR_FILES.HTML,DECRYPT_YOUR_FILES.txt,DecryptAllFiles.txt,D ecryptAllFiles.txt,decrypted_files.dat,DecryptFile.txt,decrypt-instruct.,DECRYPTION INSTRUCTIONS.txt,DECRYPTION_HOWTO. 
Notepad,decypt_your_files.html,default32643264.bmp,default432643264.jpg,DESIFROVANI_POKYNY.html,DesktopOsiris.,DesktopO siris.htm,DOSYALARINIZA ULASMAK IÇIN AÇINIZ.html,EMAIL__recipient.zip,email-salazar_slytherin10@yahoo.com.ver-.id--. randomname-,email-vpupkin3@aol.com,enc_files.txt,encryptor_raas_readme_liesmich.txt,enigma.hta,enigma_encr.txt,ENTSCHL USSELNHINWEISE.html,exit.hhr.obleep,fattura.js,File Decrypt Help.html,file0locked.js,FILES_BACK.txt,FILESAREGONE.TXT, firstransomware.exe,GetYouFiles.txt,GJENOPPRETTING_AV_FILER.html,GJENOPPRETTING_AV_FILER.txt,Hacked_Read_me_to_decrypt_f iles.html,HELLOTHERE.TXT,Help Decrypt.html,help_decrypt.,HELP_DECRYPT.HTML,HELP_DECRYPT.lnk,HELP_DECRYPT.PNG,Help_Decr ypt.txt,HELP_DECRYPT.URL,help_decrypt_your_files.html,helpfile.,help_instructions.,HELP_ME_PLEASE.txt,help_recover .,HELP_RECOVER_FILES.txt,help_recover_instructions.bmp,help_recover_instructions.html,help_recover_instructions.txt, help_recover_instructions+.BMP,help_recover_instructions+.html,help_recover_instructions+.txt,help_restore.,HELP_RE STORE_FILES.txt,HELP_RESTOREFILES.,HELP_RESTOREFILES.TXT,HELP_TO_DECRYPT_YOUR_FILES.txt,HELP_TO_SAVE_FILES.bmp,HE LP_TO_SAVE_FILES.txt,help_your_file.,HELP_YOUR_FILES.html,HELP_YOUR_FILES.PNG,HELP_YOUR_FILES.TXT,HELP_YOURFILES.HTML, HELPDECRYPT.TXT,HELPDECYPRT_YOUR_FILES.HTML,help-file-decrypt.enc,HELP-ME-ENCED-FILES.html,How decrypt files.hta,How Dec rypt My Files.lnk,how to decrypt aes files.lnk,HOW TO DECRYPT FILES.HTML,HOW TO DECRYPT FILES.txt,How to decrypt LeChiff re files.html,How to decrypt your data.txt,How to decrypt your files.jpg,How to decrypt your files.txt,how to decrypt. 
,How to get data back.txt,how to get data.txt,How to restore files.hta,how_decrypt.gif,HOW_DECRYPT.HTML,HOW_DECRYPT.TXT, HOW_DECRYPT.URL,How_Decrypt_My_Files,HOW_OPEN_FILES.hta,how_recover.,HOW_RETURN_FILES.TXT,how_to_decrypt.,HOW_TO_DEC RYPT.HTML,HOW_TO_DECRYPT_FILES.html,HOW_TO_DECRYPT_FILES.TXT,How_to_decrypt_your_files.jpg,HOW_TOFIX!.TXT,how_to_recov er.,How_To_Recover_Files.txt,How_to_restore_files.hta,HOW_TO_RESTORE_FILES.html,HOW_TO_RESTORE_FILES.txt,HOW_TO_RESTOR E_YOUR_DATA.html,how_to_unlock.,HOW_TO_UNLOCK_FILESREADME.txt,HowDecrypt.gif,HowDecrypt.txt,howrecover+.txt,howto_ recover_file.txt,HOWTO_RECOVERFILES.,HOWTO_RECOVERFILES.TXT,howto_restore.].. The requested object was not found.

File group added successfully. Adding/replacing File Group [CryptoBlockerGroup4] with monitored file [Howto_RESTORE_FILES.html,Howto_Restore_FILES.TXT, howtodecrypt.,howtodecryptaesfiles.txt,HOW-TO-DECRYPT-FILES.HTML,HowtoRESTORE_FILES.txt,HUR_DEKRYPTERAFILER.html,HUR DEKRYPTERA_FILER.txt,HVORDAN_DU_GENDANNER_FILER.html,HVORDAN_DU_GENDANNER_FILER.txt,HWID Lock.exe,IAMREADYTOPAY.TXT,IF_W ANT_FILES_BACK_PLS_READ.html,IHAVEYOURSECRET.KEY,IMPORTANT READ ME.txt,Important!.txt,IMPORTANT.README,install_tor.,IN STALL_TOR.URL,INSTRUCCIONES.txt,INSTRUCCIONES_DESCIFRADO.html,INSTRUCCIONES_DESCIFRADO.TXT,INSTRUCTION RESTORE FILE.TXT, INSTRUCTION_FOR_HELPING_FILE_RECOVERY.txt,Instructionaga.txt,INSTRUCTIONS_DE_DECRYPTAGE.html,ISTRUZIONI_DECRITTAZIONE.ht ml,KryptoLocker_README.txt,last_chance.txt,lblBitcoinInfoMain.txt,lblFinallyText.txt,lblMain.txt,LEER_INMEDIATAMENTE.txt ,locked.bmp,loptr-.htm,maxcrypt.bmp,MENSAGEM.txt,MERRY_I_LOVE_YOU_BRUCE.hta,message.txt,NFS-e1025-7152.exe,NOTE;!!!-OD ZYSKAJ-PLIKI-!!!.TXT,OKSOWATHAPPENDTOYOURFILES.TXT,OKU.TXT,ONTSLEUTELINGS_INSTRUCTIES.html,oor.,OSIRIS-.,OSIRIS-.htm ,PadCrypt.exe,padcryptUninstaller.exe,paycrypt.bmp,Payment_Advice.mht,Payment_Instructions.jpg,PAYMENT-INSTRUCTIONS.TXT, PLEASE-READIT-IF_YOU-WANT.html,popcorn_time.exe,pronk.txt,qwer.html,qwer2.html,Rans0m_N0te_Read_ME.txt,ransomed.html,REA D IF YOU WANT YOUR FILES BACK.html,Read Me (How Decrypt) !!!!.txt,READ ME ABOUT DECRYPTION.txt,READ ME FOR DECRYPT.txt,R EAD TO UNLOCK FILES.salsa..html,Read.txt,READ@My.txt,READ_IT.txt,READ_IT_FOR_GET_YOUR_FILE.txt,README!.txt,READ_ME_TO _DECRYPT_YOU_INFORMA.jjj,Read_this_file.txt,READ_THIS_TO_DECRYPT.html,ReadDecryptFilesHere.txt,README HOW TO DECRYPT YOU R FILES.HTML,README!!!.txt,readme.hta,readme_decrypt.,ReadME_DecryptHelp.html,README_DECRYPT_HYDRAID.txt,README_ DECRYPT_HYRDAID.txt,README_DECRYPT_UMBREID.jpg,README_DECRYPT_UMBREID.txt,readme_for_decrypt.,README_HOW_TO_U 
NLOCK.HTML,README_HOW_TO_UNLOCK.TXT,readme_liesmich_encryptor_raas.txt,README_RECOVERFILES.html,README_RECOVERFILES .png,README_RECOVERFILES.txt,README_TO_RECURE_YOUR_FILES.txt,READ-READ-READ.html,READTHISNOW!!!.TXT,Receipt.exe,reco ver.bmp,recover.txt,recoverfile.txt,RECOVERY_FILE.txt,recovery_file.txt,RECOVERY_FILES.txt,recovery_key.txt,recovery+ .,Recovery+.html,Recovery+.txt,recoveryfile.txt,Recupere seus arquivos aqui.txt,redchip2.exe,RESTORE_CORUPTED_FILES. HTML,RESTORE_FILES.HTML,restore_files.txt,RESTOREFILES.,RESTOREFILES.txt,RESTORE-12345-FILES.TXT,restorefiles.txt ,rtext.txt,Runsome.exe,Sarah_G@ausi.com___,SECRET.KEY,SECRETIDHERE.KEY,SHTODELATVAM.txt,SIFRE_COZME_TALIMATI.html,stron gcrypt.bmp,Survey Locker.exe,svchosd.exe,t.wry,taskdl.exe,taskhsvc.exe,tasksche.exe,taskse.exe,ThxForYurTyme.txt,tor.exe ,tox.html,TRY-READ-ME-TO-DEC.html,UnblockFiles.vbs,unCrypte@outlook.com,UNLOCK_FILES_INSTRUCTIONS.html,UNLOCK_FILESINS TRUCTIONS.txt,Vape Launcher.exe,vault.hta,vault.key,vault.txt,VictemKey_,VIP72.exe,Wannacry.exe,WannaCrypt 4.0.exe,wc ry.exe,wcry.zip,WE-MUST-DEC-FILES.html,What happen to my files.txt,WHERE-YOUR-FILES.html,wie_zum_Wiederherstellen_von_Da teien.txt,winclwp.jpg,WindowsApplication1.exe,xort.txt,YOUGOTHACKED.TXT,Your files are locked !!!!.txt,Your files are lo cked !!!.txt,Your files are locked !!.txt,Your files are locked !.txt,Your files encrypted by our friends !!! txt,Your f iles encrypted by our friends !!!.txt,YOUR_FILES.HTML,YOUR_FILES.url,YOUR_FILES_ARE_DEAD.hta,YOUR_FILES_ARE_ENCRYPTED.HT ML,YOUR_FILES_ARE_ENCRYPTED.TXT,YOUR_FILES_ARE_LOCKED.txt,YourID.txt,zcrypt.exe,ZINO_NOTE.TXT,zXz.html,zycrypt.,zzzzzzz zzzzzzzzzzyyy,????????????????????.txt].. The requested object was not found.

File group added successfully. Adding/replacing File Screen Template [CryptoBlockerTemplate] with Event Notification [] and Command Notification [].. The requested object was not found.

Template added successfully. Adding/replacing File Screens.. Adding/replacing File Screen for [c:] with Source Template [CryptoBlockerTemplate].. The requested object was not found.

File screen successfully created for "c:\". PS C:\temp>

PaulyHaley commented 7 years ago

Incidentally, if you run it again there are no problems; it deletes and re-adds the groups and template.

There is still a problem with the FSRM though, not being able to change it to Active, even if you remove the file screen and re-create it. This is a VM that is running in a failed-over, isolated test network.

I just installed and ran it on our production backup server, and although I saw the same messages in PowerShell it's all working as expected. Active file screens are blocking on multiple file names.

Don't waste too much time on this. We are going ahead, but as this is the production file server we need to patch it and update PowerShell first, which we are planning on doing Friday night.

Thanks for the really quick responses.

Cheers Paul

nexxai commented 7 years ago

OK, so you can't have an Active file screen on the root of the C:\ drive because the system lives there; however, if you create one on a subfolder of C:\ (e.g. C:\Shares), you can set it to Active. Otherwise, as long as the file screens are showing up, it should be fine.
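To put that advice into a repeatable step, here is an added example (written for this page, not CryptoBlocker's own code) that creates an Active file screen on a subfolder from the template the deploy script produces and then verifies the mode actually stuck. It assumes the FileServerResourceManager module (Server 2012+), that DeployCryptoBlocker.ps1 has already created CryptoBlockerTemplate, and a hypothetical share folder C:\Shares; the probe file name test.locky uses the .locky extension that appears in the group listing above.

```powershell
# Added example, not part of the CryptoBlocker repository.
# Assumes: FileServerResourceManager module (Server 2012+), the
# CryptoBlockerTemplate already created by DeployCryptoBlocker.ps1, and a
# hypothetical share folder C:\Shares. Run elevated on the file server.

Import-Module FileServerResourceManager

$SharePath    = 'C:\Shares'              # hypothetical; use the folder behind your share
$TemplateName = 'CryptoBlockerTemplate'

# Show what the template carries before applying it
$tpl = Get-FsrmFileScreenTemplate -Name $TemplateName
"Template '{0}': Active={1}, groups={2}" -f $tpl.Name, $tpl.Active, ($tpl.IncludeGroup -join ', ')

# Replace any existing screen on the subfolder and force Active mode.
# Per the thread, a screen on C:\ itself cannot be made Active; a subfolder can.
$existing = Get-FsrmFileScreen -Path $SharePath -ErrorAction SilentlyContinue
if ($existing) { Remove-FsrmFileScreen -Path $SharePath -Confirm:$false }
$null = New-FsrmFileScreen -Path $SharePath -Template $TemplateName -Active

# Verify the mode rather than trusting the create call
$check = Get-FsrmFileScreen -Path $SharePath
"{0}: Active={1}" -f $check.Path, $check.Active
if (-not $check.Active) { throw "File screen on $SharePath is still passive" }

# Functional probe: creating a monitored name must now be refused.
# If the screen is passive the file is written (and logged), so clean it up.
$probe = Join-Path $SharePath 'test.locky'
try {
    Set-Content -Path $probe -Value 'probe' -ErrorAction Stop
    Write-Warning "Wrote $probe; the screen did not block it"
    Remove-Item $probe
} catch {
    "Blocked as expected: $($_.Exception.Message)"
}
```

The verification step matters because, as reported above, FSRM can silently fall back to passive for a screen on the drive root; reading the screen back with Get-FsrmFileScreen and then attempting a write of a monitored name is the only check that proves the block is active on the path users actually write to.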

PaulyHaley commented 7 years ago

Sweet. Awesome. The share for the users' data (it's on the C drive, and don't ask) is a hidden share, which I guess it doesn't detect. Doesn't matter, as it's easy enough to create a new one.

Thanks Paul