When I sit across the table from CISOs and ask, “has your organization been affected by ransomware recently?” the answer is almost always “of course!” However, when asked how they are handling it, they typically look to me for an answer. While I believe that training the human and having in-line security appliances are certainly important, I wanted to share a solution that uses resources already built into Windows. This solution uses PowerShell and Windows File Services Resource Manager (FSRM) to automatically lock out a user account when ransomware activity is detected.
First and foremost, you will need to set up FSRM on your file servers. This feature is part of the File Services Role and can be installed with the following PowerShell command (all one line).
Install-WindowsFeature -Name FS-Resource-Manager -IncludeManagementTools
Take note, FSRM is only available on Windows Server. If you’re interested in workstation mitigation, comment below and I’ll get to writing!
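The install step above, as an added example that is not from the original post: an idempotent version that skips machines that are not running Windows Server, installs the feature only where it is missing, and confirms the FSRM service state afterwards. The server names, the function name Install-FsrmIfNeeded, and running it over WinRM from a management host that has the ServerManager module are assumptions.

```powershell
# Added example (not from the original post). Assumes a management host with the
# ServerManager module and WinRM access to the target servers.
$FileServers = @('FS01', 'FS02')   # constructed sample names; replace with your own

function Install-FsrmIfNeeded {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$ComputerName)

    $report = [ordered]@{ Computer = $ComputerName; Status = ''; RestartNeeded = 'No'; Service = '' }
    try {
        # ProductType 1 = workstation; 2 and 3 are server SKUs. FSRM needs a server.
        $os = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $ComputerName -ErrorAction Stop
        if ($os.ProductType -eq 1) {
            $report.Status = 'Skipped: not Windows Server'
            return [pscustomobject]$report
        }

        # Install only when the feature is missing, so reruns are harmless.
        $feature = Get-WindowsFeature -Name FS-Resource-Manager -ComputerName $ComputerName -ErrorAction Stop
        if ($feature.Installed) {
            $report.Status = 'Already installed'
        } else {
            $result = Install-WindowsFeature -Name FS-Resource-Manager -IncludeManagementTools `
                          -ComputerName $ComputerName -ErrorAction Stop
            $report.Status        = if ($result.Success) { 'Installed' } else { 'Install failed' }
            $report.RestartNeeded = "$($result.RestartNeeded)"
        }

        # SrmSvc is the FSRM service; FSRM does nothing unless it is running.
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='SrmSvc'" `
                   -ComputerName $ComputerName -ErrorAction Stop
        $report.Service = if ($svc) { $svc.State } else { 'Not found' }
    } catch {
        # Unreachable host, missing module, or access denied all end up here.
        $report.Status = "Error: $($_.Exception.Message)"
    }
    [pscustomobject]$report
}

$FileServers | ForEach-Object { Install-FsrmIfNeeded -ComputerName $_ } | Format-Table -AutoSize
```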