
Ransomware Protection


By: mysticman2k

October 20, 2016

I recently wrote a post in the forums regarding ransomware prevention. I'd like to highlight some good practices that can help you prevent ransomware from being executed against your own or your clients' servers.

After attempting to develop our own in-house solutions to prevent the automatic encryption of files, we found the process cumbersome because the Microsoft Windows operating system and other software naturally encrypt certain files themselves.

Having investigated third-party vendors, we found that many AV companies openly admit they are unable to detect such exploits being run, because they don't use traditional signature-based viruses. New products that are behavior-based rather than signature-based are emerging every day and boast the ability to detect new variants as they are released; however, with the business of ransomware and RaaS (Ransomware-as-a-Service) being so lucrative, I personally suspect that the authors will find ways around any protection systems as they emerge.

Our solution, which we've found most effective, is to use FSRM (File Server Resource Manager) to create file screens that report on and block files being renamed to known ransomware file extensions.

Initially, I came across a TechNet post by Tim Buntrock which provides the starting point for configuring an effective file-blocking and email-notification system: it prevents the files from being changed and notifies both us and the user who executed the ransomware. You can modify the actions from just blocking and reporting to shutting off shares immediately or rebooting the affected server, depending on your specific requirements. The file extension list will need to be updated manually as new variants are released, but I have seen people writing scripts to automate this, so that is also worth keeping an eye out for.

At the end of the day, the most important points are these:

- Backup every day!
- Monitor the backups daily: know if a backup hasn't run, and then take action!
- Offsite backups! I have seen ransomware actively attack an onsite backup repository and destroy it!
- Do not depend on Volume Shadow Copies, as they generally become worthless in the event of an attack.

All due respect and many thanks to Tim Buntrock.
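The FSRM setup described above, as an added PowerShell example (not the author's or Tim Buntrock's code): it builds a file group of blocked patterns, an email and an event-log notification, and an active screen on a share path. The share path, SMTP server, admin address and the extension patterns are assumed placeholders, since the post lists no specific extensions.

```powershell
# Added example: FSRM active file screen for known ransomware extensions.
# Requires the FSRM role: Install-WindowsFeature FS-Resource-Manager
Import-Module FileServerResourceManager

# Placeholders (not from the original post): adjust for your environment.
$SharePath  = 'D:\Shares'
$SmtpServer = 'smtp.example.internal'
$AdminMail  = 'fileserver-admins@example.internal'
$GroupName  = 'Ransomware Extensions'

# Global FSRM mail settings so that [Admin Email] notifications can be delivered.
Set-FsrmSetting -SmtpServer $SmtpServer -AdminEmailAddress $AdminMail `
    -FromEmailAddress "fsrm@$env:COMPUTERNAME"

# Constructed sample patterns; this list must be maintained as new variants appear.
$Patterns = @('*.locked', '*.crypt', '*.encrypted', '*DECRYPT_INSTRUCTIONS*.txt')

# Create the file group, or update its patterns if it already exists (re-runnable).
if (Get-FsrmFileGroup -Name $GroupName -ErrorAction SilentlyContinue) {
    Set-FsrmFileGroup -Name $GroupName -IncludePattern $Patterns
} else {
    New-FsrmFileGroup -Name $GroupName -IncludePattern $Patterns
}

# Notification 1: email the admins and the user whose account wrote the file.
# [Source Io Owner], [Source File Path] and [Server] are FSRM substitution variables.
$MailAction = New-FsrmAction -Type Email `
    -MailTo '[Admin Email];[Source Io Owner Email]' `
    -Subject 'Ransomware file screen triggered on [Server]' `
    -Body 'User [Source Io Owner] attempted to write [Source File Path], which matches a ransomware pattern. The write was blocked; isolate that workstation and verify backups.'

# Notification 2: Application event log entry for SIEM or monitoring pickup.
$EventAction = New-FsrmAction -Type Event -EventType Warning `
    -Body 'Ransomware file screen hit: [Source Io Owner] -> [Source File Path] on [Server]'

# Harsher response mentioned in the post (taking the share offline) would be a
# Command action instead, e.g.:
#   New-FsrmAction -Type Command -Command 'C:\Windows\System32\net.exe' `
#       -CommandParameters 'share Data /delete' -SecurityLevel LocalSystem

# Active screen: denies the write and fires both notifications.
# Use -Active:$false for a report-only (passive) screen while tuning the pattern list.
New-FsrmFileScreen -Path $SharePath -IncludeGroup $GroupName -Active `
    -Notification @($MailAction, $EventAction)
```

Running the script a second time fails at New-FsrmFileScreen if a screen already exists on that path; use Set-FsrmFileScreen to update it instead. Extension-based screening only catches variants that rename files, so it complements, rather than replaces, the daily backups the post insists on.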