Blocking Ransomware Scripts with Exchange Transport Rules

One of the current tactics ransomware authors are using to infect your network is to send email attachments containing malicious scripts. These scripts are often VBScript (.vbs), Windows Script File (.wsf), or JavaScript (.js) files, and when executed, they download a DLL or EXE that starts the infection.


An example JavaScript which downloads and executes ransomware

One way to prevent these scripts from ever getting into your users’ inboxes is by creating an Exchange Transport Rule. These rules allow you to inspect the email attachment before delivering the message to the intended recipient. If the condition matches, you can immediately delete the email.

For Exchange 2007, 2010, or SBS 2011

To create the rule, open the Exchange Management Console, navigate to Organization Configuration > Hub Transport, and click on the Transport Rules tab. Select “New Transport Rule” and give it a name. Add a comment so that you know what this rule is blocking.

In the conditions step, select “when any attachment file name matches text patterns”. Click the Text Patterns link. Type in .vbs, then press the Add button. Do the same for .wsf and .js. While you are at it, you can also add .vb, .hta, .exe, .bat, and .scr to the list.

After creating the extensions list, select “Delete the message without notifying anyone”.

For Exchange 2013

If you are using Exchange 2013, go to the Exchange Admin Center > Mail flow > Rules. When you create a new rule, you can see the full list of attachment-related conditions by clicking More options > Any attachment under Apply this rule if. Add the same list of extensions (.vbs, .wsf, .js, .vb, .hta, .exe, .bat, and .scr). You will also need to define the action to take on the mail if the conditions are met.
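The same rule can be created from the Exchange Management Shell instead of clicking through the console. The following is an added example, not code from the original post; it assumes you are running it in the Exchange Management Shell of Exchange 2010 or later with organization-management rights, and that the rule name chosen here is not already in use.

```powershell
# Added example (not from the original post): create the attachment-blocking
# transport rule from the Exchange Management Shell.
# Assumptions: Exchange 2010 or later, run as an organization administrator,
# and no existing rule named "Block ransomware script attachments".

$ruleName = "Block ransomware script attachments"

# The extensions listed in the post, kept in one place so both variants agree.
$blockedExtensions = @('vbs', 'wsf', 'js', 'vb', 'hta', 'exe', 'bat', 'scr')

# Exchange 2010: the "attachment file name matches text patterns" condition takes
# regular expressions, so anchor each extension at the end of the file name.
$patterns = $blockedExtensions | ForEach-Object { '\.' + $_ + '$' }

New-TransportRule -Name $ruleName `
    -Comments "Deletes mail carrying script/executable attachments used as ransomware droppers" `
    -AttachmentNameMatchesPatterns $patterns `
    -DeleteMessage $true

# Exchange 2013 and later: the same rule using the extension-based condition.
# -Mode Audit only logs matches (the delete action is not taken), which lets you
# check message tracking for false positives before switching the rule to Enforce.
# New-TransportRule -Name $ruleName `
#     -AttachmentExtensionMatchesWords $blockedExtensions `
#     -DeleteMessage $true `
#     -Mode Audit

# Confirm the rule exists with the intended condition and action.
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, Priority, AttachmentNameMatchesPatterns, DeleteMessage
```

Send yourself a test message with a harmless text file renamed to one of the listed extensions to confirm the rule fires before relying on it. Whether a given Exchange version also inspects attachments packed inside archives is a separate question that this name-based rule does not answer, so verify that case the same way.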

These instructions will only work if you are running Exchange. If your company uses another mail handling application, consult its user guide on how to filter based on attachment extensions.


7 thoughts on “Blocking Ransomware Scripts with Exchange Transport Rules”

  1. PC Matic has been my choice for over 5 years because it delivers. Super Shield has stopped dozens of malware and PUP downloads, and I very seldom have to do a replace-HD-and-wipe operation.

    • Yes. Any ransomware that is executable is blocked with our SuperShield technology. This is just another proactive measure that users can take. It doesn’t replace a security software solution, but prevents the malicious email from even entering your inbox.
