Blocking Ransomware Scripts with Exchange Transport Rules

One tactic ransomware authors currently use to get a foothold on your network is to send email attachments containing malicious scripts. These are often VBScript (.vbs), Windows Script File (.wsf), or JavaScript (.js) files. When a user opens one, Windows Script Host runs it, and the script downloads a DLL or EXE and launches it to start the infection.

Figure: An example JavaScript which downloads and executes ransomware

One way to stop these scripts from ever reaching your users' inboxes is to create an Exchange Transport Rule. Transport rules inspect a message, including its attachments, as it passes through the transport service and before it is delivered to the intended recipient. If the condition matches, the message can be deleted outright.

For Exchange 2007, 2010, or SBS 2011

To create the rule, open the Exchange Management Console, navigate to Organization Configuration > Hub Transport, and click the Transport Rules tab. Select "New Transport Rule" and give it a name. Add a comment so that you know what this rule is blocking.

In the Conditions step, select "when any attachment file name matches text patterns" and click the text patterns link. Enter a pattern for each extension and press Add: .vbs, .wsf, and .js, and while you are at it .vb, .hta, .exe, .bat, and .scr. Note that these patterns are regular expressions, so a bare ".vbs" matches any attachment name that contains "vbs" preceded by any single character (for example "dvbs-report.docx"); anchoring the pattern as "\.vbs$" matches only names that end in that extension. Also keep in mind that a name pattern is checked against the attachment as delivered, so a script packed inside a .zip may pass this rule unless you block the archive type as well.

In the Actions step, select "Delete the message without notifying anyone".

For Exchange 2013

If you are using Exchange 2013, go to the Exchange admin center > mail flow > rules. When you create a new rule, click More options to see the full list of conditions, then under Apply this rule if choose Any attachment > file extension matches these words. Add the same list of extensions (vbs, wsf, js, vb, hta, exe, bat, and scr). Under Do the following, define the action to take when the conditions are met, for example Delete the message without notifying anyone. Exchange 2013 also offers the condition Any attachment > has executable content, which identifies executables by inspecting the file content rather than trusting the file name, so it is worth adding alongside the extension list.
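The same rule can be created from the Exchange Management Shell, which is easier to audit and to reproduce on a second server than GUI clicks. The following is an added example and not part of the original article; the rule names and comment text are my own choices, and you would run only the variant that matches your Exchange version.

```powershell
# Added example (not from the original article): create the attachment-blocking
# transport rule from the Exchange Management Shell. Rule names and comments
# below are assumptions; pick your own.

# Extensions called out in the article, without the leading dot.
$blockedExtensions = 'vbs','wsf','js','vb','hta','exe','bat','scr'
$ruleComment = 'Deletes mail carrying script/executable attachments used by ransomware droppers'

# --- Exchange 2013: match on the attachment's file extension -------------------
New-TransportRule -Name 'Block script attachments' `
    -Comments $ruleComment `
    -AttachmentExtensionMatchesWords $blockedExtensions `
    -DeleteMessage $true

# --- Exchange 2007 / 2010 / SBS 2011: only name-pattern matching is available ---
# The patterns are regular expressions, so anchor each one to the end of the
# file name. A bare ".vbs" would also match "dvbs-report.docx".
$blockedPatterns = $blockedExtensions | ForEach-Object { "\.$_`$" }   # e.g. \.vbs$
New-TransportRule -Name 'Block script attachments (name pattern)' `
    -Comments $ruleComment `
    -AttachmentNameMatchesPatterns $blockedPatterns `
    -DeleteMessage $true

# Verify what was actually created before trusting it.
Get-TransportRule 'Block script attachments' |
    Format-List Name, State, Priority, AttachmentExtensionMatchesWords, DeleteMessage
```

On Exchange 2013 you can add `-Mode Audit` to the first `New-TransportRule` call during a pilot: the rule is evaluated and its matches are recorded in message tracking, but no mail is deleted, which lets you check for false positives against real traffic before switching to `-Mode Enforce`.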

These instructions apply only if you are running Exchange. If your company uses another mail system, consult its documentation on filtering by attachment extension.
