
Imagine having all your files encrypted without your permission and being charged exorbitant prices if you want to decrypt them; that is precisely what has been happening on a large scale by a recent ransomware infection known as cryptolocker. While cryptolocker is far from the first ransomware to work in this manner, it is becoming widespread and the attention to detail the authors of the ransomware have applied is impressive. Furthermore, given that the ransom has been between 2 and 10 bitcoins and bitcoins at the time of this writing are valued at well over 300 USD on the exchange, this is an expensive ransom to pay. To help my friends, family, and clients prevent becoming victims of cryptolocker, I’ve compiled the following tips to prevent cryptolocker infection.


1.) Be Careful With Email Attachments

Thus far cryptolocker has been passed from victim to victim via social engineering. It usually comes in the form of an email with an attachment that is purported to be a PDF form and may even have a name like FORM_12321540.pdf.exe or FORM_12369234.pdf.zip. Windows uses the letters after the final period to determine how to handle a file, and those extensions tell Windows to either unzip or execute the file, regardless of the ".pdf" that appears earlier in the name. Never trust an executable that gets sent to you via email.


2.) Make Sure That Volume Shadow Copies Are On and Backup and Restore is Functioning

Most of you will have left System Restore active; however, if you have disabled it, I recommend turning it back on. System Restore and shadow copies have the ability to turn back the clock when something goes wrong with a file or the system registry. That being said, the newer versions of cryptolocker try to wipe out all the old file versions that shadow copies keep. Sometimes it manages to wipe them out and sometimes it fails, so it still helps to keep it turned on.


3.)  Keep Backups

Make sure you are keeping at least a weekly backup of your data. The moment you discover your system is infected, you should of course disconnect it from the internet and/or LAN, wipe the infection, and finally restore your files from backup. GeekOut Technologies provides affordable, industry-leading offsite backup solutions for home and business for those of you who aren’t currently keeping system backups.


4.) Prevent Execution

Cryptolocker runs itself from the user's profile folders, probably to avoid needing administrative privilege. Essentially, we can use local or group policy to limit the ability of programs to run from those locations. There are a couple of ways we can accomplish this. First, we can modify the local policies, which will affect only that computer. The guys at Foolish IT put together a free program called CryptoPrevent that can make all the policy changes for you at the local level, and it is perfect for home or small office use. You can download the program from http://www.foolishit.com/download/cryptoprevent/.

If you have a small or large network, you should make the changes through group policy instead, as it would be impractical to run CryptoPrevent on every computer in the event cryptolocker is modified to run from different locations. Bleepingcomputer.com recommends the following Software Restriction Policy path rules (all credit for the following policies to bleepingcomputer.com):

Block CryptoLocker executable in %AppData%

Path: %AppData%\*.exe
Security Level: Disallowed
Description: Don’t allow executables to run from %AppData%.

Block CryptoLocker executable in %LocalAppData%

Path if using Windows XP: %UserProfile%\Local Settings\*.exe
Path if using Windows Vista/7/8: %LocalAppData%\*.exe
Security Level: Disallowed
Description: Don’t allow executables to run from %LocalAppData%.

Block Zbot executable in %AppData%

Path: %AppData%\*\*.exe
Security Level: Disallowed
Description: Don’t allow executables to run from immediate subfolders of %AppData%.

Block Zbot executable in %LocalAppData%

Path if using Windows XP: %UserProfile%\Local Settings\*\*.exe
Path if using Windows Vista/7/8: %LocalAppData%\*\*.exe
Security Level: Disallowed
Description: Don’t allow executables to run from immediate subfolders of %LocalAppData%.

Block executables run from archive attachments opened with WinRAR

Path if using Windows XP: %UserProfile%\Local Settings\Temp\Rar*\*.exe
Path if using Windows Vista/7/8: %LocalAppData%\Temp\Rar*\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened with WinRAR.

Block executables run from archive attachments opened with 7zip

Path if using Windows XP: %UserProfile%\Local Settings\Temp\7z*\*.exe
Path if using Windows Vista/7/8: %LocalAppData%\Temp\7z*\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened with 7zip.

Block executables run from archive attachments opened with WinZip

Path if using Windows XP: %UserProfile%\Local Settings\Temp\wz*\*.exe
Path if using Windows Vista/7/8: %LocalAppData%\Temp\wz*\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened with WinZip.

Block executables run from archive attachments opened using Windows built-in Zip support

Path if using Windows XP: %UserProfile%\Local Settings\Temp\*.zip\*.exe
Path if using Windows Vista/7/8: %LocalAppData%\Temp\*.zip\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened using Windows built-in Zip support.
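To see which of the rules above would actually catch a given executable path before rolling them out, here is an added Python example (not from this post, bleepingcomputer.com or CryptoPrevent) that simulates Software Restriction Policy path-rule matching against constructed sample paths. It assumes, as the post's one-level (*.exe) and two-level (*\*.exe) rules imply, that a wildcard never crosses a folder separator, so an executable two folders deep under %AppData% slips past these rules.

```python
import re

# The Software Restriction Policy path rules from the post (Vista/7/8 forms),
# constructed here as a plain list of the rule paths.
DISALLOWED_RULES = [
    r"%AppData%\*.exe",
    r"%AppData%\*\*.exe",
    r"%LocalAppData%\*.exe",
    r"%LocalAppData%\*\*.exe",
    r"%LocalAppData%\Temp\Rar*\*.exe",
    r"%LocalAppData%\Temp\7z*\*.exe",
    r"%LocalAppData%\Temp\wz*\*.exe",
    r"%LocalAppData%\Temp\*.zip\*.exe",
]

# Constructed profile locations for a sample user; a real audit would read os.environ.
SAMPLE_ENV = {
    "AppData": r"C:\Users\alice\AppData\Roaming",
    "LocalAppData": r"C:\Users\alice\AppData\Local",
}


def expand_env(path, env):
    """Expand %VAR% tokens case-insensitively, as SRP does for its expandable rule paths."""
    lookup = {k.lower(): v for k, v in env.items()}
    return re.sub(r"%([^%]+)%", lambda m: lookup.get(m.group(1).lower(), m.group(0)), path)


def rule_to_regex(rule, env):
    """Translate an SRP path rule into a regex. Assumption, consistent with the post's
    one-level and two-level rules: '*' and '?' never match a backslash."""
    parts = []
    for ch in expand_env(rule, env):
        if ch == "*":
            parts.append(r"[^\\]*")
        elif ch == "?":
            parts.append(r"[^\\]")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def matching_rules(path, rules=DISALLOWED_RULES, env=SAMPLE_ENV):
    """Return the rules that would disallow running the executable at `path`."""
    return [r for r in rules if rule_to_regex(r, env).match(path)]


def is_blocked(path, rules=DISALLOWED_RULES, env=SAMPLE_ENV):
    return bool(matching_rules(path, rules, env))
```

Call is_blocked() on the paths you expect a dropper to use (the post's FORM_12321540.pdf.exe landing in %AppData%, an archive extracted to a Rar* temp folder) and on a legitimate program path, and compare the results with what the descriptions above promise.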


5.) Limit Write Access

Finally, for those of us running networks of computers and file shares, write access needs to be limited. At the time of this writing, cryptolocker will only encrypt files on a share mapped to a drive letter. Even if you haven’t mapped drive letters, it is still advisable to allow file write access only to those who need it. Again, this can be defined by your group policies.


Conclusion

I encourage all of you to take precautions against cryptolocker and all the other various forms of malicious software. If you find you need a comprehensive strategy to combat the various dangers out there, then please contact us to discuss how GeekOut Technologies can help secure your network.