CryptoLocker Preventative Measures

If you haven’t heard of CryptoLocker, it is a form of Ransomware which basically means locking down your files in an attempt to get you (the victim) to pay a sum of money to get access to those locked files.

CryptoLocker isn’t the first of its kind and nor will it be the last. It is just another one out of the thousands out there, except this one has been more cleverly engineered to infect more machines and thus gain more media attention.

Below is some advice to take in a corporate environment – this advice is purely my own and is not meant to be some extensive ‘go-to’ for all your sys admin problems when dealing with these issues 🙂

  • TALK to your users. Send around a ‘high priority’ blanket e-mail to remind users of their responsibilities to IT Security and remind them of security best practices; stick to the point and write in a short, concise manner (1 or 2 line bullet points).
  • If you do not already have an anti-virus/malware solution – deploy one. CryptoLocker variants and signatures may be changing every day but that doesn’t mean your AV is completely useless. Heuristic based anti-malware solutions such as Sourcefire’s FireAMP can help thwart these type of attacks by analysing more than just file signatures.
  • Make sure you have backups and that they actually work by testing them. More importantly, make sure your backup media isn’t permanently connected to your network as CryptoLocker has been known to jump mapped drives. Keep a back-up offsite.
  • CryptoLocker does not need Administrator priveleges to run so don’t think you’re safe just because none of your users are domain/local admins. The CryptoLocker .exe is placed in the user’s %appdata% and/or %localappdata% folders which runs under the user’s context and doesn’t require privilege escalation. Use group policies and make Software Restriction policies like below:
    • Computer configuration –> windows settings –> security settings –> software restriction policies
    • Right click and create new
    • Double click additional rules and create new path rules for the following:
    • %appdata%\*.exe
    • %localappdata%\*.exe
  • If you have an e-mail security gateway or appliance (like a Cisco IronPort), make sure you block all executable attachments as well as attachments containing executables (for example – an.exe within a .zip)