Cryptolocker: How to avoid getting infected and what to do if you are

By Jonathan Hassell
October 25, 2013 01:45 PM ET

Here's how to do it:

  1. Open up Local Security Policy or the Group Policy Object editor and create a new GPO. I'll show you how to create two here -- one for Windows XP machines (which use slightly different paths for the user space) and one for Windows Vista and later machines.
  2. Name the new GPO "SRP for XP to prevent Cryptolocker" or something similar for you to remember easily.
  3. Choose Computer Configuration and then navigate through Policies > Windows Settings > Security Settings > Software Restriction Policies.
  4. Right-click Software Restriction Policies and choose New Software Restriction Policy from the context menu.
  5. Now, create the actual rules that will catch the software on which you want to enforce a restriction. Right-click Additional Rules in the left-hand pane. Choose New Path Rule.
  6. Under Path, enter %AppData%\*.exe.
  7. Under Security level, choose Disallowed.
  8. Enter a friendly description, like "Prevent programs from running in AppData."
  9. Choose New Path Rule again, and make a new rule like the one just completed. Use the following table to fill out the remainder of this GPO.
Path                                          Security Level  Suggested Description
%AppData%\*.exe                               Disallowed      Prevent Cryptolocker executable from running in AppData*
%AppData%\*\*.exe                             Disallowed      Prevent virus payloads from executing in subfolders of AppData
%UserProfile%\Local Settings\Temp\Rar*\*.exe  Disallowed      Prevent un-WinRARed executables in email attachments from running in the user space
%UserProfile%\Local Settings\Temp\7z*\*.exe   Disallowed      Prevent un-7Zipped executables in email attachments from running in the user space
%UserProfile%\Local Settings\Temp\wz*\*.exe   Disallowed      Prevent un-WinZipped executables in email attachments from running in the user space
%UserProfile%\Local Settings\Temp\*.zip\*.exe Disallowed      Prevent unarchived executables in email attachments from running in the user space

*Note this entry was covered in steps 5-8. It is included here for your easy reference later.

WinRAR and 7Zip are the names of compression programs commonly used in the Windows environment.

Close the policy.

To protect Windows Vista and newer machines, create another GPO and call this one "SRP for Windows Vista and up to prevent Cryptolocker." Repeat the steps above to create the SRP and create path rules based on the following table.

Path                            Security Level  Suggested Description
%AppData%\*.exe                 Disallowed      Prevent Cryptolocker executable from running in AppData*
%AppData%\*\*.exe               Disallowed      Prevent virus payloads from executing in subfolders of AppData
%LocalAppData%\Temp\Rar*\*.exe  Disallowed      Prevent un-WinRARed executables in email attachments from running in the user space
%LocalAppData%\Temp\7z*\*.exe   Disallowed      Prevent un-7Zipped executables in email attachments from running in the user space
%LocalAppData%\Temp\wz*\*.exe   Disallowed      Prevent un-WinZipped executables in email attachments from running in the user space
%LocalAppData%\Temp\*.zip\*.exe Disallowed      Prevent unarchived executables in email attachments from running in the user space

Close the policy.

Once these GPOs get synchronized down to your machines -- this can take up to three reboots to happen, so allow some time -- when users attempt to open executables from email attachments, they'll get an error saying their administrator has blocked the program. This will stop the Cryptolocker attachment in its tracks.

Unfortunately, taking this "block it all in those spots" approach means that other programs your users may install from the web, like GoTo Meeting reminders and other small utilities that do have legitimate purposes, will also be blocked. There is a solution, however: You can create ad-hoc allow rules in the software restriction policy GPOs. Windows allows these "whitelisted" apps before it denies anything else, so by defining these exceptions in the SRP GPO, you will instruct Windows to let those apps run while blocking everything else. Simply set the security level to Unrestricted, instead of Disallowed as we did above.
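Before pushing these GPOs out, it helps to check which rule a given executable path would hit, and whether an Unrestricted exception really wins over the Disallowed rules above. The following simulator is an added example, not part of the article or of Windows itself: it models the Vista-and-later table plus one constructed exception, using constructed profile paths, and treats a `*` wildcard as confined to one folder level and the more specific rule as the winner (both assumptions about how SRP resolves path rules).

```python
import fnmatch
import re

# Constructed profile paths for a Windows 7-style user (assumption, not from the article).
VISTA_ENV = {
    "AppData": r"C:\Users\bob\AppData\Roaming",
    "LocalAppData": r"C:\Users\bob\AppData\Local",
    "UserProfile": r"C:\Users\bob",
}

# The article's Vista-and-later path rules, plus one constructed Unrestricted
# exception of the kind the text describes for a legitimate AppData utility.
RULES = [
    (r"%AppData%\*.exe", "Disallowed"),
    (r"%AppData%\*\*.exe", "Disallowed"),
    (r"%LocalAppData%\Temp\Rar*\*.exe", "Disallowed"),
    (r"%LocalAppData%\Temp\7z*\*.exe", "Disallowed"),
    (r"%LocalAppData%\Temp\wz*\*.exe", "Disallowed"),
    (r"%LocalAppData%\Temp\*.zip\*.exe", "Disallowed"),
    (r"%AppData%\ExampleUtility\launcher.exe", "Unrestricted"),  # constructed exception
]


def expand(path, env):
    """Substitute %Var% tokens from the user's environment, as SRP does per user."""
    return re.sub(r"%(\w+)%", lambda m: env.get(m.group(1), m.group(0)), path)


def rule_matches(rule, target, env):
    """Case-insensitive, folder-by-folder wildcard match."""
    # '*' is confined to a single folder level in this model, which is why the
    # article needs a separate %AppData%\*\*.exe rule for first-level subfolders.
    pat = expand(rule, env).lower().split("\\")
    parts = target.lower().split("\\")
    return len(pat) == len(parts) and all(
        fnmatch.fnmatchcase(part, p) for part, p in zip(parts, pat)
    )


def evaluate(target, rules=RULES, env=VISTA_ENV, default="Unrestricted"):
    """Return (security level, winning rule) for an executable path."""
    hits = [(rule, level) for rule, level in rules if rule_matches(rule, target, env)]
    if not hits:
        return default, None  # no rule applies; the policy's default level decides
    # Among conflicting path rules the more specific one wins; specificity is
    # approximated here by the length of the expanded rule (assumption).
    rule, level = max(hits, key=lambda hit: len(expand(hit[0], env)))
    return level, rule
```

Note that a payload two folders deep under AppData matches neither AppData rule in this model, so the simulator also shows where the table's coverage ends.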
