Skip the navigation

Cryptolocker: How to avoid getting infected and what to do if you are

By Jonathan Hassell
October 25, 2013 01:45 PM ET

AppLocker

AppLocker is the SRP feature on steroids. However, it only works on Windows 7 Ultimate or Windows 7 Enterprise editions, or Windows 8 Pro or Windows 8 Enterprise edition, so if you're still on Windows XP for the time being or you have a significant contingent of Windows Vista machines, AppLocker will not do anything for you.

But if you are a larger company with volume licenses that is deploying the enterprise editions of the OS, AppLocker is really helpful in preventing Cryptolocker infections because you can simply block programs from running -- except those from specific software publishers that have signed certificates.

Here's what to do:

  1. Create a new GPO.
  2. Right-click on it to edit, and then navigate through Computer Configuration, Windows Settings, Security Settings, Application Control Policies and AppLocker.
  3. Click Configure Rule Enforcement.
  4. Under Executable Rules, check the Configured box and then make sure Enforce Rules is selected from the drop-down box. Click OK.
  5. In the left pane, click Executable Rules.
  6. Right-click in the right pane and select Create New Rule.
  7. On the Before You Begin screen, click Next.
  8. On the Permissions screen, click Next.
  9. On the Conditions screen, select the Publisher condition and click Next.
  10. Click the Browse button and browse to any executable file on your system. It doesn't matter which.
  11. Drag the slider up to Any Publisher and then click Next.
  12. Click Next on the Exceptions screen.
  13. Name the policy something like "Only run executables that are signed" and click Create.
  14. If this is your first time creating an AppLocker policy, Windows will prompt you to create default rules -- go ahead and click Yes here.

NOTE: Also take this opportunity to review the permissions set on your file server share access control lists, or ACLs. Cryptolocker possesses no special capabilities to override deny permissions, so if the user who gets infected is logged into an account that has very limited permissions, the damage will be minimal. Conversely, if you allow the Everyone group Write access for the NTFS permissions on most of your file shares, and you use mapped drives, one Cryptolocker infection could put you into a world of hurt. Review your permissions now. Tighten where you can. Work with your line of business application vendors to further tighten loose permissions that are "required" for "supportability" -- often these specifications are needlessly broad.

Using either an SRP or an AppLocker policy, you can prevent Cryptolocker from ever executing and save yourself a lot of problems.

Mitigation: Previous versions (shadow copies) and ShadowExplorer

If you are unlucky enough to have been infected with Cryptolocker, then there are some mitigation strategies available to you. (Of course, you can always restore from backups as well.) Both strategies involve a tool called Shadow Copies that is an integral part of the System Restore feature in Windows. This is turned on by default in client versions of Windows, and best practices for storage administration have you turning this on manually on Windows Server-based file servers. If you have left this setting alone, you likely have backups right on your computer or file share.

Previous versions

To restore the previous version of a file using the traditional Windows interface, just right-click the file in question and choose Properties. If System Restore is enabled or your administrator has enabled Shadow Copies through Group Policy, you should be able to see the Previous Versions tab in the Properties window. This will list all of the versions on record of the file. Choose a version before the Cryptolocker infection and then click either Copy to export a copy of the file somewhere else, or Restore to pop the backup right where the encrypted file belongs. You can open the files directly from this box too if you are not sure of the exact date and time of infection.

ShadowExplorer

ShadowExplorer is a downloadable free tool that makes it much easier to explore all of the available shadow copies on your system. This is a useful ability when you have a wide range of files infected with Cryptolocker and need to restore a swath of them at once.

When you install and run the tool, you can select the drive and the shadow copy date and time from the drop-down menu at the top of the window. Then, just like in a regular Windows Explorer menu, you can choose the folder and file you want, and then right-click and select Export. Choose the destination on your file system to put the exported shadow copies on, and then you have your backup restored. Of course, this is a previous version, so it may not have the most current updates to your files, but it is much better than having lost them completely or having to pay a ransom for them.

The last word

Cryptolocker sucks. Its creator is a piece of scum. To trick users into downloading something that encrypts their files and then to demand from them hundreds of dollars to give their own data back to them is despicable. Please, take steps now so you don't have to be the one ponying up your money and enabling this trash to continue.

This article, Cryptolocker: How to avoid getting infected and what to do if you are, was originally published at Computerworld.com.

Jonathan Hassell runs 82 Ventures LLC, a consulting firm based out of Charlotte, N.C. He's also an editor with Apress Media LLC. Reach him at jhassell@gmail.com.

Read more about Windows in Computerworld's Windows Topic Center.



Our Commenting Policies
Consumerization of IT: Be in the know
consumer tech

Our new weekly Consumerization of IT newsletter covers a wide range of trends including BYOD, smartphones, tablets, MDM, cloud, social and what it all means for IT. Subscribe now and stay up to date!