How To Avoid Cryptolocker Infection

According to the US Computer Emergency Readiness Team (US-CERT), this malware spreads mainly through e-mail messages containing unsolicited web links, so the simplest way to avoid infection is not to follow such links. The other measures that can be taken to avoid a CryptoLocker infection are:

  • Always keep your software up to date (especially the antivirus software).
  • Perform regular offline backups of all critical data to limit the impact of the damage.
  • Regularly maintain the rules of your intrusion detection/prevention system so that unknown malicious activity can be detected.
  • Secure shared drives by granting only the necessary access rights.
  • Avoid scam e-mails.

There are a few things that can be done to limit the damage.

  • Immediately isolate the infected systems from the network; this will prevent the CryptoLocker infection from encrypting data on shared network locations.
  • Consider all passwords on the infected machine compromised and change them as soon as the machine is disinfected.

The CryptoLocker ransomware affects systems running Microsoft Windows 8, Windows 7, Windows Vista and Windows XP. To block the infection you can create Software Restriction Policies.

Here is how you can do that in Windows 8:

Open your Local Security Policy console: find the file secpol.msc in the system32 directory and run it, or hit the Start button and type “local security policy” in the search field.

  1. Right-click on it and run it as administrator.
  2. Navigate to Software Restriction Policies and right-click on them if you do not have any other restriction policies.
  3. Click on New Software Restriction Policies.
  4. Right-click on Additional Rules and select “New Path Rule”.

To block the CryptoLocker binary from launching in %AppData%, add the following information:

Path: %AppData%\*.exe
Security Level: from the dropdown select “Disallowed”
Description: Does not allow exe files to run from %AppData%.

To block the CryptoLocker binary from launching in %LocalAppData%, add the following information:

Path if using Windows XP: %UserProfile%\Local Settings\*.exe
Path if using Windows Vista/7/8: %LocalAppData%\*.exe
Security Level: from the dropdown select “Disallowed”
Description: Does not allow exe files to run from %AppData%.

The policy rules above will eventually cause trouble for legitimate programs that launch from the restricted folders. To exempt a specific program, follow steps 1 to 4 above and, in the “New Path Rule” screen, enter the path of the program that should not be blocked, as shown in the screenshot to the left. For example, such a rule will allow Google Chrome to run unaffected by the restriction set above.

You can check in the Windows Event Log when and whether any rule was applied.
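The same two path rules, the Chrome exception and the event-log check, scripted in PowerShell as an added example that is not part of the original article. It assumes the registry layout that secpol.msc writes SRP rules to (HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers, level 0 = Disallowed, 262144 = Unrestricted), the per-user Chrome install path, and SRP event IDs 865/866 in the Application log; run it from an elevated prompt.

```powershell
# Added example: create the article's SRP path rules without the secpol.msc GUI.
# Assumed registry layout of Software Restriction Policies (as written by secpol.msc).
$Safer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

function New-SrpPathRule {
    param(
        [Parameter(Mandatory)][string]$Path,
        [ValidateSet('Disallowed', 'Unrestricted')][string]$Level = 'Disallowed',
        [string]$Description = ''
    )
    # Level subkey: 0 = Disallowed, 262144 (0x40000) = Unrestricted
    $levelId = if ($Level -eq 'Disallowed') { 0 } else { 262144 }
    $ruleKey = Join-Path $Safer "$levelId\Paths\{$([guid]::NewGuid())}"
    New-Item -Path $ruleKey -Force | Out-Null
    # ItemData is REG_EXPAND_SZ, so %AppData% and friends expand per user at run time
    New-ItemProperty -Path $ruleKey -Name ItemData     -PropertyType ExpandString -Value $Path | Out-Null
    New-ItemProperty -Path $ruleKey -Name SaferFlags   -PropertyType DWord        -Value 0 | Out-Null
    New-ItemProperty -Path $ruleKey -Name Description  -PropertyType String       -Value $Description | Out-Null
    New-ItemProperty -Path $ruleKey -Name LastModified -PropertyType QWord        -Value (Get-Date).ToFileTime() | Out-Null
    return $ruleKey
}

# Create the SRP container with the defaults the GUI would set if it does not exist yet
# (DefaultLevel Unrestricted, enforcement enabled, policy applies to all users).
if (-not (Test-Path $Safer)) {
    New-Item -Path $Safer -Force | Out-Null
    New-ItemProperty -Path $Safer -Name DefaultLevel       -PropertyType DWord -Value 262144 | Out-Null
    New-ItemProperty -Path $Safer -Name TransparentEnabled -PropertyType DWord -Value 1 | Out-Null
    New-ItemProperty -Path $Safer -Name PolicyScope        -PropertyType DWord -Value 0 | Out-Null
}

# The two Disallowed rules from the article (Vista/7/8 paths)
New-SrpPathRule -Path '%AppData%\*.exe'      -Description 'Does not allow exe files to run from %AppData%.'
New-SrpPathRule -Path '%LocalAppData%\*.exe' -Description 'Does not allow exe files to run from %LocalAppData%.'

# Exception for a legitimate program under %LocalAppData% (assumed per-user Chrome path).
# SRP applies the most specific matching path rule, so this Unrestricted rule wins
# over the broader %LocalAppData%\*.exe Disallowed rule.
New-SrpPathRule -Path '%LocalAppData%\Google\Chrome\Application\chrome.exe' `
    -Level Unrestricted -Description 'Allow Google Chrome despite the %LocalAppData% block'

# Enforcement events land in the Application log: 865 = blocked by the default level,
# 866 = blocked by a path rule; the message names the blocked file and the rule path.
function Get-SrpBlockEvents {
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 865, 866 } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}
Get-SrpBlockEvents | Format-List
```

The rules take effect for processes started after the keys are written, so verify with a harmless test executable copied into %AppData% rather than waiting for a real infection.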
