Identification of Cryptolocker
Location of CryptoLocker binaries:
- %AppData%\<random>.exe
- %LocalAppData%\<random>.exe
If the malware has executed, one or more of the following registry keys will be present:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "CryptoLocker"
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "CryptoLocker_<version>"
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce "*CryptoLocker"
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "<Random>"
Containing CryptoLocker
Stop the binaries from executing by applying GPO to block the following:
- %appdata%\*.exe
- %appdata%\*\*.exe
- %localappdata%\*.exe
- %localappdata%\*\*.exe
It is also possible to stop execution by creating a Software Restriction Policy (SRP).
Below are SRP rules to assist in blocking CryptoLocker. You may have to tweak some of these rules for your environment.
———–
Block CryptoLocker executable in %AppData%
Path: %AppData%\*.exe
Security Level: Disallowed
Description: Don’t allow executable to run from %AppData%.
Block CryptoLocker executable in %LocalAppData%.
Path if using Windows XP: %UserProfile%\Local Settings\*.exe
Path if using Windows Vista/7/8: %LocalAppData%\*.exe
Security Level: Disallowed
Description: Don't allow executable to run from %LocalAppData%.
Block executable run from archive attachments opened with WinRAR:
Path if using Windows XP: %UserProfile%\Local Settings\Temp\Rar*\*.exe
Path if using Windows Vista/7/8: %LocalAppData%\Temp\Rar*\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened with WinRAR.
Block executable run from archive attachments opened with 7zip:
Path if using Windows XP: %UserProfile%\Local Settings\Temp\7z*\*.exe
Path if using Windows Vista/7/8: %LocalAppData%\Temp\7z*\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened with 7zip.
Block executable run from archive attachments opened with WinZip:
Path if using Windows XP: %UserProfile%\Local Settings\Temp\wz*\*.exe
Path if using Windows Vista/7/8: %LocalAppData%\Temp\wz*\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened with WinZip.
Block executable run from archive attachments opened using Windows built-in Zip support:
Path if using Windows XP: %UserProfile%\Local Settings\Temp\*.zip\*.exe
Path if using Windows Vista/7/8: %LocalAppData%\Temp\*.zip\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened using Windows built-in Zip support.
———–
Identifying if your system has already begun encrypting files:
The following PowerShell one-liner lists every file the malware has recorded as encrypted on the local system (CryptoLocker stores each path as a value name under its Files key, with "?" in place of "\"). To execute it, run PowerShell as administrator and paste the following code:
(Get-Item HKCU:\Software\CryptoLocker\Files).GetValueNames().Replace("?","\") | Out-File CryptoLockerFiles.txt -Encoding unicode
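The following script is an added example, not part of the original guide: it checks the three indicators this page lists (Run/RunOnce persistence values, a loose .exe in %AppData% or %LocalAppData%, and the Files key inventory) in one pass. It assumes the registry layout described above; the match on Run values that point at an .exe in the AppData root is a heuristic for the "<Random>" entry, not a rule from the page.

```powershell
# Added example: triage the CryptoLocker indicators described on this page.
# Read-only apart from writing CryptoLockerFiles.txt; run as administrator.

# 1. Persistence: Run/RunOnce values named CryptoLocker, CryptoLocker_<version>,
#    *CryptoLocker, or a random name whose data points at %AppData%\<x>.exe
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }           # skip PSPath/PSParentPath etc.
        $byName = $p.Name -like '*CryptoLocker*'
        # heuristic (assumption): an .exe sitting directly in AppData\Roaming or AppData\Local
        $byData = "$($p.Value)" -match '\\AppData\\(Roaming|Local)\\[^\\]+\.exe'
        if ($byName -or $byData) {
            Write-Output "[persistence] $key : $($p.Name) = $($p.Value)"
        }
    }
}

# 2. Dropped binary: any .exe directly in %AppData% or %LocalAppData% (no subfolders)
foreach ($dir in @($env:APPDATA, $env:LOCALAPPDATA)) {
    Get-ChildItem -Path $dir -Filter '*.exe' -File -ErrorAction SilentlyContinue |
        ForEach-Object { Write-Output "[binary] $($_.FullName)" }
}

# 3. Encrypted-file inventory: value names under HKCU:\Software\CryptoLocker\Files,
#    stored with '?' in place of '\' (same transformation as the page's one-liner)
$filesKey = 'HKCU:\Software\CryptoLocker\Files'
if (Test-Path $filesKey) {
    $encrypted = @((Get-Item $filesKey).GetValueNames() | ForEach-Object { $_.Replace('?', '\') })
    Write-Output "[encrypted] $($encrypted.Count) file(s) recorded by the malware"
    $encrypted | Out-File -FilePath CryptoLockerFiles.txt -Encoding unicode
} else {
    Write-Output '[encrypted] no HKCU:\Software\CryptoLocker\Files key present'
}
```

A hit in section 1 or 3 means the binary has already run; a hit only in section 2 is a candidate dropper that the SRP rules above would have blocked.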