CryptoLocker Software Restriction Policies

Identification of Cryptolocker

Location of CryptoLocker binaries:

  • %AppData%\<random>.exe
  • %LocalAppData%\<random>.exe

If the malware has executed, one or more of the following registry keys will be present:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "CryptoLocker"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "CryptoLocker_<version>"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce "*CryptoLocker"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "<Random>"
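The two indicator lists above can be checked on a host with a short PowerShell script. This is an added example, not part of the original post: the registry keys and the %AppData% / %LocalAppData% locations are the ones listed above, while the function name, the output layout and the rule that flags any autorun pointing at an .exe sitting directly in AppData (the "<Random>" case) are this example's own assumptions.

```powershell
# Added example (not from the original post): look for the CryptoLocker indicators listed above.
function Test-CryptoLockerIndicators {
    $findings = @()

    # Autorun values named after the malware: "CryptoLocker", "CryptoLocker_<version>", or
    # "*CryptoLocker" in RunOnce (a leading * makes a RunOnce entry run even in Safe Mode).
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    # Properties that Get-ItemProperty adds itself and that are not registry values.
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($name in $props.PSObject.Properties.Name) {
            if ($meta -contains $name) { continue }
            $value = [string]$props.$name
            # Flag values named like the malware, and any autorun whose command is an .exe
            # placed directly under %AppData% (Roaming) or %LocalAppData% (the "<Random>" case).
            if ($name -match '^\*?CryptoLocker(_.*)?$' -or
                $value -match '(?i)\\AppData\\(Roaming|Local)\\[^\\]+\.exe') {
                $findings += [pscustomobject]@{ Type = 'Autorun'; Location = "$key\$name"; Detail = $value }
            }
        }
    }

    # Executables dropped directly into %AppData% or %LocalAppData%, not in a subfolder.
    foreach ($dir in @($env:APPDATA, $env:LOCALAPPDATA)) {
        if (-not $dir -or -not (Test-Path $dir)) { continue }
        Get-ChildItem -Path $dir -Filter '*.exe' -File -ErrorAction SilentlyContinue | ForEach-Object {
            $findings += [pscustomobject]@{ Type = 'Binary'; Location = $_.FullName; Detail = $_.LastWriteTime }
        }
    }
    return $findings
}

$result = @(Test-CryptoLockerIndicators)
if ($result.Count -eq 0) { 'No CryptoLocker indicators found.' } else { $result | Format-Table -AutoSize }
```

Run it in the context of the user whose profile is suspected, since the keys are under HKCU; a finding of type "Binary" is only a lead (legitimate installers also drop executables into AppData) and should be checked against the autorun findings before anything is deleted.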

Containing CryptoLocker

Stop the binaries from executing by applying GPO to block the following:

  • %appdata%\*.exe
  • %appdata%\*\*.exe
  • %localappdata%\*.exe
  • %localappdata%\*\*.exe

It is also possible to stop execution by creating a Software Restriction Policy (SRP).

Below are SRP rules to assist in blocking CryptoLocker. You may have to tweak some of these rules for your environment.

----------

Block CryptoLocker executable in %AppData%

Path: %AppData%\*.exe
Security Level: Disallowed
Description: Don’t allow executable to run from %AppData%.

Block CryptoLocker executable in %LocalAppData%.

Path if using Windows XP: %UserProfile%\Local Settings\*.exe
Path if using Windows Vista/7/8: %LocalAppData%\*.exe
Security Level: Disallowed
Description: Don’t allow executable to run from %LocalAppData%.

Block executable run from archive attachments opened with WinRAR:

Path if using Windows XP: %UserProfile%\Local Settings\Temp\Rar*\*.exe
Path if using Windows Vista/7/8: %LocalAppData%\Temp\Rar*\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened with WinRAR.

Block executable run from archive attachments opened with 7zip:

Path if using Windows XP: %UserProfile%\Local Settings\Temp\7z*\*.exe
Path if using Windows Vista/7/8: %LocalAppData%\Temp\7z*\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened with 7zip.

Block executable run from archive attachments opened with WinZip:

Path if using Windows XP: %UserProfile%\Local Settings\Temp\wz*\*.exe
Path if using Windows Vista/7/8: %LocalAppData%\Temp\wz*\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened with WinZip.

Block executable run from archive attachments opened using Windows built-in Zip support:

Path if using Windows XP: %UserProfile%\Local Settings\Temp\*.zip\*.exe
Path if using Windows Vista/7/8: %LocalAppData%\Temp\*.zip\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened using Windows built-in Zip support.
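Once the rules above have been created in Group Policy, the thing an administrator wants to know is whether they actually landed on a given machine. The following script is an added example, not from the original post: it reads the Software Restriction Policy path rules back out of the registry and reports which of the post's Disallowed patterns (the Vista/7/8 form) are missing. It assumes the standard SRP storage layout, HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\<level>\Paths\<GUID> with level 0 = Disallowed and 262144 (0x40000) = Unrestricted, each rule key holding an ItemData path and a Description; the function name is this example's own.

```powershell
# Added example (not from the original post): audit the SRP path rules present on this machine.
# Assumed registry layout: ...\Safer\CodeIdentifiers\<level>\Paths\<GUID> with ItemData and Description values.
$saferRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# The Disallowed patterns recommended above (Vista/7/8 paths; substitute the XP paths on XP hosts).
$expected = @(
    '%AppData%\*.exe',
    '%LocalAppData%\*.exe',
    '%LocalAppData%\Temp\Rar*\*.exe',
    '%LocalAppData%\Temp\7z*\*.exe',
    '%LocalAppData%\Temp\wz*\*.exe',
    '%LocalAppData%\Temp\*.zip\*.exe'
)

function Get-SrpPathRules {
    # Returns one object per path rule, tagged with the security level it belongs to.
    $levels = @{ 0 = 'Disallowed'; 131072 = 'BasicUser'; 262144 = 'Unrestricted' }
    foreach ($level in $levels.Keys) {
        $pathsKey = Join-Path $saferRoot "$level\Paths"
        if (-not (Test-Path $pathsKey)) { continue }
        Get-ChildItem -Path $pathsKey | ForEach-Object {
            $rule = Get-ItemProperty -Path $_.PSPath
            [pscustomobject]@{
                Level       = $levels[$level]
                Path        = $rule.ItemData
                Description = $rule.Description
            }
        }
    }
}

if (-not (Test-Path $saferRoot)) {
    'No Software Restriction Policy is configured on this machine.'
} else {
    $rules = @(Get-SrpPathRules)
    $rules | Sort-Object Level, Path | Format-Table -AutoSize

    # Compare the Disallowed rules that exist against the recommended list (case-insensitive).
    $disallowed = $rules | Where-Object { $_.Level -eq 'Disallowed' } | ForEach-Object { $_.Path }
    $missing = $expected | Where-Object { $disallowed -notcontains $_ }
    if ($missing) { "Missing Disallowed rules:`n" + ($missing -join "`n") }
    else { 'All recommended Disallowed rules are present.' }
}
```

Run it after a gpupdate on a test workstation. An Unrestricted rule that is more specific than a Disallowed one wins in SRP, so the Unrestricted section of the listing is worth reading as well: a broad Unrestricted path rule under %AppData% would quietly undo the block.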

----------

Identifying if your system has already begun encrypting files:

The following PowerShell command lists all files that CryptoLocker has recorded as encrypted on the local system (the malware keeps the list under HKCU\Software\CryptoLocker\Files, with "?" standing in for "\" in each path). To execute this, run PowerShell as administrator and paste the following code:

(Get-Item HKCU:\Software\CryptoLocker\Files).GetValueNames().Replace("?","\") | Out-File CryptoLockerFiles.txt -Encoding unicode
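The one-liner above fails with an error if the key is absent and gives no sense of how far the encryption got. The script below is an added example, not from the original post: it performs the same lookup on HKCU:\Software\CryptoLocker\Files (the key name is the post's), tolerates a missing key, restores the backslashes, writes the same CryptoLockerFiles.txt, and then summarises the affected directories and lists recorded files that are no longer on disk. The function name and the summary format are this example's own.

```powershell
# Added example (not from the original post): robust version of the encrypted-file listing.
function Get-CryptoLockerFileList {
    param([string]$OutFile = 'CryptoLockerFiles.txt')
    $key = 'HKCU:\Software\CryptoLocker\Files'   # key name taken from the post
    if (-not (Test-Path $key)) {
        Write-Warning "$key not found: this profile may not have been hit, or the list was already removed."
        return @()
    }
    # Each value name is an encrypted file's path with '\' replaced by '?'; put the backslashes back.
    $files = (Get-Item $key).GetValueNames() | ForEach-Object { $_.Replace('?', '\') }
    $files | Out-File -FilePath $OutFile -Encoding unicode
    return $files
}

$encrypted = @(Get-CryptoLockerFileList)
"Encrypted files recorded: $($encrypted.Count)"

# Which directories (local drives, mapped drives and UNC paths alike) were touched, heaviest first.
$encrypted | Group-Object { Split-Path $_ -Parent } | Sort-Object Count -Descending |
    Select-Object Count, Name -First 20 | Format-Table -AutoSize

# Recorded files that no longer exist on disk (moved, deleted, or already restored from backup).
$encrypted | Where-Object { -not (Test-Path -LiteralPath $_) }
```

The directory summary is the useful part for recovery planning: it shows which shares and drive letters the affected user could write to, which is the set that needs to be restored from backup, and -LiteralPath is used so that file names containing wildcard characters are not misread.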
