Cryptolocker: How to avoid getting infected and what to do if you are
There's a new piece of ransomware in town; here's how to protect your company's assets
Jonathan Hassell
October 25, 2013 (Computerworld)
There's a big threat roaming around on the Internet right now: a particularly nasty piece of
ransomware called Cryptolocker. Many, many organizations are being infected with this malware,
but fortunately, there are surefire ways to avoid it and also ways to mitigate the damage without
letting the lowlifes win.
What is Cryptolocker?
Cryptolocker comes in the door through social engineering. Usually the virus payload hides in an
attachment to a phishing message, one purporting to be from a business copier like Xerox that is
delivering a PDF of a scanned image, from a major delivery service like UPS or FedEx offering
tracking information or from a bank letter confirming a wire or money transfer.
[Figure: Cryptolocker's ransom note to infected users.]
The virus is, of course, an executable attachment, but interestingly the icon representing the
executable is a PDF file. With Windows' hidden extensions feature, the sender simply adds ".pdf"
to the end of the file (Windows hides the .exe) and the unwitting user is fooled into thinking the
attachment is a harmless PDF file from a trusted sender. It is, of course, anything but harmless.
Once Cryptolocker is in the door, it targets files with the following extensions:
*.odt, *.ods, *.odp, *.odm, *.odc, *.odb, *.doc, *.docx, *.docm, *.wps, *.xls, *.xlsx, *.xlsm, *.xlsb, *.xlk,
*.ppt, *.pptx, *.pptm, *.mdb, *.accdb, *.pst, *.dwg, *.dxf, *.dxg, *.wpd, *.rtf, *.wb2, *.mdf, *.dbf, *.psd,
*.pdd, *.pdf, *.eps, *.ai, *.indd, *.cdr, *.jpg, *.jpe, img_*.jpg, *.dng, *.3fr, *.arw, *.srf, *.sr2, *.bay,
*.crw, *.cr2, *.dcr, *.kdc, *.erf, *.mef, *.mrw, *.nef, *.nrw, *.orf, *.raf, *.raw, *.rwl, *.rw2, *.r3d, *.ptx,
*.pef, *.srw, *.x3f, *.der, *.cer, *.crt, *.pem, *.pfx, *.p12, *.p7b, *.p7c
When it finds a file matching that extension, it encrypts the file using a public key and then makes
a record of the file in the Windows registry under
HKEY_CURRENT_USER\Software\CryptoLocker\Files. It then prompts the user that his or her
files have been encrypted and that he or she must use prepaid cards or Bitcoin to send hundreds
of dollars to the author of the malware.
Once the payment has been made, the decryption usually begins. There is typically a four-day
time limit on the payment option; the malware's author claims the private key required to decrypt
files will be deleted if the ransom is not received in time. If the private key is deleted, your files will
essentially never be able to be decrypted -- you could attempt to brute force the key, but as a
practical matter, that would take on the order of thousands of years. Effectively, your files are
gone.
Currently, the only versions of Cryptolocker in existence target files and folders on local drives
and mapped drives. The malware does not currently attempt to perform its malfeasance over
network-based universal naming convention (UNC) paths, although one would surmise this would be a
relatively simple change for the author of the ransomware to make.
Antivirus and anti-malware programs, either running on endpoints or performing inbound email
message hygiene, have a particularly difficult time stopping this infection. Unless you have a
blanket email filtering rule stripping out executable attachments, and that tool is intelligent enough
to do so without allowing the user to request the item's return from quarantine, you will see your
users getting these phishing messages attempting to introduce Cryptolocker. It is only a matter of
time.
Prevention: Software Restriction Policies and AppLocker
As of now, the best tool to use to prevent a Cryptolocker infection in the first place -- since your
options for remediating the infection involve time, money, data loss or all three -- is a software
restriction policy. There are two kinds: Regular software restriction policies, and then enhanced
AppLocker policies. I'll cover how to use both to prevent Cryptolocker infections.
Software Restriction Policies
Software Restriction Policies (SRPs) allow you to control or prevent the execution of certain
programs through the use of Group Policy. You can use SRPs to block executable files from
running in the specific user-space areas that Cryptolocker uses to launch itself in the first place.
The best place to do this is through Group Policy, although if you're a savvy home user or a
smaller business without a domain, you can launch the Local Security Policy tool and do the same
thing.
One tip: if you're using Group Policy, create a new GPO for each restriction policy. This makes it
easier to disable a policy that might be overly restrictive.
Here's how to do it:
1. Open up Local Security Policy or the Group Policy Object editor and create a new GPO. I'll show you how
to create two here -- one for Windows XP machines (which use slightly different paths for the user space)
and one for Windows Vista and later machines.
2. Name the new GPO "SRP for XP to prevent Cryptolocker" or something similar for you to remember
easily.
3. Choose Computer Configuration and then navigate through Policies > Windows Settings > Security Settings > Software Restriction Policies.
4. Right-click Software Restriction Policies and choose New Software Restriction Policy from the context
menu.
5. Now, create the actual rules that will catch the software on which you want to enforce a restriction. Right-click Additional Rules in the left-hand pane. Choose New Path Rule.
6. Under Path, enter %AppData%\*.exe.
7. Under Security level, choose Disallowed.
8. Enter a friendly description, like "Prevent programs from running in AppData."
9. Choose New Path Rule again, and make a new rule like the one just completed. Use the following table
to fill out the remainder of this GPO.
Path | Security Level | Suggested Description
%AppData%\*.exe | Disallowed | Prevent Cryptolocker executable from running in AppData*
%AppData%\*\*.exe | Disallowed | Prevent virus payloads from executing in subfolders of AppData
%UserProfile%\Local Settings\Temp\Rar*\*.exe | Disallowed | Prevent un-WinRARed executables in email attachments from running in the user space
%UserProfile%\Local Settings\Temp\7z*\*.exe | Disallowed | Prevent un-7Zipped executables in email attachments from running in the user space
%UserProfile%\Local Settings\Temp\wz*\*.exe | Disallowed | Prevent un-WinZipped executables in email attachments from running in the user space
%UserProfile%\Local Settings\Temp\*.zip\*.exe | Disallowed | Prevent unarchived executables in email attachments from running in the user space
*Note: this entry was covered in steps 5-8. It is included here for your easy reference later.
WinRAR and 7Zip are the names of compression programs commonly used in the Windows
environment.
Close the policy.
To protect Windows Vista and newer machines, create another GPO and call this one "SRP for
Windows Vista and up to prevent Cryptolocker." Repeat the steps above to create the SRP and
create path rules based on the following table.
Path | Security Level | Suggested Description
%AppData%\*.exe | Disallowed | Prevent Cryptolocker executable from running in AppData*
%AppData%\*\*.exe | Disallowed | Prevent virus payloads from executing in subfolders of AppData
%LocalAppData%\Temp\Rar*\*.exe | Disallowed | Prevent un-WinRARed executables in email attachments from running in the user space
%LocalAppData%\Temp\7z*\*.exe | Disallowed | Prevent un-7Zipped executables in email attachments from running in the user space
%LocalAppData%\Temp\wz*\*.exe | Disallowed | Prevent un-WinZipped executables in email attachments from running in the user space
%LocalAppData%\Temp\*.zip\*.exe | Disallowed | Prevent unarchived executables in email attachments from running in the user space
Close the policy.
Once these GPOs get synchronized down to your machines -- this can take up to three reboots to
happen, so allow some time -- when users attempt to open executables from email attachments,
they'll get an error saying their administrator has blocked the program. This will stop the
Cryptolocker attachment in its tracks.
Unfortunately, taking this "block it all in those spots" approach means that other programs your
users may install from the web, like GoTo Meeting reminders and other small utilities that do have
legitimate purposes, will also be blocked. There is a solution, however: You can create ad-hoc
allow rules in the software restriction policy GPOs. Windows allows these "whitelisted" apps before
it denies anything else, so by defining these exceptions in the SRP GPO, you will instruct
Windows to let those apps run while blocking everything else. Simply set the security level to
Unrestricted, instead of Disallowed as we did above.
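The same path rules can be written without clicking through the editor. The following is an added example, not code from the article or from Microsoft: it writes the Vista-and-later rules from the second table into the local SRP registry store, plus one Unrestricted allow rule for a placeholder program. It assumes Software Restriction Policies were already created once through the editor (step 4 above), so the CodeIdentifiers key and its default values exist, and that it runs in an elevated PowerShell session.

```powershell
# Level 0 = Disallowed, 262144 = Unrestricted; both live under the local policy key.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

function Add-SrpPathRule {
    param([string]$Path, [string]$Description, [switch]$Unrestricted)
    $level = if ($Unrestricted) { 262144 } else { 0 }
    # Each rule is a {GUID} subkey under <level>\Paths; the GUID only has to be unique.
    $key = Join-Path $base "$level\Paths\{$([guid]::NewGuid())}"
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name ItemData -PropertyType ExpandString -Value $Path | Out-Null
    New-ItemProperty -Path $key -Name Description -PropertyType String -Value $Description | Out-Null
    New-ItemProperty -Path $key -Name SaferFlags -PropertyType DWord -Value 0 | Out-Null
    New-ItemProperty -Path $key -Name LastModified -PropertyType QWord -Value ([datetime]::Now.ToFileTime()) | Out-Null
}

function Get-SrpPathRule {
    # Lists every path rule so you can confirm what the policy now contains.
    foreach ($level in 0, 262144) {
        $paths = Join-Path $base "$level\Paths"
        if (-not (Test-Path $paths)) { continue }
        foreach ($rule in Get-ChildItem $paths) {
            [pscustomobject]@{
                Level       = if ($level -eq 0) { 'Disallowed' } else { 'Unrestricted' }
                Path        = $rule.GetValue('ItemData', $null, 'DoNotExpandEnvironmentNames')
                Description = $rule.GetValue('Description')
            }
        }
    }
}

# Vista-and-later rules from the second table above.
$rules = @(
    @{ Path = '%AppData%\*.exe';                 Desc = 'Prevent Cryptolocker executable from running in AppData' },
    @{ Path = '%AppData%\*\*.exe';               Desc = 'Prevent virus payloads from executing in subfolders of AppData' },
    @{ Path = '%LocalAppData%\Temp\Rar*\*.exe';  Desc = 'Prevent un-WinRARed executables in email attachments from running' },
    @{ Path = '%LocalAppData%\Temp\7z*\*.exe';   Desc = 'Prevent un-7Zipped executables in email attachments from running' },
    @{ Path = '%LocalAppData%\Temp\wz*\*.exe';   Desc = 'Prevent un-WinZipped executables in email attachments from running' },
    @{ Path = '%LocalAppData%\Temp\*.zip\*.exe'; Desc = 'Prevent unarchived executables in email attachments from running' }
)
foreach ($r in $rules) { Add-SrpPathRule -Path $r.Path -Description $r.Desc }

# Allow rule for a legitimate per-user program, as the text suggests. Placeholder path:
# replace it with the real installer or updater your users need. A more specific path
# rule wins over a less specific one, which is why this exception beats the AppData block.
Add-SrpPathRule -Path '%LocalAppData%\ExampleVendor\updater.exe' -Description 'Allow ExampleVendor updater' -Unrestricted

Get-SrpPathRule | Format-Table -AutoSize
```

Log the user off and on (or reboot) after running it so new processes are checked against the updated rules.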
AppLocker
AppLocker is the SRP feature on steroids. However, it only works on Windows 7 Ultimate or
Windows 7 Enterprise editions, or Windows 8 Pro or Windows 8 Enterprise edition, so if you're still
on Windows XP for the time being or you have a significant contingent of Windows Vista
machines, AppLocker will not do anything for you.
But if you are a larger company with volume licenses that is deploying the enterprise editions of
the OS, AppLocker is really helpful in preventing Cryptolocker infections because you can simply
block programs from running -- except those from specific software publishers that have signed
certificates.
Here's what to do:
1. Create a new GPO.
2. Right-click on it to edit, and then navigate through Computer Configuration, Windows Settings, Security
Settings, Application Control Policies and AppLocker.
3. Click Configure Rule Enforcement.
4. Under Executable Rules, check the Configured box and then make sure Enforce Rules is selected from
the drop-down box. Click OK.
5. In the left pane, click Executable Rules.
6. Right-click in the right pane and select Create New Rule.
7. On the Before You Begin screen, click Next.
8. On the Permissions screen, click Next.
9. On the Conditions screen, select the Publisher condition and click Next.
10. Click the Browse button and browse to any executable file on your system. It doesn't matter which.
11. Drag the slider up to Any Publisher and then click Next.
12. Click Next on the Exceptions screen.
13. Name the policy something like "Only run executables that are signed" and click Create.
14. If this is your first time creating an AppLocker policy, Windows will prompt you to create default rules -- go
ahead and click Yes here.
NOTE: Also take this opportunity to review the permissions set on your file server share access
control lists, or ACLs. Cryptolocker possesses no special capabilities to override deny
permissions, so if the user who gets infected is logged into an account that has very limited
permissions, the damage will be minimal. Conversely, if you allow the Everyone group Write
access for the NTFS permissions on most of your file shares, and you use mapped drives, one
Cryptolocker infection could put you into a world of hurt. Review your permissions now. Tighten
where you can. Work with your line of business application vendors to further tighten loose
permissions that are "required" for "supportability" -- often these specifications are needlessly
broad.
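One way to do that permissions review is to list every share whose NTFS ACL grants a broad group write-type rights. This is an added example, not from the article: it assumes it runs on the file server itself in an elevated session, and that Get-SmbShare is available (Windows Server 2012 or later; on older servers, pass the share folders to Get-BroadWriteAccess by hand).

```powershell
$broadGroups = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Domain Users')
# Rights that let a process create or overwrite files; Modify and FullControl include Write.
$writeRights  = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl'
$genericWrite = 0x50000000   # GENERIC_WRITE | GENERIC_ALL, shown as raw bits on some inherited ACEs

function Get-BroadWriteAccess([string[]]$Folders) {
    foreach ($folder in $Folders) {
        $acl = Get-Acl -LiteralPath $folder
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $identity = $ace.IdentityReference.Value
            # Match 'Everyone' as well as 'CONTOSO\Domain Users' style names.
            $isBroad = $broadGroups | Where-Object { $identity -like "*$_" }
            $rights  = [int]$ace.FileSystemRights
            if ($isBroad -and (($rights -band [int]$writeRights) -or ($rights -band $genericWrite))) {
                [pscustomobject]@{
                    Folder    = $folder
                    Identity  = $identity
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

# Non-administrative SMB shares on this server; each row printed is a share one infected
# user session could write to, and therefore a candidate for tightening.
$shares = Get-SmbShare | Where-Object { -not $_.Special -and $_.Path }
Get-BroadWriteAccess -Folders $shares.Path | Format-Table -AutoSize
```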
Using either an SRP or an AppLocker policy, you can prevent Cryptolocker from ever executing
and save yourself a lot of problems.
Mitigation: Previous versions (shadow copies) and ShadowExplorer
If you are unlucky enough to have been infected with Cryptolocker, then there are some
mitigation strategies available to you. (Of course, you can always restore from backups as well.)
Both strategies involve a tool called Shadow Copies that is an integral part of the System Restore
feature in Windows. This is turned on by default in client versions of Windows, and best practices
for storage administration have you turning this on manually on Windows Server-based file
servers. If you have left this setting alone, you likely have backups right on your computer or file
share.
Previous versions
To restore the previous version of a file using the traditional Windows interface, just right-click the
file in question and choose Properties. If System Restore is enabled or your administrator has
enabled Shadow Copies through Group Policy, you should be able to see the Previous Versions
tab in the Properties window. This will list all of the versions on record of the file. Choose a
version before the Cryptolocker infection and then click either Copy to export a copy of the file
somewhere else, or Restore to pop the backup right where the encrypted file belongs. You can
open the files directly from this box too if you are not sure of the exact date and time of infection.
ShadowExplorer
ShadowExplorer is a downloadable free tool that makes it much easier to explore all of the
available shadow copies on your system. This is a useful ability when you have a wide range of
files infected with Cryptolocker and need to restore a swath of them at once.
When you install and run the tool, you can select the drive and the shadow copy date and time
from the drop-down menu at the top of the window. Then, just like in a regular Windows Explorer
menu, you can choose the folder and file you want, and then right-click and select Export.
Choose the destination on your file system to put the exported shadow copies on, and then you
have your backup restored. Of course, this is a previous version, so it may not have the most
current updates to your files, but it is much better than having lost them completely or having to
pay a ransom for them.
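When many files are affected, the registry list the article mentions earlier (HKEY_CURRENT_USER\Software\CryptoLocker\Files) can drive the restore instead of clicking through Previous Versions one file at a time. The following is an added example, not from the article or from ShadowExplorer: it copies the newest pre-infection shadow copy of each listed file into a separate folder and leaves the encrypted originals alone. It assumes the registry value names hold the file paths (the article does not document the value format), that the infected user is logged on, and that it runs elevated so mklink can expose the snapshot.

```powershell
param(
    [Parameter(Mandatory)][datetime]$InfectedAt,    # when the ransom note first appeared
    [string]$RestoreRoot = 'C:\CryptolockerRestore' # copies go here; originals are left alone
)

function Get-CryptolockerFileList {
    # The article states the malware records each encrypted file under this key.
    # Assumption: the value names hold the paths (the value format is not documented here).
    $key = 'HKCU:\Software\CryptoLocker\Files'
    if (-not (Test-Path $key)) { return @() }
    foreach ($name in (Get-Item $key).GetValueNames()) {
        # Assumption: some samples store the path with '?' in place of '\'; undo that.
        if ($name -notmatch '\\') { $name = $name -replace '\?', '\' }
        $name
    }
}

function Get-ShadowCopyBefore([datetime]$Before, [string]$Drive) {
    # Newest VSS snapshot of this volume taken before the infection.
    $vol = Get-CimInstance Win32_Volume | Where-Object DriveLetter -eq $Drive
    Get-CimInstance Win32_ShadowCopy |
        Where-Object { $_.VolumeName -eq $vol.DeviceID -and $_.InstallDate -lt $Before } |
        Sort-Object InstallDate -Descending | Select-Object -First 1
}

function Restore-FromShadow([string[]]$Files, [datetime]$Before, [string]$Root) {
    foreach ($drive in ($Files | ForEach-Object { $_.Substring(0, 2) } | Sort-Object -Unique)) {
        $sc = Get-ShadowCopyBefore $Before $drive
        if (-not $sc) { Write-Warning "No shadow copy of $drive older than $Before"; continue }
        # Expose the snapshot through a directory symlink; the trailing '\' is required.
        $link = Join-Path $env:TEMP ('vss_' + $sc.ID.Trim('{}'))
        cmd /c mklink /d $link "$($sc.DeviceObject)\" | Out-Null
        try {
            foreach ($f in ($Files | Where-Object { $_.StartsWith($drive) })) {
                $rel = $f.Substring(3)                      # strip the leading 'C:\'
                $src = Join-Path $link $rel
                if (-not (Test-Path -LiteralPath $src)) { continue }
                $dst = Join-Path $Root ($drive.TrimEnd(':') + '\' + $rel)
                New-Item -ItemType Directory -Force (Split-Path $dst) | Out-Null
                Copy-Item -LiteralPath $src -Destination $dst
                $dst                                        # emit each restored path
            }
        } finally { cmd /c rmdir $link | Out-Null }
    }
}

Restore-FromShadow -Files (Get-CryptolockerFileList) -Before $InfectedAt -Root $RestoreRoot
```

Run it only after the malware has been removed from the machine, since a restored file sitting on the same disk is just another target for an active infection.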
The last word
Cryptolocker sucks. Its creator is a piece of scum. To trick users into downloading something that
encrypts their files and then to demand from them hundreds of dollars to give their own data back
to them is despicable. Please, take steps now so you don't have to be the one ponying up your
money and enabling this trash to continue.
This article, Cryptolocker: How to avoid getting infected and what to do if you are, was originally
published at Computerworld.com.
Jonathan Hassell runs 82 Ventures LLC, a consulting firm based out of Charlotte, N.C. He's also
an editor with Apress Media LLC. Reach him at jhassell@gmail.com.