There's a big threat wiling around on the Internet right now: a particularly nasty piece of ransomware called Cryptolocker. Many, many organizations are being infected with this malware, but fortunately, there are surefire ways to avoid it and also ways to mitigate the damage without letting the lowlifes win.
What is Cryptolocker?
Cryptolocker comes in the door through social engineering. Usually the virus payload hides in an attachment to a phishing message, one purporting to be from a business copier like a Xerox that is delivering a PDF of a scanned image, from a major delivery service like UPS orFedEx offering tracking information or from a bank letter confirming a wire or ACH transfer.
Cryptolocker's ransom note to infected users.
The virus is, of course, an executable attachment, but interestingly the icon representing the executable is a PDF file With Windows' hidden extensions feature, the sender simply adds ".pdf" to the end of the file (Windows hides the .exe) and the unwitting user is fooled into thinking the attachment is a harmless PDF file from a trusted sender. It is, of course, anything but harmless.
Once Cryptolocker is in the door, it targets files with the following extensions:
*.odt, *.ods, *.odp, *.odm, *.odc, *.odb, *.doc, *.docx, *.docm, *.wps, *.xls, *.xlsx, *.xlsm, *.xlsb, *.xlk, *.ppt, *.pptx, *.pptm, *.mdb, *.accdb, *.pst, *.dwg, *.dxf, *.dxg, *.wpd, *.rtf, *.wb2, *.mdf, *.dbf, *.psd, *.pdd, *.pdf, *.eps, *.ai, *.indd, *.cdr, *.jpg, *.jpe, img_*.jpg, *.dng, *.3fr, *.arw, *.srf, *.sr2, *.bay, *.crw, *.cr2, *.dcr, *.kdc, *.erf, *.mef, *.mrw, *.nef, *.nrw, *.orf, *.raf, *.raw, *.rwl, *.rw2, *.r3d, *.ptx, *.pef, *.srw, *.x3f, *.der, *.cer, *.crt, *.pem, *.pfx, *.p12, *.p7b, *.p7c
When it finds a file matching that extension, it encrypts the file using a public key and then makes a record of the file in the Windows registry under HKEY_CURRENT_USER\Software\CryptoLocker\Files. It then prompts the user that his or her files have been encrypted and that he or she must use prepaid cards or Bitcoin to send hundreds of dollars to the author of the malware.
Once the payment has been made, the decryption usually begins. There is typically a four-day time limit on the payment option; the malware's author claims the private key required to decrypt files will be deleted if the ransom is not received in time. If the private key is deleted, your files will essentially never be able to be decrypted - you could attempt to brute force the key, but as a practical matter, that would take on the order or thousands of years. Effectively, your files are gone.
Currently, the only versions of Cryptolocker in existence target files and folders on local drives and mapped drives. The malware does not currently attempt to perform its malfeasance over network -based universal naming convention paths, although one would surmise this would be a relatively simple change for the author of the ransomware to make.
Antivirus and anti-malware programs, either running on endpoints or performing inbound email message hygiene, have a particularly difficult time stopping this infection. Unless you have a blanket email filtering rule stripping out executable attachments, and that tool is intelligent enough to do so without allowing the user to request the item's return from quarantine, you will see your users getting these phishing messages attempting to introduce Cryptolocker. It is only a matter of time.
Prevention: Software Restriction Policies and AppLocker
As of now, the best tool to use to prevent a Cryptolocker infection in the first place -- since your options for remediating the infection involve time, money, data loss or all three -- is a software restriction policy. There are two kinds: Regular software restriction policies, and then enhanced AppLocker policies. I'll cover how to use both to prevent Cryptolocker infections.
Software Restriction Policies
Software Restriction Policies (SRPs) allow you to control or prevent the execution of certain programs through the use of Group Policy. You can use SRPs to block executable files from running in the specific user-space areas that Cryptolocker uses to launch itself in the first place. The best place to do this is through Group Policy, although if you're a savvy home user or a smaller business without a domain, you can launch the Local Security Policy tool and do the same thing.
One tip: if you're using Group Policy, create a new GPO for each restriction policy. This makes it easier to disable a policy that might be overly restrictive.
Here's how to do it:
| Path | Security Level | Suggested Description |
|---|---|---|
| %AppData%\*.exe | Disallowed | Prevent Cryptolocker executable from running in AppData* |
| %AppData%\*\*.exe | Disallowed | Prevent virus payloads from executing in subfolders of AppData |
| %UserProfile%\Local Settings\Temp\Rar*\*.exe | Disallowed | Prevent un-WinRARed executables in email attachments from running in the user space |
| %UserProfile%\Local Settings\Temp\7z*\*.exe | Disallowed | Prevent un-7Ziped executables in email attachments from running in the user space |
| %UserProfile%\Local Settings\Temp\wz*\*.exe | Disallowed | Prevent un-WinZIPed executables in email attachments from running in the user space |
| %UserProfile%\Local Settings\Temp\*.zip\*.exe | Disallowed | Prevent unarchived executables in email attachments from running in the user space |
*Note this entry was covered in steps 5-8. It is included here for your easy reference later.
WinRAR and 7Zip are the names of compression programs commonly used in the Windows environment.
Close the policy.
To protect Windows Vista and newer machines, create another GPO and call this one "SRP for Windows Vista and up to prevent Cryptolocker." Repeat the steps above to create the SRP and create path rules based on the following table.
| Path | Security Level | Suggested Description |
|---|---|---|
| %AppData%\*.exe | Disallowed | Prevent Cryptolocker executable from running in AppData* |
| %AppData%\*\*.exe | Disallowed | Prevent virus payloads from executing in subfolders of AppData |
| %LocalAppData%\Temp\Rar*\*.exe | Disallowed | Prevent un-WinRARed executables in email attachments from running in the user space |
| %LocalAppData%\Temp\7z*\*.exe | Disallowed | Prevent un-7Ziped executables in email attachments from running in the user space |
| %LocalAppData%\Temp\wz*\*.exe | Disallowed | Prevent un-WinZIPed executables in email attachments from running in the user space |
| %LocalAppData%\Temp\*.zip\*.exe | Disallowed | Prevent unarchived executables in email attachments from running in the user space |
Close the policy.
Once these GPOs get synchronized down to your machines -- this can take up to three reboots to happen, so allow some time -- when users attempt to open executables from email attachments, they'll get an error saying their administrator has blocked the program. This will stop the Cryptolocker attachment in its tracks.
Unfortunately, taking this "block it all in those spots" approach means that other programs your users may install from the web, like GoTo Meeting reminders and other small utilities that do have legitimate purposes, will also be blocked. There is a solution, however: You can create ad-hoc allow rules in the software restriction policy GPOs. Windows allows these "whitelisted" apps before it denies anything else, so by defining these exceptions in the SRP GPO, you will instruct Windows to let those apps run while blocking everything else. Simply set the security level to Unrestricted, instead of Disallowed as we did above.
AppLocker
AppLocker is the SRP feature on steroids. However, it only works on Windows 7 Ultimate or Windows 7 Enterprise editions, or Windows 8 Pro or Windows 8 Enterprise edition, so if you're still on Windows XP for the time being or you have a significant contingent of Windows Vista machines, AppLocker will not do anything for you.
But if you are a larger company with volume licenses that is deploying the enterprise editions of the OS, AppLocker is really helpful in preventing Cryptolocker infections because you can simply block programs from running -- except those from specific software publishers that have signed certificates.
Here's what to do:
NOTE: Also take this opportunity to review the permissions set on your file server share access control lists, or ACLs. Cryptolocker possesses no special capabilities to override deny permissions, so if the user who gets infected is logged into an account that has very limited permissions, the damage will be minimal. Conversely, if you allow the Everyone group Write access for the NTFS permissions on most of your file shares, and you use mapped drives, one Cryptolocker infection could put you into a world of hurt. Review your permissions now. Tighten where you can. Work with your line of business application vendors to further tighten loose permissions that are "required" for "supportability" -- often these specifications are needlessly broad.
Using either an SRP or an AppLocker policy, you can prevent Cryptolocker from ever executing and save yourself a lot of problems.
Mitigation: Previous versions (shadow copies) and ShadowExplorer
If you are unlucky enough to have been infected with Cryptolocker, then there are some mitigation strategies available to you. (Of course, you can always restore from backups as well.) Both strategies involve a tool called Shadow Copies that is an integral part of the System Restore feature in Windows. This is turned on by default in client versions of Windows, and best practices for storage administration have you turning this on manually on Windows Server-based file servers. If you have left this setting alone, you likely have backups right on your computer or file share.
Previous versions
To restore the previous version of a file using the traditional Windows interface, just right-click the file in question and choose Properties. If System Restore is enabled or your administrator has enabled Shadow Copies through Group Policy, you should be able to see the Previous Versions tab in the Properties window. This will list all of the versions on record of the file. Choose a version before the Cryptolocker infection and then click either Copy to export a copy of the file somewhere else, or Restore to pop the backup right where the encrypted file belongs. You can open the files directly from this box too if you are not sure of the exact date and time of infection.
ShadowExplorer
ShadowExplorer is a downloadable free tool that makes it much easier to explore all of the available shadow copies on your system. This is a useful ability when you have a wide range of files infected with Cryptolocker and need to restore a swath of them at once.
When you install and run the tool, you can select the drive and the shadow copy date and time from the drop-down menu at the top of the window. Then, just like in a regular Windows Explorer menu, you can choose the folder and file you want, and then right-click and select Export. Choose the destination on your file system to put the exported shadow copies on, and then you have your backup restored. Of course, this is a previous version, so it may not have the most current updates to your files, but it is much better than having lost them completely or having to pay a ransom for them.
The last word
Cryptolocker sucks. Its creator is a piece of scum. To trick users into downloading something that encrypts their files and then to demand from them hundreds of dollars to give their own data back to them is despicable. Please, take steps now so you don't have to be the one ponying up your money and enabling this trash to continue.
Jonathan Hassell runs 82 Ventures LLC, a consulting firm based out of Charlotte, N.C. He's also an editor with Apress Media LLC. Reach him at jhassell@gmail.com.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.