Guide | How To Cryptolocker virus protection

The associated guide may contain user-generated or external content.

Petrovic

Level 64
Thread author
Verified
Honorary Member
Top Poster
Well-known
Apr 25, 2013
5,354
You have probably already heard about very well known type of virus called “Cryptolocker“.
Each day you can heard about new variant of Cryptolocker virus and based from my experience I can say that Antivirus vendors just can’t keep up with this kind of threat, because once downloaded Cryptolocker virus changes .exe file names and hashes so it is really hard to track it down.

Following recommendations will help you to protect your PC or your network from a Cryptolocker virus.

  1. Do not use non-supported Operating System like Windows XP. Although you’ll be more protected using this guide, even if you use an outdated OS like Windows XP, we strongly recommend you to move forward and upgrade to a newer operating system. Microsoft no longer provides security updates or technical support for Windows XP.
  2. Use good Anti-Virus software protection and make sure your virus definitions are up to date.
  3. Use a third party Firewall or Windows Firewall.
  4. Use Windows User Account Control (UAC) in Admin approval mode. When the system or you initiates an .exe file it will ask you for consent or for a password if you are logged on as a standard user.
  5. Always work under Windows standard user account. Let Windows ask you for administrative credentials each time you try to install something.
Although above mentioned methods will help you have a better protection, it won’t necessarily protect you from one of the Cryptolocker variants.

In order to prevent cryptolocker virus from activating and therefore start with the encryption of your files here’s what you can do if you are using Windows Professional or Enterprise versions of Microsoft Operating System.

Open local policy editor by running gpedit.msc and navigate to:

Computer Configuration | Windows Settings | Security Settings | Software Restriction Policies

From the action menu or using a right click select “New Software Restriction Policies”

Select Additional Rules and in the right pane right click and choose to create a New Path Rule.

Now add each of the following rules and set Security Level to “Disallowed“:

%AppData%\*.exe
%AppData%\*\*.exe
%LocalAppData%\*.exe
%LocalAppData%\*\*.exe
%USERPROFILE%\Appdata\*.exe
%USERPROFILE%\Appdata\*\*.exe
%USERPROFILE%\Appdata\LocalLow\*.exe
%USERPROFILE%\Appdata\LocalLow\*\*.exe

Once you’re done you should get this result:

cryptolocker.png


Close policy editor and restart your machine.

With this policy in place you will prevent starting of executable files from directories that Cryptolocker mostly use.

If you work in a corporate environment you can link above created policy to your domain and thus prevent Cryptolocker from running.
Source
 

shukla44

Level 13
Verified
Top Poster
Well-known
Jan 14, 2016
601
This is a sure cut block of any .exe files from these directories.

What about legitimate programs which have executable files in these locations for eg., uTorrent, IDM auto-update, ICC dasher, Youtube downloader, etc. , what will happen to them? These are the ones that i know about, there are many programs which have some executable files in these directories.

Is there any way to exclude some folders or files?
If there is a way, please share.


EDIT: I think you forgot to add one point: Backup.
 
Last edited:

Av Gurus

Level 29
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Sep 22, 2014
1,767
You can add Path to the .exe you wish to exclude and just change the Security Level to “Unrestricted“.
For some programs works for others don't.

Clipboard01.png
 
Last edited:
  • Like
Reactions: Svoll and shukla44

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top