Cryptolocker virus protection

Discussion in 'Tutorials & Guides' started by Petrovic, Feb 15, 2016.

  1. Petrovic

    You have probably already heard about the very well known type of virus called “Cryptolocker”.
    Each day you can hear about a new variant of the Cryptolocker virus and, based on my experience, I can say that antivirus vendors just can’t keep up with this kind of threat, because once downloaded the Cryptolocker virus changes .exe file names and hashes, so it is really hard to track down.

    The following recommendations will help you protect your PC or your network from the Cryptolocker virus.

    1. Do not use a non-supported operating system like Windows XP. Although you’ll be better protected using this guide even if you use an outdated OS like Windows XP, we strongly recommend that you move forward and upgrade to a newer operating system. Microsoft no longer provides security updates or technical support for Windows XP.
    2. Use good Anti-Virus software protection and make sure your virus definitions are up to date.
    3. Use a third party Firewall or Windows Firewall.
    4. Use Windows User Account Control (UAC) in Admin Approval Mode. When you or the system start an .exe file, it will ask you for consent, or for a password if you are logged on as a standard user.
    5. Always work under a Windows standard user account. Let Windows ask you for administrative credentials each time you try to install something.
    Although the above mentioned methods will give you better protection, they won’t necessarily protect you from one of the Cryptolocker variants.

    In order to prevent the Cryptolocker virus from activating and starting to encrypt your files, here’s what you can do if you are using the Professional or Enterprise version of the Microsoft operating system.

    Open local policy editor by running gpedit.msc and navigate to:

    Computer Configuration | Windows Settings | Security Settings | Software Restriction Policies

    From the Action menu, or using a right click, select “New Software Restriction Policies”.

    Select Additional Rules, then in the right pane right click and choose to create a New Path Rule.

    Now add each of the following rules and set Security Level to “Disallowed“:

    %AppData%\*.exe
    %AppData%\*\*.exe
    %LocalAppData%\*.exe
    %LocalAppData%\*\*.exe
    %USERPROFILE%\Appdata\*.exe
    %USERPROFILE%\Appdata\*\*.exe
    %USERPROFILE%\Appdata\LocalLow\*.exe
    %USERPROFILE%\Appdata\LocalLow\*\*.exe

    Once you’re done you should get this result:

    [Screenshot: cryptolocker.png]

    Close policy editor and restart your machine.

    With this policy in place you will prevent executable files from starting from the directories that Cryptolocker mostly uses.

    If you work in a corporate environment you can link the policy created above to your domain and thus prevent Cryptolocker from running.
    Source
     
  2. shukla44

    #2 shukla44, Feb 15, 2016
    Last edited: Feb 15, 2016
    This is a sure-cut block of any .exe files from these directories.

    What about legitimate programs which have executable files in these locations, e.g. uTorrent, IDM auto-update, ICC dasher, YouTube downloader, etc.? What will happen to them? These are the ones that I know about; there are many programs which have some executable files in these directories.

    Is there any way to exclude some folders or files?
    If there is a way, please share.


    EDIT: I think you forgot to add one point: Backup.
     
  3. Av Gurus

    #3 Av Gurus, Feb 15, 2016
    Last edited: Feb 15, 2016
    You can add the path to the .exe you wish to exclude and just change the Security Level to “Unrestricted”.
    For some programs it works, for others it doesn't.

    [Screenshot: Clipboard01.png]
     
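The following script is an added example and is not part of the original post or of any tool the thread mentions. It writes the same eight Software Restriction Policy path rules that the gpedit.msc steps in the first post produce, plus one “Unrestricted” exception of the kind suggested in the reply above, directly to the local policy registry hive that the Local Group Policy editor uses (CodeIdentifiers\<level>\Paths\<GUID>). It assumes Windows Pro/Enterprise (SRP is not available on Home editions), an elevated PowerShell session, and that the exception path `%AppData%\uTorrent\uTorrent.exe` is only a placeholder to be replaced with the real program; the Designated File Types list is the editor's default and should be adjusted if yours differs.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): creates SRP path rules by writing the
# registry keys that gpedit.msc's Software Restriction Policies node writes.
# Run elevated, then reboot or run "gpupdate /force" so the Safer subsystem reloads.

$Safer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
# SRP security levels as stored in the registry (SAFER_LEVELID_* constants)
$Disallowed   = 0
$Unrestricted = 262144   # 0x40000

function Initialize-Srp {
    # Equivalent of "New Software Restriction Policies": default level Unrestricted,
    # enforcement for all users (including administrators), and the file types SRP checks.
    if (-not (Test-Path $Safer)) { New-Item -Path $Safer -Force | Out-Null }
    Set-ItemProperty -Path $Safer -Name DefaultLevel       -Value $Unrestricted -Type DWord
    Set-ItemProperty -Path $Safer -Name TransparentEnabled -Value 1             -Type DWord
    Set-ItemProperty -Path $Safer -Name PolicyScope        -Value 0             -Type DWord
    # Assumption: this is the editor's default "Designated File Types" list; edit to taste.
    $types = 'ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP','HTA','INF',
             'INS','ISP','LNK','MDB','MDE','MSC','MSI','MSP','MST','OCX','PCD','PIF','REG',
             'SCR','SHS','URL','VB','WSC'
    Set-ItemProperty -Path $Safer -Name ExecutableTypes -Value $types -Type MultiString
}

function Add-SrpPathRule {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][int]$Level,
        [string]$Description = ''
    )
    $guid = '{' + [guid]::NewGuid().ToString().ToUpper() + '}'
    $key  = Join-Path $Safer "$Level\Paths\$guid"
    New-Item -Path $key -Force | Out-Null
    # ItemData is REG_EXPAND_SZ, so %AppData% etc. are expanded for the user running the file.
    New-ItemProperty -Path $key -Name ItemData     -Value $Path -PropertyType ExpandString -Force | Out-Null
    New-ItemProperty -Path $key -Name SaferFlags   -Value 0     -PropertyType DWord        -Force | Out-Null
    New-ItemProperty -Path $key -Name Description  -Value $Description -PropertyType String -Force | Out-Null
    New-ItemProperty -Path $key -Name LastModified -Value ([DateTime]::UtcNow.ToFileTimeUtc()) -PropertyType QWord -Force | Out-Null
    return $key
}

function Get-SrpPathRule {
    # Read every path rule back with its level, to verify what the policy now contains.
    foreach ($lvl in $Disallowed, $Unrestricted) {
        $paths = Join-Path $Safer "$lvl\Paths"
        if (Test-Path $paths) {
            Get-ChildItem $paths | ForEach-Object {
                $p = Get-ItemProperty $_.PSPath
                [pscustomobject]@{
                    Level       = if ($lvl -eq $Disallowed) { 'Disallowed' } else { 'Unrestricted' }
                    Path        = $p.ItemData
                    Description = $p.Description
                }
            }
        }
    }
}

Initialize-Srp

# The eight Disallowed rules from the first post. In this list each extra "\*" segment
# covers one more directory level below the base folder.
$blocked = @(
    '%AppData%\*.exe',                        '%AppData%\*\*.exe',
    '%LocalAppData%\*.exe',                   '%LocalAppData%\*\*.exe',
    '%USERPROFILE%\AppData\*.exe',            '%USERPROFILE%\AppData\*\*.exe',
    '%USERPROFILE%\AppData\LocalLow\*.exe',   '%USERPROFILE%\AppData\LocalLow\*\*.exe'
)
foreach ($p in $blocked) {
    Add-SrpPathRule -Path $p -Level $Disallowed -Description 'Block executables under AppData' | Out-Null
}

# Exception for a legitimate program (placeholder path): among SRP path rules the more
# specific rule wins, so a full-path Unrestricted rule overrides the wildcard Disallowed ones.
Add-SrpPathRule -Path '%AppData%\uTorrent\uTorrent.exe' -Level $Unrestricted -Description 'Allow uTorrent' | Out-Null

Get-SrpPathRule | Format-Table -AutoSize
```

Prefer a full file path for each exception rather than an Unrestricted rule on a whole folder; a folder exception such as `%AppData%\SomeApp\*` would let anything dropped into that folder run, which is exactly what the Disallowed rules are meant to stop. Check the result after a reboot by trying to launch a copy of a harmless executable from `%AppData%`; SRP logs the block in the Application event log.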
  4. Andi.cro

    What about adding your strings into Secure Folders in read-only mode?
    [Image: Image 1.jpg]
     
  5. Av Gurus

    I think it should be set to No-Execution.
     
  6. Andi.cro

    "No-Exe" will interfere with all the other apps that are located there!
     
  7. Av Gurus

    Add them to Trusted Applications.
     