How to avoid Cryptolocker virus encrypting your files

Recent news reports by the BBC and Sky have detailed the increase in detections of the Cryptolocker virus and warned of the severity of this potential threat.

What is Cryptolocker?

It is a Trojan, a non-self-replicating virus that has to be delivered by email, an infected link, or infected code within a web page (often disguised as a fake FedEx or UPS tracking notice).

What does it do?

If activated on the target machine, Cryptolocker finds and encrypts files so that they are unreadable to anyone without the decryption key.
Files located on shared network drives, USB drives, external hard drives, network file shares and even some cloud storage drives are also vulnerable.

Cryptolocker then connects to the attackers’ command and control server and deposits the asymmetric private key there, out of the victim’s reach.
Victim files are encrypted using asymmetric encryption. Asymmetric encryption uses two different keys for encrypting and decrypting messages. It is a more secure form of encryption because only one party holds the private key, while both sides know the public key.

While victims are told they have three days to pay the attacker through a third-party payment method (MoneyPak, Bitcoin), some victims have claimed online that they paid the attackers and did not receive the promised decryption key.

Who does it target?

Cryptolocker can infect any machine running Microsoft Windows: Windows 8 or 8.1, Windows 7, Windows Vista, and Windows XP.

What can you do to avoid infection?

Cryptolocker requires some level of user intervention, so the most important precaution is not to follow unsolicited web links in email messages.

Use caution when opening email attachments. Refer to the US-CERT ‘Using Caution with Email Attachments’ page for more information on safely handling email attachments.

Can we block any links to this virus?

Users subscribed to our email filtering service (details at http://www.realworldcs.com/email) are currently protected from the known variants; from the samples we have taken, we are blocking the known links. However, this type of Trojan keeps evolving and a new infection link can appear at any time.

To further assist with preventative steps, we are providing a utility called CryptoPrevent to make infection as difficult as possible. This utility is available from us at http://www.realworldcs.com/downloads/CryptoPreventSetup.exe

What is CryptoPrevent?

CryptoPrevent is a small program installed onto your computer which prevents the virus from running from its known infection points (see Technical Information below for details).

What does it cost?

We are providing CryptoPrevent free of charge.

Which machines will this run on?

Any machine that is susceptible to this Trojan: Windows 8 or 8.1, Windows 7, Windows Vista, and Windows XP.

Are you guaranteeing complete protection to us?

No. While the methods used by this program do protect against and prevent infection by current strains of Cryptolocker, we cannot guarantee how future strains will infect. Rest assured, we will continue to study the latest variants of this and other malware in an attempt to keep this program relevant and to continue providing an excellent additional layer of protection against this and other threats.

Incidentally, due to the way that CryptoPrevent works, it actually protects against a wide variety of malware, not just Cryptolocker.

Where can I download CryptoPrevent?

You can download this prevention tool here


Full URL – http://www.realworldcs.com/downloads/CryptoPreventSetup.exe

Step by step instructions for installation are available here

What can I do if I have been infected already?

Although the recommendation from the National Cyber Crime Unit is that “if a computer is infected the advice is to disconnect it from the network and seek professional help to clean the device”, unfortunately by then it is too late: your files will be encrypted and unretrievable by any expert.


Technical Information

Prevention Methodology

CryptoPrevent artificially implants group policy objects into the registry in order to block certain executables in certain locations from running. The number of rules created by CryptoPrevent is somewhere between 150 and 200+ depending on the OS and the options selected, not including whitelisting! Note that because the group policy objects are artificially created, they will not display in the Group Policy Editor on a Professional version of Windows — but rest assured they are still there! Executable types now protected against (starting with v2.6) are *.exe, *.com, *.scr and *.pif, and these executables are blocked in the paths below, where * is a wildcard:


%appdata% / %localappdata% / Recycle Bin – These locations are used by Cryptolocker and other malware as launch points.


%appdata% and any first-level subdirectories of %appdata% (e.g. %appdata%\directory1, %appdata%\directory2, etc.)

%localappdata% (and on Windows XP, any first-level subdirectories in there.)

NOTE: any time %localappdata% is referred to on this page, it also refers to %userprofile%\Local Settings\Application Data on Windows XP, where %localappdata% is not an actual environment variable.

The All Users Application Data and Local Settings\Application Data paths on XP.

The %userprofile% and %programdata% paths (no nested subfolders.)

The Recycle Bin on all drives, and multiple nested subfolders.

Fake File Extension Executables (e.g. document.docx.exe)


*.x.y where:

x = pdf, doc, docx, xls, xlsx, ppt, pptx, txt, rtf, zip, rar, 7z, jpeg, jpg, png, gif, avi, mp3, wma, wmv, wav, divx, mp4

y = exe, com, scr, and pif.

Since v4.1, this also includes RLO (Right-to-Left Override) exploit protection, covering filenames that use the Unicode RLO character to make an executable’s name display as if it ended in a document extension.

Temp Extracted Executables in Archive Files:


%temp%\rar* directories

%temp%\7z* directories

%temp%\wz* directories

%temp%\*.zip directories

The final four locations above are the temporary extract locations used when an executable is run directly from inside a compressed archive (e.g. you open download.zip in Windows Explorer, WinRAR, WinZip or 7-Zip and execute an .EXE from directly inside the download; it is actually extracted to a temporary location and run from there). CryptoPrevent guards against that as well; however, this option may interfere with certain program installations (e.g. Firefox).

NOTE: the variable %temp% is no longer used; instead the actual temp path is expanded after %userprofile%. There is an apparent bug in Microsoft’s software restriction policies that does not allow the %temp% environment variable to be used in the rules (even though %appdata% and %userprofile% are allowed), so protection for %temp% folders is now applied by expanding the full path to the user’s temp folder (after %userprofile%) in each rule set. In prior versions, CryptoPrevent attempted to use the %temp% environment variable to protect all user accounts, but it was later discovered that this method was not working on all systems. If you applied protection with a prior version and want temp-extracted executables blocked, you may want to reapply protection with v2.2 or later to ensure it works for you.

Protection does not need to be applied while logged into each user account; it may be applied once from ANY user account and it will protect all user accounts on the system.
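The following is an added example, not CryptoPrevent’s own code, showing the mechanism the section describes: Software Restriction Policy path rules written straight into the registry from an elevated PowerShell session. It covers a subset of the rule set (the %appdata% launch points, a few fake double extensions) plus one whitelist entry; the path %appdata%\Foo\Bar.exe and the extension subset are assumptions for illustration.

```powershell
# Added example (not CryptoPrevent's code): SRP path rules written directly under the
# Safer\CodeIdentifiers key. Run elevated; rules take effect after gpupdate /force and
# often a reboot. Delete the created {GUID} keys to undo.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0         # SRP security level "Disallowed"   (block)
$Unrestricted = 0x40000   # SRP security level "Unrestricted" (allow; used for whitelisting)

function Add-SrpPathRule {
    param([string]$Path, [int]$Level, [string]$Description)
    # Each rule is a {GUID} subkey under <level>\Paths with the path in ItemData
    $key = Join-Path $base "$Level\Paths\$([guid]::NewGuid().ToString('B'))"
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name ItemData     -PropertyType ExpandString -Value $Path -Force | Out-Null
    New-ItemProperty -Path $key -Name SaferFlags   -PropertyType DWord  -Value 0 -Force | Out-Null
    New-ItemProperty -Path $key -Name Description  -PropertyType String -Value $Description -Force | Out-Null
    New-ItemProperty -Path $key -Name LastModified -PropertyType QWord  -Value (Get-Date).ToFileTime() -Force | Out-Null
}

# Policy header: everything allowed by default, all users (PolicyScope 0),
# all files except libraries (TransparentEnabled 1)
New-Item -Path $base -Force | Out-Null
Set-ItemProperty -Path $base -Name DefaultLevel       -Value $Unrestricted -Type DWord
Set-ItemProperty -Path $base -Name TransparentEnabled -Value 1             -Type DWord
Set-ItemProperty -Path $base -Name PolicyScope        -Value 0             -Type DWord

# Launch-point block: %appdata% and its first-level subdirectories, four executable types
foreach ($ext in 'exe', 'com', 'scr', 'pif') {
    Add-SrpPathRule "%appdata%\*.$ext"   $Disallowed "Block .$ext directly in %appdata%"
    Add-SrpPathRule "%appdata%\*\*.$ext" $Disallowed "Block .$ext in %appdata% first-level subfolders"
}

# Fake-extension block (document.docx.exe style); only a subset of the page's list x
foreach ($doc in 'pdf', 'doc', 'docx', 'zip') {
    Add-SrpPathRule "*.$doc.exe" $Disallowed "Block double extension .$doc.exe"
}

# Whitelist one legitimate application, the equivalent of /w=Foo\Bar.exe (hypothetical path).
# A more specific path rule takes precedence over the wildcard block above.
Add-SrpPathRule "%appdata%\Foo\Bar.exe" $Unrestricted "Whitelist Foo\Bar.exe"

# Read back what was written, so the result can be checked before refreshing policy
Get-ChildItem "$base\$Disallowed\Paths", "$base\$Unrestricted\Paths" |
    ForEach-Object { Get-ItemProperty $_.PSPath | Select-Object Description, ItemData }

gpupdate /force
```

The LocalSystem account is not subject to these rules, so a check run as SYSTEM will not see the block; on current Windows releases AppLocker or Windows Defender Application Control is the supported successor to Software Restriction Policies.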

The Test Feature

When using the test feature, you are first presented with a dialog reporting simple success or failure. What actually happens is that a temporary executable is extracted to %appdata% and the test feature attempts to launch it; if the launch fails, the prevention is successful. If the launch succeeds, the temporary application silently returns errorlevel 9 to CryptoPrevent to signal that the app launched and the prevention has failed.

Whitelist Options

There are a handful of legitimate executables that developers have poorly decided to put in these locations; the most popular seems to be ‘Spotify’, though there are also a few remote support applications that run from these locations. For this reason, CryptoPrevent v2 comes with a whitelist editor. From there you can view whitelisted items and add your own manually or via the browse button, and you may also choose to automatically whitelist all items currently located in %appdata% / %localappdata% and their first-level subdirectories. Note that manually entered whitelist items may NOT contain wildcards.

Undo

You may undo the protection at any time by using the Undo button in the main interface. In v2.x you are also given the option to undo the whitelist policies; selecting No will undo the protection only. Note that actually removing the protection is not consistent behaviour. In my testing, when removing the protection the change is sometimes instantaneous, while at other times a reboot is required just as when applying the policies in the first place, and on rare occasions a group policy update is required, then a reboot. Windows is funny that way and there seems to be no way to predict this behaviour. v2.1.1 now runs gpupdate /force after the Undo feature to ensure group policy is refreshed, and then tests for the protection again to determine whether a reboot prompt should be displayed.

Automation / Scripting

When run by itself, CryptoPrevent displays a user interface, but command line parameters may be used for optionally silent automation. The command line parameters accepted are:


/apply – this option applies the default settings (to block *.exe in both %appdata% locations and the four %temp% locations.)

/silent – this option SILENTLY applies the default settings as listed above (or when combined with /undo it will silently undo the protection.)

/reboot – this option SILENTLY applies the default settings as listed above, and executes a forced mandatory reboot.

/noappdata – this option skips the block on both %appdata% locations as explained above.

/notempexes – this option skips the block on the four %temp% locations as explained above. (this option is skipped by default in v3.1)

/includetempexes – (new in v3.1) – include the Temp Extracted Executables block.

/nofakeexts – (new in v2.5!) this option skips the block on the fake file extension executables as explained above.

/whitelist – whitelist all EXEs currently located in %appdata% / %localappdata% and their first level subdirectories.

/w=[path\filename.exe] – whitelist a specific file.

The path/filename may not contain wildcards.

If no path is specified (e.g. /w=foo.exe ) then both %appdata%\foo.exe and %localappdata%\foo.exe will be whitelisted.

If a path is specified it should be only one first level subdirectory from either %appdata% or %localappdata% (e.g. /w=Foo\Bar.exe ) which will actually whitelist both %appdata%\Foo\Bar.exe and %localappdata%\Foo\Bar.exe

/undo – this option obviously removes the protection, and can be combined with the /silent parameter.

/undoall – this option removes the protection and any whitelist policies defined as well.

/nogpupdate – skip the group policy update after modifications are made.

/test – obviously this runs the test feature, overriding any other command line parameters. v1.3 is required for this parameter to function. Scripters should use the new CryptoPreventTestCLI.exe included with v1.4 and above to silently test for the protection, as this command line parameter will output a dialog box just like the test button in the main user interface.

These parameters may be used in most any logical combination, e.g.

CryptoPrevent.exe /whitelist /reboot

CryptoPrevent.exe /undoall /silent

CryptoPrevent.exe /silent /whitelist /notempexes /w=Foo\Bar.exe /w=Foo\Bar2.exe

IMPORTANT NOTE: If you are pushing out CryptoPrevent.exe through LabTech’s RMM tool, there may be a problem with the /whitelist parameter not working as intended. You must use the ‘Process Execute as Admin’ or ‘Shell as Admin’ option to deploy properly. This is confirmed to work properly when running under the local system account as deployed via Kaseya. I do not have any feedback on other RMM deployment tools or methods.

CryptoPreventTestCLI.exe

This is a console application designed to test for the protection from a script, and it is included in the latest portable download. It is well suited to use with your RMM software (with the caveat in the note below). When the protection tests successful, it prints “Prevention Successfully Applied!” to the console and exits with errorlevel 0. If unsuccessful, it prints “Prevention Not Applied or Unsuccessful!” and exits with errorlevel 1.

NOTE: This test will always return unsuccessful when run from the local system account, as many RMM tools will do by default. It must be run from a standard user or admin account to test properly. This is because the local system account is NOT restricted by the policies set by CryptoPrevent.
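An added example (not part of CryptoPrevent’s distribution) of a deployment wrapper around the command line interface documented above: it refuses to run as LocalSystem for the reason given in the note, applies the protection silently with whitelisting, then verifies the result through CryptoPreventTestCLI.exe’s exit code. The tool directory C:\Tools\CryptoPrevent and the whitelist entry Foo\Bar.exe are assumptions.

```powershell
# Added example, not CryptoPrevent's own script. Assumes CryptoPrevent.exe and
# CryptoPreventTestCLI.exe are both in $ToolDir (hypothetical location).
param([string]$ToolDir = 'C:\Tools\CryptoPrevent')

# The policies do not restrict LocalSystem, so the test would always report failure there.
$me = [Security.Principal.WindowsIdentity]::GetCurrent()
if ($me.IsSystem) {
    throw 'Run from a standard or admin user account, not the local system account.'
}

# Apply the default block silently, auto-whitelist what already lives in
# %appdata% / %localappdata%, and add one named first-level entry (hypothetical).
# No /reboot here: the caller decides when the machine may restart.
$cpArgs = @('/silent', '/whitelist', '/w=Foo\Bar.exe')
$proc = Start-Process -FilePath (Join-Path $ToolDir 'CryptoPrevent.exe') `
                      -ArgumentList $cpArgs -Wait -PassThru
"CryptoPrevent.exe exited with code $($proc.ExitCode)"

# Verify: the CLI tester exits 0 when the block is in force, 1 otherwise.
& (Join-Path $ToolDir 'CryptoPreventTestCLI.exe')
if ($LASTEXITCODE -eq 0) {
    'Protection active'
} else {
    'Protection not yet active: a reboot (or gpupdate /force) may still be required'
    exit 1
}
```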



Q&A

You released a new version of CryptoPrevent. Should I update, and how?

Yes. You should periodically check for and update to the latest version using the program’s internal update function in the top menu to stay current with the latest methodology in preventing this (and other) malware. After update it is then necessary to re-apply the protection to your system. It is not necessary to undo the previous protection in place before doing this, or even to uninstall the app before updating.

Will this protect against other malware?

Yes. A lot of trojan based malware out there utilises the same infection tactics and launch point locations as Cryptolocker, therefore CryptoPrevent will protect against all malware that fits the same or similar profile and behaviour.

My legitimate software isn’t working properly after applying the protection. What do I do?

Be certain you have the latest version of the app, which is getting better all the time at not blocking legitimate applications. If you had an outdated version, update it, re-apply the protection, restart, and then re-test your app. If it still isn’t working, ensure you have done the whitelisting first, and reboot if new entries were added to the whitelist. If it still isn’t working, then you may need to temporarily undo the protection while using or installing that app. If this is the case, I would appreciate you notifying us which app isn’t working for you and, if you can, the app’s filename and where it is running from; possibly we can alleviate the issue with a new version.

Does CryptoPrevent work with my existing Anti-Virus software?

Yes. Because CryptoPrevent is not an active monitor, it only writes these rules for Windows to follow and that’s it, so it will sit peacefully alongside any Anti-Virus software without issue.

How can I tell if CryptoPrevent is running?

It isn’t. Once you run CryptoPrevent and apply the protection, it doesn’t have a need to run again as Windows itself is now the one doing the protecting by following CryptoPrevent’s rules. CryptoPrevent will only run again if you launch the program to test, check for updates, or undo/re-apply the protection. The exception to this is that with Automatic Updates enabled, it will run once daily to check for and apply updates if necessary.


Please contact us for any assistance or further information.
If you found this article helpful, please consider making a donation via Bitcoin to: 163YG7LtsAqKsD7bsft8sJXu1wMJP2QkUx


Comments

One Response to “How to avoid Cryptolocker virus encrypting your files”
  1. Rolly says:

    Thanks for this article and for elaborating the options on how to avoid the infection or virus.
