CryptoLocker: A particularly pernicious virus

Susan Bradley

Online attackers are using encryption to lock up our files and demand a ransom — and AV software probably won’t protect you.

Here are ways to defend yourself from CryptoLocker — pass this information along to friends, family, and business associates.

Forgive me if I sound a bit like those bogus virus warnings proclaiming, “You have the worst virus ever!!” But there’s a new threat to our data that we need to take seriously. It’s already hit many consumers and small businesses. Called CryptoLocker, this infection shows up in two ways.

First, you see a red banner (see Figure 1) on your computer system, warning that your files are now encrypted — and if you send money to a given email address, access to your files will be restored to you.

Figure 1. CryptoLocker is not making idle threats.

The other sign you’ve been hit: you can no longer open Office files, database files, and most other common documents on your system. When you try to do so, you get another warning, such as “Excel cannot open the file [filename] because the file format or file extension is not valid,” as stated on a TechNet MS Excel Support Team blog.

As noted in a Reddit comment, CryptoLocker goes after dozens of file types such as .doc, .xls, .ppt, .pst, .dwg, .rtf, .dbf, .psd, .raw, and .pdf.

CryptoLocker attacks typically come in three ways:

1) Via an email attachment. For example, you receive an email from a shipping company you do business with. Attached to the email is a .zip file. Opening the attachment launches a virus that finds and encrypts all files you have access to — including those located on any attached drives or mapped network drives.

2) You browse a malicious website that exploits vulnerabilities in an out-of-date version of Java.

3) Most recently, you’re tricked into downloading a malicious video driver or codec file.

There are no patches to undo CryptoLocker and, as yet, there’s no clean-up tool — the only sure way to get your files back is to restore them from a backup.

Some users have paid the ransom and, surprisingly, were given the keys to their data. (Not completely surprising; returning encrypted files to their owners might encourage others to pay the ransom.) This is, obviously, a risky option. But if it’s the only way you might get your data restored, use a prepaid debit card — not your personal credit card. You don’t want to add the insult of identity theft to the injury of data loss.

In this case, your best defense is prevention

Keep in mind that antivirus software probably won’t prevent a CryptoLocker infection. In every case I’m aware of, the PC owner had an up-to-date AV application installed. Moreover, running Windows without admin rights does not stop or limit this virus. It uses social engineering techniques — and a good bit of fear, uncertainty, and doubt — to trick users into clicking a malicious download or opening a bogus attachment.

Your best prevention is two-fold:

1) Basic method: Ensure you keep complete and recent backups of your system. Making an image backup once or twice a year isn’t much protection. Given the size of today’s hard drives on standalone PCs, an external USB hard drive is still your best backup option. A 1TB drive is relatively cheap; you can get 3TB drives for under U.S. $200. For multiple PCs on a single local-area network, consider Michael Lasky’s recommendations in the Oct. 10 Best Hardware article, “External hard drives take on cloud storage.”

Small businesses with networked PCs should have automated workstation backups enabled, in addition to server backups. At my office, I use Backup Box by Gramps’ Windows Storage Server 2008 R2 Essentials. It lets me join the backup server to my office domain and back up all workstations. I run the backups during the day, while others in the office are using their machines — and I’ve had no complaints of noticeable drops in workstation performance.

The upcoming release of Windows Server 2012 R2 Essentials will also include easy-to-use, workstation-backup capabilities. Recently announced Western Digital drives will also act as both file-storage servers and workstation-backup devices.

2) The advanced method: If you have Windows Professional or higher, you can tweak your systems to protect them against CryptoLocker. You’ll want to thoroughly test the impact of the settings changes detailed below — and be prepared to roll back to your original settings if needed. (After making some of these changes, you might not be able to install or update some applications.)

All business and Pro versions of Windows include the ability to prevent certain types of software from launching from specific locations. CryptoLocker launches from a specific location and in a specific way (well, for now). By implementing Windows’ Software Restriction Policies rules, we can block CryptoLocker from launching its payload on your computer.

Software Restriction Policies were first introduced in Windows XP and Server 2003. In a domain setting, you can use Group Policy to set up these restrictions or rules; on standalone machines, you can use Local Security Policy. (Windows Home Premium doesn’t support Group or Local policies, so none of the following settings changes is supported.)

Again, be sure you test these settings changes on a single workstation first before rolling them out to other systems. Also, take the extra step of undoing the changes and checking whether the test system still runs as expected. Most important: Back up all systems before making the changes.

To make the changes, click Start/Control Panel/Administrative Tools. Click Local Security Policy and locate Software Restriction Policies under the Security Settings heading. Right-click it and select New Software Restriction Policies. Right-click Additional Rules and select New Path Rule to open the new-rule dialog box shown in Figure 2.

Figure 2. Creating a new path rule to block CryptoLocker

The following rules block applications such as CryptoLocker from running in the defined locations. For example, the first set of rules applies to the specific user folder %AppData%, which equates to Users\{yourusername}\AppData\Roaming.

Enter the following sets of Path, Security Level, and Description information as separate rules:

For Windows XP, enter the following:

  • Path: %AppData%\*.exe
  • Security Level: Disallowed
  • Description: Don’t allow executables from AppData

and

  • Path: %AppData%\*\*.exe
  • Security Level: Disallowed
  • Description: Don’t allow executables from AppData

For Windows Vista and higher, use the above settings plus the following:

  • Path: %localAppData%\*.exe
  • Security Level: Disallowed
  • Description: Don’t allow executables from AppData

and

  • Path: %localAppData%\*\*.exe
  • Security Level: Disallowed
  • Description: Don’t allow executables from AppData

Additional paths for blocking ZIP-file locations are described in the bleepingcomputer.com CryptoLocker Ransomware Information Guide and FAQ. The following will ensure the virus can’t launch from embedded or attached .zip files.

From archive attachments opened with WinRAR:

  • Path: %Temp%\Rar*\*.exe
  • Security Level: Disallowed
  • Description: Block executables run from archive attachments opened with WinRAR.

From archive attachments opened with 7zip:

  • Path: %Temp%\7z*\*.exe
  • Security Level: Disallowed
  • Description: Block executables run from archive attachments opened with 7-Zip.

From archive attachments opened with WinZip:

  • Path: %Temp%\wz*\*.exe
  • Security Level: Disallowed
  • Description: Block executables run from archive attachments opened with WinZip.

From archive attachments opened using Windows’ built-in .zip support:

  • Path: %Temp%\*.zip\*.exe
  • Security Level: Disallowed
  • Description: Block executables run from archive attachments opened using Windows’ built-in ZIP support.
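The rules above are entered one at a time in the Local Security Policy dialog. As an added example (not code from the article or from Windows Secrets), the PowerShell script below writes the same set of Disallowed path rules to the registry key that Local Security Policy stores them in. It assumes the policy itself already exists (the “New Software Restriction Policies” step above, which writes the policy’s global settings) and that the key layout used here matches what the snap-in writes; confirm that by exporting one GUI-created rule with regedit before relying on it. Run it from an elevated prompt, on a single test workstation first.

```powershell
# Added example (not from the article): adds the article's SRP path rules to the
# registry instead of typing each one into the Local Security Policy dialog.
# Assumes the policy already exists and that this is the key layout the SRP
# snap-in writes (verify by exporting a GUI-created rule). Run elevated; test first.
$base       = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$disallowed = "$base\0\Paths"   # subkey 0 holds rules at security level "Disallowed"
if (-not (Test-Path $base)) { throw 'No SRP policy found; create it in Local Security Policy first.' }
if (-not (Test-Path $disallowed)) { New-Item -Path $disallowed -Force | Out-Null }

$rules = @(
    @{ Path = '%AppData%\*.exe';        Desc = "Don't allow executables from AppData" }
    @{ Path = '%AppData%\*\*.exe';      Desc = "Don't allow executables from AppData" }
    @{ Path = '%LocalAppData%\*.exe';   Desc = "Don't allow executables from AppData" }   # Vista and later
    @{ Path = '%LocalAppData%\*\*.exe'; Desc = "Don't allow executables from AppData" }   # Vista and later
    @{ Path = '%Temp%\Rar*\*.exe';      Desc = 'Block executables run from archive attachments opened with WinRAR.' }
    @{ Path = '%Temp%\7z*\*.exe';       Desc = 'Block executables run from archive attachments opened with 7-Zip.' }
    @{ Path = '%Temp%\wz*\*.exe';       Desc = 'Block executables run from archive attachments opened with WinZip.' }
    @{ Path = '%Temp%\*.zip\*.exe';     Desc = "Block executables run from archive attachments opened using Windows' built-in ZIP support." }
)

# Collect the paths of rules that already exist so re-running the script is harmless.
# ItemData is REG_EXPAND_SZ; read it unexpanded so '%AppData%' compares as written.
$existing = @{}
foreach ($key in Get-ChildItem $disallowed) {
    $p = $key.GetValue('ItemData', $null, [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
    if ($p) { $existing[$p.ToLowerInvariant()] = $true }
}

foreach ($r in $rules) {
    if ($existing.ContainsKey($r.Path.ToLowerInvariant())) { Write-Host "exists : $($r.Path)"; continue }
    $ruleKey = Join-Path $disallowed ([guid]::NewGuid().ToString('B'))   # snap-in names rule keys {GUID}
    New-Item -Path $ruleKey -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name ItemData     -PropertyType ExpandString -Value $r.Path -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name Description  -PropertyType String       -Value $r.Desc -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name SaferFlags   -PropertyType DWord        -Value 0       -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name LastModified -PropertyType QWord -Value (Get-Date).ToFileTime() -Force | Out-Null
    Write-Host "created: $($r.Path)"
}
Write-Host 'Reboot (or log off and on) so the new rules take effect, then test your applications.'
```

To undo a rule, delete its {GUID} subkey under the Disallowed Paths key (or remove it in Local Security Policy) and reboot again.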

Figure 3 shows the Software Restriction Policies section with the newly entered rules.

Figure 3. A completed set of software restriction policies

When you’re done entering new rules, reboot your system so that the changes take effect. Again, if you discover you can no longer update some applications or install software, you might need to undo some of these changes. Look in your application event log — or in the admin section — for the specific rule that’s misbehaving. (To open the log, click Control Panel/Administrative Tools/Event Viewer; then, in the navigation pane, click Windows Logs/Application. For more on the Event Viewer, see the Oct. 27, 2011, Top Story, “What you should know about Windows’ Event Viewer.”)
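When a program stops installing or updating after the rules go in, the Application log records which rule blocked it. As an added example (not from the article), this PowerShell query pulls the recent Software Restriction Policy block events and labels them by rule type; the provider name and the event IDs 865 through 868 are assumed to be the ones SRP writes on your version of Windows, so check one event in Event Viewer if nothing is returned.

```powershell
# Added example (not from the article): lists recent SRP block events so you can see
# which rule stopped which program. Assumption: provider name and event IDs below are
# those SRP writes (865 = default level, 866 = path rule, 867 = certificate, 868 = zone).
$meaning = @{ 865 = 'default level'; 866 = 'path rule'; 867 = 'certificate rule'; 868 = 'zone rule' }
Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-SoftwareRestrictionPolicies'
    Id           = 865, 866, 867, 868
} -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{ n = 'BlockedBy'; e = { $meaning[[int]$_.Id] } },
        @{ n = 'Message';   e = { ($_.Message -split "`n")[0] } } |   # first line names the file and rule
    Format-Table -AutoSize -Wrap
```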

As the malware authors change their tactics, you might need to revisit the rules settings; I’ll try to post updates into the Windows Secrets Lounge whenever needed.

For even stronger CryptoLocker protection, those folks with solid IT savvy might want to consider application whitelisting — i.e., setting up a list of applications approved to run on their workstations. All other software installations are blocked. See the National Security Agency (yes, that NSA) document, “Application whitelisting using Software Restriction Policies.”

Be aware that application whitelisting is a highly advanced tactic. Take some time to determine all allowed applications in order to properly set up application whitelisting.

Once again, keeping your AV software up to date is not the panacea for CryptoLocker. The hackers using this exploit are adapting the virus so quickly that AV vendors can’t keep up with the many CryptoLocker variations in play. It’s up to individual users to stay vigilant about what they click. The bad guys just keep getting badder.


All Windows Secrets articles posted on 2013-10-24:

Susan Bradley

About Susan Bradley

Susan Bradley is a Small Business Server and Security MVP, a title awarded by Microsoft to independent experts who do not work for the company. She's also a partner in a California CPA firm.