What is CryptoLocker?
CryptoLocker is a relatively new type of ransomware, and a particularly pernicious one. For those of you who may not be aware, “ransomware” is the term used to describe malicious software which locks down the system or personal data, often via encryption, and demands a ransom (payment) in order for the user to regain access.
Wikipedia describes ransomware thus:
Ransomware comprises a class of malware which restricts access to the computer system that it infects, and demands a ransom paid to the creator of the malware in order for the restriction to be removed. Some forms of ransomware encrypt files on the system’s hard drive (cryptoviral extortion), while some may simply lock the system and display messages intended to coax the user into paying.
CryptoLocker, as the name may suggest, is ransomware which utilizes the more serious encryption method. It is a particularly nasty infection because it encrypts a user’s files on all connected drives, and even on other computers reachable over the network via mapped drives and shares, which makes it very difficult to remove and overcome. There are no specialist cleanup tools available as yet and no known way to undo the encryption… other than to rely on paying the ransom, which is obviously a last resort and not generally recommended. What’s more, antivirus software is unlikely to prevent the CryptoLocker infection, even when totally up-to-date.
Victims of the CryptoLocker infection will see a banner informing them that their files are now encrypted and a payment will be required in order to unlock them.
How does a system become infected with CryptoLocker?
CryptoLocker generally requires some kind of user interaction to initiate the infection – clicking on a malicious email attachment, for example, or downloading a malicious file. It may also take advantage of vulnerabilities in programs such as Java to deliver its malicious payload; you really should consider uninstalling Java in all but the most necessary of situations. Read more on that here: You should junk your Java!
Lawrence Abrams at BleepingComputer.com has compiled and published a reference guide to CryptoLocker here: CryptoLocker Ransomware Information Guide and FAQ. It is the most complete and informative guide I have seen on the topic; recommended reading.
Avoiding the CryptoLocker Threat
Users of Windows Professional and above can manually create software restriction policies to block CryptoLocker via the Local Security Policy editor. Lawrence Abrams’ guide, linked above, includes precise instructions on how to accomplish this.
For all other Windows users, who do not have access to Local Security Policy, and for those not savvy enough to create the restrictions manually, FoolishIT has released a great little tool called CryptoPrevent. CryptoPrevent is portable, completely free, and very easy to implement.
CryptoPrevent – The software
The Group Policy Editor is available only in Professional versions of Windows, and using it is a time-consuming manual task. CryptoPrevent seeks to alleviate these issues by allowing protection on ALL Windows OSes, while being easy enough for the average Joe to use, and optionally providing silent automation options for system admins and those who need to immunize a lot of computers automatically.
CryptoPrevent artificially implants group policy objects into the registry in order to block certain executables in certain locations from running. Note that because the group policy objects are artificially created, they will not display in the Group Policy Editor on a Professional version of Windows — but rest assured they are still there.
CryptoPrevent – Download and usage
CryptoPrevent is a mere 310KB zip download extracting to 906KB (Windows 7 Home Premium). To run the tool, simply double click the extracted executable.
As you can see from the screenshot, the user interface is simplicity personified. Note the option to automatically Whitelist executables already located in CryptoPrevent’s areas of protection. This will allow for known pre-existing executables to be run as per normal and not be blocked by the software.
There are a handful of legitimate executables that developers have, unwisely, chosen to put in these locations; the most popular seems to be ‘Spotify’, though there are also a few remote support applications that can run from these locations. Because of this, CryptoPrevent v2 comes with a whitelist editor. From here you can view whitelisted items and add your own, manually or via the browse button, and you may also choose to automatically whitelist all items currently located in %appdata% / %localappdata% and their first-level subdirectories.
When you are finished whitelisting, simply click the Block button and CryptoPrevent will do its thing (requires a reboot to complete the process).
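The mechanism described above (software restriction policies written straight into the registry, plus a whitelist for legitimate programs living under %appdata%) can be reproduced and, more usefully, audited from an elevated PowerShell prompt. The script below is an added example and is not CryptoPrevent’s or the Abrams guide’s own code; it assumes the standard SRP registry layout under the Safer key, that a reboot follows, and the Spotify path is just a sample whitelist entry.

```powershell
# Added example: write and audit Software Restriction Policy path rules in the registry.
# Run elevated; rules take effect after a reboot (or gpupdate /force).
$Safer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Level = @{ Disallowed = 0; Unrestricted = 262144 }   # SRP security levels 0x0 and 0x40000

function Get-SrpPathRule {
    # Lists every path rule at every level, so rules written directly to the registry
    # (as CryptoPrevent does) can be verified even though the Group Policy Editor omits them.
    foreach ($name in $Level.Keys) {
        $paths = Join-Path $Safer "$($Level[$name])\Paths"
        if (-not (Test-Path $paths)) { continue }
        foreach ($k in Get-ChildItem $paths) {
            $p = Get-ItemProperty $k.PSPath
            [pscustomobject]@{ Level = $name; Path = $p.ItemData; Description = $p.Description; Guid = $k.PSChildName }
        }
    }
}

function Add-SrpPathRule {
    param([Parameter(Mandatory)][string]$Path,
          [ValidateSet('Disallowed', 'Unrestricted')][string]$RuleLevel = 'Disallowed',
          [string]$Description = 'Added by script')
    # Idempotent: skip a rule that already exists at this level (path match is case-insensitive).
    if (Get-SrpPathRule | Where-Object { $_.Level -eq $RuleLevel -and $_.Path -ieq $Path }) { return }
    $key = Join-Path $Safer "$($Level[$RuleLevel])\Paths\{$([guid]::NewGuid())}"
    New-Item -Path $key -Force | Out-Null
    # ItemData is REG_EXPAND_SZ so %AppData% expands for whichever user launches the file.
    New-ItemProperty -Path $key -Name ItemData -Value $Path -PropertyType ExpandString -Force | Out-Null
    New-ItemProperty -Path $key -Name SaferFlags -Value 0 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $key -Name Description -Value $Description -PropertyType String -Force | Out-Null
    New-ItemProperty -Path $key -Name LastModified -Value ([DateTime]::UtcNow.ToFileTimeUtc()) -PropertyType QWord -Force | Out-Null
}

# Enable the policy: default level Unrestricted so only the listed paths are blocked, enforced
# for all users (PolicyScope 0) and for all software files except libraries (TransparentEnabled 1).
New-Item -Path $Safer -Force | Out-Null
foreach ($v in @{ DefaultLevel = 262144; TransparentEnabled = 1; PolicyScope = 0 }.GetEnumerator()) {
    New-ItemProperty -Path $Safer -Name $v.Key -Value $v.Value -PropertyType DWord -Force | Out-Null
}

# Block rules for the locations the text discusses: %AppData%, %LocalAppData% and their
# first-level subdirectories.
foreach ($p in '%AppData%\*.exe', '%AppData%\*\*.exe', '%LocalAppData%\*.exe', '%LocalAppData%\*\*.exe') {
    Add-SrpPathRule -Path $p -Description 'Block executables in user profile data folders'
}
# Whitelist entry (assumed path) for a legitimate program installed under %AppData%:
# the more specific Unrestricted rule wins over the general Disallowed wildcard.
Add-SrpPathRule -Path '%AppData%\Spotify\Spotify.exe' -RuleLevel Unrestricted -Description 'Whitelisted by script'

Get-SrpPathRule | Sort-Object Level, Path | Format-Table -AutoSize
```

Because a whitelist rule matches on path alone, anything dropped at that exact path will also run, so keep whitelist entries as specific as possible.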
- View more information about CryptoPrevent and download direct from the developer here: http://www.foolishit.com/vb6-projects/cryptoprevent/ (scroll down to the bottom of the page for download links).
When it comes to mitigating the threat presented by CryptoLocker and similar ransomware, there is no substitute for the advice commonly and regularly given by security experts everywhere. But even if those dictates are followed rigorously, there is still a chance that the system may become infected. Whether or when the cybercriminals will alter their approach in order to bypass CryptoPrevent’s current areas of protection is anyone’s guess but, right now, I think it is a terrific little tool and wholeheartedly commend the developer.
In any event, the onset of ransomware such as CryptoLocker emphasizes DCT’s mantra to… Backup, Backup, Backup!!