Antivirus and anti-malware programs, either running on endpoints or performing inbound email message hygiene, have a particularly difficult time stopping this infection. Unless you have a blanket email filtering rule stripping out executable attachments, and that tool is intelligent enough to do so without allowing the user to request the item's return from quarantine, you will see your users getting these phishing messages attempting to introduce Cryptolocker. It is only a matter of time.
Prevention: Software Restriction Policies and AppLocker
As of now, the best tool to use to prevent a Cryptolocker infection in the first place (since your options for remediating the infection involve time, money, data loss or all three) is a software restriction policy. There are two kinds: regular Software Restriction Policies, which work on every Windows edition that supports Group Policy, and the newer AppLocker policies, which add publisher rules and finer-grained scoping but are only enforced on the Enterprise and Ultimate editions of Windows 7 and later (and the matching server editions). I'll cover how to use both to prevent Cryptolocker infections.
Software Restriction Policies
Software Restriction Policies (SRPs) allow you to control or prevent the execution of certain programs through the use of Group Policy. You can use SRPs to block executable files from running in the specific user-space areas that Cryptolocker uses to launch itself in the first place. The best place to do this is through Group Policy, although if you're a savvy home user or a smaller business without a domain, you can launch the Local Security Policy tool and do the same thing.
One tip: if you're using Group Policy, create a new GPO for each restriction policy. This makes it easier to disable a policy that might be overly restrictive.
Here's how to do it:
- Open up Local Security Policy or the Group Policy Object editor and create a new GPO. I'll show you how to create two here — one for Windows XP machines (which use slightly different paths for the user space) and one for Windows Vista and later machines.
- Name the new GPO "SRP for XP to prevent Cryptolocker" or something similar for you to remember easily.
- Choose Computer Configuration and then navigate through Policies > Windows Settings > Security Settings > Software Restriction Policies.
- Right-click Software Restriction Policies and choose New Software Restriction Policy from the context menu.
- Now, create the actual rules that will catch the software on which you want to enforce a restriction. Right-click Additional Rules in the left-hand pane. Choose New Path Rule.
- Under Path, enter %AppData%\*.exe.
- Under Security level, choose Disallowed.
- Enter a friendly description, like "Prevent programs from running in AppData."
- Choose New Path Rule again, and make a new rule like the one just completed. Use the following table to fill out the remainder of this GPO.
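The steps above can be scripted instead of clicked through, which is useful when you need the same rule on a standalone machine (the Local Security Policy case) and in a domain GPO, and when you want to prove the rule actually bites before relying on it. The following PowerShell is an added example and is not code from the article: it writes the same Disallowed path rule for %AppData%\*.exe that the GUI creates, either directly to the local registry location that Software Restriction Policies reads (HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers, the layout the Local Security Policy snap-in itself uses) or into a GPO via the GroupPolicy RSAT module. The GPO name, the probe file name, and the assumption that Set-GPRegistryValue lands in the same registry.pol location the SRP editor uses are mine; verify the result in the GPMC settings report before deploying. The path list is a parameter, so the remaining rules from the table can be added by calling the function again with a different path.

```powershell
# Added example (not from the article): create and verify the SRP path rule
# "%AppData%\*.exe -> Disallowed" without the GUI. Run elevated.
#Requires -RunAsAdministrator

# Registry location the SRP engine reads; value names mirror what the
# Local Security Policy snap-in writes when you click "New Path Rule".
$SaferRoot    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0          # SRP security levels: 0 = Disallowed
$Unrestricted = 0x40000    #                      0x40000 = Unrestricted

function Enable-LocalSrp {
    # Equivalent of "New Software Restriction Policy": without these
    # defaults the Paths subkeys are never evaluated.
    New-Item -Path $SaferRoot -Force | Out-Null
    Set-ItemProperty -Path $SaferRoot -Name DefaultLevel       -Type DWord -Value $Unrestricted
    Set-ItemProperty -Path $SaferRoot -Name TransparentEnabled -Type DWord -Value 1   # 1 = all software except DLLs, 2 = DLLs too
    Set-ItemProperty -Path $SaferRoot -Name PolicyScope        -Type DWord -Value 0   # 0 = all users, 1 = all except local admins
}

function New-LocalSrpPathRule {
    param(
        [Parameter(Mandatory)][string]$Path,          # e.g. '%AppData%\*.exe'
        [Parameter(Mandatory)][string]$Description,
        [int]$Level = $Disallowed
    )
    # Each rule is a GUID-named subkey under <level>\Paths, as the GUI creates it.
    $ruleKey = "$SaferRoot\$Level\Paths\$([guid]::NewGuid().ToString('B'))"
    New-Item -Path $ruleKey -Force | Out-Null
    Set-ItemProperty -Path $ruleKey -Name Description  -Type String       -Value $Description
    Set-ItemProperty -Path $ruleKey -Name ItemData     -Type ExpandString -Value $Path   # REG_EXPAND_SZ so %AppData% expands per user
    Set-ItemProperty -Path $ruleKey -Name SaferFlags   -Type DWord        -Value 0
    Set-ItemProperty -Path $ruleKey -Name LastModified -Type QWord        -Value (Get-Date).ToFileTime()
    return $ruleKey
}

function New-GpoSrpPathRule {
    # Same rule, but into a domain GPO (one GPO per rule, as the tip above suggests).
    # Assumes the GroupPolicy RSAT module and that SRP reads these values from registry.pol.
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Description
    )
    Import-Module GroupPolicy
    if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) { New-GPO -Name $GpoName | Out-Null }
    $root = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    Set-GPRegistryValue -Name $GpoName -Key $root -ValueName DefaultLevel       -Type DWord -Value $Unrestricted | Out-Null
    Set-GPRegistryValue -Name $GpoName -Key $root -ValueName TransparentEnabled -Type DWord -Value 1             | Out-Null
    Set-GPRegistryValue -Name $GpoName -Key $root -ValueName PolicyScope        -Type DWord -Value 0             | Out-Null
    $ruleKey = "$root\$Disallowed\Paths\$([guid]::NewGuid().ToString('B'))"
    Set-GPRegistryValue -Name $GpoName -Key $ruleKey -ValueName Description -Type String       -Value $Description | Out-Null
    Set-GPRegistryValue -Name $GpoName -Key $ruleKey -ValueName ItemData    -Type ExpandString -Value $Path        | Out-Null
    Set-GPRegistryValue -Name $GpoName -Key $ruleKey -ValueName SaferFlags  -Type DWord        -Value 0            | Out-Null
}

function Test-SrpBlock {
    # Check: drop a harmless .exe into %AppData% and try to launch it.
    # With the rule in effect the launch fails and SRP logs event ID 866
    # (blocked by a path rule) in the Application log.
    $probe = Join-Path $env:APPDATA 'srp-probe.exe'   # probe name is an assumption
    Copy-Item "$env:SystemRoot\System32\calc.exe" $probe -Force
    try {
        Start-Process -FilePath $probe -ErrorAction Stop
        Write-Warning 'Launch succeeded: rule not in effect yet (run gpupdate /force or sign out and back in, then re-test)'
        return $false
    } catch {
        Write-Host "Blocked as expected: $($_.Exception.Message)"
        Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 866 } -MaxEvents 1 -ErrorAction SilentlyContinue |
            Select-Object TimeCreated, Message
        return $true
    } finally {
        Remove-Item $probe -ErrorAction SilentlyContinue
    }
}

# Local (no domain) usage:
Enable-LocalSrp
New-LocalSrpPathRule -Path '%AppData%\*.exe' -Description 'Prevent programs from running in AppData'
# Domain usage (GPO name is an assumption):
# New-GpoSrpPathRule -GpoName 'SRP for Vista+ to prevent Cryptolocker' -Path '%AppData%\*.exe' -Description 'Prevent programs from running in AppData'
# Then, in a fresh logon session on a targeted machine:
# Test-SrpBlock
```

Two caveats worth keeping in mind when you extend the list. First, a path rule on `*.exe` matches by extension only: a dropper that lands as `.scr`, `.com` or `.pif` is not caught by this rule, so either add those extensions as further rules or use `%AppData%\*` and whitelist what you need. Second, SRP only consults the extensions listed under its Designated File Types, so a file with an extension that is not on that list is never evaluated at all, regardless of your path rules.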