Ransomware can lock away your documents and kill a business. Learn how to prevent CryptoLocker and related malware with this step-by-step guide.

CryptoLocker is a vicious form of ransomware. It doesn’t require administrative permissions to run. Once started, it will slowly encrypt any business-related files that are stored locally or on network drives. If a user’s profile is infected on Friday, it is possible that all shared Office documents, PDFs, and databases will be encrypted and unavailable on Monday. Your business is down.

Ransomware, including CryptoLocker, can be stopped. With a little planning, it can be stopped fairly easily. Our first layer of defense is blocking the EXE.

Using AppLocker to stop CryptoLocker

CryptoLocker is mainly spread by two methods: infected email attachments and infected websites. With either method, the malware is stored in a few default locations, including %Appdata%\. By using SRPs or AppLocker, we can block EXEs from running in the install locations. In the screenshots below, I will be using AppLocker.

If this is your first time using AppLocker, create a new GPO to store your security settings. AppLocker relies on the Application Identity service. You will need to set this service to start automatically. Within your AppLocker GPO, navigate to Computer Configuration/Policies/Windows Settings/Security Settings/System Services to configure the service.

AppLocker requires the Application Identity service to function

AppLocker requires the Application Identity service to function.

We need to prevent standard users from running user-based applications. Under Security Settings, expand Application Control Policies, select AppLocker, and choose “Configure rule enforcement.” Check Configured, which is under Executable Rules.

Expand the Executable Rules section. Right-click the section and choose Create Default Rules. The three default rules will prevent CryptoLocker from running under standard users because applications within %AppData%\ are blocked.

AppLocker’s three default rules prevent user profile based malware

AppLocker’s three default rules prevent user profile–based malware.

Certain legitimate programs might need to run from locations like C:\ or %USERPROFILE%\. When you encounter these, you will need to create a whitelist to exclude the application from being blocked. It is important that AppLocker be enabled for all of your client PCs (including IT machines) for this layer to work.

Local administrators: your weakest link

The changes above will prevent standard users from running user profile malware such as CryptoLocker. This protection won’t apply to local administrators if the application is elevated. Short of using restricted groups to remove their local administrator permissions, there is not much you can do except make elevation requests harder.

Under Security Settings in your GPO, expand Local Policies/Security Options. Enable the following setting: User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode. When you define the setting, choose “Prompt for credentials on the secure desktop.

UAC at its most secure. Prompt for credentials on the secure desktop

UAC at its most secure. Prompt for credentials on the secure desktop.

Whenever UAC is triggered, a credential request will appear instead of the normal Yes/No prompt. This tends to make your users more concerned about the popup and eliminates the “I accidently hit yes” excuse.

If you are concerned about a local administrator elevating an EXE for a standard user, you can enable and define the “Behavior for the elevation prompt for standard users.” By setting it to automatically deny elevation requests, users won’t receive a UAC prompt. Caution, though: this can make troubleshooting issues harder for you as the elevation prompt never appears.

Other security changes to make

With the above changes, CryptoLocker (and related ransomware) will have a tough time infecting your network! There are some additional minor tips that can improve your environment’s security.

First, consider disabling the legacy run list. Malware is notorious for starting itself this way. Disabling can be done in Group Policy under Computer Configuration/Policies/Administrative Templates/System/Logon. Set “Do not process the legacy run list” to Enabled.

Do not process the legacy run list

The “Do not process the legacy run list” Group Policy setting can prevent startup malware.

The current version of CryptoLocker only looks at network drives and ignores UNCs. Double-check the permissions on your network shares. Are you giving too many users Full Control to sub files/folders? If so, consider removing these excessive permissions. If some network drives are no longer needed for certain users, remove these connections to limit any potential exposure.

Finally, communicate with your staff. Warn them about what encryption malware looks like and how it spreads. Alert them if malicious messages make it through your spam filters. Sure, you will get some false positives from overzealous users, but it is better than restoring whole file servers.

CryptoLocker exploits common security holes. By using AppLocker or Software Restriction Policies, it can be stopped. When you test and layer on Group Policy changes (such as UAC and run lists), your machines become much harder to compromise by any ransomware!

  1. Avatar
    CMax 8 years ago

    Great straight forward guide, thank you kindly

  2. Avatar Author

    Glad you enjoyed it!

  3. Avatar
    Kevin Fortin 8 years ago

    Thank you, Joseph!  I appreciate this as well.

  4. Avatar Author

    No problem – I hope to have some follow up information on the networking prevention steps soon.

  5. Avatar
    lou 8 years ago

    Works great, except that I got the StartMenu on Windows10 disabled….   which is a hindrance when 99% of your users are technically challenged.  Any thoughts?

  6. Avatar Author

    Hi Lou – you need to right click on the packaged apps rule section in AppLocker and select create default rule.

  7. Avatar
    Randy 7 years ago

    Has Applocker been updated to stop scripts from running through regsvr32? That Allows one to unregister a workstation, then allowing scripts to run inside the registration tag, then allowing a *.sct file be run remotely which in turns allows the COM Object to run in the script and never show up in the registry? Any thoughts?

  8. Avatar Author

    I believe it still has this issue – that is one of the big selling points of DeviceGuard in Windows 10.

Leave a reply to lou Click here to cancel the reply

Please enclose code in pre tags: <pre></pre>

Your email address will not be published. Required fields are marked *


© 4sysops 2006 - 2023


Please ask IT administration questions in the forums. Any other messages are welcome.


Log in with your credentials


Forgot your details?

Create Account