Stopping CryptoLocker and other ransomware

• Author
• Recent Posts

Joseph Moody

Joseph Moody is a network admin for a public school system and helps manage 5,500 PCs. He is a Microsoft Most Valuable Professional (MVP) in Cloud and Datacenter Management and blogs at DeployHappiness.com.

Latest posts by Joseph Moody (see all)

• SmartDeploy: Rethinking software deployment to remote workers in times of a pandemic - Thu, Jul 30 2020
• Outlook attachments now blocked in Office 365 - Tue, Nov 19 2019
• PolicyPak MDM Edition: Group Policy and more for BYOD - Tue, Oct 29 2019

CryptoLocker is a vicious form of ransomware. It doesn’t require administrative permissions to run. Once started, it will slowly encrypt any business-related files that are stored locally or on network drives. If a user’s profile is infected on Friday, it is possible that all shared Office documents, PDFs, and databases will be encrypted and unavailable on Monday. Your business is down.

Ransomware, including CryptoLocker, can be stopped. With a little planning, it can be stopped fairly easily. Our first layer of defense is blocking the EXE.

Using AppLocker to stop CryptoLocker

CryptoLocker is mainly spread by two methods: infected email attachments and infected websites. With either method, the malware is stored in a few default locations, including %Appdata%\. By using SRPs or AppLocker, we can block EXEs from running in the install locations. In the screenshots below, I will be using AppLocker.

If this is your first time using AppLocker, create a new GPO to store your security settings. AppLocker relies on the Application Identity service. You will need to set this service to start automatically. Within your AppLocker GPO, navigate to Computer Configuration/Policies/Windows Settings/Security Settings/System Services to configure the service.

AppLocker requires the Application Identity service to function.

We need to prevent standard users from running user-based applications. Under Security Settings, expand Application Control Policies, select AppLocker, and choose “Configure rule enforcement.” Check Configured, which is under Executable Rules.

Expand the Executable Rules section. Right-click the section and choose Create Default Rules. The three default rules will prevent CryptoLocker from running under standard users because applications within %AppData%\ are blocked.

AppLocker’s three default rules prevent user profile–based malware.

Certain legitimate programs might need to run from locations like C:\ or %USERPROFILE%\. When you encounter these, you will need to create a whitelist to exclude the application from being blocked. It is important that AppLocker be enabled for all of your client PCs (including IT machines) for this layer to work.

Local administrators: your weakest link

The changes above will prevent standard users from running user profile malware such as CryptoLocker. This protection won’t apply to local administrators if the application is elevated. Short of using restricted groups to remove their local administrator permissions, there is not much you can do except make elevation requests harder.

Under Security Settings in your GPO, expand Local Policies/Security Options. Enable the following setting: User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode. When you define the setting, choose “Prompt for credentials on the secure desktop.”

UAC at its most secure. Prompt for credentials on the secure desktop.

Whenever UAC is triggered, a credential request will appear instead of the normal Yes/No prompt. This tends to make your users more concerned about the popup and eliminates the “I accidently hit yes” excuse.

If you are concerned about a local administrator elevating an EXE for a standard user, you can enable and define the “Behavior for the elevation prompt for standard users.” By setting it to automatically deny elevation requests, users won’t receive a UAC prompt. Caution, though: this can make troubleshooting issues harder for you as the elevation prompt never appears.

Other security changes to make

With the above changes, CryptoLocker (and related ransomware) will have a tough time infecting your network! There are some additional minor tips that can improve your environment’s security.

First, consider disabling the legacy run list. Malware is notorious for starting itself this way. Disabling can be done in Group Policy under Computer Configuration/Policies/Administrative Templates/System/Logon. Set “Do not process the legacy run list” to Enabled.

The “Do not process the legacy run list” Group Policy setting can prevent startup malware.

The current version of CryptoLocker only looks at network drives and ignores UNCs. Double-check the permissions on your network shares. Are you giving too many users Full Control to sub files/folders? If so, consider removing these excessive permissions. If some network drives are no longer needed for certain users, remove these connections to limit any potential exposure.

Finally, communicate with your staff. Warn them about what encryption malware looks like and how it spreads. Alert them if malicious messages make it through your spam filters. Sure, you will get some false positives from overzealous users, but it is better than restoring whole file servers.

CryptoLocker exploits common security holes. By using AppLocker or Software Restriction Policies, it can be stopped. When you test and layer on Group Policy changes (such as UAC and run lists), your machines become much harder to compromise by any ransomware!