With all this mess about Cryptolocker going around, a lot of folks are looking to immunize themselves from this nasty bit of malware which will encrypt user files and hold them for ransom. Removal of the malware is easy with d7, but there is no known method to decrypt the files except by paying the ransom, so prevention is crucial.
There is a Cryptolocker Prevention Kit here: http://msmvps.com/blogs/bradley/archive/2013/10/15/cryptolocker-prevention-kit.aspx; however, the kit is for domains and Professional editions of Windows, which can utilize Group Policy. It will not work on Home editions of Windows. So I set out to create a tool that works on ALL versions of Windows, regardless of whether they support Group Policy or not.
So now I give you CryptoPrevent.exe
CryptoPrevent is based on the excellent prevention information from Grinler found here: http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information and will block the infection from executing. I’ve taken Grinler’s information one step further and given you an option within CryptoPrevent on exactly what you wish to block. This can be either ALL .exe files (the method presented by Grinler and also in the original Cryptolocker Prevention Kit for Group Policy), or only {all_EXE_files_surrounded_in_brackets}.exe, which is how the malware actually manifests itself. I’ve made the {}.exe method the default, because there could be legitimate files in these locations, not surrounded in {brackets}, that the broader rule would prevent from running. Current iterations of the malware no longer follow that naming logic, so blocking *.exe in v1.4 and above is now the only method used by CryptoPrevent.
CryptoPrevent will block these executables in %appdata%, in any first-level subfolder of %appdata%, and likewise in %localappdata% and its first-level subfolders; it also blocks EXE files temporarily extracted by decompression programs (for example, if the malware is run directly from within a zip file via Windows Explorer, WinZip, WinRAR, or 7-Zip).
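The blocking described above, as an added example that is not CryptoPrevent’s own code: it writes Software Restriction Policy “Disallowed” path rules directly to the registry, which is what makes this work on Home editions without Group Policy. Assumptions: the `CodeIdentifiers` registry layout is the standard SRP one, the archiver temp-folder patterns are taken from Grinler’s guide linked above, and the script runs as Administrator with a reboot afterwards so the rules are applied.

```powershell
#Requires -RunAsAdministrator
# Added example, not CryptoPrevent's code. Writes SRP path rules that block
# *.exe in %AppData%, %LocalAppData%, their first-level subfolders, and the
# temp folders archivers extract into. Reboot after running to be sure the
# policy is read. Legitimate installers in these folders will be blocked too.

$Safer      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed = Join-Path $Safer '0\Paths'   # level 0 = Disallowed, 262144 = Unrestricted

# Paths to block. Stored as REG_EXPAND_SZ so %..% expands per user at check time.
# Temp patterns follow the Grinler guide (assumed: Rar* = WinRAR, 7z* = 7-Zip,
# wz* = WinZip, *.zip = Explorer's built-in zip handling).
$Rules = @(
    '%AppData%\*.exe',
    '%AppData%\*\*.exe',
    '%LocalAppData%\*.exe',
    '%LocalAppData%\*\*.exe',
    '%Temp%\Rar*\*.exe',
    '%Temp%\7z*\*.exe',
    '%Temp%\wz*\*.exe',
    '%Temp%\*.zip\*.exe'
)

# Turn SRP enforcement on with an Unrestricted default, so only explicit
# Disallowed rules block anything (otherwise the whole machine would be locked).
New-Item -Path $Safer -Force | Out-Null
Set-ItemProperty -Path $Safer -Name DefaultLevel       -Type DWord -Value 0x40000
Set-ItemProperty -Path $Safer -Name TransparentEnabled -Type DWord -Value 1
Set-ItemProperty -Path $Safer -Name PolicyScope        -Type DWord -Value 0

# Rules already present (matched on ItemData) so re-running stays idempotent.
$Present = @(Get-ChildItem -Path $Disallowed -ErrorAction SilentlyContinue |
    ForEach-Object { (Get-ItemProperty -Path $_.PSPath).ItemData })

foreach ($Rule in $Rules) {
    if ($Present -contains $Rule) { continue }
    # Each rule lives in its own GUID-named key under <level>\Paths.
    $Key = Join-Path $Disallowed ('{' + [guid]::NewGuid().ToString() + '}')
    New-Item -Path $Key -Force | Out-Null
    New-ItemProperty -Path $Key -Name ItemData    -PropertyType ExpandString -Value $Rule | Out-Null
    New-ItemProperty -Path $Key -Name SaferFlags  -PropertyType DWord        -Value 0     | Out-Null
    New-ItemProperty -Path $Key -Name Description -PropertyType String `
        -Value 'Block EXE launch from user-writable location (CryptoLocker mitigation)' | Out-Null
}

# Audit: list every Disallowed path rule now in place.
Get-ChildItem -Path $Disallowed | ForEach-Object { (Get-ItemProperty -Path $_.PSPath).ItemData }
```

The audit line at the end is the check to run on any machine where a blocked program is suspected of being legitimate: it shows exactly which patterns are enforced, and a rule can be lifted by deleting its GUID key.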
Here’s a short Youtube video on usage: http://www.youtube.com/watch?v=Hr2S4zMopQY
UPDATE: CryptoPrevent now has a permanent page on FoolishIT.com, which you should visit for the latest information.
UPDATE2: I’ve been asked for a white-label redistributable version of CryptoPrevent for tech shops to brand with their company name and logo, in order to freely distribute to their customers, that has become reality here.