Cryptolocker help

Started by Dieselboy, January 31, 2017, 08:29:55 PM


Dieselboy

I have a Windows domain with a Windows network drive server. On that I have File Server Resource Manager and within there I have a file group which I created to try and match the filenames created by Cryptolocker. The reason for this is that FSRM will alert that it's seen files matching extensions configured in the file group and this happens immediately and gives the user ID of the user who saved the file(s). I am taking regular snapshots of the network share drive so the idea is that if/when we get an alert we can remediate immediately.

The file group may need ongoing work, but it looks like Cryptolocker re-saves the files from filename.docx to filename.docx.ryaolr.

So the file group will have things like *.docx.*
I've used docx in this example, but need to do this for the other extensions.

I've not had any infections at mine since setting up FirePOWER and AMP (AntiMalware Protection for Endpoints), so this is a just in case.

I'm posting here to share what I've done as it's pretty simple to set up.
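The FSRM setup described above, written out as an added example (this is not the original poster's script). It assumes a Windows Server with the FSRM role and the FileServerResourceManager PowerShell module, a share root of D:\Shares\Data, and a group name and extension list that you would adjust for your own environment. It builds one `*.ext.*` pattern per document extension, so `filename.docx.ryaolr` matches while `filename.docx` does not, and logs a warning event that carries the writing user's identity and the file path.

```powershell
# Added example, not from the original post. Assumptions: FSRM role installed,
# share root D:\Shares\Data, group name and extension list chosen here.
Import-Module FileServerResourceManager

$SharePath  = 'D:\Shares\Data'                        # assumed share root
$GroupName  = 'Ransomware renamed documents'           # assumed group name
$Extensions = 'docx','xlsx','pptx','pdf','jpg','txt'   # extend for your data

# Each extension becomes a pattern such as *.docx.*, matching the
# "original name plus appended junk" rename seen in the post.
$Patterns = $Extensions | ForEach-Object { "*.$_.*" }

# Create the file group, or update its patterns if it already exists.
if (Get-FsrmFileGroup -Name $GroupName -ErrorAction SilentlyContinue) {
    Set-FsrmFileGroup -Name $GroupName -IncludePattern $Patterns
} else {
    New-FsrmFileGroup -Name $GroupName -IncludePattern $Patterns
}

# Notification action: write a warning to the Application event log.
# [Source Io Owner] is FSRM's placeholder for the account that wrote the file,
# which is the user ID the post wants in the alert.
$EventAction = New-FsrmAction -Type Event -EventType Warning -Body (
    'Possible ransomware activity: [Source Io Owner] wrote [Source File Path] ' +
    'under [File Screen Path] (matched file group: [Violated File Group]).')

# Passive screen (no -Active switch): the write is logged but not blocked,
# so a legitimate name like report.docx.bak raises an alert rather than an
# "access denied" for the user. Switch to -Active once the patterns are tuned.
if (-not (Get-FsrmFileScreen -Path $SharePath -ErrorAction SilentlyContinue)) {
    New-FsrmFileScreen -Path $SharePath -IncludeGroup $GroupName `
        -Notification $EventAction
}
```

Two things to check once this is in place: write a test file such as `test.docx.abcd` to the share as an ordinary user and confirm the event appears with that user's name, and remember that files arriving through a sync agent or a service account will show that account, not the person behind it, as the owner.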

deanwebb

I have a file named HELP_YOUR_FILES.PNG in all my important directories, as many cryptolocker programs check for that file and then pass over that directory if it exists.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

icecream-guy

Quote from: deanwebb on January 31, 2017, 08:38:11 PM
I have a file named HELP_YOUR_FILES.PNG in all my important directories, as many cryptolocker programs check for that file and then pass over that directory if it exists.

Is that just top-level directories, or subdirectories and sub-sub-directories also?

:professorcat:

My Moral Fibers have been cut.

LynK

Your best bet is to get rid of mapped network drives and move to Network Locations. Last I heard, Network Locations are not browsable by crypto, so the only thing that would get affected is the host. PXE-boot the image on it, and bam... good to go.

This is coming from an org that would get it like every 2 weeks. Once we got OpenDNS it did wonders.

;) ;) ;)
Sys Admin: "You have a stuck route"
            Me: "You have an incorrect Default Gateway"

deanwebb

Quote from: ristau5741 on February 01, 2017, 06:32:15 AM
Quote from: deanwebb on January 31, 2017, 08:38:11 PM
I have a file named HELP_YOUR_FILES.PNG in all my important directories, as many cryptolocker programs check for that file and then pass over that directory if it exists.

Is that just top-level directories, or subdirectories and sub-sub-directories also?

Top level directories in Desktop, Documents, Dropbox, Program Files, Users, Music, stuff like that. It checks major document/library folders and then moves on if the topmost folder has the file in it.

I also have it on my C:/ drive, just in case.

Dieselboy

Quote from: LynK on February 01, 2017, 07:24:46 AM
Your best bet is to get rid of mapped network drives and move to Network Locations. Last I heard, Network Locations are not browsable by crypto, so the only thing that would get affected is the host. PXE-boot the image on it, and bam... good to go.

This is coming from an org that would get it like every 2 weeks. Once we got OpenDNS it did wonders.

;) ;) ;)

Do you have any info on how to do that?
https://technet.microsoft.com/en-us/library/network-location-2(v=ws.11).aspx

I have set up our own company Dropbox-like file access, because most of the company are on Apple Macs and it's easier that way. We've not had another "infection" for well over a year, but I could stop using mapped drives and use the web URL.