CryptoLocker and its variants are typically spread by infected email attachments or infected websites. A common approach to addressing the spread of CryptoLocker is to use Group Policies to block the execution of EXE files from running inside of %AppData% (and other specific folders) using AppLocker or Software Restriction Policy. While good intentioned, I have personally found this approach to only be partially effective. I have seen CryptoLocker evolve and place its files in other locations that are not on the “block list.” When this happens, the new folder must be added to the list…and by then, you are already behind the curve and addressing the problem reactively instead of proactively.
For this reason, I would recommend a proactive approach to mitigating the spread of CryptoLocker by blocking the execution of ALL EXEs in ALL folders on ALL computers. Instead of listing the folders that should be blocked, consider blocking everything and then whitelisting only the folders that should be allowed. Of course, this is a much larger undertaking and usually involve working closely with key stakeholders to ensure all of the appropriate folders are whitelisted. However, it’s worth it.
My process for implementation is outlined below:
- Explain the differences between “blacklist specific folders” vs. “blacklist all and whitelist some” to management and obtain blessing for implementation
- Create new Software Restriction Policy GPO and configure SRP settings
- Create new Active Directory OU for computers to which SRP GPO will apply
- Apply new GPO to new Active Directory OU
- Analyze environment and make list of which program folders need whitelisted
- Add program folders to SRP GPO
- Move test computers within Active Directory to new SRP OU
- Test. Test
- Once all SRP issues have been addressed, migrate small number of test users to SRP OU
- When test users are comfortable, begin to migrate additional users to SRP OU
I have not covered any of the technical specifics here, but feel free to let me know if you have questions.