
How To: Block Cryptolocker

Version

6.0.2.x

7.x

Topic

How to block Cryptolocker.


Steps

CryptoLocker v1.0 and v2.0 prevention method:

Steps to create and test your rule:

1. Navigate to the registry rules page in your console

2. Rules -> software rules -> registry tab

3. Click Add Registry Rule, name it whatever you like, and add whatever description you like (I filled in details about how the rule works so I can refer back later and see why I created it).

4. Status - enabled

5. Write action – “report”. Why use report rather than block immediately? Do you buy a car without test driving it? Imagine you mistyped one of the paths and accidentally blocked something you need. It is far better to put these rules into your environment as report only for a few days to let them “soak”, find any typos you made and fix them before switching to block mode.

This step will save you headaches later (mostly from people throwing things at your head because you blocked something they need).

Registry path – paste these in exactly as written:

HKCU-SoftwareX86\Software\Microsoft\Windows\CurrentVersion\Run\CryptoLocker*

HKCU-SoftwareX64\Software\Microsoft\Windows\CurrentVersion\Run\CryptoLocker*

HKCU\Software\CryptoLocker\Files\*

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\*CryptoLocker*

HKCU-SoftwareX86\Software\Microsoft\Windows\CurrentVersion\RunOnce\*CryptoLocker*

HKCU-SoftwareX64\Software\Microsoft\Windows\CurrentVersion\RunOnce\*CryptoLocker*

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\CryptoLocker*

6. Process – any

User or group – your preference (I chose any)

7. Rule applies to – all (also your preference)

Let it soak for 2 days – 1 week; then, if there are no obvious issues, change the write action to block mode.
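As an added illustration (not from the article or from Bit9), the following Python simulates the report-versus-block behaviour of the rule over a few constructed registry write paths, which is the kind of check the soak period is meant to give you. It assumes that `*` matches any run of characters and that path comparison is case-insensitive.

```python
import fnmatch
import re

# The seven registry paths from the article, pasted exactly as they appear.
RULE_PATHS = [
    r"HKCU-SoftwareX86\Software\Microsoft\Windows\CurrentVersion\Run\CryptoLocker*",
    r"HKCU-SoftwareX64\Software\Microsoft\Windows\CurrentVersion\Run\CryptoLocker*",
    r"HKCU\Software\CryptoLocker\Files\*",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\*CryptoLocker*",
    r"HKCU-SoftwareX86\Software\Microsoft\Windows\CurrentVersion\RunOnce\*CryptoLocker*",
    r"HKCU-SoftwareX64\Software\Microsoft\Windows\CurrentVersion\RunOnce\*CryptoLocker*",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\CryptoLocker*",
]

# Assumption: '*' matches any run of characters and matching is case-insensitive,
# so each glob is compiled once and tested against a lowercased path.
_COMPILED = [(p, re.compile(fnmatch.translate(p.lower()))) for p in RULE_PATHS]

def matching_rule(write_path):
    """Return the first rule path that matches this registry write, or None."""
    target = write_path.lower()
    for rule, rx in _COMPILED:
        if rx.match(target):
            return rule
    return None

def evaluate(write_paths, mode="report"):
    """Simulate the write action: "report" only records a match (the soak
    period), "block" stops it. Returns (path, action, matched_rule) tuples."""
    results = []
    for path in write_paths:
        rule = matching_rule(path)
        if rule is None:
            action = "allowed"
        else:
            action = "blocked" if mode == "block" else "reported"
        results.append((path, action, rule))
    return results

# Constructed sample writes: three the rule should catch, one benign autorun entry.
SAMPLE_WRITES = [
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\CryptoLocker",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\0000CryptoLocker",
    r"HKCU\Software\CryptoLocker\Files\example.docx",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
]

if __name__ == "__main__":
    for path, action, rule in evaluate(SAMPLE_WRITES):
        print(f"{action:8} {path}" + (f"  <- {rule}" if rule else ""))
```

A benign entry such as the last sample must come back as "allowed" in both modes; if a legitimate autorun value shows up as "reported" during the soak, one of the pasted paths has a typo.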

Important Note(s)

These are the complete step-by-step instructions that Bit9 is recommending for blocking CryptoLocker (v1.0 and v2.0) in its current form (v2.0). Enable this rule in Report mode only first and check for false positives within the first hour, since typographical errors are likely when the paths are entered manually by your company’s Bit9 administrator; move to Block mode once you have verified there are no typographical errors in the rule entry. If you leave it in Report mode, make sure to review the events generated by your rule in your console periodically, after a period of a few hours to a few days, to decide whether to fully implement it in Block mode. Keep in mind that in Report-only mode this rule will not block CryptoLocker; only Block mode will block the installation of CryptoLocker.

Article Information
Creation Date: 12-09-2015