Using PowerShell to Combat CryptoLocker

On the Varonis blog, we recently wrote about how CryptoLocker—the malware that encrypts your local files and holds them for a Bitcoin ransom—has better marketing than many companies. However, we thought it would be helpful to also offer some tactical advice for dealing with CryptoLocker using our sysadmin tool of choice: PowerShell.

What follows are the best scripts we’ve found for preventing, detecting, identifying, and remediating a CryptoLocker infection with PowerShell.

Prevention

One of the few proven ways of stopping CryptoLocker from gaining a foothold on a network (or even a single computer) is application whitelisting with AppLocker (or its predecessor, Software Restriction Policies), which lets you allow or deny the execution of an application by path, publisher or file hash.

CryptoLocker is usually delivered as an executable email attachment, which then installs itself as %AppData%\*.exe under the user's roaming profile and runs from there. Preventing executables from launching out of that path (and out of %LocalAppData%\Temp, which other droppers favour) will ward off CryptoLocker and similarly structured malware. The cost is that the few legitimate per-user installers that also live in AppData will break, so inventory what is there first and add exceptions for it.

Microsoft has made this easier for you to roll out with its release of AppLocker Windows PowerShell Cmdlets, which automate much of the process:

http://technet.microsoft.com/en-us/library/hh994594.aspx
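As an added example (not from the original post), here is the whole procedure in PowerShell with the AppLocker cmdlets: inventory what already runs from AppData, build a policy that denies executables there while keeping AppLocker's default allow rules, prove it against a real binary without executing anything, and apply it. It assumes an AppLocker-capable edition of Windows (Enterprise or Server), an elevated PowerShell 3 or later session, and AppLocker's own path-rule syntax (%OSDRIVE%\Users\*\... rather than %AppData%); the file names and the temp paths are made up for the example.

```powershell
# Added example: deny EXE execution from user AppData with AppLocker cmdlets.
# Assumes Windows Enterprise/Server, elevated PowerShell 3+, AppLocker module present.
Import-Module AppLocker

# 1. Before enforcing, see what legitimately lives there today (per-user installers do this).
Get-ChildItem "$env:SystemDrive\Users\*\AppData\Roaming" -Recurse -Filter *.exe -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty FullName

# 2. Build the policy. Deny rules win over allow rules, and an enforced EXE collection
#    blocks every executable not covered by an allow rule, so the AppLocker default
#    allow rules are included. '*' in the middle of the path matches any user folder.
$policyPath = Join-Path $env:TEMP 'deny-appdata-exe.xml'   # assumed location
@"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Deny EXE in Roaming AppData"
        Description="CryptoLocker drops its binary here" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%OSDRIVE%\Users\*\AppData\Roaming\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Deny EXE in Local AppData Temp"
        Description="Common dropper staging folder" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%OSDRIVE%\Users\*\AppData\Local\Temp\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="(Default) All files in Program Files"
        Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="(Default) All files in Windows"
        Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="(Default) Administrators run anything"
        Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@ | Set-Content -Path $policyPath -Encoding UTF8

# 3. Test with a real PE: the same binary should be Allowed from System32 and Denied
#    from AppData. Copying it there does not execute it.
$probe = Join-Path $env:APPDATA 'applocker-probe.exe'
Copy-Item "$env:WINDIR\System32\notepad.exe" $probe -Force
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $probe, "$env:WINDIR\System32\notepad.exe" -User Everyone |
    Select-Object FilePath, PolicyDecision, MatchingRule
Remove-Item $probe

# 4. Apply locally, merging with any existing policy, and make sure the Application
#    Identity service that enforces AppLocker is running (set its startup type via GPO).
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
Start-Service AppIDSvc
Get-AppLockerPolicy -Effective -Xml | Out-File (Join-Path $env:TEMP 'effective-applocker.xml')
```

Run step 3 before step 4 and read the PolicyDecision column: the probe copy should show Denied with the AppData rule as MatchingRule, and the System32 original Allowed. If step 1 listed executables you need, add Publisher rules for them (Get-AppLockerFileInformation plus New-AppLockerPolicy will generate those) rather than widening the deny path. For domain-wide rollout, point Set-AppLockerPolicy at a GPO with -Ldap instead of the local computer.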

Detection

HoneyPots

A common means of detecting CryptoLocker and other file-modifying malware is a honeypot file. A file of the type the malware targets (for CryptoLocker, primarily Microsoft Office documents and photos) is placed in an accessible location on the network, and any modification to it alerts the system administrators that something has touched a file no legitimate user should. For that reason the filename or directory should make it obvious to human users that they are not to open it, and it helps to choose a name that sorts early in a directory listing so a recursive encryptor reaches it quickly. More on this here:

http://www.reddit.com/r/sysadmin/comments/1qf7yi/cryptolocker_using_powershell_as_a_tripwire/

Varonis

Varonis customers have had success detecting and reacting to CryptoLocker infections using DatAdvantage and DatAlert. The former captures a continuous log of your network file system, intranet, and email activity, and the latter generates real-time alerts when CryptoLocker-like behaviour is observed, either on a threshold (e.g., one user modifying more than 100 files in a minute) or on a honeypot file. The alert can also kick off a PowerShell script that disables the offending user account.
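The honeypot tripwire above and the "disable the offending account" response, joined into one file-server script, as an added example (not from the original post, and not Varonis product code). It plants honeypot documents, watches them with a FileSystemWatcher, and when one is written, renamed or deleted it attributes the change to the SMB client that still has the file open, disables that Active Directory account, closes its SMB sessions and logs an event. It assumes it runs elevated on the Windows file server itself (Server 2012 or later for the Smb* cmdlets) with the ActiveDirectory RSAT module installed; the share path, file names and event IDs are invented for the example.

```powershell
# Added example: honeypot tripwire plus automatic account lockout on a file server.
# Assumes Server 2012+ (SmbShare module), ActiveDirectory RSAT module, elevated session.
Import-Module ActiveDirectory
Import-Module SmbShare

$HoneypotRoot  = 'D:\Shares\Finance\_DO_NOT_OPEN_archive'   # assumed share-local path
$HoneypotFiles = @('AAA_budget_2013.xlsx', 'AAA_staff_photos.jpg', 'zzz_old_contracts.docx')
$Source        = 'HoneypotTripwire'                          # assumed event log source

if (-not [Diagnostics.EventLog]::SourceExists($Source)) {
    New-EventLog -LogName Application -Source $Source
}

# Names sort first and last so a recursive encryptor hits them early.
New-Item -ItemType Directory -Path $HoneypotRoot -Force | Out-Null
foreach ($name in $HoneypotFiles) {
    $p = Join-Path $HoneypotRoot $name
    if (-not (Test-Path $p)) { [IO.File]::WriteAllBytes($p, (New-Object byte[] 4096)) }
}

# Declared global: event actions run outside script scope. The same function can be the
# script an external alerting product launches, passing it the file path it alerted on.
function global:Invoke-RansomwareResponse {
    param([string[]]$Path, [string]$Source = 'HoneypotTripwire')
    $open = Get-SmbOpenFile | Where-Object { $Path -contains $_.Path } | Select-Object -First 1
    if (-not $open) {
        # Handle already closed (fast encryptor, rename, delete): cannot attribute from open
        # files; fall back to object-access auditing (event 4663) on the honeypot folder.
        Write-EventLog -LogName Application -Source $Source -EntryType Warning -EventId 9001 `
            -Message "Honeypot touched but no open SMB handle found: $($Path -join ', ')"
        return
    }
    $user = $open.ClientUserName                 # DOMAIN\user as seen by the SMB server
    $sam  = $user.Split('\')[-1]
    if ($sam.EndsWith('$')) { return }           # machine account, not something to disable
    Disable-ADAccount -Identity $sam
    Get-SmbSession | Where-Object { $_.ClientUserName -eq $user } | Close-SmbSession -Force
    Write-EventLog -LogName Application -Source $Source -EntryType Error -EventId 9000 `
        -Message "Honeypot $($open.Path) modified by $user from $($open.ClientComputerName); account disabled, SMB sessions closed."
}

$watcher = New-Object IO.FileSystemWatcher $HoneypotRoot
$watcher.NotifyFilter = [IO.NotifyFilters]'LastWrite, FileName, Size'
$watcher.EnableRaisingEvents = $true

$action = {
    $ea    = $Event.SourceEventArgs
    $paths = @($ea.FullPath)
    if ($ea.OldFullPath) { $paths += $ea.OldFullPath }      # Renamed carries both names
    $names = $Event.MessageData                              # honeypot file names
    if ($paths | Where-Object { $names -contains (Split-Path $_ -Leaf) }) {
        Invoke-RansomwareResponse -Path $paths
    }
}
foreach ($evt in 'Changed', 'Renamed', 'Deleted') {
    Register-ObjectEvent -InputObject $watcher -EventName $evt -SourceIdentifier "Honeypot$evt" `
        -MessageData $HoneypotFiles -Action $action | Out-Null
}
# Registrations live only as long as this session; keep it open or run it as a service task.
while ($true) { Start-Sleep -Seconds 60 }
```

The attribution step is the weak point: Get-SmbOpenFile only sees handles that are still open, and CryptoLocker works fast, so enable object-access auditing on the honeypot folder as the fallback and treat event 9001 as "investigate now". Disabling the account stops further SMB writes from that user; the infected workstation still needs to be isolated.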

Identification

Find-PCBCrypto

A PowerShell function to aid in finding CryptoLocker-encrypted files. It works by comparing the NTFS change time kept in the Master File Table (which the file system updates on every write and which normal APIs cannot set) with the file's own LastWriteTime. CryptoLocker leaves the original LastWriteTime in place when it rewrites a file, so a large gap between the two values indicates possible unauthorized encryption. The author warns that false positives are likely (a plain file copy, for instance, preserves LastWriteTime but gets a fresh change time), so proceed with caution.

http://poshcodebear.com/blog/2014/5/2/function-to-aid-in-finding-cryptolocker-encrypted-files
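The same timestamp comparison implemented directly, as an added example (this is not the Find-PCBCrypto script). It reads NTFS ChangeTime through GetFileInformationByHandleEx and flags files whose ChangeTime is well after LastWriteTime. To cut the copy-related false positives it also requires ChangeTime to be well after CreationTime (a fresh copy has CreationTime and ChangeTime within seconds of each other, an old file rewritten in place does not) and lets you restrict the search to the suspected infection window. It assumes PowerShell 3 or later on Windows; the 120-second tolerance, the extension list and the sample paths are choices made for the example.

```powershell
# Added example: find files whose NTFS ChangeTime is much later than their LastWriteTime.
# Assumes PowerShell 3+ on Windows. Tolerance and extension list are example choices.
Add-Type -TypeDefinition @'
using System;
using System.IO;
using System.Runtime.InteropServices;

public static class NtfsChangeTime
{
    [StructLayout(LayoutKind.Sequential)]
    private struct FILE_BASIC_INFO
    {
        public long CreationTime;
        public long LastAccessTime;
        public long LastWriteTime;
        public long ChangeTime;       // the MFT "entry modified" timestamp
        public uint FileAttributes;
    }

    [DllImport("kernel32.dll", SetLastError = true)]
    private static extern bool GetFileInformationByHandleEx(
        IntPtr hFile, int infoClass, out FILE_BASIC_INFO info, uint size);

    // infoClass 0 == FILE_INFO_BY_HANDLE_CLASS.FileBasicInfo
    public static DateTime Get(string path)
    {
        using (FileStream fs = new FileStream(path, FileMode.Open, FileAccess.Read,
                                              FileShare.ReadWrite | FileShare.Delete))
        {
            FILE_BASIC_INFO info;
            uint size = (uint)Marshal.SizeOf(typeof(FILE_BASIC_INFO));
            if (!GetFileInformationByHandleEx(fs.SafeFileHandle.DangerousGetHandle(), 0, out info, size))
                throw new System.ComponentModel.Win32Exception(Marshal.GetLastWin32Error());
            return DateTime.FromFileTimeUtc(info.ChangeTime);
        }
    }
}
'@

function Find-TimestampMismatch {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory=$true)][string]$Path,
        [datetime]$Since = (Get-Date).AddDays(-30),          # suspected infection window
        [int]$ToleranceSeconds = 120,
        [string[]]$Include = ('*.doc','*.docx','*.xls','*.xlsx','*.ppt','*.pptx','*.pdf','*.jpg','*.png')
    )
    $sinceUtc = $Since.ToUniversalTime()
    Get-ChildItem -Path $Path -Recurse -File -Include $Include -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        try {
            $change      = [NtfsChangeTime]::Get($file.FullName)
            $sinceWrite  = ($change - $file.LastWriteTimeUtc).TotalSeconds
            $sinceCreate = ($change - $file.CreationTimeUtc).TotalSeconds
            # Rewritten after its LastWriteTime, and old enough that it is not a fresh copy.
            if ($change -ge $sinceUtc -and
                $sinceWrite -gt $ToleranceSeconds -and $sinceCreate -gt $ToleranceSeconds) {
                [pscustomobject]@{
                    Path             = $file.FullName
                    LastWriteTimeUtc = $file.LastWriteTimeUtc
                    ChangeTimeUtc    = $change
                    GapMinutes       = [math]::Round($sinceWrite / 60, 1)
                }
            }
        } catch {
            Write-Warning "Skipping $($file.FullName): $($_.Exception.Message)"
        }
    }
}

# Example run against a share during the window the infection is believed to have started:
# Find-TimestampMismatch -Path '\\fileserver\finance' -Since '2014-05-01' | Sort-Object ChangeTimeUtc
```

Expect hits that are not encryption: permission changes, hard-link creation and backup restores that put all four timestamps back also move ChangeTime. Sorting by ChangeTimeUtc makes the real event stand out as a dense burst of files in one directory tree within a few minutes, which is also the ordering you want when deciding what to restore first.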

CryptoLocker / OU Scan Reporter

This script queries the hosts in an Active Directory OU and scans each for signs of CryptoLocker activity. The results are then written to an Excel file. It relies on the Remote Registry service being reachable on each host, since it searches for the known registry values that CryptoLocker writes on an infected system.

https://gallery.technet.microsoft.com/scriptcenter/Cryptolocker-report-8155ac6b

Dump Local Encrypted Files List from the Registry

The following PowerShell one-liner exports the list of files that the local CryptoLocker infection has recorded as encrypted. The malware stores each path as a registry value name under its Files key, with "?" in place of "\". Variants in the wild use a different key name (or none), so this will not work with every sample you encounter.

(Get-Item HKCU:\Software\CryptoLocker\Files).GetValueNames() | ForEach-Object { $_.Replace('?', '\') } | Out-File CryptoLockerFiles.txt -Encoding Unicode
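As an added example (not from the original post), the one-liner extended into a short script that copes with the variant key names and then verifies each listed file. It collects value names from every HKCU:\Software\CryptoLocker* key that has a Files subkey, converts them back to paths, and checks whether each file still begins with the magic bytes its extension implies: a .docx that no longer starts with "PK", or a .jpg without FF D8 FF, has been overwritten, so the output separates "listed" from "confirmed encrypted". The key-name pattern, the magic table and the CSV name are assumptions; it needs PowerShell 3 or later and must run as the infected user, since the list lives in HKCU.

```powershell
# Added example: dump the recorded file list and confirm which files were overwritten.
# Assumes PowerShell 3+ and that it runs as the infected user (HKCU). Key-name pattern,
# magic table and output file name are example choices.
$Magic = @{
    '.docx' = [byte[]](0x50,0x4B,0x03,0x04); '.xlsx' = [byte[]](0x50,0x4B,0x03,0x04)
    '.pptx' = [byte[]](0x50,0x4B,0x03,0x04); '.zip'  = [byte[]](0x50,0x4B,0x03,0x04)
    '.doc'  = [byte[]](0xD0,0xCF,0x11,0xE0); '.xls'  = [byte[]](0xD0,0xCF,0x11,0xE0)
    '.ppt'  = [byte[]](0xD0,0xCF,0x11,0xE0)
    '.pdf'  = [byte[]](0x25,0x50,0x44,0x46)                  # "%PDF"
    '.jpg'  = [byte[]](0xFF,0xD8,0xFF);      '.jpeg' = [byte[]](0xFF,0xD8,0xFF)
    '.png'  = [byte[]](0x89,0x50,0x4E,0x47)
}

function Get-CryptoLockerFileList {
    # Paths recorded under every HKCU:\Software\CryptoLocker*\Files key ('?' stands for '\').
    $keys = Get-ChildItem -Path 'HKCU:\Software' -ErrorAction SilentlyContinue |
            Where-Object { $_.PSChildName -like 'CryptoLocker*' }
    foreach ($key in $keys) {
        $filesKey = Join-Path $key.PSPath 'Files'
        if (Test-Path $filesKey) {
            (Get-Item $filesKey).GetValueNames() | ForEach-Object { $_.Replace('?', '\') }
        }
    }
}

function Test-FileHeader {
    # $true/$false when the first bytes match the extension's magic; $null for unknown types.
    param([Parameter(Mandatory=$true)][string]$Path)
    $expected = $Magic[[IO.Path]::GetExtension($Path).ToLowerInvariant()]
    if (-not $expected) { return $null }
    $fs = [IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
    try {
        $buf  = New-Object byte[] $expected.Length
        $read = $fs.Read($buf, 0, $buf.Length)
    } finally { $fs.Dispose() }
    if ($read -lt $expected.Length) { return $false }
    for ($i = 0; $i -lt $expected.Length; $i++) {
        if ($buf[$i] -ne $expected[$i]) { return $false }
    }
    return $true
}

$list = @(Get-CryptoLockerFileList)
if ($list.Count -eq 0) {
    Write-Warning 'No HKCU:\Software\CryptoLocker* key found; this variant may keep its list elsewhere.'
}
$report = foreach ($p in $list) {
    $exists = Test-Path -LiteralPath $p
    $intact = $null
    if ($exists) { $intact = Test-FileHeader -Path $p }
    [pscustomobject]@{ Path = $p; Exists = $exists; HeaderIntact = $intact }
}
$report | Export-Csv -Path CryptoLockerFiles.csv -NoTypeInformation -Encoding Unicode
$report | Where-Object { $_.HeaderIntact -eq $false }     # the confirmed-overwritten set
```

Files with HeaderIntact equal to $true were listed but not actually damaged (the malware can be interrupted), and $null means the extension is not in the table; extend $Magic for the types your users keep. The CSV doubles as the input list for the recovery loop below in the Remediation section.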

Remediation

Due to the manner in which CryptoLocker encrypts files, it is generally considered impossible to recover them without the private key held by the attackers. Fortunately, security firms obtained copies of those keys after the botnet's infrastructure was taken down, so for many victims the key for a given file can now be looked up and used to unlock all of their files for a full recovery.

The website https://decryptcryptolocker.com/ lets you upload one encrypted file (pick one with no sensitive content) and then emails you the associated key. The key, together with the recovery program from the site, will unlock your files:

Decryptolocker.exe --key "<key>" <Lockedfile.doc>

Depending on how you built your list of encrypted files, this process can be further automated with PowerShell's foreach statement.

http://blogs.technet.com/b/heyscriptingguy/archive/2014/04/28/basics-of-powershell-looping-foreach.aspx
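The foreach loop written out, as an added example (not from the original post or from the tool's authors). It walks the list exported earlier, skips paths that no longer exist, runs the recovery program once per file with the key from the email, and records the exit code and console output per file in a CSV. The exit codes and messages of Decryptolocker.exe are not documented on this page, so the script records them rather than interpreting them; the tool path, list file and report name are placeholders. It supports -WhatIf so the first pass can be a dry run.

```powershell
# Added example: run the recovery tool over every listed file and keep a per-file record.
# Tool path, list file and report path are placeholders; the tool's exit codes are not
# interpreted, only recorded. Requires PowerShell 3+.
function Invoke-CryptoLockerRecovery {
    [CmdletBinding(SupportsShouldProcess=$true)]
    param(
        [Parameter(Mandatory=$true)][string]$Key,          # key from the decryptcryptolocker email
        [string]$ListPath   = '.\CryptoLockerFiles.txt',   # one path per line
        [string]$Tool       = '.\Decryptolocker.exe',
        [string]$ReportPath = '.\recovery-report.csv'
    )
    if (-not (Test-Path $Tool)) { throw "Recovery tool not found: $Tool" }

    $results = foreach ($file in (Get-Content $ListPath | Where-Object { $_.Trim() })) {
        if (-not (Test-Path -LiteralPath $file)) {
            [pscustomobject]@{ Path = $file; Status = 'Missing'; ExitCode = $null; Output = '' }
            continue
        }
        if ($PSCmdlet.ShouldProcess($file, 'Decrypt')) {
            # Same invocation as the manual command, with stderr merged into the record.
            $out = & $Tool --key $Key $file 2>&1 | Out-String
            [pscustomobject]@{ Path = $file; Status = 'Ran'; ExitCode = $LASTEXITCODE; Output = $out.Trim() }
        } else {
            [pscustomobject]@{ Path = $file; Status = 'Skipped (WhatIf)'; ExitCode = $null; Output = '' }
        }
    }
    $results | Export-Csv -Path $ReportPath -NoTypeInformation
    $results
}

# Dry run first to see what would be touched, then the real pass, summarised by outcome:
# Invoke-CryptoLockerRecovery -Key '<key>' -WhatIf
# Invoke-CryptoLockerRecovery -Key '<key>' | Group-Object Status, ExitCode | Select-Object Count, Name
```

Work on a copy of the affected share, or at least confirm the tool rewrites files in place before the full run, and open a handful of the "Ran" files by hand before trusting the exit codes; a non-zero code on every file usually means a wrong key rather than a lost cause.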

Conclusion

The mass wave of CryptoLocker infections has prompted many people to create free tools and scripts to help you combat infections. However, given the economic success enjoyed by CryptoLocker's authors, it is only a matter of time before the next devastating round of ransomware is unleashed. To minimize the threat, we suggest you go back to our 4 As: authentication, authorization, auditing, and alerting.

Further, learning more practical, security-focused PowerShell will help you protect your network regardless of the source of the threat. You can unlock the full 3-hour video course on PowerShell and Active Directory Essentials with the code cmdlet.