Stop CryptoLocker (and copy-cat variants of this badware) before it ruins your day


A shortcut to this page is: http://jpelectron.com/stopcrypto


Update 09/12/2017: I am bored with this...

My original article on how to set up FSRM is still available here.
However, since I've never been affected by this threat personally, I've concluded this FSRM detection method is dumb, and Internet filtering is the better protection. Since copy-cat variants of CryptoLocker are still very much prevalent, I would much rather promote the following list of action items to help you really stop this threat:

1) Ensure your Internet filter is updating to block known badware domains (suggestion: DNS Redirector)
2) Ensure your Internet filter is blocking ccTLDs and IDNs that are not relevant to your business (suggestion: DNS Redirector, see how to)
3) Ensure your firewall is blocking any URL that uses a bare IP address instead of a hostname (only the bad guys do this)
           Bad: http://93.184.216.34 | Good: http://example.com | see how to
4) Ensure your firewall is blocking DNS (TCP/UDP 53 and 5353) outbound from everything except your trusted internal/AD DNS server IP(s)
5) Ensure your firewall is allowing only good/necessary ports outbound (NOT any/any)
           Suggestion for DCs: 53, 80, 123, 443, 3544 | Suggestion for end-users: 80, 443, 1935, 3544
6) Run CryptoPrevent by Foolish IT on every end-user workstation (the free edition is just fine): apply the standard rules, then restart
7) Disable vssadmin.exe (on user workstations that don't need it) with this batch
8) Make a share (or two) that no end-user will actually use, put one file in it called "do_not_modify_or_delete.txt"
           (better if you pick your own random filename for this) and set FSRM to detect any change to that file (a change means encryption happened)
9) Implement backups, test them, and really review the logs daily to ensure they're working (suggestion: Veeam free and SyncBackFree)
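As an added example of item 8 (not code from the original article), here is one way to wire the decoy share into FSRM with the FileServerResourceManager PowerShell module: a passive file screen on the decoy folder that logs an event whenever anything is written there. The folder path D:\Decoy and the decoy filename are assumptions; pick your own.

```powershell
# Added example: FSRM canary on a decoy share. Assumes the FSRM role and its
# PowerShell module are installed and D:\Decoy is the folder you share out.
Import-Module FileServerResourceManager

$decoyPath = 'D:\Decoy'
$decoyFile = 'do_not_modify_or_delete.txt'   # use your own random name in production

# Create the decoy folder and the single bait file nobody should ever touch
New-Item -ItemType Directory -Path $decoyPath -Force | Out-Null
Set-Content -Path (Join-Path $decoyPath $decoyFile) -Value 'canary'

# File group matching every name: no legitimate write ever lands in this share,
# so any file created or renamed here is treated as a ransomware indicator.
New-FsrmFileGroup -Name 'Decoy share canary' -IncludePattern @('*')

# Notification: write a Warning to the Application event log. [Source Io Owner]
# and [Source File Path] are FSRM notification variables filled in at run time,
# which tells you which account to isolate.
$logAction = New-FsrmAction -Type Event -EventType Warning `
    -Body 'Decoy share touched by [Source Io Owner]: [Source File Path]. Possible ransomware.'

# Passive screen (-Active:$false): FSRM logs but does not block, so the canary
# trips cleanly and your alerting on the event log does the rest.
New-FsrmFileScreen -Path $decoyPath -IncludeGroup 'Decoy share canary' `
    -Active:$false -Notification $logAction `
    -Description 'Ransomware canary: nothing should ever be written here'

# Caveat (assumption about your variant): file screens act on create/rename, so a
# variant that overwrites the bait file in place may not trip it. Pair this with a
# scheduled check that the bait file's hash and LastWriteTime are unchanged.
```

Feed the resulting event into whatever alerting you already review daily (item 9), otherwise the canary fires and nobody notices.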

Over and out, it's been "fun"