Using PowerShell to Combat CryptoLocker

On the Varonis blog, we recently wrote about how CryptoLocker—the malware that encrypts your local files and holds them for a Bitcoin ransom—has better marketing than many companies. However, we...
Michael Buckbee
3 min read
Last updated October 14, 2022

On the Varonis blog, we recently wrote about how CryptoLocker—the malware that encrypts your local files and holds them for a Bitcoin ransom—has better marketing than many companies. However, we thought it would be helpful to also offer some tactical advice for dealing with CryptoLocker using our sysadmin tool of choice: PowerShell.

What follows are the best scripts we’ve found for preventing, detecting, identifying, and remediating a CryptoLocker infection with PowerShell.

Get the Free PowerShell and Active Directory Essentials Video Course


One of the few proven ways of stopping CryptoLocker from gaining a foothold on a network (or even a single computer) is the use of the AppLocker utility (or its predecessor Software Restriction Policies), which can be used to allow or deny the execution of an application.

CryptoLocker is usually spread via an executable email attachment, which then installs in %AppData%\*.exe, so preventing executables from launching from this path will help ward off CryptoLocker and other similarly structured malware.

Microsoft has made this easier for you to roll out with its release of AppLocker Windows PowerShell Cmdlets, which automate much of the process:



A common means of testing for CryptoLocker and other malware is to use a Honeypot file. A file of the appropriate type (for CryptoLocker this would be primarily Microsoft Office documents and photos) is placed in an accessible location on the network and, if modified, alerts the system administrators that unauthorized access has occurred.  Importantly, the filename or directory should try to signify to human users that they shouldn’t touch it.  More on this here:


Varonis customers have had success detecting and reacting to CryptoLocker infections using DatAdvantage and DatAlert.  The former captures a continuous log of your network file system, intranet, and email activity and the latter allows you to generate real-time alerts when CryptoLocker behavior is observed—you could use a threshold (e.g., modified more than 100 files in a minute) or a honeypot.  You can even make your alert kick-off a PowerShell script that disables the offending user account.



A PowerShell function to aid in finding CryptoLocker encrypted files. This PS script works by comparing the NTFS Master File Table modification time to that of the local file’s timestamps. Differences between these two values indicate possible unauthorized file encryption, though the author warns that false positives will most likely be found, so proceed with caution.

CryptoLocker / OU Scan Reporter

This script queries hosts on a network OU and scans each for potential CryptoLocker activity.  The results are then written back to an Excel file. The script relies upon being able to access the Windows Remote Registry Service to search for the known values that CryptoLocker writes to an infected system.

Dump Local Encrypted Files List from the Registry

The following PowerShell one-liner function will export a list of files that the local CryptoLocker infection has encrypted. Differing versions of CryptoLocker in the wild appear to modify this registry location, so this will likely not work with all variants that might be encountered.

(Get-Item HKCU:\Software\CryptoLocker\Files).GetValueNames().Replace(“?”,”\”) | Out-File CryptoLockerFiles.txt -Encoding unicode


Due to the manner in which CryptoLocker encrypts files, it is generally considered impossible to recover them without access to the underlying cryptographic keys used by the attackers. Fortunately, through the efforts of some security firms, it is now possible to recover the key used for encrypting the files and then to unlock them for a full recovery.

The website will let you upload an infected file and then will email you the associated key. The key, together with the recovery program from the site will let you unlock your files.

Decryptolocker.exe –key “<key>” <Lockedfile.doc>

Depending on how you built your list of encrypted files, this process can be further automated with PowerShell’s foreach command.


The mass wave of CryptoLocker infections has prompted many to create free tools and scripts to help you combat infections. However, given the economic success enjoyed by the CryptoLocker’s authors it is only a matter of time before the next devastating round of ransomware is unleashed.  To minimize the threat, we suggest you go back to our 4 As: authentication, authorization, auditing, and alerting.

Further, learning more practical, security focused PowerShell will help you protect your network regardless of the source of the threat. You can unlock the full 3 hour video course on PowerShell and Active Directory Essentials with the code cmdlet.

What should I do now?

Below are three ways you can continue your journey to reduce data risk at your company:


Schedule a demo with us to see Varonis in action. We'll personalize the session to your org's data security needs and answer any questions.


See a sample of our Data Risk Assessment and learn the risks that could be lingering in your environment. Varonis' DRA is completely free and offers a clear path to automated remediation.


Follow us on LinkedIn, YouTube, and X (Twitter) for bite-sized insights on all things data security, including DSPM, threat detection, AI security, and more.

Try Varonis free.

Get a detailed data risk report based on your company’s data.
Deploys in minutes.

Keep reading

Varonis tackles hundreds of use cases, making it the ultimate platform to stop data breaches and ensure compliance.

SQL Server Best Practices, Part I: Configuration
Am I the only one who finds the Microsoft SQL server best practice guides to be a little painful to trawl through? Somehow, I doubt it. After being frustrated reading...
CryptoLocker: Everything You Need to Know
CryptoLocker is a type of malware that encrypts files, holding them for ransom. For this reason, CryptoLocker and its variants have come to be known as “ransomware.”
Risks of Renaming Your Domain in Active Directory
As a sysadmin, there might be moments where you’ll find the need to change, merge, or rename your domain. Hopefully you name your domain well the first time, but there…
Samas, Cerber, Surprise: Three New Ransomware Variants to Have On Your Radar
As of late, the weekly press coverage of ransomware has been building a kind of brand recognition that’s the envy of many legitimate IT vendors. Ransomware’s own success has made...