
Using PowerShell to Combat CryptoLocker

Published October 17, 2014
Last updated October 14, 2022

On the Varonis blog, we recently wrote about how CryptoLocker—the malware that encrypts your local files and holds them for a Bitcoin ransom—has better marketing than many companies. However, we thought it would be helpful to also offer some tactical advice for dealing with CryptoLocker using our sysadmin tool of choice: PowerShell.

What follows are the best scripts we’ve found for preventing, detecting, identifying, and remediating a CryptoLocker infection with PowerShell.


Prevention

One of the few proven ways of stopping CryptoLocker from gaining a foothold on a network (or even a single computer) is the use of the AppLocker utility (or its predecessor Software Restriction Policies), which can be used to allow or deny the execution of an application.

CryptoLocker is usually spread via an executable email attachment, which then installs in %AppData%\*.exe, so preventing executables from launching from this path will help ward off CryptoLocker and other similarly structured malware.

Microsoft has made this easier for you to roll out with its release of AppLocker Windows PowerShell Cmdlets, which automate much of the process:

http://technet.microsoft.com/en-us/library/hh994594.aspx
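As an added example (not code from the original post or from Microsoft), here is one way to roll out the AppData block with those cmdlets: the policy is written in AppLocker's XML form, dry-run with Test-AppLockerPolicy against the executables already present under user profiles, and applied in audit-only mode so you can review what it would have blocked before switching to enforcement. It assumes an elevated session on an AppLocker-capable Windows edition and that the Application Identity service (AppIDSvc) can be started; file paths are placeholders.

```powershell
# Build an AppLocker EXE rule collection: deny launches from every user's AppData
# tree, keep the usual default allows so Windows and installed software still run.
# AppLocker path rules use their own variables (%OSDRIVE%, %WINDIR%, %PROGRAMFILES%),
# not %AppData%, hence the wildcard over \Users\*\AppData\.
$policyPath = "$env:TEMP\BlockAppDataExe.xml"   # placeholder location

$xml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Deny EXE from user AppData" Description="CryptoLocker drops its executable under %AppData%" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%OSDRIVE%\Users\*\AppData\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Windows" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Administrators everything" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
Set-Content -Path $policyPath -Value $xml

# Dry run: which executables already sitting under AppData would this policy stop?
# Deny rules win over allow rules in AppLocker, so legitimate updaters living there
# will show up here and need their own publisher or hash allow rule.
$candidates = Get-ChildItem "$env:SystemDrive\Users\*\AppData" -Recurse -Filter *.exe -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty FullName
if ($candidates) {
    Test-AppLockerPolicy -XmlPolicy $policyPath -Path $candidates -User Everyone |
        Where-Object PolicyDecision -ne 'Allowed' |
        Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
}

# Apply locally (merged with any existing policy) in audit mode. AppLocker needs the
# Application Identity service running to evaluate rules at all.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
Start-Service AppIDSvc

# Review what audit mode would have blocked (event 8003 in the AppLocker EXE and DLL log),
# then change EnforcementMode to "Enabled" in the XML and re-apply.
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object Id -eq 8003 | Select-Object TimeCreated, Message
```

For a domain-wide rollout, the same XML can be imported into a Group Policy Object with Set-AppLockerPolicy's -Ldap parameter instead of applied locally.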

Detection

HoneyPots

A common means of testing for CryptoLocker and other malware is to use a Honeypot file. A file of the appropriate type (for CryptoLocker this would be primarily Microsoft Office documents and photos) is placed in an accessible location on the network and, if modified, alerts the system administrators that unauthorized access has occurred.  Importantly, the filename or directory should try to signify to human users that they shouldn’t touch it.  More on this here:

http://www.reddit.com/r/sysadmin/comments/1qf7yi/cryptolocker_using_powershell_as_a_tripwire/

Varonis

Varonis customers have had success detecting and reacting to CryptoLocker infections using DatAdvantage and DatAlert. The former captures a continuous log of your network file system, intranet, and email activity, and the latter allows you to generate real-time alerts when CryptoLocker behavior is observed—you could use a threshold (e.g., more than 100 files modified in a minute) or a honeypot. You can even make your alert kick off a PowerShell script that disables the offending user account.
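The honeypot tripwire described above, together with the "alert kicks off a script that disables the account" reaction from this section, as one added example (not code from the original post, the Reddit thread, or Varonis): decoy Office and photo files sit in a folder whose name tells people to leave it alone, a FileSystemWatcher raises an alert on any change, the writing account is looked up from the Security log, and the account can optionally be disabled. It assumes the script runs on the file server itself, that a Write audit SACL is set on the decoy folder so event 4663 is logged, and that the ActiveDirectory module is installed if -DisableAccount is used; the share path and file names are placeholders.

```powershell
param(
    [string]$HoneypotDir = 'D:\Shares\Finance\_DO_NOT_TOUCH_archive',   # placeholder path
    [switch]$DisableAccount                                               # opt in to the automatic response
)

# Decoys of the types CryptoLocker targets: Office documents and photos.
if (-not (Test-Path $HoneypotDir)) { New-Item -ItemType Directory -Path $HoneypotDir | Out-Null }
foreach ($name in 'Budget2014.xlsx', 'Payroll.docx', 'IMG_0001.jpg') {
    $p = Join-Path $HoneypotDir $name
    if (-not (Test-Path $p)) { Set-Content -Path $p -Value "decoy created $(Get-Date)" }
}
if (-not [System.Diagnostics.EventLog]::SourceExists('Honeypot')) {
    New-EventLog -LogName Application -Source 'Honeypot'
}

$watcher = New-Object System.IO.FileSystemWatcher $HoneypotDir
$watcher.IncludeSubdirectories = $true
$watcher.EnableRaisingEvents = $true

$onChange = {
    $file = $Event.SourceEventArgs.FullPath
    $who  = $null
    # Attribute the write: the newest 4663 (object access) audit event naming this file.
    $evts = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddMinutes(-5) } -ErrorAction SilentlyContinue
    foreach ($e in $evts) {
        $d = @{}
        foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d.ObjectName -eq $file) { $who = "$($d.SubjectDomainName)\$($d.SubjectUserName)"; break }
    }
    $msg = "Honeypot file $file was $($Event.SourceEventArgs.ChangeType) by $(if ($who) { $who } else { 'an unidentified account' })"
    Write-EventLog -LogName Application -Source 'Honeypot' -EntryType Warning -EventId 9001 -Message $msg
    if ($Event.MessageData.Disable -and $who) {
        # Containment: stop that account from touching more files; re-enable after triage.
        Disable-ADAccount -Identity $who.Split('\')[1]
    }
}
$cfg = @{ Disable = [bool]$DisableAccount }
Register-ObjectEvent $watcher Changed -SourceIdentifier HoneypotChanged -Action $onChange -MessageData $cfg | Out-Null
Register-ObjectEvent $watcher Renamed -SourceIdentifier HoneypotRenamed -Action $onChange -MessageData $cfg | Out-Null

# The watcher only fires while this session lives; Unregister-Event HoneypotChanged/HoneypotRenamed stops it.
while ($true) { Start-Sleep -Seconds 60 }
```

Backups and indexing jobs that legitimately rewrite files will trip this too, so exclude their service accounts before turning on -DisableAccount.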

Identification

Find-PCBCrypto

A PowerShell function to aid in finding CryptoLocker encrypted files. This PS script works by comparing the NTFS Master File Table modification time to that of the local file’s timestamps. Differences between these two values indicate possible unauthorized file encryption, though the author warns that false positives will most likely be found, so proceed with caution.

http://poshcodebear.com/blog/2014/5/2/function-to-aid-in-finding-cryptolocker-encrypted-files

CryptoLocker / OU Scan Reporter

This script queries hosts on a network OU and scans each for potential CryptoLocker activity.  The results are then written back to an Excel file. The script relies upon being able to access the Windows Remote Registry Service to search for the known values that CryptoLocker writes to an infected system.

https://gallery.technet.microsoft.com/scriptcenter/Cryptolocker-report-8155ac6b

Dump Local Encrypted Files List from the Registry

The following PowerShell one-liner will export a list of the files that the local CryptoLocker infection has encrypted. Differing versions of CryptoLocker in the wild appear to modify this registry location, so this will likely not work with all variants that might be encountered.

(Get-Item HKCU:\Software\CryptoLocker\Files).GetValueNames().Replace("?","\") | Out-File CryptoLockerFiles.txt -Encoding unicode
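The OU scan and the registry dump above combined into one added example (not the TechNet gallery script or code from the original post): every computer in an OU is checked over the Remote Registry service for the CryptoLocker key, and on each hit the encrypted-file list is pulled with the same "?" to "\" translation, then written to a CSV rather than Excel. It assumes the ActiveDirectory module is present, the Remote Registry service is running on the targets, the account running the scan is a local administrator there, and the key path is the one given above; the OU and report name are placeholders.

```powershell
param(
    [string]$SearchBase = 'OU=Workstations,DC=example,DC=com',   # placeholder OU
    [string]$Report     = 'CryptoLockerScan.csv'
)
Import-Module ActiveDirectory

$results = foreach ($pc in Get-ADComputer -Filter * -SearchBase $SearchBase | Select-Object -ExpandProperty Name) {
    try {
        # HKCU is only meaningful inside an interactive session, so walk HKEY_USERS on the
        # remote machine and look beneath each loaded domain-user SID instead.
        $hku = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('Users', $pc)
        foreach ($sid in $hku.GetSubKeyNames() | Where-Object { $_ -like 'S-1-5-21-*' -and $_ -notlike '*_Classes' }) {
            $key = $hku.OpenSubKey("$sid\Software\CryptoLocker\Files")
            if ($null -eq $key) { continue }
            # Each value name is an encrypted path with '\' stored as '?'.
            foreach ($v in $key.GetValueNames()) {
                [pscustomobject]@{ Computer = $pc; UserSid = $sid; EncryptedFile = $v.Replace('?', '\') }
            }
            $key.Close()
        }
        $hku.Close()
    } catch {
        # Offline hosts, stopped Remote Registry service, or access denied all land here.
        [pscustomobject]@{ Computer = $pc; UserSid = 'ERROR'; EncryptedFile = $_.Exception.Message }
    }
}

$results | Export-Csv -Path $Report -NoTypeInformation -Encoding Unicode
# Quick summary: number of encrypted files recorded per infected host.
$results | Where-Object UserSid -ne 'ERROR' | Group-Object Computer | Select-Object Name, Count
```

An empty result set proves nothing for variants that do not write this key, so treat a hit as confirmation and a miss as inconclusive.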

Remediation

Due to the manner in which CryptoLocker encrypts files, it is generally considered impossible to recover them without access to the underlying cryptographic keys used by the attackers. Fortunately, through the efforts of some security firms, it is now possible to recover the key used for encrypting the files and then to unlock them for a full recovery.

The website https://decryptcryptolocker.com/ will let you upload an infected file and then will email you the associated key. The key, together with the recovery program from the site, will let you unlock your files.

Decryptolocker.exe -key "<key>" <Lockedfile.doc>

Depending on how you built your list of encrypted files, this process can be further automated with PowerShell’s foreach command.

http://blogs.technet.com/b/heyscriptingguy/archive/2014/04/28/basics-of-powershell-looping-foreach.aspx
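The foreach automation suggested above, as an added example (not code from the original post or from the recovery tool's authors): it reads the file list exported earlier, runs the recovery program once per file, keeps a copy of the ciphertext in case the key turns out not to match, and records the outcome. It assumes Decryptolocker.exe is in the current directory and exits with code 0 on success, which you should verify against the tool's own documentation before trusting the log; the list file name is the one the one-liner above writes.

```powershell
param(
    [Parameter(Mandatory)] [string]$Key,                  # the key emailed to you for the uploaded sample
    [string]$ListFile = 'CryptoLockerFiles.txt',
    [string]$Tool     = '.\Decryptolocker.exe'
)

$log = @()
foreach ($path in Get-Content $ListFile | Where-Object { $_.Trim() -ne '' }) {
    if (-not (Test-Path -LiteralPath $path)) {
        $log += [pscustomobject]@{ File = $path; Status = 'missing' }
        continue
    }
    # Keep the untouched ciphertext: a wrong key or a crash mid-write would otherwise
    # leave you with nothing to retry against.
    Copy-Item -LiteralPath $path -Destination "$path.locked" -ErrorAction SilentlyContinue

    # Same invocation as the manual command, quoted so paths with spaces survive.
    $p = Start-Process -FilePath $Tool -ArgumentList @('-key', "`"$Key`"", "`"$path`"") -Wait -PassThru -NoNewWindow
    $status = if ($p.ExitCode -eq 0) { 'recovered' } else { "exit $($p.ExitCode)" }
    $log += [pscustomobject]@{ File = $path; Status = $status }
}

$log | Export-Csv -Path DecryptResults.csv -NoTypeInformation
# Tally so you can see at a glance how many files still need attention.
$log | Group-Object Status | Select-Object Name, Count
```

Spot-check a few "recovered" files by opening them before deleting the .locked copies.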

Conclusion

The mass wave of CryptoLocker infections has prompted many to create free tools and scripts to help you combat infections. However, given the economic success enjoyed by CryptoLocker's authors, it is only a matter of time before the next devastating round of ransomware is unleashed. To minimize the threat, we suggest you go back to our 4 As: authentication, authorization, auditing, and alerting.

Further, learning more practical, security-focused PowerShell will help you protect your network regardless of the source of the threat. You can unlock the full 3-hour video course on PowerShell and Active Directory Essentials with the code cmdlet.
