Tuesday, 08 December 2015 12:32

Cryptolocker Removal, Prevention and Mitigation

This article will help you deal with Cryptolocker, and hopefully prevent you from getting it. If you are here because you are already infected, I have also given some things you can try to get rid of the infection and hopefully recover some of your data.

Clean List

This does not decrypt your files but cleans the infection. If your files are encrypted I would recommend buying a new hard drive and starting again on that drive while you wait to see if you can recover your files. Do not pay the ransom; there is no guarantee you will get your files back anyway. If you try to decrypt your files I would recommend doing that on an image of your drive, so yes, that's right, you could end up with 3 hard drives.

Recommended list of things to do to remove the Cryptolocker infection

  1. Image PC hard drive to another HDD
  2. Comodo Rescue - Boot from DVD, update and scan
  3. Hitman Pro Kickstart- Boot from DVD, update and scan
  4. Comodo CIS, install update and scan
  5. Malwarebytes, install update and scan
  6. sfc /scannow
  7. Netsh winsock reset
  8. Combofix
  9. Hitman Pro Alerts, install update and scan alerts
  10. Check for infections manually
  11. Scan with other Antivirus software (Avast/AVG....)

Prevent List

These are things you can do to reduce your chance of getting infected by Cryptolocker in the first place.

  • Foolishit CryptoPrevent - Modifies Registry and Group Policies
  • Hitman Pro Alerts, install update and scan alerts
  • Use Comodo CIS as your security solution and enable:
    • HIPS
    • Behaviour Analysis
    • Virus Scope
    • Auto Sandbox
    • Comodo Secure DNS (or your preferred secure DNS)
  • Firefox - Use only this browser and:
    • NoScript
    • Disable Flash by default
    • Block all ads (uBlock Origin)
    • Run in a sandbox (Comodo CIS has this feature)
  • Google Chrome
    • Block all ads (uBlock Origin)
    • Run in a sandbox (Comodo CIS has this feature)
    • Anything else that is in the Firefox list
  • Malwarebytes Anti-Exploit (Pro version is better)
  • Malwarebytes Pro - Has a real time scanner
  • User Account Rights
    • Create an administrator account with a password on it
    • Downgrade all accounts to Non-admin rights (Standard User)
  • Software
    • Use software whitelisting methods rather than blacklisting
    • Update Windows (set to automatic updates)
    • Update in particular
      • Adobe PDF - better to completely remove
      • Adobe Flash - better to completely remove
      • Java - better to completely remove
    • Update all software
    • Remove unneeded software
  • Network / Network Shares / Mapped Drives
    • Secure DNS (Comodo/OpenDNS/Norton DNS etc..)
    • Restrict what sites staff/computers can visit on a network level
    • Disable public network settings in network sharing (advanced settings)
    • Make all shares read only or disable them, including c$, d$
    • Don't use mapped drives
    • Hardware SPI Firewall that scans the traffic on a hardware basis
    • Always use a NAT router and never expose a computer to the internet with a real (public) IP
    • Disable all unneeded ports
    • Point DMZ to a non-existent internal IP
  • Email
    • Spam filters on your email server
    • Secure email to prevent credential capturing
    • Antivirus Email scanning - A specific scanner that checks all incoming and outgoing mail for virus and then cleans the mail
    • Block all .exe attachments in Outlook or whatever email client you are using.
  • HardCore (only if you really can)
    • Remove internet access
    • Disable all usb ports
    • Remove all Web Browsers
    • Use Group Policy and cripple the computer except for what is required of it.

* These measures could go in my security document
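The account, mapped-drive and share items in the list above can be audited from PowerShell. This is an added example, not a script from the article; it assumes Windows 8 / Server 2012 or later (for the SmbShare cmdlets) and an elevated window. Mapped drives are per logon session, so check those from the daily user's session as well.

```powershell
# Added audit script (not from the original article). Run elevated.

# 1. Account rights: is this session running as an administrator?
#    (Article: keep one password-protected admin account, downgrade the rest to Standard User)
$id      = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin = (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
               [Security.Principal.WindowsBuiltInRole]::Administrator)
"Current user $($id.Name) has admin rights: $isAdmin"

# 2. Mapped drives: a drive letter is exactly what ransomware enumerates
#    (Article: don't use mapped drives, use UNC paths instead)
"Mapped drives in this logon session:"
Get-PSDrive -PSProvider FileSystem |
    Where-Object { $_.DisplayRoot -like '\\*' } |
    Select-Object Name, DisplayRoot | Format-Table -AutoSize

# 3. Shares, including the administrative ones (C$, D$, ADMIN$)
#    (Article: make all shares read only or disable them, including c$, d$)
"Shares and who can write to them:"
foreach ($share in Get-SmbShare) {
    $writers = Get-SmbShareAccess -Name $share.Name |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       $_.AccessRight -in @('Change', 'Full') } |
        Select-Object -ExpandProperty AccountName
    [pscustomobject]@{
        Share       = $share.Name
        Path        = $share.Path
        Special     = $share.Special          # $true for C$, D$, ADMIN$, IPC$
        WriteAccess = ($writers -join ', ')   # empty = read only, what the article wants
    }
} | Format-Table -AutoSize
```

Any share listed with a non-empty WriteAccess column, and any drive letter in the mapped-drive table, is an item from the list above that still needs fixing.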

Mitigation

Backup Your Data

This is by far one of the most important things you can do, but there are a few rules you must follow depending on your backup solution.

  • Backups should be created for all of the following reasons
    • Restore from cryptolocker infection
    • Prior version of files
    • Hardware failure
  • All backups must be stored off the machine with the data on
  • Air-gapped backups are an excellent defence against Cryptolocker but require manual intervention
  • When using a shared folder to store backups
    • Do not connect to backup shares with mapped drives
    • Backup shares should be a UNC path, not a mapped drive. If there is no mapped drive, Cryptolocker cannot see it.
    • The share should have password protection on it which is not the same as the logged-on user's. If Cryptolocker does find the share, it is unable to log on because the user's account does not have permission.
    • The username and password for the share will be stored within the backup software only, preventing it from being exposed to Cryptolocker.
  • Incremental backups
    • Even if your files get encrypted you will have a prior version of all your files.
    • If you use just a backup-and-replace policy and you don't notice that your files are encrypted, your backed-up files will also get replaced with encrypted versions.
  • Cloud based backup
    • These can be an excellent method of keeping your files safe as they tend to have incremental file backups in place.
    • These systems will have massive hardware redundancy so you do not have to worry about this either.
    • The downside to these is that they are a paid service, so once you start to use them you have to keep paying them.
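The shared-folder and incremental-backup rules above, put together in one backup job. This is an added example, not a script from the article; it assumes a share \\BACKUPSRV\Backups, a backup-only account BACKUPSRV\backupsvc that the daily-use account does not know, and C:\Users\Alice\Documents as the folder being backed up.

```powershell
# Added backup job (not from the original article). Names below are assumed.
$Share  = '\\BACKUPSRV\Backups'          # UNC path, never a drive letter
$Source = 'C:\Users\Alice\Documents'

# The backup account's password exists only inside this job; the logged-on user
# has no rights on the share, so malware running as that user cannot reach it.
$Cred = Get-Credential -UserName 'BACKUPSRV\backupsvc' -Message 'Backup-only account'
$Pw   = $Cred.GetNetworkCredential().Password

# Connect to the UNC path with no drive letter, for the duration of this job only.
net use $Share $Pw "/user:$($Cred.UserName)" /persistent:no | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Could not connect to $Share" }

try {
    # One dated folder per run: a backup-and-replace job would overwrite good copies
    # with encrypted ones, a dated folder keeps the prior version of every file.
    $Dest = Join-Path $Share ('Documents_' + (Get-Date -Format 'yyyy-MM-dd_HHmm'))

    # /E subfolders, /XJ skip junctions, /R:1 /W:1 fail fast, /NP no progress output
    robocopy $Source $Dest /E /XJ /R:1 /W:1 /NP /LOG+:"$env:TEMP\backup.log" | Out-Null
    # robocopy exit codes 0-7 are success variants; 8 and above mean copy failures
    if ($LASTEXITCODE -ge 8) {
        throw "robocopy reported failures (exit $LASTEXITCODE), see $env:TEMP\backup.log"
    }

    # Retention: keep the newest 14 dated folders so the share does not fill up
    Get-ChildItem -Path $Share -Directory -Filter 'Documents_*' |
        Sort-Object Name -Descending |
        Select-Object -Skip 14 |
        Remove-Item -Recurse -Force
}
finally {
    # Drop the connection so nothing else in this logon session can reach the share
    net use $Share /delete /y | Out-Null
}
```

Schedule the script with Task Scheduler under the backup account rather than the daily user so the credentials never sit in the user's session.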

Data Recovery Options

Image the affected hard drive before you do anything, and make sure you do not boot off the infected drive.

  • Volume Shadow Copy / System Restore - Use these programs to browse SystemRestore Points
    • ShadowExplorer.com - ShadowExplorer allows you to browse the Shadow Copies created by the Windows Vista / 7 / 8 Volume Shadow Copy Service. It's especially thought for users of the home editions, who don't have access to the shadow copies by default, but it's also useful for users of the other editions.
    • System Restore Explorer - System Restore Explorer is a tool which allows you to browse system restore points on your computer and select individual ones for deletion should you wish to free up some disk space. It also allows you to mount the contents of a restore point into a folder so that you can browse and copy individual files, without the need to perform a full system restore.
  • Previous Versions - Some folders store old versions of files using the System Restore technology. The Desktop folder does, but I do not know what others do by default. You can access these versions by
    • Boot off the infected drive into Windows
    • Navigate to the Desktop folder via 'My Computer' C:\Users\{User Account}\
    • Right click on the Desktop folder
    • Click on the 'Previous Versions' tab
    • Restore files as needed.
  • Browse the hard drive offline - In another computer and manually Copy off unaffected files.
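The Volume Shadow Copy route above can also be done without ShadowExplorer, by exposing each snapshot as a folder and copying the clean version out of it. This is an added example, not from the article; it assumes an elevated PowerShell on the cleaned machine, that some shadow copies of C: survived, and that the file wanted back is C:\Users\Alice\Documents\report.docx.

```powershell
# Added recovery script (not from the original article). Run elevated.
$VictimFile = 'Users\Alice\Documents\report.docx'   # path relative to the C: volume root
$OutDir     = 'C:\Recovered'

# Shadow copies of the C: volume, oldest first; those taken before the infection hold clean files.
$cVolume = (Get-CimInstance Win32_Volume -Filter "DriveLetter='C:'").DeviceID
$shadows = Get-CimInstance Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $cVolume } |
    Sort-Object InstallDate
$shadows | Format-Table InstallDate, DeviceObject -AutoSize

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

foreach ($s in $shadows) {
    # Expose the snapshot as a directory symlink; the trailing backslash on the
    # \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN path is required.
    $mount = "C:\ShadowMount_$($s.ID.Trim('{}'))"
    cmd /c mklink /d $mount "$($s.DeviceObject)\" | Out-Null
    try {
        $candidate = Join-Path $mount $VictimFile
        if (Test-Path $candidate) {
            # Copy, never move: the snapshot stays intact for another attempt.
            $stamp = $s.InstallDate.ToString('yyyyMMdd_HHmm')
            Copy-Item $candidate (Join-Path $OutDir "report_$stamp.docx")
            "Recovered version from snapshot taken $($s.InstallDate)"
        }
    }
    finally {
        # rmdir on a directory symlink removes the link only, not the snapshot
        cmd /c rmdir $mount | Out-Null
    }
}
```

Open the recovered copies from the oldest snapshot forward; the last one that opens cleanly is the newest version from before the files were encrypted.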

Recommended Cleaning Software

  • Comodo Rescue DVD
  • Hitman Pro Kickstart DVD
  • Comodo CIS
  • Malwarebytes
  • Hitman Pro Alerts
  • Additional AV
    • AVG
    • Avast

Links

Last modified on Saturday, 21 January 2017 14:29