Reduce the Risk of CryptoLocker Without Using Antivirus

Sponsored Blog

A recent USA Today article about the nasty ransomware known as CryptoLocker made some awfully big assumptions about how to remove it. According to them, there’s nothing you can do to remove it. They aren’t exactly right, and we’ll explore why.

While there are, of course, cases in which it can’t be removed, there are certain best practices for defending against it and there are ways to remove some types of ransomware before it really affects the system it’s on. The best bet is to prepare for this type of threat beforehand. Here are two ways to prevent or remove malware, CryptoLocker, or other types of ransomware. Plus, they don’t even require antivirus.

Education
Any business has a workforce with employees of varying tech-savviness. This means that some might not see an infected email attachment as a threat at all—they just don’t know any better. These are the people that could (and probably do) end up with the most problems. The remedy is to help employees understand how to spot threats and keep themselves safe while browsing. Any good IT admin can protect against most threats using antivirus, firewalls, and so forth, but no IT admin can protect every employee who isn’t familiar with the basics of cyber safety. Teaching safe computing practices to workers is one of the best ways to prevent threats like CryptoLocker from ever becoming an issue.

Incremental Backups
As is often the case, preparing for threats ahead of time is pivotal. Many businesses elect to back up critical servers but ignore workstations because of the cost or effort involved. Yet regular incremental backups of workstations are the best way to defend against threats like CryptoLocker. Instead of worrying about how you’ll get the files decrypted, or about actually giving the hackers what they want, you simply restore to a point in time before you were infected—it’s dead simple. Those that aren’t backing up might literally pay the price.

The above two solutions involve some pre-planning, but what if it’s too late for that?

Removal
Suppose one of the less tech-savvy members of your workforce ends up with CryptoLocker and you’ve got no way to restore a backup. Perhaps the backups you were taking were unreliable and can’t be recovered, or perhaps you didn’t take any at all. In some situations, removing CryptoLocker can be a simple process that starts by using System Restore and then scanning with a solid antivirus solution. You can also try restarting the computer in safe mode with command prompt and deleting the registry keys that reference the files affecting you (check out this article for some of the file extensions commonly associated with CryptoLocker). Of course, there are plenty of occasions where none of the above methods will work. If none of these methods work and you don’t have a point in time to restore to, you might be out of luck.

The thought of losing an entire system’s worth of data should at least illustrate the importance of taking care of things ahead of time. As always, thinking ahead about cyber-security is your best bet. If you don’t have a plan that addresses situations where cyber threats sneak past your security (or are downloaded accidentally by employees), it’s time to think about getting one. Ransomware will only become more ubiquitous in the days to come.


Casey Morgan is the marketing content specialist at StorageCraft. U of U graduate and lover of words, his experience lies in construction and writing, but his approach to both is the same: start with a firm foundation, build a quality structure, and then throw in some style. If he’s not arguing about comma usage or reading, you'll likely find him and his Labrador hiking, biking, or playing outdoors -- he's even known to strum a few chords by the campfire. Casey.Morgan@storagecraft.com

on May 30, 2014

This article suggests removing CryptoLocker from an infected PC. Two things to consider are 1) you won't be able to pay the ransom and get your files back if you remove the program, and 2) it's never advisable to use a computer that's been compromised. The only safe thing to do is wipe and reimage.

As for prevention, the most effective technique so far is to prevent executable files from running in the %APPDATA% space using either Software Restriction Policies or AppLocker.

For mitigation, some people are putting canaries on the network - files that are monitored for changes likely caused by CryptoLocker. See http://www.reddit.com/r/sysadmin/comments/1qf7yi/cryptolocker_using_powershell_as_a_tripwire/ for an example.
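The canary-file tripwire the comment above describes, written out as an added PowerShell example (this is not code from the article, the commenter, or the linked thread); the folder path, decoy file names and log location are assumptions chosen for illustration:

```powershell
# Added example, not code from the article or the commenter. It implements the
# "canary file" idea: seed a dedicated folder with decoy documents and alert when
# anything in it is modified, renamed or deleted. Paths and names are assumed.
$CanaryDir   = 'C:\Shares\Finance\_canary'      # assumed: a folder exposed on a user-visible share
$CanaryNames = @('aaa_invoice.docx', 'aaa_budget.xlsx', 'zzz_notes.txt')
$LogFile     = 'C:\ProgramData\CanaryWatch\alerts.log'

New-Item -ItemType Directory -Path $CanaryDir -Force | Out-Null
New-Item -ItemType Directory -Path (Split-Path $LogFile) -Force | Out-Null

# Seed the decoys and record a SHA-256 of each so a spurious Changed event
# (same content) can be told apart from a real overwrite.
$Baseline = @{}
foreach ($name in $CanaryNames) {
    $path = Join-Path $CanaryDir $name
    if (-not (Test-Path $path)) {
        Set-Content -Path $path -Value "canary $name" -Encoding ASCII
    }
    $Baseline[$path] = (Get-FileHash -Path $path -Algorithm SHA256).Hash
}

$watcher = New-Object System.IO.FileSystemWatcher
$watcher.Path   = $CanaryDir
$watcher.Filter = '*'                       # the folder is dedicated, so any change is suspect
$watcher.NotifyFilter = [System.IO.NotifyFilters]'LastWrite, FileName, Size'
foreach ($evtName in 'Changed', 'Renamed', 'Deleted') {
    Register-ObjectEvent -InputObject $watcher -EventName $evtName -SourceIdentifier "Canary.$evtName" | Out-Null
}
$watcher.EnableRaisingEvents = $true
Write-Host "Watching $CanaryDir; alerts go to $LogFile (Ctrl+C to stop)."

while ($true) {
    $evt    = Wait-Event                    # blocks until any registered event is queued
    $fsArgs = $evt.SourceEventArgs
    $real   = $true
    if ($fsArgs.ChangeType -eq 'Changed' -and (Test-Path $fsArgs.FullPath)) {
        try   { $now = (Get-FileHash -Path $fsArgs.FullPath -Algorithm SHA256).Hash }
        catch { $now = 'unreadable' }       # file locked mid-write: still worth an alert
        if ($now -eq $Baseline[$fsArgs.FullPath]) { $real = $false }
    }
    if ($real) {
        $line = '{0} {1} {2}' -f (Get-Date -Format o), $fsArgs.ChangeType, $fsArgs.FullPath
        Add-Content -Path $LogFile -Value $line
        Write-Warning "Canary triggered: $line"
        # Assumed response hook: e.g. disable the share or page the on-call admin.
    }
    Remove-Event -EventIdentifier $evt.EventIdentifier
}
```

Run it under an account that can read the canary folder and write the log; a Renamed or Deleted event, or a Changed event whose content hash no longer matches the baseline, is logged as a hit.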
