CryptoLocker – File Screens

by bfadmin

Posted on at 08:45am

*** Please note: this is not a cure for CryptoLocker, only one of a number of steps you can take to protect your school.  Up-to-date anti-virus and user education remain the most effective tools at your disposal ***

Catalytic IT have seen a number of schools come up against the dreaded CryptoLocker ransomware, which has been out in the wild for some time.  As a general rule your best protection is firstly end user education, and secondly a solid centralised AV solution that reports back to you.

In this BYO(D/T/whatever) world, we increasingly see unmanaged or semi-managed devices introduced onto the school network.  We can perform compliance checks to ensure that they have an anti-virus program installed, but some vendors are better than others, and we’ve seen machines that claim to be fully protected riddled with malware.  Combine one of those CryptoLocker-infected machines with access to the school file shares and you have a recipe for disaster.

A machine with read/write access to school shares can encrypt every file it can reach and hold you to ransom.  Here’s the kicker: anti-virus on the file server won’t tell you about it, because the malware runs on the client and never touches the server; all the server sees is a legitimate user opening files and writing them back, now encrypted.  Combine that with encryption of a public share (perhaps in an infrequently accessed location) and a relatively short backup retention (say two to three weeks) and it’s entirely conceivable that the encrypted files will have aged out of your backups before anyone notices they are unreadable!

However, there is something you can do (above and beyond making sure your clients have good anti-virus and only the access they require).  For a long time, Windows Server has had “File Screen” functionality built into the File Server Resource Manager (FSRM) component of the file server role.  A file screen can passively watch a folder tree for files whose names match a pattern and notify you when one appears.  We outline a process below to ensure you are notified if CryptoLocker (as we’ve seen it) encrypts files on your network shares:

Firstly, you need to ensure that your file server can notify you if a file system event occurs that you want to be told about:

1)   Launch the File Server Resource Manager (this usually sits under Control Panel->Administrative Tools->File Server Resource Manager)
2)   Right click on File Server Resource Manager (Local) and select “Configure Options”
3)   Configure the Email Notifications tab of your file server with the appropriate details for your school/company
4)   Send Test E-mail to ensure that your settings are correct and working as expected.  You should receive a test email.

Now that you have configured e-mail notification on your file server, you need to create a File Group, which is essentially the set of file-name patterns FSRM watches for to let you know that CryptoLocker has crept onto your shares.  Note that these are wildcard patterns (* and ?), not regular expressions:

5)   Right click on File Screening Management->File Group and select “Create File Group”
6)   Enter the File Group name as “CryptoLocker” and under “Files to include:” enter “*DECRYPT*.*” then select Add.  This matches any file with DECRYPT anywhere in its name, which covers the file names we have seen CryptoLocker drop.
7)   Select OK and you now have a File Group

Now that you have created a File Group you will want to create a “File Screen Template”

8)   Right Click on File Screening Management->File Screen Templates and select “Create File Screen Template”
9)   In the Settings tab set your Template Name to whatever you like (e.g. CryptoLocker-Template), set your screening type to Passive Screening, then tick CryptoLocker in the list of file groups below.  Passive screening only monitors and notifies; it does not block the file from being created, so legitimate work is never interrupted.
10)   Check the “Send e-mail to the following administrators” check box on the E-mail Message tab
11)   Select the Send warning to event log check box on the Event Log tab:
12)   Select OK and you have now created your File Screen Template

Finally, apply this template to the folders that your staff/students can write to.

13)   Right click on File Screening Management->File Screens and select “Create File Screen”
14)  Define the path to the shared folder you wish to protect through the Browse button, and choose your newly created template from the drop down list under “Derive properties from this file screen template (recommended)” then select Create
15)  Repeat this process for each of the shared folders that staff/students could conceivably write to.
16)  You’re done.  From now on you should be notified whenever a staff member or student whose machine is infected with CryptoLocker writes a matching file to one of your shared drives.  Bear in mind this is detection, not prevention: by the time the e-mail arrives, files in that location may already have been encrypted, so the notification is your cue to find the user named in it, get that machine off the network, and start restoring from backup.
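The whole procedure above can be scripted with the FSRM PowerShell cmdlets (FileServerResourceManager module, Windows Server 2012 or later), which is handy when you have several file servers or a long list of shares to cover. This is an added example, not a script from the original post or from Catalytic IT; the SMTP host, e-mail addresses and share paths are placeholders and must be replaced with your own.

```powershell
# Added example: steps 1-15 of the post as a script (not the post's own code).
# Assumptions (not from the post): the SMTP host, addresses and share paths
# below are placeholders; replace them with your own values.
# Requires the FSRM role service and the FileServerResourceManager module
# (Windows Server 2012 or later). Run as an administrator on the file server.

Import-Module FileServerResourceManager

# Steps 3 and 4: server-wide e-mail settings, then a test message.
Set-FsrmSetting -SmtpServer "smtp.school.example" `
                -FromEmailAddress "fsrm@school.example" `
                -AdminEmailAddress "itadmin@school.example"
Send-FsrmTestEmail -ToEmailAddress "itadmin@school.example"

# Steps 5-7: the file group. FSRM patterns are wildcards (* and ?),
# not regular expressions. Add further patterns here as variants appear.
$patterns = @("*DECRYPT*.*")
New-FsrmFileGroup -Name "CryptoLocker" -IncludePattern $patterns

# Steps 10 and 11: the notification actions. [Admin Email], [Server],
# [Source Io Owner], [Source File Path] and [File Screen Path] are FSRM
# macros expanded when the notification fires, so the e-mail names the
# user and the file that tripped the screen. RunLimitInterval (minutes)
# stops one infected machine flooding your inbox.
$mail = New-FsrmAction -Type Email -MailTo "[Admin Email]" `
    -Subject "Possible CryptoLocker activity on [Server]" `
    -Body "User [Source Io Owner] created [Source File Path] under the screened path [File Screen Path]." `
    -RunLimitInterval 10
$event = New-FsrmAction -Type Event -EventType Warning `
    -Body "User [Source Io Owner] created [Source File Path] under [File Screen Path]." `
    -RunLimitInterval 10

# Steps 8-12: the template. -Active:$false is what the GUI calls
# "Passive screening": FSRM notifies but does not block the write.
New-FsrmFileScreenTemplate -Name "CryptoLocker-Template" `
    -IncludeGroup "CryptoLocker" -Active:$false `
    -Notification @($mail, $event)

# Steps 13-15: apply the template to every share staff or students can write to.
$shares = @("D:\Shares\Staff", "D:\Shares\Students", "D:\Shares\Public")
foreach ($path in $shares) {
    New-FsrmFileScreen -Path $path -Template "CryptoLocker-Template"
}

# Check: list every file screen derived from the template so nothing was missed.
Get-FsrmFileScreen |
    Where-Object { $_.Template -eq "CryptoLocker-Template" } |
    Format-Table Path, Active, IncludeGroup
```

To confirm the screen fires end to end, create a file with DECRYPT in its name (for example from a client as an ordinary user) inside one of the screened paths: you should receive the e-mail and see a warning in the server's Application event log. Delete the test file afterwards. Because the screen is passive, the file is created regardless; switching the template to active (-Active) would block files matching the pattern but would not stop the ransomware encrypting the files it has already opened, so the e-mail and event are the valuable part.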

Note: The above process addresses the file names that we have seen; variants may use different file names, which may require you to add further wildcard patterns to the file group (FSRM file groups do not take regular expressions).  As always, rely on multiple approaches to protect your network.