Current Version: 4.3
CryptoPrevent is a tiny utility to lock down any Windows OS (XP, Vista, 7, 8, and 8.1) to prevent infection by the Cryptolocker malware or ‘ransomware’, which encrypts personal files and then offers decryption for a paid ransom.
Incidentally, due to the way that CryptoPrevent works, it actually protects against a wide variety of malware, not just Cryptolocker!
UPDATE: Feb 6th 2014:
YES, CryptoPrevent still protects against the latest strains of CryptoLocker!!! See video at the bottom of this page for a demonstration if interested.
Malware gets updates, shouldn’t you be updating CryptoPrevent too?
Click here to learn more…
For current MD5/SHA256 hashes and analysis of CryptoPrevent v4.3, visit this VirusTotal.com link for the portable EXE, or this link for the installer version. For a nice little utility to examine and compare file hashes you can download my tool, QuickHash.
- v4.3 – separated protection option for %userprofile% / %programdata% / Startup Folder and added whitelisting capabilities for those locations – also removed unnecessary reboot prompt after automatic update on Vista+ OSes.
- v4.2.6 – removed the *.com file rule for %userprofile% as this was causing some issues with user accounts with .com in the path name under certain circumstances.
- v4.2.5 – Fixed a minor bug in that using the /w= command line parameter was also forcing /whitelist whether it was specified or not.
- v4.2.4 – Fixed a recent bug causing email alerts to not be sent properly.
- v4.2.3 – Misc. changes to the White-Label edition. Added IP address / Computer Name to the optional alert email when an application is blocked (Premium edition.)
- v4.2 – Added Start Menu > All Programs > Startup folder protection. Added reboot prompt after automatic update / re-application of protection.
- v4.1.5 – Misc changes to whitelisting functionality and added a link to the Email Setup FAQ inside the program.
- v4.1 – Added RLO (Right to Left Override) exploit protection to Fake File Extension protection function.
- v4.0 – Added Event Log to check event history of blocked applications. In the Premium Edition (formerly Automatic Update Edition), added email alert capability when an application is blocked.
There already exists a Cryptolocker Prevention Kit as found here, but it only works with domains and OSes that have access to group policy editor (Professional versions of Windows) leaving Home versions without a method of protection. It also isn’t the most intuitive of installations for the average Joe, either. The methodology CryptoPrevent uses to lock down a system was presented by Lawrence Abrams of bleepingcomputer.com here, and without that guide CryptoPrevent would not exist. Unfortunately, like the other Cryptolocker Prevention Kit mentioned, the guide by Lawrence Abrams involves usage of the Group Policy Editor available in Professional versions of Windows, and is a time consuming manual task.
CryptoPrevent seeks to alleviate these issues in allowing protection on ALL Windows OSes, while being easy enough for the average Joe to do, and optionally providing silent automation options for system admins and those who need to immunize a lot of computers automatically. Further, CryptoPrevent has been improved to include upwards of 200 rules instead of just 6.
CryptoPrevent is a single executable and is fully portable (of course unless you download the installer based version) and will run from anywhere, even a network share.
The User Interface
The User Interface allows you to select to apply the blocks to executable files as listed under Prevention Methodology below. You may also automatically whitelist all EXEs located in %appdata% / %localappdata% and first level subdirectories. There also exists an Undo feature, and a Test feature, a Whitelist Options dialog allowing you to selectively whitelist individual items, and a feature to automatically check for and apply updates to the application itself.
CryptoPrevent artificially implants group policy objects into the registry in order to block certain executables in certain locations from running. The number of rules created by CryptoPrevent is somewhere between 150 and 200+ rules depending on the OS and options selected, not including whitelisting! Note that because the group policy objects are artificially created, they will not display in the Group Policy Editor on a Professional version of Windows — but rest assured they are still there! Executables now protected against (starting with v2.6) are *.exe *.com *.scr and *.pif, and these executables are blocked in the paths below where * is a wildcard:
%appdata% / %localappdata% / Recycle Bin - These locations are used by Cryptolocker and other malware as launch points.
- %appdata% and any first-level subdirectories in %appdata% (e.g. %appdata%\directory1, %appdata%\directory2, etc.)
- %localappdata% (and on Windows XP, any first-level subdirectories in there.) NOTE beginning with v2.2, any time %localappdata% is referred to on this page, it also refers to %userprofile%\Local Settings\Application data on Windows XP, where %localappdata% is not an actual environment variable.
- The All Users application data and local settings\application data paths on XP.
- The Recycle Bin on all drives, and multiple nested subfolders.
%userprofile% / %programdata% / Startup Folder
- the %userprofile% and %programdata% paths (no nested subfolders.)
- the Startup folder located in the Start menu > All Programs > Startup
Fake File Extension Executables: (ex. document.docx.exe)
- *.x.y where:
- x = pdf, doc, docx, xls, xlsx, ppt, pptx, txt, rtf, zip, rar, 7z, jpeg, jpg, png, gif, avi, mp3, wma, wmv, wav, divx, mp4
- y = exe, com, scr, and pif.
- with v4.1, now includes RLO (Right to Left Override) exploit protection.
Temp Extracted Executables in Archive Files:
- %temp%\rar* directories
- %temp%\7z* directories
- %temp%\wz* directories
- %temp%\*.zip directories
The final four locations above are temporary extract locations for executables when run from directly inside of a compressed archive (e.g. you open download.zip in Windows Explorer, WinRAR, WinZip, or 7zip, and execute an .EXE from directly inside the download, it is actually extracted to a temporary location and run from there – so this guards against that as well; however this option may interfere with certain program installations (e.g. Firefox) and for this reason this option is NOT recommended for most people.)
NOTE the variable %temp% is no longer used, and instead the actual temp file path is expanded after %userprofile%. There is an apparent bug in Microsoft’s software prevention policies that does not allow for the %temp% environment variable to be used in the rules (as it does allow %appdata% or %userprofile%)… so protection for %temp% folders is now applied by expanding the full path to the user’s temp folder (after %userprofile%) in each rule set. In prior versions, CryptoPrevent attempted to use the %temp% environment variable to protect all user accounts, but it was later discovered that methodology wasn’t working on all systems. If you applied protection with prior versions and want temp extracted exes blocked, you may want to reapply protection with v2.2 to ensure it will work for you.
Protection does not need to be applied while logged into each user account, it may be applied only once from ANY user account and it will protect all user accounts on the system.
The Test Feature
When using the test feature, you are first presented with a dialog of simple success or failure. What actually happens is a temporary executable is extracted to %appdata% and the test feature attempts to launch it, if the launch fails then the prevention is successful. If the launch succeeds the temporary application silently returns errorlevel 9 back to CryptoPrevent to alert it that the app was successful in launching and the prevention has failed.
NOTE: Versions prior to v1.3 did not alert when the prevention was successful, only if it failed – this is explained in a dialog box which pops up prior to the test in those versions.
There are a handful of legitimate executables that developers have poorly decided to put in these locations, and the most popular seems to be ‘Spotify’ though there also there are a few remote support applications as well that can run from these locations. Due to this CryptoPrevent v2 comes with a whitelist editor and capabilities. From here you can view whitelisted items and add your own manually or via browse button, and also you may choose to automatically whitelist all items currently located in %appdata% / %localappdata% and their first level subdirectories. Note that manually entered whitelist items may NOT contain wildcards.
You may undo the protection at any time by using the Undo button in the main interface. You are given the option in v2.x to also undo the whitelist policies, selecting no will undo the protection only. Note that actually removing the protection is not consistent behavior. In my testing, when removing the protection sometimes the change is instantaneous, while other times a reboot is required just like applying the policies in the first place, and on rare occasion a group policy update is required, then a reboot. Windows is funny that way and there seems to be no way to predict this behavior. v2.1.1 now runs gpupdate /force after the Undo features to ensure group policy is refreshed, and then protection is tested for again to determine if a reboot prompt will be displayed.
Automation / Scripting
CryptoPrevent when run by itself will display a user interface, but command line parameters may be utilized (in v1.1 and above) for optionally silent automation. Command line parameters accepted are:
- /apply - this option applies the default settings (to block *.exe in both %appdata% locations and the four %temp% locations.)
- /silent - this option SILENTLY applies the default settings as listed above (or when combined with /undo it will silently undo the protection.)
- /reboot - this option SILENTLY applies the default settings as listed above, and executes a forced mandatory reboot.
- /noappdata - this option skips the block on both %appdata% locations as explained above.
/notempexes - this option skips the block on the four %temp% locations as explained above.(this option is skipped by default in v3.1)
- /nouserprof - this option skips the block on %userprofile% / %programdata% / and the Start menu > Startup folder.
- /includetempexes – (new in v3.1) – include the Temp Extracted Executables block.
- /nofakeexts – (new in v2.5!) this option skips the block on the fake file extension executables as explained above.
- /whitelist - whitelist all EXEs currently located in %appdata% / %localappdata% and their first level subdirectories.
- /w=[path\filename.exe] - whitelist a specific file in %appdata% or %localappdata%.
- The path/filename may not contain wildcards.
- If no path is specified (e.g. /w=foo.exe ) then both %appdata%\foo.exe and %localappdata%\foo.exe will be whitelisted.
- If a path is specified it should be only one first level subdirectory from either %appdata% or %localappdata% (e.g. /w=Foo\Bar.exe ) which will actually whitelist both %appdata%\Foo\Bar.exe and %localappdata%\Foo\Bar.exe
- /p=[filename.exe] - whitelist a specific file in %programdata%
- /u=[filename.exe] - whitelist a specific file in the %userprofile%
- /s=[filename.exe] - whitelist a specific file in the Start menu > Startup folder
- /undo - this option obviously removes the protection, and can be combined with the /silent parameter.
- /undoall – this option removes the protection and any whitelist policies defined as well.
- /nogpupdate – skip the group policy update after modifications are made.
- /test - obviously this runs the test feature, overriding any other command line parameters. v1.3 is required for this parameter to function. Scripters should use the new CryptoPreventTestCLI.exe included with v1.4 and above to silently test for the protection, as this command line parameter will output a dialog box just like the test button in the main user interface.
These parameters may be used in most any logical combination, e.g.
- CryptoPrevent.exe /whitelist /reboot
- CryptoPrevent.exe /undoall /silent
- CryptoPrevent.exe /silent /whitelist /notempexes /w=Foo\Bar.exe /w=Foo\Bar2.exe
IMPORTANT NOTE: If you are pushing out CryptoPrevent.exe through Labtech’s RMM tool, there may be a problem with the /whitelist parameter not working as intended. You must use the ‘Process Execute as Admin’ or ‘Shell as Admin’ option to deploy properly. This is confirmed to work properly when running under the local system account as deployed via Kaseya. I do not have any feedback on other RMM deployment tools or methods.
This is a console application designed to test for the protection, designed to be scripted, and included in the latest portable download. Perfect for usage with your RMM software (maybe, see note below,) when protection tests successful, it will output to the console “Prevention Successfully Applied!” and exit with errorlevel 0. If unsuccessful, it exits with errorlevel 1 and prints to the console “Prevention Not Applied or Unsuccessful!”
NOTE: This test will always return unsuccessful when run from the local system account, as many RMM tools will do by default. It must be run from a standard user or admin account to test properly. This is because the local system account is NOT restricted by the policies set by CryptoPrevent.
You released a new version. Should I update, and how?
YES! You should periodically check for and update to the latest version using the program’s internal update function in the top menu to stay current with the latest methodology in preventing this (and other) malware. After update it is then necessary to re-apply the protection to your system. It is not necessary to undo the previous protection in place before doing this, or even to uninstall the app before updating. If you have an older version of the app before the update functionality was introduced, simply download and install the latest version, then re-apply protection.
This process is entirely automatic for users of the Premium edition (which includes automatic updating functionality.)
Will this protect against other malware?
YES! A LOT of trojan based malware out there utilizes the same infection tactics and launch point locations as Cryptolocker, therefore CryptoPrevent will protect against all malware that fits the same or similar profile and behavior. This is especially true in v2.6+ when protection was increased to include other executable types.
My legitimate software isn’t working properly after applying the protection. What do I do?
Be CERTAIN you have the latest version of the app, which is getting better all the time at not blocking legitimate applications. If you had an outdated version, after update then re-apply the protection and restart, then re-test your app. If it still isn’t working, ensure you’ve done the whitelisting first, and reboot if new entries are added to the whitelist. If it still isn’t working, then you may need to temporarily undo protection when using/installing that app. If this is the case, I would appreciate you telling me what app isn’t working for you and if you can, the details on the app’s filename and where it is running from, maybe I can help alleviate the issue with a new version.
Does my existing Anti-Virus software protect against this threat?
I cannot answer that. Your existing Anti-Virus protection is only as good as the latest definition files, and I can’t tell you which products on the market are confirmed to protect against this threat. What I can tell you is that there is NO Anti-Virus software on the market today that provides the same type of protection that CryptoPrevent provides, it works in an entirely different manner. Since the two can co-exist on the same PC peacefully, why not utilize both methods of protection?
Does CryptoPrevent work with my existing Anti-Virus software?
Yes. Because CryptoPrevent is not an active monitor, it only writes these rules for Windows to follow and that’s it, it will sit peacefully along side any Anti-Virus software without issue.
Does CryptoPrevent work on Server operating systems?
Yes it can, same as a workstation OS. Still, I would recommend unless you need all of CryptoPrevent’s features, to utilize Group Policy and create your own rule set, as CryptoPrevent may cause unintended side effects. There is also an existing prevention kit by thirdteir.net available in Group Policy format here if you prefer. But my question is: WHY would you want to install the rules on a server, unless you actually allow people to check their email from the server, and there isn’t any other reason that malicious files will be executed from the server itself, then what would be the purpose of installing the rules?
How can I tell if CryptoPrevent is running?
It isn’t. Once you run CryptoPrevent and apply the protection, it doesn’t have a need to run again as Windows itself is now the one doing the protecting by following CryptoPrevent’s rules. CryptoPrevent will only run again if you launch the program to test, check for updates, or undo/re-apply the protection. The exception to this is that with Automatic Updates enabled, it will run once daily to check for and apply updates if necessary. Also if using v4 with email alerts enabled, a monitoring service will be running constantly in order to email you when an application is blocked, though this service is not part of the protection itself, just the alert feature.
Is this guaranteed protection?
NO! While the methods utilized by this program do protect and prevent infection of current strains of Cryptolocker (and a lot of other malware for that matter,) I cannot guarantee what the future will bring. Rest assured, I will continue to study the latest variants of this and other malware in an attempt to keep this program relevant and continue to provide an excellent additional layer of protection against this and other threats.
Video of v2.x with new whitelisting capabilities: http://www.youtube.com/watch?v=He4Evv7R2f4
Video of v2.2 protection against an earlier strain of the Cryptolocker malware in both Windows XP and Windows 7 environments. http://youtu.be/M4dNuZYGgMM
Video of v4.3 protection against the latest strain (as of Feb 6th 2014):
Malware gets updates, shouldn’t you be updating CryptoPrevent too?
Click here to learn more…
CryptoPrevent is completely FREE for personal and commercial usage. If you would like to give a little something for it, consider purchasing the Premium Edition (with Automatic Updates)
Download the portable version below (recommended for scripting/deployment):
Download a setup installer with full uninstall support below (recommended for most people.)