CryptoLocker Ransomware Virus
CryptoLocker, also known as Trojan:Win32/Crilock.A, is ransomware that encrypts files on your local disk and on any mapped shared folder attached to your computer. It then displays a message instructing you to pay a ransom in order to decrypt your files. Once a system is infected, you will see a countdown like this.
CryptoLocker Detection with Scope Actions
CryptoLocker creates very specific registry keys and values that can be detected with a Goverlan Scope Action.
Here are the registry keys to search for:
Note: the “*” asterisk prefix on the value name means that CryptoLocker is also started in Safe Mode.
CryptoLocker stores a list of files that were encrypted in the following registry key:
Action Module for detection of CryptoLocker registry keys
Create a new scope action that queries for all of the registry keys and values listed.
Here are two really good examples of how to create Scope Actions.
Here is what the action module should look like.
Run the Scope Action to start the detection process.
When the Scope Action has finished, choose the Data Sheet Model report to see a list of the systems on which the registry keys were found.
Click on a system to see the registry values.
With this information you can begin to identify infected hosts and start your remediation steps.
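For administrators who want the same registry check outside Goverlan, here is an added PowerShell example that is not part of the original article or the Goverlan product. It performs the detection described above: it looks for the indicator keys, for Run entries whose value name starts with “*” (the Safe Mode marker from the note above), and for the key that holds the list of encrypted files. Because the article's key list did not survive on this page, every registry path below is a placeholder and must be replaced with the keys from the article before use; the function name Find-CryptoLockerHost is this example's own. The example goes a step beyond a plain HKCU lookup: it walks every loaded user hive under HKEY_USERS, since HKCU on a remote session resolves to the account running the check, not to the logged-on user who was infected.

```powershell
# Added example, not Goverlan's or the article's code.
# PLACEHOLDER paths: substitute the registry keys listed in the article.
# Paths are relative to each user hive (HKEY_USERS\<SID>\...).
$KeyIndicators = @(
    'Software\PLACEHOLDER_CRYPTOLOCKER_KEY'              # presence of the key alone is an indicator
)
$RunKeys = @(
    'Software\Microsoft\Windows\CurrentVersion\Run'      # value names beginning with '*' also run in Safe Mode
)
$EncryptedListKey = 'Software\PLACEHOLDER_CRYPTOLOCKER_KEY\Files'   # placeholder: key holding the encrypted-file list

# Runs locally or remotely (via Invoke-Command) and emits one object per hit.
$ScriptBlock = {
    param($KeyIndicators, $RunKeys, $EncryptedListKey)

    # HKEY_USERS is not mapped as a drive by default.
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }

    # Only real user hives (domain/local account SIDs), not the *_Classes twins or system SIDs.
    $hives = Get-ChildItem HKU:\ |
        Where-Object { $_.PSChildName -match '^S-1-5-21-' -and $_.PSChildName -notmatch '_Classes$' }

    foreach ($hive in $hives) {
        $sid = $hive.PSChildName

        # 1. Indicator keys: existence is the signal.
        foreach ($rel in $KeyIndicators) {
            $full = "HKU:\$sid\$rel"
            if (Test-Path $full) {
                [pscustomobject]@{ Computer = $env:COMPUTERNAME; UserSid = $sid
                                   Indicator = 'IndicatorKey'; Location = $full; Detail = $null }
            }
        }

        # 2. Run entries whose value name starts with '*' (started in Safe Mode too).
        foreach ($rel in $RunKeys) {
            $full = "HKU:\$sid\$rel"
            if (Test-Path $full) {
                $props = Get-ItemProperty -Path $full
                foreach ($p in $props.PSObject.Properties) {
                    if ($p.Name.StartsWith('*')) {
                        [pscustomobject]@{ Computer = $env:COMPUTERNAME; UserSid = $sid
                                           Indicator = 'SafeModeRunValue'; Location = $full
                                           Detail = "$($p.Name) = $($p.Value)" }
                    }
                }
            }
        }

        # 3. Encrypted-file list: each value under the key records one encrypted file.
        $full = "HKU:\$sid\$EncryptedListKey"
        if (Test-Path $full) {
            $files = (Get-ItemProperty -Path $full).PSObject.Properties |
                     Where-Object { $_.Name -notlike 'PS*' }       # drop the provider's PSPath/PSParentPath noise
            [pscustomobject]@{ Computer = $env:COMPUTERNAME; UserSid = $sid
                               Indicator = 'EncryptedFileList'; Location = $full
                               Detail = "$($files.Count) file(s); first: $(($files | Select-Object -First 3).Name -join '; ')" }
        }
    }
}

function Find-CryptoLockerHost {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))
    foreach ($c in $ComputerName) {
        if ($c -ieq $env:COMPUTERNAME) {
            & $ScriptBlock $KeyIndicators $RunKeys $EncryptedListKey
        } else {
            Invoke-Command -ComputerName $c -ScriptBlock $ScriptBlock `
                -ArgumentList $KeyIndicators, $RunKeys, $EncryptedListKey -ErrorAction Continue
        }
    }
}

# Usage: check this host, or a list of hosts, and keep the report as a CSV data sheet.
Find-CryptoLockerHost -ComputerName $env:COMPUTERNAME |
    Tee-Object -FilePath "$env:TEMP\cryptolocker-scan.csv" | Format-Table -AutoSize
```

Two caveats a practitioner will hit: only hives of currently loaded profiles appear under HKEY_USERS, so a user who has logged off since the infection will not be seen until their NTUSER.DAT is loaded; and the hosts you name must accept PowerShell remoting from the account running the scan. The objects emitted map directly onto the per-system view the article describes, one row per host and indicator, so Export-Csv or Tee-Object gives you the same data sheet to work the remediation list from.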
For further information on the CryptoLocker ransomware, go to these sites: