Cryptolocker for Terminal Servers
Content
CRYPTOLOCKER
PROTECTION ON
TERMINAL SERVERS
Dangerous new virus
This is a follow up document to the prior document warning about CryptoLocker. This virus also impacts
Terminal Server environments and thus the group policy helping to block the spread needs to be set up
slightly differently.
Figure 1 - Encryption warning on screen
Actions to take on Terminal Servers
Even on a Terminal server your clients are at risk from CryptoLocker or other encryption malware that attacks
the user profile
This document was created for the SMBKitchen Project as part of our effort to help small business IT prepare
for the future. If you are not a subscriber please visit http://www.thirdtier.net and consider joining us.
1
Mere antivirus may not detect these. You may need to use a third party tool such as Microsoft Safety
Scanner to stop it from running. Many times they are located in the user profile AppData folder
It will typically target Office documents as noted on the Excel blog:
"Excel cannot open the file [filename] because the file format or file extension is not valid." opening Office
files - The Microsoft Excel Support Team Blog - Site Home - TechNet Blogs:
http://blogs.technet.com/b/the_microsoft_excel_support_team_blog/archive/2013/09/07/quot-cannotopen-the-file-because-the-file-format-or-extension-is-invalid-quot-opening-office-files.aspx
There is currently an ongoing situation where users may encounter an error when trying to open Office
documents. The error can happen opening any Office file type, not just Excel files. For Excel file types,
the error says: "Excel cannot open the file [filename] because the file format or file extension is not valid.
Verify that the file has not been corrupted and that the file extension matches the format of the file."
For Microsoft Word, the error may read differently: "The file cannot be opened because there are problems
with the contents" or "The file [FileName] cannot be opened because there is a problem with the contents".
We have confirmed that this can also affect PowerPoint files, AutoCAD files and JPEG images.
This problem has been confirmed to be caused by malware on the affected machine. There are now two
known variants of malware which causes this problem: Win32/Crilock.A and Win32/Buma!rts. They have
both been identified as a new family of ransomware.
In order to clean your machine, run Microsoft Safety Scanner
(http://www.microsoft.com/security/scanner/en-us/default.aspx). If infected, Safety Scanner should clean
the virus from the system, however it will not repair corrupted files. You will still need to restore those from
a backup. A detailed analysis of affected files submitted to Microsoft for investigation has revealed the files
are encrypted with a private and public key. The files cannot be recovered without the private key, which is
more than likely held by the attacker. The premise of ransomware is such that if a person pays the ransom
the key is provided to "unlock" the files.
Other resources:
Microsoft Word Support Blog: http://blogs.technet.com/b/wordonenotesupport/archive/2013/09/09/quotcannot-open-the-file-because-the-file-format-or-extension-is-invalid-quot-opening-office-files.aspx
Microsoft PowerPoint Support Blog: http://blogs.technet.com/b/bgp/archive/2013/09/09/3595491.aspx
This document was created for the SMBKitchen Project as part of our effort to help small business IT prepare
for the future. If you are not a subscriber please visit http://www.thirdtier.net and consider joining us.
2
Proactive steps to take
You can use Software Restriction Policies to block executables from running when they are located in the
%AppData% folder, or any other folder.
File paths of the infection are:
C:\Users\User\AppData\Roaming\{213D7F33-4942-1C20-3D56=8-1A0B31CDFFF3}.exe (Vista/7/8)
C:\Documents and Settings\User\Application Data\{213D7F33-4942-1C20-3D56=8-1A0B31CDFFF3}.exe
First we need to build a WMI filter to only apply to Terminal Servers
You could put your Remote Desktop Servers in a specific Organisational Unit and link your Group Policies
there or you could create a WMI Filter to filter by name i.e.
SELECT * FROM Win32_ComputerSystem WHERE ((Name = 'RDSERVER01') OR (Name = 'RDSERVER02'))
Alternatively we can call the WMI Filter against the root\CIMV2\TerminalServices Namespace:
Select * From Win32_TerminalServiceSetting Where TerminalServerMode=1
Go down to the WMI filter section and add a new WMI filter
Figure 2 - Set up new WMI filter
Describe the filter
This document was created for the SMBKitchen Project as part of our effort to help small business IT prepare
for the future. If you are not a subscriber please visit http://www.thirdtier.net and consider joining us.
3
Click on Add to add the new filter
In the namespace section add
root\CIMV2\TerminalServices
In the query section add:
Select * From Win32_TerminalServiceSetting Where TerminalServerMode=1
This document was created for the SMBKitchen Project as part of our effort to help small business IT prepare
for the future. If you are not a subscriber please visit http://www.thirdtier.net and consider joining us.
4
Figure 3 set up WMI query
It should look as above.
Click okay and then save.
Figure 4 Set up WMI
Now go to your Server OU structure, right mouse click and choose Create a GPO in this domain and link it
here
This document was created for the SMBKitchen Project as part of our effort to help small business IT prepare
for the future. If you are not a subscriber please visit http://www.thirdtier.net and consider joining us.
5
Figure 5 - Create the policy
Name the policy
Figure 6 Name the policy
Click OK
This document was created for the SMBKitchen Project as part of our effort to help small business IT prepare
for the future. If you are not a subscriber please visit http://www.thirdtier.net and consider joining us.
6
Now go back to the policy, right mouse click and click on edit
Figure 7 Edit the new policy
Drill down to the Software Restriction policy section
Figure 8 Add SRP
This document was created for the SMBKitchen Project as part of our effort to help small business IT prepare
for the future. If you are not a subscriber please visit http://www.thirdtier.net and consider joining us.
7
It will be under Computer Configuration>Policies>Windows Settings>Security Settings>Software Restriction
policies.
Right mouse click and click on New Software Restriction Polices
Figure 9 Add new policy
Now find the Additional rule and right mouse click and click on new path rule
Figure 10 Add new rule
For Server 2008/2008R2 and MultiPoint remote desktop servers set the following rules:
Path: %AppData%\*.exe
Security Level: Disallowed
Description: Don't allow executables from AppData
And
This document was created for the SMBKitchen Project as part of our effort to help small business IT prepare
for the future. If you are not a subscriber please visit http://www.thirdtier.net and consider joining us.
8
Path: %AppData%\*\*.exe
Security Level: Disallowed
Description: Don't allow executables from AppData
Figure 11 Add new rule
Click okay
Add additional rules as follows:
Block executables run from archive attachments opened with WinRAR:
Path: %Temp%\Rar*\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened with WinRAR.
Block executables run from archive attachments opened with 7zip:
This document was created for the SMBKitchen Project as part of our effort to help small business IT prepare
for the future. If you are not a subscriber please visit http://www.thirdtier.net and consider joining us.
9
Path: %Temp%\7z*\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened with 7zip.
Block executables run from archive attachments opened with WinZip:
Path: %Temp%\wz*\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened with WinZip.
Block executables run from archive attachments opened using Windows built-in Zip support:
Path: %Temp%\*.zip\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened using Windows built-in Zip
support.
When complete it should look like this:
Figure 12 Final policy
Now close the editing window and to back to the policy and change the WMI filter to only apply to
Terminal Servers
This document was created for the SMBKitchen Project as part of our effort to help small business IT prepare
for the future. If you are not a subscriber please visit http://www.thirdtier.net and consider joining us.
10
Figure 13 Add WMI filter
This document was created for the SMBKitchen Project as part of our effort to help small business IT prepare
for the future. If you are not a subscriber please visit http://www.thirdtier.net and consider joining us.
11
When you are complete, the policy should apply to the server category, to authenticated users and
then only to Terminal servers.
Figure 14 Final policy
Additional path locations
You can additional path locations such as appdata local, and locallow in Windows 2008 Remote Desktop
Services and higher to protect those as well, but be aware that there may be impact to line of business apps
in these locations. For example remote access tools such as Copilot.com will be blocked in the local file
location is blocked.
This document was created for the SMBKitchen Project as part of our effort to help small business IT prepare
for the future. If you are not a subscriber please visit http://www.thirdtier.net and consider joining us.
12
You may optionally wish to block %localappdata% as an additional location and make it just applicable to the
Windows 7 machines.
Server 2003 locations
For Server 2003 the policy is as follows:
Path: %AppData%\*.exe
Security Level: Disallowed
Description: Don't allow executables from AppData
And
Path: %AppData%\*\*.exe
Security Level: Disallowed
Description: Don't allow executables from AppData
Block executables run from archive attachments opened with WinRAR:
Path: %Temp%\Rar*\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened with WinRAR.
Block executables run from archive attachments opened with 7zip:
Path: %Temp%\7z*\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened with 7zip.
Block executables run from archive attachments opened with WinZip:
Path: %Temp%\wz*\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened with WinZip.
Block executables run from archive attachments opened using Windows built-in Zip support:
Path: %Temp%\*.zip\*.exe
Security Level: Disallowed
This document was created for the SMBKitchen Project as part of our effort to help small business IT prepare
for the future. If you are not a subscriber please visit http://www.thirdtier.net and consider joining us.
13
Description: Block executables run from archive attachments opened using Windows built-in Zip
support.
Post disaster review
Review the damage to the system, restore files from shadow copies or backups as needed and review
security settings in the office.
Please note, you may need to remove the drive to an enclosure to scan and edit while the system is not
mounted.
But you need to ask yourself if you are truly assured that you have cleaned the system. Without totally
rebuilding or rolling back to an image from known good sources, you will always question the health and
security of this system.
Talk to your client. Go with your gut. If you do not feel that it is completely secure, (and it probably isn’t)
rebuild the machine or roll back to a backup where you know it is preinfection.
From “Help: I got Hacked. Now what do I do?” http://technet.microsoft.com/en-us/library/cc512587.aspx
“You can’t clean a compromised system by removing the back doors. You can never guarantee that you found
all the back doors the attacker put in. The fact that you can’t find any more may only mean you don’t know
where to look, or that the system is so compromised that what you are seeing is not actually what is there.”
This document was created for the SMBKitchen Project as part of our effort to help small business IT prepare
for the future. If you are not a subscriber please visit http://www.thirdtier.net and consider joining us.
14
PROTECTION ON
TERMINAL SERVERS
Dangerous new virus
This is a follow up document to the prior document warning about CryptoLocker. This virus also impacts
Terminal Server environments and thus the group policy helping to block the spread needs to be set up
slightly differently.
Figure 1 - Encryption warning on screen
Actions to take on Terminal Servers
Even on a Terminal server your clients are at risk from CryptoLocker or other encryption malware that attacks
the user profile
This document was created for the SMBKitchen Project as part of our effort to help small business IT prepare
for the future. If you are not a subscriber please visit http://www.thirdtier.net and consider joining us.
1
Mere antivirus may not detect these. You may need to use a third party tool such as Microsoft Safety
Scanner to stop it from running. Many times they are located in the user profile AppData folder
It will typically target Office documents as noted on the Excel blog:
"Excel cannot open the file [filename] because the file format or file extension is not valid." opening Office
files - The Microsoft Excel Support Team Blog - Site Home - TechNet Blogs:
http://blogs.technet.com/b/the_microsoft_excel_support_team_blog/archive/2013/09/07/quot-cannotopen-the-file-because-the-file-format-or-extension-is-invalid-quot-opening-office-files.aspx
There is currently an ongoing situation where users may encounter an error when trying to open Office
documents. The error can happen opening any Office file type, not just Excel files. For Excel file types,
the error says: "Excel cannot open the file [filename] because the file format or file extension is not valid.
Verify that the file has not been corrupted and that the file extension matches the format of the file."
For Microsoft Word, the error may read differently: "The file cannot be opened because there are problems
with the contents" or "The file [FileName] cannot be opened because there is a problem with the contents".
We have confirmed that this can also affect PowerPoint files, AutoCAD files and JPEG images.
This problem has been confirmed to be caused by malware on the affected machine. There are now two
known variants of malware which causes this problem: Win32/Crilock.A and Win32/Buma!rts. They have
both been identified as a new family of ransomware.
In order to clean your machine, run Microsoft Safety Scanner
(http://www.microsoft.com/security/scanner/en-us/default.aspx). If infected, Safety Scanner should clean
the virus from the system, however it will not repair corrupted files. You will still need to restore those from
a backup. A detailed analysis of affected files submitted to Microsoft for investigation has revealed the files
are encrypted with a private and public key. The files cannot be recovered without the private key, which is
more than likely held by the attacker. The premise of ransomware is such that if a person pays the ransom
the key is provided to "unlock" the files.
Other resources:
Microsoft Word Support Blog: http://blogs.technet.com/b/wordonenotesupport/archive/2013/09/09/quotcannot-open-the-file-because-the-file-format-or-extension-is-invalid-quot-opening-office-files.aspx
Microsoft PowerPoint Support Blog: http://blogs.technet.com/b/bgp/archive/2013/09/09/3595491.aspx
This document was created for the SMBKitchen Project as part of our effort to help small business IT prepare
for the future. If you are not a subscriber please visit http://www.thirdtier.net and consider joining us.
2
Proactive steps to take
You can use Software Restriction Policies to block executables from running when they are located in the
%AppData% folder, or any other folder.
File paths of the infection are:
C:\Users\User\AppData\Roaming\{213D7F33-4942-1C20-3D56=8-1A0B31CDFFF3}.exe (Vista/7/8)
C:\Documents and Settings\User\Application Data\{213D7F33-4942-1C20-3D56=8-1A0B31CDFFF3}.exe
First we need to build a WMI filter to only apply to Terminal Servers
You could put your Remote Desktop Servers in a specific Organisational Unit and link your Group Policies
there or you could create a WMI Filter to filter by name i.e.
SELECT * FROM Win32_ComputerSystem WHERE ((Name = 'RDSERVER01') OR (Name = 'RDSERVER02'))
Alternatively we can call the WMI Filter against the root\CIMV2\TerminalServices Namespace:
Select * From Win32_TerminalServiceSetting Where TerminalServerMode=1
Go down to the WMI filter section and add a new WMI filter
Figure 2 - Set up new WMI filter
Describe the filter
This document was created for the SMBKitchen Project as part of our effort to help small business IT prepare
for the future. If you are not a subscriber please visit http://www.thirdtier.net and consider joining us.
3
Click on Add to add the new filter
In the namespace section add
root\CIMV2\TerminalServices
In the query section add:
Select * From Win32_TerminalServiceSetting Where TerminalServerMode=1
This document was created for the SMBKitchen Project as part of our effort to help small business IT prepare
for the future. If you are not a subscriber please visit http://www.thirdtier.net and consider joining us.
4
Figure 3 set up WMI query
It should look as above.
Click okay and then save.
Figure 4 Set up WMI
Now go to your Server OU structure, right mouse click and choose Create a GPO in this domain and link it
here
This document was created for the SMBKitchen Project as part of our effort to help small business IT prepare
for the future. If you are not a subscriber please visit http://www.thirdtier.net and consider joining us.
5
Figure 5 - Create the policy
Name the policy
Figure 6 Name the policy
Click OK
This document was created for the SMBKitchen Project as part of our effort to help small business IT prepare
for the future. If you are not a subscriber please visit http://www.thirdtier.net and consider joining us.
6
Now go back to the policy, right mouse click and click on edit
Figure 7 Edit the new policy
Drill down to the Software Restriction policy section
Figure 8 Add SRP
This document was created for the SMBKitchen Project as part of our effort to help small business IT prepare
for the future. If you are not a subscriber please visit http://www.thirdtier.net and consider joining us.
7
It will be under Computer Configuration>Policies>Windows Settings>Security Settings>Software Restriction
policies.
Right mouse click and click on New Software Restriction Polices
Figure 9 Add new policy
Now find the Additional rule and right mouse click and click on new path rule
Figure 10 Add new rule
For Server 2008/2008R2 and MultiPoint remote desktop servers set the following rules:
Path: %AppData%\*.exe
Security Level: Disallowed
Description: Don't allow executables from AppData
And
This document was created for the SMBKitchen Project as part of our effort to help small business IT prepare
for the future. If you are not a subscriber please visit http://www.thirdtier.net and consider joining us.
8
Path: %AppData%\*\*.exe
Security Level: Disallowed
Description: Don't allow executables from AppData
Figure 11 Add new rule
Click okay
Add additional rules as follows:
Block executables run from archive attachments opened with WinRAR:
Path: %Temp%\Rar*\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened with WinRAR.
Block executables run from archive attachments opened with 7zip:
This document was created for the SMBKitchen Project as part of our effort to help small business IT prepare
for the future. If you are not a subscriber please visit http://www.thirdtier.net and consider joining us.
9
Path: %Temp%\7z*\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened with 7zip.
Block executables run from archive attachments opened with WinZip:
Path: %Temp%\wz*\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened with WinZip.
Block executables run from archive attachments opened using Windows built-in Zip support:
Path: %Temp%\*.zip\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened using Windows built-in Zip
support.
When complete it should look like this:
Figure 12 Final policy
Now close the editing window and to back to the policy and change the WMI filter to only apply to
Terminal Servers
This document was created for the SMBKitchen Project as part of our effort to help small business IT prepare
for the future. If you are not a subscriber please visit http://www.thirdtier.net and consider joining us.
10
Figure 13 Add WMI filter
This document was created for the SMBKitchen Project as part of our effort to help small business IT prepare
for the future. If you are not a subscriber please visit http://www.thirdtier.net and consider joining us.
11
When you are complete, the policy should apply to the server category, to authenticated users and
then only to Terminal servers.
Figure 14 Final policy
Additional path locations
You can additional path locations such as appdata local, and locallow in Windows 2008 Remote Desktop
Services and higher to protect those as well, but be aware that there may be impact to line of business apps
in these locations. For example remote access tools such as Copilot.com will be blocked in the local file
location is blocked.
This document was created for the SMBKitchen Project as part of our effort to help small business IT prepare
for the future. If you are not a subscriber please visit http://www.thirdtier.net and consider joining us.
12
You may optionally wish to block %localappdata% as an additional location and make it just applicable to the
Windows 7 machines.
Server 2003 locations
For Server 2003 the policy is as follows:
Path: %AppData%\*.exe
Security Level: Disallowed
Description: Don't allow executables from AppData
And
Path: %AppData%\*\*.exe
Security Level: Disallowed
Description: Don't allow executables from AppData
Block executables run from archive attachments opened with WinRAR:
Path: %Temp%\Rar*\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened with WinRAR.
Block executables run from archive attachments opened with 7zip:
Path: %Temp%\7z*\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened with 7zip.
Block executables run from archive attachments opened with WinZip:
Path: %Temp%\wz*\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened with WinZip.
Block executables run from archive attachments opened using Windows built-in Zip support:
Path: %Temp%\*.zip\*.exe
Security Level: Disallowed
This document was created for the SMBKitchen Project as part of our effort to help small business IT prepare
for the future. If you are not a subscriber please visit http://www.thirdtier.net and consider joining us.
13
Description: Block executables run from archive attachments opened using Windows built-in Zip
support.
Post disaster review
Review the damage to the system, restore files from shadow copies or backups as needed and review
security settings in the office.
Please note, you may need to remove the drive to an enclosure to scan and edit while the system is not
mounted.
But you need to ask yourself if you are truly assured that you have cleaned the system. Without totally
rebuilding or rolling back to an image from known good sources, you will always question the health and
security of this system.
Talk to your client. Go with your gut. If you do not feel that it is completely secure, (and it probably isn’t)
rebuild the machine or roll back to a backup where you know it is preinfection.
From “Help: I got Hacked. Now what do I do?” http://technet.microsoft.com/en-us/library/cc512587.aspx
“You can’t clean a compromised system by removing the back doors. You can never guarantee that you found
all the back doors the attacker put in. The fact that you can’t find any more may only mean you don’t know
where to look, or that the system is so compromised that what you are seeing is not actually what is there.”
This document was created for the SMBKitchen Project as part of our effort to help small business IT prepare
for the future. If you are not a subscriber please visit http://www.thirdtier.net and consider joining us.
14
