CryptoLocker Detect Management Pack for Operations Manager 2012 R2

CryptoLocker is a virus that encrypt all of your files with a hard key locker. Targets are Office docs, images, pdf and videos. The only way to rescue your documents is pay the unlock key but this is not suggest. When a user run the virus, all files into mapped drive are locked.


A couple of my customers had “take” this virus and they discovered the problem many hours after damage. So I created this Management Pack for System Center 2012 R2 Operations Manager to prevent this behavior for all File Server with share folders enabled.


How Works

If your File Server has a file with a potential risk extension, the automatic recovery task will stop three important services of File Server to avoid the total loss of data.


  • Server: this service manage File & Printing Sharing role. This service will be stopped to block files encryption
  • DFS: this service manage DFS Namespace. This service will be stopped to because there’s a dependencies with Server service
  • DFSR: this service manage replica between servers. This service will be stopped to avoid the replica of bad files


If DFS is not present the Recovery Task will skip the control.


What Kind of Extension?

The extension under monitor are: .cryptolocker and .encrypted. These are the most important format. For your information there are many others type of virus that use random extension, this means that is not possible detect all the critical extensions.


If you have feedback, please use the module into Community Project page.


You want test it? Check this page!