The blackmail Trojan Locky is currently causing havoc and disruption on many PCs. The business model of the hacker is very simple. Locky encrypts files on the computer, and the decryption of these files is only offered after a payment of the ransom has occurred.

So far so good, but only if after payment the actual decryption takes place, though this cannot be guaranteed. Consequently, the best strategy against ransomware such as Locky, is to not get infected in the first place. How to do that or how one succeeds with reasonable probability, has already been described in many blogs and articles with key phrases such „only click on what you know“, „Keep your An- ti-virus up to date”, „Keep operating system on most current patch level“, etc.

This article describes how our VP of Product Management, Thomas Reichert, has another more comprehensive way to protect yourself from malware such as Locky.

The security software DriveLock by German software specialists CenterTools Software SE includes the module „Application Control“. With this, individual applications or processes can be pro- actively recognized for their execution *before* and will be blocked. DriveLocks Application Control can be operated in both whitelist and blacklist mode.

As the name suggests, all applications or processes are executed, except those that are explicitly blacklisted. A blacklist approach is not particularly promising for malware such as Locky, because one does not know exactly what to block and secondly, succession occurs at the earliest after first infection/appearance of said malware.

Therefore we recommend the approach via whitelist

Here all applications or processes are blocked in principle, except those that are specifically whitelisted. The crux lies in the detail, as you cannot obviously block everything, without the PC being „bricked“ i.e. made inoperative. And of course such a whitelist must also be maintained. DriveLock offers very granular, but at the same time easily usable mechanisms. DriveLock Application Control allows, for example, the ability to de ne that only applications that are digitally signed by the so-called Trusted Vendors, such as Microsoft, Adobe, VMware, etc., can be run. Furthermore, there is a solution from DriveLock which scans a specific PC or a reference PC in the company and creates an initial whitelist or modifies an existing one.

In conclusion it can be said that the granularity, flexibility and, above all, the ease with which DriveLock Application Control creates whitelists automatically and enforces can make all the difference. A Windows PC with DriveLock Application Control and a current whitelist minimizes the risk that ransomware such as Locky can be executed.