CryptoLocker Tripwire: Free Cryptolocker Prevention Tool

The Cryptolocker Ransomware has been morphing into more dangerous forms and even started targeting other operating systems like Android. While those affected are always looking out for ways to get rid of or remove Cryptolocker ransomware, the old proverb still stands – Prevention is better than cure!

We have earlier seen how you can block or prevent Cryptolocker ransomware attacks using CryptoPreventCryptolocker Prevention Kit and HitmanPro.Alert – and by following some steps to take to stay protected & secure, by preventing Ransomware from getting onto your Windows computer.

Via this post, we would like to inform you about another Cryptolocker Prevention Tool called CryptoLocker Tripwire.

Cryptolocker Prevention Tool

Cryptolocker Prevention

The author of this tool follows a different approach. Seeing all the reports of various forms of the CryptoLocker ransomware, made him think of a different way to protect file servers. Every time a new virus definition is released or a new software group policy restriction placed on a Windows system, Cryptolocker finds a way to circumvent it.

The recent variants of CryptoLocker go a step further and even purge the Windows Shadow Copy stores. This makes it even more difficult for System and IT administrators to recover and restore files and data.

CryptoLocker Tripwire runs on the file server.  After loading your data share folders, the free tool will copy a witness file that you choose, to a hidden subfolder in each of the folders you have selected.  The Hidden folder is prefaced with ########, so that the folder is placed right at the top of the list. The Witness file is copied within this folder and also named ########.  Now, the tool will start a file system watcher for the Witness folder, and once there is a modification of the witness file the following things can be triggered, depending on the options you select:

  1. The Server service is shut down and disabled
  2. The Volume Shadow Copy service is shut down and disabled
  3. The Server is shut down
  4. An email alert is sent via SMTP.

The author says:

I’ve tested this thoroughly within a private test network.  Although CryptoLocker managed to get past the initial witness file, it didn’t get far before the server stopped and disabled both services and shut down. But since the VSS service was stopped I was able to easily restore the files it touched after the witness file via shadow copy restore.

CryptoLocker Tripwire free download

You can read more about CryptoLocker Tripwire at its home page. It is a portable tool that does not require to be installed. Use this freeware at your own discretion, as the author does not offer any warranties or guarantees with it.

The CryptoLocker Decryption Tool may help you decrypt your Cryptolocker encrypted file.

Posted by on , in Category Security with Tags
Anand Khanse is the Admin of, a 10-year Microsoft MVP Awardee in Windows (2006-16) & a Windows Insider MVP. Please read the entire post & the comments first, create a System Restore Point before making any changes to your system & be careful about any 3rd-party offers while installing freeware.


  1. ErnieK

    This looks to be a good wee program but am reluctant to remove crypto prevent [pro] and was wondering if two lines of defence are better than one in this instance. So could you tell me would it be possible to run this at the same time as crypto prevent? or would they clash?

  2. alexappleton

    As far as I am aware these two programs should not clash with each other.

  3. DumasLein

    In corporate environments with Active Directory, you can configure a SRP Group Policy to prevent Cryptolocker infection.

    Here is an explanation (in Spanish):

  4. Ryan

    Um, correct me if I’m wrong, but doesn’t the ransomware now just have to add a check to skip all files/folders beginning with “###” to evade detection by this tool?

Leave a Reply

Your email address will not be published. Required fields are marked *

2 + 5 =