I thought I'd share with you what steps I've taken to alert me to a likely Cryptolocker infection.

Generally, if someone gets a virus on their computer it's a pain in the ass but it's not threatening to the company on the whole. The computer is isolated and reinstalled or otherwise cleaned up, and you're off again.

With Cryptolocker, 9 times out of 10 the person seems to also have a link to at least one network share. Because it's encrypting everything it can (not -infecting- everything, just encrypting), it will go out to those shares and do its thing.

Now, if you're familiar with this, hopefully not first hand, you'll know they drop two files in every folder with encrypted files - INSTALL_TOR.txt and DECRYPT_INSTRUCTION.txt. You can use this to your advantage as a sort of 'early warning system'. This works on Server 2008+; I don't know what facilities exist for this on earlier or different OSes.

EDIT: I guess I should mention it's a good way to quickly tell who the culprit is, if it's useful for nothing other than that.
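
As an added example (not part of the original post), here is one way to script that early warning as a passive file screen using the FileServerResourceManager PowerShell cmdlets. It assumes Windows Server 2012 or later with the File Server Resource Manager role service installed; the group name and share path are hypothetical, and the patterns are the ones listed in this post's edit notes.

```powershell
# Added example: run from an elevated PowerShell prompt on the file server.
# The FSRM cmdlets ship with Windows Server 2012 and later.
Import-Module FileServerResourceManager

$GroupName = 'Ransom note files'   # hypothetical file group name
$SharePath = 'D:\Shares'           # hypothetical share root, change to yours

# Note-file patterns taken from this post's edit notes.
$Patterns = @(
    'INSTALL_TOR.txt', 'DECRYPT_INSTRUCTION.txt', 'help_decrypt*.*',
    'restore_Flies*.*', '*djqfu*.*', '*.aaa', 'help_your_files*.*'
)

# Create the file group, or refresh its patterns if it already exists,
# so the script can be re-run whenever a new note filename is reported.
if (Get-FsrmFileGroup -Name $GroupName -ErrorAction SilentlyContinue) {
    Set-FsrmFileGroup -Name $GroupName -IncludePattern $Patterns
} else {
    New-FsrmFileGroup -Name $GroupName -IncludePattern $Patterns | Out-Null
}

# Write a warning to the event log on every match. [Source Io Owner] is
# expanded by FSRM to the account that wrote the file, i.e. the culprit.
$Action = New-FsrmAction -Type Event -EventType Warning -Body (
    'Possible ransomware: [Source Io Owner] wrote [Source File Path] ' +
    'under [File Screen Path] on [Server].')

# Passive screen (-Active:$false): the write is allowed and the alert fires.
# An active screen would only block the note file, not the encryption.
if (Get-FsrmFileScreen -Path $SharePath -ErrorAction SilentlyContinue) {
    Set-FsrmFileScreen -Path $SharePath -IncludeGroup $GroupName `
        -Notification $Action -Active:$false
} else {
    New-FsrmFileScreen -Path $SharePath -IncludeGroup $GroupName `
        -Notification $Action -Active:$false | Out-Null
}

# Show the resulting screen so the configuration can be confirmed.
Get-FsrmFileScreen -Path $SharePath | Select-Object Path, Active, IncludeGroup
```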

DOUBLE EDIT: Updated Jan 7/2015 with clearer instructions and screenshots

EDIT AGAIN: Updated Jan 29/2015 to add help_decrypt*.* to the file screen, thanks go to +blefler for that!

C-C-C-C-C-COMBO EDIT: March 19/2015 With the release of new cryptolocker-like variants, they've taken to dropping randomly named files into the encrypted folders, making this method useless against those variants. Just FYI!

KEEP ON EDITING: August 19/2015 Added additional filenames that a new variant is using (restore_Flies*.*, *djqfu*.*, *.aaa). Thanks to +Mconn for the heads up: http://community.spiceworks.com/topic/1135679-new-trojan-crypto-virus

NEVER STOP EDITING: November 5, 2015 Added additional filenames that Cryptowall 4.0 uses (help_your_files*.*). Thanks to +Lawrence Abrams for the heads up: http://community.spiceworks.com/topic/1274312-cryptowall-v4-0-released-now-encrypts-the-file-names-as-well

MORE EDIT!: February 16, 2016 Added additional filenames various crypto infections use. Credit goes to quietman7 at bleepingcomputer and Jaymesned at Reddit.

ANOTHER EDIT!: June 17, 2016