I wanted to update as I have started to develop a way to monitor for Cryptolocker activity on our file servers. It's taken a fair bit of testing and is certainly not complete, but I also wanted to pass this knowledge on as a starting point for anyone who might be interested in doing the same on their networks.
I used the FIM connector on our main file servers and had it set up to monitor all relevant directories and looked for specific file masks so that my entire log wouldn't be filled with various file writes throughout the network. I used some of the common file behavior as referenced here as well as a few other sources.
I then created a rule to monitor for some of the file changes that I filtered for. I currently only have mine set to email when activity is detected since it was recently created and I'm still somewhat testing it. You could also have it lock out the account performing the activities or some other action if you felt confident in that. One thing to note about the above screenshot, for the files you need to put in *\{filename} like in the DECRYPT_INSTRUCTION examples. LEM/FIM reports the FileName field as the full path, so without it you'll never get matching results.
A couple other thoughts I have are to monitor for things like file writes on all files, and then have the rule set to only trigger on a set (abnormally high) number of writes, which would indicate a script or virus activity. This, as I mentioned earlier, would generate a TON of events, so I opted against it. If that doesn't bother you then it would be another good option. Also something I'm considering doing is creating a few "honeypot" type files that would not be edited by any normal user, probably put them alphabetically first in some of the common shares for good measure, and set off an alert on ANY activity these files encounter. Since in my case these are file shares being written to by other workstations on the domain, I have yet to pinpoint the source workstation doing the editing, but it may not be possible with the way FIM works/logs.
Has anyone else set up something similar for Cryptolocker activity? I'm still working to refine mine so input would be appreciated. In any case I hope this is helpful for someone else looking to begin monitoring for some common malicious activity.
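The three checks discussed in the post (a file mask with the leading `*\`, honeypot files, and a per-account write threshold), sketched as an added example that is not part of the original post and is not LEM rule syntax. The event tuple layout, account names, paths, decoy file name and thresholds are all assumptions made for illustration.

```python
from collections import defaultdict, deque
from fnmatch import fnmatchcase

# Assumed values for illustration; tune masks, paths and thresholds per share.
MASKS = [r"*\DECRYPT_INSTRUCTION*"]   # leading *\ because FileName is a full path
HONEYPOTS = {r"d:\shares\finance\!_canary.docx"}   # constructed decoy, sorts first
BURST_WRITES, BURST_WINDOW_S = 5, 10  # writes per account within N seconds

def mask_hit(path, masks=MASKS):
    """Case-insensitive wildcard match against the full path."""
    return any(fnmatchcase(path.lower(), m.lower()) for m in masks)

def detect(events):
    """events: iterable of (epoch_seconds, account, full_path) file writes."""
    alerts, recent, bursting = [], defaultdict(deque), set()
    for ts, user, path in events:
        if path.lower() in HONEYPOTS:          # any touch of a decoy alerts
            alerts.append((ts, user, "honeypot", path))
        if mask_hit(path):                     # known ransom-note file name
            alerts.append((ts, user, "mask", path))
        q = recent[user]                       # sliding window of write times
        q.append(ts)
        while ts - q[0] > BURST_WINDOW_S:
            q.popleft()
        if len(q) >= BURST_WRITES and user not in bursting:
            bursting.add(user)                 # alert once per burst
            alerts.append((ts, user, "burst", path))
        elif len(q) < BURST_WRITES:
            bursting.discard(user)
    return alerts

# Constructed sample events, not real FIM output.
SAMPLE = [
    (0,   r"CORP\alice", r"D:\Shares\Finance\budget.xlsx"),
    (100, r"CORP\bob",   r"D:\Shares\Finance\!_canary.docx"),
    (101, r"CORP\bob",   r"D:\Shares\Finance\a.docx"),
    (102, r"CORP\bob",   r"D:\Shares\Finance\b.docx"),
    (103, r"CORP\bob",   r"D:\Shares\Finance\c.docx"),
    (104, r"CORP\bob",   r"D:\Shares\Finance\d.docx"),
    (106, r"CORP\bob",   r"D:\Shares\Finance\DECRYPT_INSTRUCTION.TXT"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

Passing a mask without the `*\` prefix to `mask_hit` returns no match on the same path, which is the behavior the post warns about.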