CryptoLocker

Discussion in 'malware problems & news' started by DX2, Sep 10, 2013.

  1. DX2
    Offline

    DX2 Registered Member

    I guess there is a new virus called Cryptolocker. It encrypts your whole computer. mrizos made a video about it..

    Anyone heard of this?
  2. JRViejo
    Offline

    JRViejo Global Moderator

  3. treehouse786
    Offline

    treehouse786 Registered Member

    backup, backup, backup.
  4. mantra
    Offline

    mantra Registered Member

    it's scarry
    but do the av company detect them ?
    like eset nod32?
  5. treehouse786
    Offline

    treehouse786 Registered Member

    there are a few companies which are detecting it but that's not the issue here seeing as they will be updating their exe's to bypass signature based protection. the kerfuffle is to do with what happens once it gets on to a system (especially business pc's), cryptolocker will encrypt all sorts of different file types so that its going to be impossible (at least for a while) for you to access your files again without paying the authors of cryptolocker a ransom fee. the files are being encrypted using a 2048 bit RSA algorithm

    everyone should be backing up their data anyway but if they were not then they really should be now!


    here is the video which DX2 mentioned
    http://www.youtube.com/watch?v=Uzl_h-Nc8Ps
  6. GrafZeppelin
    Offline

    GrafZeppelin Registered Member

    Just to remind our fellow computer users who are worried and is currently using a HIPS program, enable that file/folder protection feature if you haven't, NOW! :isay:
  7. DX2
    Offline

    DX2 Registered Member

    I have my stuff backed up on 2 different hard drives and online. .can't be too sure
  8. TheKid7
    Offline

    TheKid7 Registered Member

    Is there any way to password protect access to other internal hard drives?

    I have several internal hard drives that I use for Backup, and it has always concerned me that Malware, such as CryptoLocker, may be able to encrypt files on all of my internal hard drives.
  9. Keatah
    Offline

    Keatah Registered Member

    Safest form of backup is off-line.
  10. TheKid7
    Offline

    TheKid7 Registered Member

    How is CryptoLocker spread?

    If you use USB Flash Drives which are 'Vaccinated' with Panda USB Vaccine, is there any danger of CryptoLocker being spread via these USB Flash Drives as long as no unknown executables are executed?
  11. Keatah
    Offline

    Keatah Registered Member

    Social engineering. User clicking on attachments.
  12. treehouse786
    Offline

    treehouse786 Registered Member

    cryptolocker spreads through a local network so USB's are almost certain to be used as an infection vector and as an infection target. not sure if panda vaccine will stop the spread of it but it wont protect the USB from getting infected in the first place.

    regarding your password protecting the hard drive question. i dont think that will work too well against cryptolocker as the password protecting program will get infected and you will not be able to log back in again to the hard drive.

    your best bet is to backup online (see this post if you do) and to backup to an external hard drive periodically, remember to unplug the external hard drive when the backup has finished
  13. agoretsky
    Offline

    agoretsky Eset Staff Account

    Hello,

    This is a family of malware, and ESET adds detection for variants as they appear. I think there will be a blog post coming soon on it.

    Regards,

    Aryeh Goretsky


  14. SweX
    Offline

    SweX Registered Member

    http://www.welivesecurity.com/2013/09/23/filecoder-holding-your-data-to-ransom/
  15. mick92z
    Offline

    mick92z Registered Member

    Cryptolocker.

    EDIT sorry for posting , what i thought was a new topic ( it was merged ) I did a search for cryptolocker here and got no hits.I might have known you guys were already onto it :D

    Somehow ( can't remember how ) came across this new malware called crypolocker. Unlike other ransomware, it can actually encrypt your files .
    http://www.bleepingcomputer.com/forums/t/506924/cryptolocker-hijack-program/
    Another link from malwarebytes http://blog.malwarebytes.org/intelligence/2013/10/cryptolocker-ransomware-what-you-need-to-know/

    I would assume sandboxie would stop this, yeah ? I heard it was spread through pdf attachments
    Last edited: Oct 15, 2013
  16. EASTER
    Offline

    EASTER Registered Member

    Thanks GrafZeppelin for once again stressing the always useful (IMHO) importance of a very dependable HIPS, in spite of the common sense contingency practice every windows user should already schedule for their machines.

    Yes it's a small and easy matter to simply restore an image but for pity sakes it just seems more smarter to have a good solid HIPS software that can intervene and interrupt these type and other threats at pre-entry first and prevent potential serious system compromise in the first place, not to mention capturing and immediately identifying the intrusion that a strong well designed HIPS can accomplish with a detailed report which is useful for keeping an end user alert to the particular paths those malware writers are trying to target and disrupt.

    .......and is yet another in a string of reason's why i miss those super HIPS like EQSYSECURE, MalwareDefender, and the like on XP which are sorely missed in x64 bit systems like Windows 7 and now 8.

    They still are more useful as ever as i see it.
  17. kC_
    Offline

    kC_ Registered Member

    2 companies we support have been hit by this last week.

    Both sites use ESET endpoint av on workstations and eset file security on servers.
    Unfortunately this didn't detect the infection, 1 user infected managed to encrypt all the shared data they had access to on their servers.

    We restored from backups (shadow protect)

    We have since implemented group policies to block this In both the appdata path and registry on all our other customers.
    Don't trust any av to protect against this.
    Backup! And implement group policies to stop it.
  18. siljaline
    Offline

    siljaline Registered Member

  19. Keatah
    Offline

    Keatah Registered Member

    I wonder how many have been successful with undoing the encryption. My guess is none, so backup & restore is the only solution. Reverting to earlier versions via things like system restore, vss, or rollback rx would work too, within the scope of their protection envelope.
    Last edited: Oct 15, 2013
  20. Peter2150
    Offline

    Peter2150 Global Moderator

    Sandboxie also will help, because if the malware runs in the sandbox, all the encrypted files will be contained in the sandbox, and when the sandbox is deleted they are gone.

    Pete
  21. siljaline
    Offline

    siljaline Registered Member

    http://arstechnica.com/security/201...o-see-your-data-again-pay-us-300-in-bitcoins/
  22. siljaline
    Offline

    siljaline Registered Member

  23. siljaline
    Offline

    siljaline Registered Member

    Sophos shows the Ransomeware in action:

    -https://www.youtube.com/watch?feature=player_embedded&v=Gz2kmmsMpMI-
  24. Corrine
    Offline

    Corrine Spyware Fighter

    Grinler's guide has been updated with new information. Of particular interest it the information about CryptoPrevent. CryptoPrevent is a free utility by FoolishIT LLC that automatically adds the suggested Software Restriction Policy Path Rules (listed in the guide) to your computer. The added Software Restriction Policies are to prevent CryptoLocker and Zbot from being executed in the first place.
  25. tgell
    Offline

    tgell Registered Member

    Thanks for the info.

    For reference, here is the link to the CyrptoPrevent Page.

    http://www.foolishit.com/vb6-projects/cryptoprevent/