CryptoLocker

Discussion in 'malware problems & news' started by DX2, Sep 10, 2013.

  1. DX2

    DX2 Guest

    I guess there is a new virus called Cryptolocker. It encrypts your whole computer. mrizos made a video about it..

    Anyone heard of this?
     
  2. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    16,524
    Location:
    U.S.A.
  3. treehouse786

    treehouse786 Registered Member

    Joined:
    Jun 6, 2010
    Posts:
    1,370
    Location:
    Lancashire
    backup, backup, backup.
     
  4. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    4,368
    it's scarry
    but do the av company detect them ?
    like eset nod32?
     
  5. treehouse786

    treehouse786 Registered Member

    Joined:
    Jun 6, 2010
    Posts:
    1,370
    Location:
    Lancashire
    there are a few companies which are detecting it but that's not the issue here seeing as they will be updating their exe's to bypass signature based protection. the kerfuffle is to do with what happens once it gets on to a system (especially business pc's), cryptolocker will encrypt all sorts of different file types so that its going to be impossible (at least for a while) for you to access your files again without paying the authors of cryptolocker a ransom fee. the files are being encrypted using a 2048 bit RSA algorithm

    everyone should be backing up their data anyway but if they were not then they really should be now!


    here is the video which DX2 mentioned
    http://www.youtube.com/watch?v=Uzl_h-Nc8Ps
     
  6. guest

    guest Guest

    Just to remind our fellow computer users who are worried and is currently using a HIPS program, enable that file/folder protection feature if you haven't, NOW! :isay:
     
  7. DX2

    DX2 Guest

    I have my stuff backed up on 2 different hard drives and online. .can't be too sure
     
  8. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,394
    Is there any way to password protect access to other internal hard drives?

    I have several internal hard drives that I use for Backup, and it has always concerned me that Malware, such as CryptoLocker, may be able to encrypt files on all of my internal hard drives.
     
  9. Keatah

    Keatah Registered Member

    Joined:
    Jan 13, 2011
    Posts:
    737
    Safest form of backup is off-line.
     
  10. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,394
    How is CryptoLocker spread?

    If you use USB Flash Drives which are 'Vaccinated' with Panda USB Vaccine, is there any danger of CryptoLocker being spread via these USB Flash Drives as long as no unknown executables are executed?
     
  11. Keatah

    Keatah Registered Member

    Joined:
    Jan 13, 2011
    Posts:
    737
    Social engineering. User clicking on attachments.
     
  12. treehouse786

    treehouse786 Registered Member

    Joined:
    Jun 6, 2010
    Posts:
    1,370
    Location:
    Lancashire
    cryptolocker spreads through a local network so USB's are almost certain to be used as an infection vector and as an infection target. not sure if panda vaccine will stop the spread of it but it wont protect the USB from getting infected in the first place.

    regarding your password protecting the hard drive question. i dont think that will work too well against cryptolocker as the password protecting program will get infected and you will not be able to log back in again to the hard drive.

    your best bet is to backup online (see this post if you do) and to backup to an external hard drive periodically, remember to unplug the external hard drive when the backup has finished
     
  13. agoretsky

    agoretsky Eset Staff Account

    Joined:
    Apr 4, 2006
    Posts:
    4,030
    Location:
    California
    Hello,

    This is a family of malware, and ESET adds detection for variants as they appear. I think there will be a blog post coming soon on it.

    Regards,

    Aryeh Goretsky


     
  14. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,259
    http://www.welivesecurity.com/2013/09/23/filecoder-holding-your-data-to-ransom/
     
  15. mick92z

    mick92z Registered Member

    Joined:
    Apr 27, 2007
    Posts:
    462
    Location:
    Nottingham
    Cryptolocker.

    EDIT sorry for posting , what i thought was a new topic ( it was merged ) I did a search for cryptolocker here and got no hits.I might have known you guys were already onto it :D

    Somehow ( can't remember how ) came across this new malware called crypolocker. Unlike other ransomware, it can actually encrypt your files .
    http://www.bleepingcomputer.com/forums/t/506924/cryptolocker-hijack-program/
    Another link from malwarebytes http://blog.malwarebytes.org/intelligence/2013/10/cryptolocker-ransomware-what-you-need-to-know/

    I would assume sandboxie would stop this, yeah ? I heard it was spread through pdf attachments
     
    Last edited: Oct 15, 2013
  16. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,258
    Location:
    U.S.A. (South)
    Thanks GrafZeppelin for once again stressing the always useful (IMHO) importance of a very dependable HIPS, in spite of the common sense contingency practice every windows user should already schedule for their machines.

    Yes it's a small and easy matter to simply restore an image but for pity sakes it just seems more smarter to have a good solid HIPS software that can intervene and interrupt these type and other threats at pre-entry first and prevent potential serious system compromise in the first place, not to mention capturing and immediately identifying the intrusion that a strong well designed HIPS can accomplish with a detailed report which is useful for keeping an end user alert to the particular paths those malware writers are trying to target and disrupt.

    .......and is yet another in a string of reason's why i miss those super HIPS like EQSYSECURE, MalwareDefender, and the like on XP which are sorely missed in x64 bit systems like Windows 7 and now 8.

    They still are more useful as ever as i see it.
     
  17. kC_

    kC_ Registered Member

    Joined:
    Apr 6, 2007
    Posts:
    440
    2 companies we support have been hit by this last week.

    Both sites use ESET endpoint av on workstations and eset file security on servers.
    Unfortunately this didn't detect the infection, 1 user infected managed to encrypt all the shared data they had access to on their servers.

    We restored from backups (shadow protect)

    We have since implemented group policies to block this In both the appdata path and registry on all our other customers.
    Don't trust any av to protect against this.
    Backup! And implement group policies to stop it.
     
  18. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
  19. Keatah

    Keatah Registered Member

    Joined:
    Jan 13, 2011
    Posts:
    737
    I wonder how many have been successful with undoing the encryption. My guess is none, so backup & restore is the only solution. Reverting to earlier versions via things like system restore, vss, or rollback rx would work too, within the scope of their protection envelope.
     
    Last edited: Oct 15, 2013
  20. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    15,207
    Sandboxie also will help, because if the malware runs in the sandbox, all the encrypted files will be contained in the sandbox, and when the sandbox is deleted they are gone.

    Pete
     
  21. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    http://arstechnica.com/security/201...o-see-your-data-again-pay-us-300-in-bitcoins/
     
  22. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
  23. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    Sophos shows the Ransomeware in action:

    -https://www.youtube.com/watch?feature=player_embedded&v=Gz2kmmsMpMI-
     
  24. Corrine

    Corrine Spyware Fighter

    Joined:
    Jan 10, 2005
    Posts:
    106
    Location:
    Upstate NY
    Grinler's guide has been updated with new information. Of particular interest it the information about CryptoPrevent. CryptoPrevent is a free utility by FoolishIT LLC that automatically adds the suggested Software Restriction Policy Path Rules (listed in the guide) to your computer. The added Software Restriction Policies are to prevent CryptoLocker and Zbot from being executed in the first place.
     
  25. tgell

    tgell Registered Member

    Joined:
    Nov 12, 2004
    Posts:
    995
    Thanks for the info.

    For reference, here is the link to the CyrptoPrevent Page.

    http://www.foolishit.com/vb6-projects/cryptoprevent/