CryptoLocker

Discussion in 'malware problems & news' started by DX2, Sep 10, 2013.

  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    162,650
    Location:
    Texas
  2. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
  3. siljaline

    siljaline Registered Member

    Joined:
    Jun 29, 2003
    Posts:
    6,618
    CryptoLocker Creators Infected Nearly 250,000 Systems, Earned $300k Since September http://threatpost.com/cryptolocker-...000-systems-earned-30m-since-september/103261
    • Further reading: (referenced above but segregated out for clarity ) -
    http://www.secureworks.com/cyber-threat-intelligence/threats/cryptolocker-ransomware/
     
  4. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,321
    Location:
    AmstelodamUM
    Comments on torrent sites will now include tears of anger and hardcore drama.
    Using a crack, which hides a trojan which contains cryptolocker, to 'activate' the OS?
    Data loss deserved imo.
     
  5. Keatah

    Keatah Registered Member

    Joined:
    Jan 13, 2011
    Posts:
    1,029
    Wouldn't it be best to right-click attachments and open them with a program you specify? Or manually pick the program that is associated with the extension? If you got a .Doc, then use Word. PDF = Adobe Reader. And so on..

    If the file is malicious and not a real .Doc, then Word would choke on it. It would not open it, or it might ask to convert it or maybe display garbage.

    It gets around the multiple and hidden and incorrect filetype extension "problem". And this method doesn't let code execute - it is simply read by the selected program passively. This seems stupid-simple. What am I missing?
     
  6. SouthPark

    SouthPark Registered Member

    Joined:
    Jun 13, 2012
    Posts:
    735
    Location:
    South Park, CO
    That is how I open files usually.

    This security website (now somewhat dated) is where I got the idea: http://www.claymania.com/safe-hex.html#4
     
  7. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    2,870
    The guy who runs Foolish IT had to do what the idiots at Microsoft never did:

    Allow home users to create Software Restriction Policies for home versions of Windows. These can easily be created on business and enterprise versions of Windows, but Microsoft never saw fit to extend the protection to individual PC users.

    Until now, there's been no easy way to do that on home versions of Windows. Microsoft could have offered a tool to allow the Windows %AppData% folders to be easily secured but thought it wasn't needed. Microsoft has learned a very expensive lesson - that in future versions of Windows, it will need to provide the same security tools for ALL Windows environments.

    The problem of sophisticated ransomware is a growing one. Ultimately, best computing practices will always save the day, and NEVER download a file from someone you don't know or that looks too good to be true. CryptoLocker has been successful because it doesn't require an elevated privilege to execute, and when it does run it runs silently without need of user interaction, and by the time it's discovered it's too late to mitigate the damage.

    That said, prevention works:

    NEVER download files from untrusted sources. Have your ISP's mail settings configured to disallow spam e-mail with attachments and disallow ANY e-mail with double extensions - no legitimate e-mail is ever going to use a double extension!

    Install hardening tools like K9 Web Protection to wall off compromised and infected domains - SpywareBlaster also lets you set a custom blocklist on what sites can access your browser. Legitimate programs can be secured with EMET to harden them against unknown exploits.

    Keep your Windows, Java and Flash patches up to date. Install a classical HIPS to block malware from running at the source. CryptoPrevent can institute software restriction policies for vulnerable locations to keep CryptoLocker from running there and modifying your files. Make sure you have AV installed and keep it up to date. And have your firewall set up to allow outbound access only to Internet-facing programs that really require it.

    And a virtual restore product like Rollback Rx is far superior to Windows Restore, so if a ransomware should somehow get through, you can go back in time to a date BEFORE any file encryption occurred. Finally, do regular backups and if they're critical data - make hard copies of them and put them in a safe place. You might not always be able to stop malware, as it's a never-ending evolutionary arms race between malware coders and Internet security companies.

    But with common sense you can avoid falling prey on the Internet to the cybercriminals who roam it.
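    Keatah's "open it with the program you pick" idea and NormanF's double-extension rule both come down to one question: what is this attachment really, as opposed to what its name says? The PowerShell below is an added example (it is not code from either post, nor from any product named in the thread) that answers it without executing or parsing the file: it reads only the first bytes, flags double extensions whose last part Windows would run, and compares the claimed extension against the file's magic number. The file names, byte stubs and temp directory are constructed for the demonstration; no real malware is involved.

```powershell
# Added example, not code from the thread or from any product mentioned in it.
# Inspect an e-mail attachment before deciding which program should open it:
# read only its first bytes (nothing is executed or parsed), flag double
# extensions that end in an executable type, and compare the claimed extension
# with the file's magic number. All sample files below are constructed.

# Extensions Windows runs directly on double-click. Explorer hides "known"
# extensions by default, so "Invoice.pdf.exe" is displayed as "Invoice.pdf".
$ExecutableExt = @('.exe', '.scr', '.com', '.pif', '.bat', '.cmd', '.js', '.jse',
                   '.vbs', '.vbe', '.wsf', '.hta', '.lnk', '.msi')

# Magic numbers: leading bytes -> real container type.
$Magic = @(
    @{ Name = 'PE executable';         Bytes = [byte[]](0x4D, 0x5A) },                                    # "MZ"
    @{ Name = 'OLE compound document'; Bytes = [byte[]](0xD0, 0xCF, 0x11, 0xE0, 0xA1, 0xB1, 0x1A, 0xE1) }, # legacy .doc/.xls
    @{ Name = 'ZIP container';         Bytes = [byte[]](0x50, 0x4B, 0x03, 0x04) },                        # .docx/.xlsx/.zip
    @{ Name = 'PDF';                   Bytes = [byte[]](0x25, 0x50, 0x44, 0x46) }                         # "%PDF"
)

# What each document extension is expected to contain.
$Expected = @{
    '.doc'  = 'OLE compound document'; '.xls'  = 'OLE compound document'
    '.docx' = 'ZIP container';         '.xlsx' = 'ZIP container'
    '.pdf'  = 'PDF'
}

function Get-RealFileType {
    param([Parameter(Mandatory = $true)][string]$Path)
    $head = New-Object byte[] 8
    $fs = [System.IO.File]::OpenRead($Path)
    try { $n = $fs.Read($head, 0, $head.Length) } finally { $fs.Dispose() }
    foreach ($m in $Magic) {
        $sig = $m.Bytes
        if ($n -lt $sig.Length) { continue }
        $match = $true
        for ($i = 0; $i -lt $sig.Length; $i++) {
            if ($head[$i] -ne $sig[$i]) { $match = $false; break }
        }
        if ($match) { return $m.Name }
    }
    return 'unknown'
}

function Test-Attachment {
    param([Parameter(Mandatory = $true)][string]$Path)
    $name    = [System.IO.Path]::GetFileName($Path)
    $parts   = $name.Split('.')
    $claimed = if ($parts.Count -gt 1) { '.' + $parts[-1].ToLower() } else { '' }
    $real    = Get-RealFileType -Path $Path
    $warn    = @()

    if ($ExecutableExt -contains $claimed) {
        # "Invoice.pdf.exe": the inner extension is bait, the last one is what runs.
        if ($parts.Count -gt 2) { $warn += "double extension ending in $claimed" }
        else                    { $warn += "directly executable type $claimed" }
    }
    if ($Expected.ContainsKey($claimed) -and $Expected[$claimed] -ne $real) {
        # Claimed document type, but the bytes say otherwise (e.g. a PE named .pdf).
        $warn += "claims $claimed but content is '$real'"
    }
    [pscustomobject]@{ File = $name; Claimed = $claimed; RealType = $real; Warnings = ($warn -join '; ') }
}

# --- Constructed samples in a temp directory (harmless stubs, not real malware).
$dir = Join-Path ([System.IO.Path]::GetTempPath()) ('attach-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $dir | Out-Null
$mzStub = New-Object byte[] 64; $mzStub[0] = 0x4D; $mzStub[1] = 0x5A           # minimal "MZ" header only
[System.IO.File]::WriteAllBytes((Join-Path $dir 'Invoice.pdf.exe'), $mzStub)    # double extension
[System.IO.File]::WriteAllBytes((Join-Path $dir 'statement.pdf'),   $mzStub)    # PE renamed to .pdf
[System.IO.File]::WriteAllBytes((Join-Path $dir 'report.doc'), $Magic[1].Bytes) # genuine OLE header

Get-ChildItem -Path $dir -File | ForEach-Object { Test-Attachment -Path $_.FullName } |
    Format-Table File, Claimed, RealType, Warnings -AutoSize
Remove-Item -Path $dir -Recurse -Force
```

    In the constructed set, `Invoice.pdf.exe` is flagged for its double extension, `statement.pdf` for carrying a PE header under a document name, and `report.doc` passes. The check catches the renaming tricks the two posts describe; it says nothing about a file that genuinely is a .doc or .pdf, which can still carry a macro or target a bug in the reader, so it complements patching and macro settings rather than replacing them.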
     
  8. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,063
    Location:
    Canada
    I've been preaching this for years :)

    Ultimately a backup is probably the most important step. Not only will it rescue one from Crypto or other malware, but it will also bail one out of a borked h/drive or system.
     
  9. siljaline

    siljaline Registered Member

    Joined:
    Jun 29, 2003
    Posts:
    6,618
  10. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,571
  11. siljaline

    siljaline Registered Member

    Joined:
    Jun 29, 2003
    Posts:
    6,618
    An AV Specific expert or Panda AV specific expert would have to field that query.
     
  12. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,131
    Location:
    USA
    If I were to install CryptoPrevent, is there also an "uninstall" provision should I have problems - or, how do you remove/reverse all the registry entries it makes?
     
  13. SouthPark

    SouthPark Registered Member

    Joined:
    Jun 13, 2012
    Posts:
    735
    Location:
    South Park, CO
    CryptoPrevent has an "undo" feature that is supposed to reverse the changes, although I have not tested it.
     
  14. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    97,165
    Location:
    U.S.A.
    TomAZ, there's a portable version as well. Just FYI.
     
  15. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,131
    Location:
    USA
    How is the portable version different? Ultimately, don't they both do about the same thing?
     
  16. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    97,165
    Location:
    U.S.A.
    TomAZ, while both versions do the same thing, with the portable version, there's no need to uninstall the software.
     
  17. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,131
    Location:
    USA
    Of course. Guess I thought you were somehow referring to another way of reversing the entries.
     
  18. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    97,165
    Location:
    U.S.A.
    In their CryptoPrevent page, under the Undo section, it states: You may undo the protection at any time by using the Undo button in the main interface.
     
  19. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    2,870
    You can undo those policies.

    A better option is to whitelist legitimate Internet-facing programs that might need to write to the %AppData% folder.

    The reason for the policy restriction is to keep ransomware like CryptoLocker from installing to certain areas on your PC in the first place.

    But new variants of CryptoLocker will try to defeat efforts to block it, so anti-CryptoLocker software will have to be kept updated to effectively counter new threats.
     
  20. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,131
    Location:
    USA
    So how do you do this?
     
  21. gambla

    gambla Registered Member

    Joined:
    Sep 4, 2007
    Posts:
    166
    Location:
    Frankfurt, Germany
    I guess NormanF means using "default deny" via SRP / GPO.
     
  22. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    6,166
    This is really a bloody ~snipped~!

    But do the antivirus vendors keep updating their databases to cover all the variants?

    Or is it better to buy an antimalware?
     
    Last edited by a moderator: Dec 28, 2013
  23. guest

    guest Guest

    Better use SRP/AppLocker default-deny, with LUA if possible.
     
  24. SouthPark

    SouthPark Registered Member

    Joined:
    Jun 13, 2012
    Posts:
    735
    Location:
    South Park, CO
    You can check CryptoPrevent for updates manually from within the program. A premium version is also available that updates automatically.

    CryptoPrevent is not an AV or antimalware program -- it's just a tool to change Windows software execution policies on non-business versions to reduce the risk surface.
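    NormanF (posts 7 and 19), gambla, the guest poster and SouthPark are all talking about the same mechanism: Software Restriction Policy (SRP) path rules, either layered on an allow-by-default system to fence off %AppData%, or turned around into default deny. TomAZ's undo question is the other half of it. The PowerShell below is an added example, not code from the thread, from CryptoPrevent or from Microsoft; it writes rules into the registry keys that secpol.msc and gpedit.msc themselves write, which is how SRP can be applied on editions that ship without the policy editor. The registry layout is Microsoft's documented SRP storage; the per-user whitelist path is hypothetical. Run it elevated, try `-WhatIf` first, and keep `Remove-Srp` handy.

```powershell
# Added example, not code from the thread, CryptoPrevent or Microsoft. Writes
# Software Restriction Policy (SRP) rules directly to the registry keys that
# secpol.msc / gpedit.msc write. Run from an elevated prompt; -WhatIf shows
# what would change, Remove-Srp reverts everything.

$Safer        = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0          # SRP security level: Disallowed
$Unrestricted = 0x40000    # SRP security level: Unrestricted (decimal 262144)

function Initialize-Srp {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([int]$DefaultLevel = $Unrestricted)
    if (-not $PSCmdlet.ShouldProcess($Safer, "Create SRP root, default level $DefaultLevel")) { return }
    New-Item -Path $Safer -Force | Out-Null
    New-ItemProperty -Path $Safer -Name DefaultLevel        -Value $DefaultLevel -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $Safer -Name TransparentEnabled  -Value 1 -PropertyType DWord -Force | Out-Null  # 1 = executables only, 2 = DLLs too
    New-ItemProperty -Path $Safer -Name PolicyScope         -Value 0 -PropertyType DWord -Force | Out-Null  # 0 = all users incl. admins, 1 = skip admins
    New-ItemProperty -Path $Safer -Name AuthenticodeEnabled -Value 0 -PropertyType DWord -Force | Out-Null
    # File types SRP treats as executable when matching path rules (the stock list).
    New-ItemProperty -Path $Safer -Name ExecutableTypes -PropertyType MultiString -Force -Value @(
        'ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP','HTA','INF','INS','ISP',
        'LNK','MDB','MDE','MSC','MSI','MSP','MST','OCX','PCD','PIF','REG','SCR','SHS','URL','VB','WSC') | Out-Null
}

function New-SrpPathRule {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$Path,   # may use %ENVVAR%, registry-value paths and * wildcards
        [Parameter(Mandatory = $true)][int]$Level,     # $Disallowed or $Unrestricted
        [string]$Description = ''
    )
    # Each rule is a subkey <level>\Paths\{GUID}; the GUID is only a unique key name.
    $key = Join-Path $Safer ('{0}\Paths\{{{1}}}' -f $Level, [guid]::NewGuid())
    if (-not $PSCmdlet.ShouldProcess($Path, "SRP path rule, level $Level")) { return }
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name ItemData     -Value $Path        -PropertyType ExpandString -Force | Out-Null
    New-ItemProperty -Path $key -Name SaferFlags   -Value 0            -PropertyType DWord        -Force | Out-Null
    New-ItemProperty -Path $key -Name Description  -Value $Description -PropertyType String       -Force | Out-Null
    New-ItemProperty -Path $key -Name LastModified -Value ([datetime]::UtcNow.ToFileTimeUtc()) -PropertyType QWord -Force | Out-Null
}

function Remove-Srp {
    # The "undo": deleting the Safer key removes every rule and setting written above.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if ($PSCmdlet.ShouldProcess($Safer, 'Remove all SRP settings')) {
        Remove-Item -Path $Safer -Recurse -Force -ErrorAction SilentlyContinue
    }
}

function Set-SrpProfileBlock {
    # CryptoPrevent-style: allow by default, deny the user-writable profile locations.
    # A rule on '%AppData%\*.exe' covers only that directory, so one level of
    # subdirectory is named explicitly.
    Initialize-Srp -DefaultLevel $Unrestricted
    foreach ($p in '%AppData%\*.exe', '%AppData%\*\*.exe',
                   '%LocalAppData%\*.exe', '%LocalAppData%\*\*.exe', '%Temp%\*.exe') {
        New-SrpPathRule -Path $p -Level $Disallowed -Description 'Deny executables in user profile areas'
    }
    # Whitelisting one legitimate per-user program (hypothetical path): among path
    # rules the most specific match wins, so this overrides the wildcards above.
    New-SrpPathRule -Path '%LocalAppData%\ExampleVendor\ExampleApp\app.exe' -Level $Unrestricted -Description 'Allowed per-user app'
}

function Set-SrpDefaultDeny {
    # Default deny (SRP as a whitelist): everything is Disallowed unless it lives
    # under the OS or Program Files directories, named via the same registry-value
    # paths the policy editor uses for its stock rules.
    Initialize-Srp -DefaultLevel $Disallowed
    New-SrpPathRule -Path '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%' -Level $Unrestricted -Description 'OS binaries'
    New-SrpPathRule -Path '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%' -Level $Unrestricted -Description 'Installed programs'
    New-SrpPathRule -Path '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)%' -Level $Unrestricted -Description 'Installed 32-bit programs'
}

Set-SrpProfileBlock   # or: Set-SrpDefaultDeny
```

    Reboot before testing, then copy a harmless program into %AppData% and try to launch it; a blocked launch is logged in the Application log under the SoftwareRestrictionPolicies source. Two caveats a practitioner will want. First, path rules only act on the file types listed in `ExecutableTypes` started from the named directories, and with `TransparentEnabled` at 1 DLLs are not checked, so a payload dropped elsewhere or loaded by a script host is outside their reach; that is the "new variants will try to defeat it" point in post 19. Second, default deny is only as good as the allowed directories: `%SystemRoot%` contains user-writable subfolders such as `Temp` and `Tasks`, so a real whitelist adds Disallowed rules for those and assumes a standard-user account, since an administrator can simply write into Program Files.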
     
  25. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,468
    Location:
    Hollow Earth - Telos
    Is it OK to have CryptoPrevent and HMP.Alert running together?
     