CryptoPrevent is no longer based solely on Windows software restriction policies

Discussion in 'other anti-malware software' started by Dragon1952, Jun 17, 2014.

  1. Victek (Registered Member; joined Nov 30, 2007; 6,219 posts; USA)
    Thanks for the reply, and tip about ActiveX filtering; I wasn't aware of that option:

    http://www.sevenforums.com/tutorials/149053-internet-explorer-activex-filtering-turn-off.html
     
  2. Minimalist (Registered Member; joined Jan 6, 2014; 14,883 posts; Slovenia, EU)
    I didn't know about it either. Very useful, indeed.
     
  3. itman (Registered Member; joined Jun 22, 2010; 8,593 posts; U.S.A.)
  4. EASTER (Registered Member; joined Jul 28, 2007; 11,126 posts; U.S.A. (South))
    I would sure like to see a new class of HIPS-only land on the scene again. I have nothing whatsoever against commercial name brands, but sometimes it's that layered approach without a suite that suits some best. Too bad I'm not a programmer per se myself or I would have already devised one on the order of what we used to have in Malware Defender, EQS etc. for 64-bit systems. I think the introduction of MS PatchGuard pretty much finished those development teams as well as virtualization technologies. With a good HIPS it was nice to get alert pop-ups (chatty or not) with details such as name, path, etc., and also have the local option to kill and delete, or even, while trapped, close the process and confiscate the offending file for research.
     
  5. EASTER (Registered Member; joined Jul 28, 2007; 11,126 posts; U.S.A. (South))
  6. Peter2150 (Global Moderator; joined Sep 20, 2003; 20,590 posts)

    No surprise to me about Emsisoft. I've thrown a lot of the ransomware sent me against my setup. In every case the first at the bat has been EIS. It has always caught them.
     
  7. EASTER (Registered Member; joined Jul 28, 2007; 11,126 posts; U.S.A. (South))
    Hmmm. Well, I value your experiences in that regard and you already are aware of mine, Pete. Until the time that some new inventors step up again I really am torn between either an AV like ESET, of course due to some HIPS granularity fun on my part to tighten the channels, and Emsisoft's with its BB integrations (Paranoid mode always worked very well). I'll try to stay Mr Crypto-free until making up my mind. You know what a H U G E! classical HIPS proponent I have been, am, and always will be. Prevention and protection are key.
     
  8. itman (Registered Member; joined Jun 22, 2010; 8,593 posts; U.S.A.)
    I just created HIPS rules for the folders mentioned in the BleepingComputer.com web site article. You also want to add C:\ProgramData\Digger folder to those mentioned. Most people infected also had that folder created.

    -EDIT-

    Here are the four folders the malware creates:

    C:\ProgramData\Steg\
    C:\ProgramData\Tor\
    C:\ProgramData\rkcl\
    C:\ProgramData\Digger\
     
    Last edited: May 25, 2015
  9. NormanF (Registered Member; joined Feb 20, 2009; 2,881 posts)

    You can also create a path rule in GPO disallowing executables from running in the above folders.
     
  10. WildByDesign (Registered Member; joined Sep 24, 2013; 2,587 posts; Toronto, Canada)
    Thanks for the heads up. I was leaving C:\ProgramData\* wide open previously in my Bouncer rules but after reading this, I am going to be much more careful there.
     
  11. NormanF (Registered Member; joined Feb 20, 2009; 2,881 posts)
    You can just block the creation of the folder and executable for instance - %ProgramData%\Steg\*exe

    A rule that will prevent executables created there from running.

    You don't want to block legitimate %ProgramData% applications, just malware dropped to new folders in that folder.
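    The path rules itman, NormanF and WildByDesign describe above (block executables in the four drop folders, leave the rest of %ProgramData% alone) can be created without clicking through secpol.msc. The script below is an added example and is not code from this thread or from CryptoPrevent; it writes the same registry keys the Local Security Policy editor writes for a "Disallowed" path rule (HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{GUID} with ItemData, SaferFlags, Description and LastModified). The rule description text, the re-run check and the requirement that SRP already be enabled are my own choices; the four patterns come from the posts above.

```powershell
# Added example (not from the thread): create SRP "Disallowed" path rules for the
# four folders listed in this thread, using the registry layout secpol.msc itself writes.
# Assumptions: run from an elevated PowerShell; SRP has already been enabled once
# (secpol.msc -> Software Restriction Policies -> New Software Restriction Policies),
# which is what creates the CodeIdentifiers key and its DefaultLevel/ExecutableTypes values.

$saferRoot  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$disallowed = '0'      # security-level subkeys: 0 = Disallowed, 262144 (0x40000) = Unrestricted

if (-not (Test-Path $saferRoot)) {
    throw 'SRP is not enabled on this machine; create the policy in secpol.msc first.'
}

# Patterns from the thread: only executables dropped into these new folders,
# not %ProgramData% as a whole (NormanF's point).
$blockedPatterns = @(
    '%ProgramData%\Steg\*.exe',
    '%ProgramData%\Tor\*.exe',
    '%ProgramData%\rkcl\*.exe',
    '%ProgramData%\Digger\*.exe'
)

function Get-SrpPathRules {
    # Returns the raw ItemData of every existing path rule at a given level.
    # DoNotExpandEnvironmentNames keeps '%ProgramData%' literal; Get-ItemProperty
    # would expand it and the duplicate check below would silently fail.
    param([string]$Level)
    $pathsKey = "$saferRoot\$Level\Paths"
    if (-not (Test-Path $pathsKey)) { return @() }
    Get-ChildItem -Path $pathsKey | ForEach-Object {
        $_.GetValue('ItemData', $null,
            [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
    }
}

function Add-SrpPathRule {
    param([string]$Pattern, [string]$Level, [string]$Description)
    $pathsKey = "$saferRoot\$Level\Paths"
    if (-not (Test-Path $pathsKey)) { New-Item -Path $pathsKey -Force | Out-Null }

    # Idempotent: re-running the script must not pile up duplicate rules.
    if ((Get-SrpPathRules -Level $Level) -contains $Pattern) {
        Write-Host "exists: $Pattern"
        return
    }

    $ruleKey = $pathsKey + '\{' + [guid]::NewGuid().ToString().ToUpper() + '}'
    New-Item -Path $ruleKey -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name ItemData     -PropertyType ExpandString -Value $Pattern     | Out-Null
    New-ItemProperty -Path $ruleKey -Name SaferFlags   -PropertyType DWord        -Value 0            | Out-Null
    New-ItemProperty -Path $ruleKey -Name Description  -PropertyType String       -Value $Description | Out-Null
    # LastModified is a FILETIME; the policy editor writes it, so we do too.
    New-ItemProperty -Path $ruleKey -Name LastModified -PropertyType QWord `
        -Value ([datetime]::UtcNow.ToFileTimeUtc()) | Out-Null
    Write-Host "added:  $Pattern"
}

foreach ($pattern in $blockedPatterns) {
    Add-SrpPathRule -Pattern $pattern -Level $disallowed -Description 'Locker ransomware drop folder (manual rule)'
}

# Show the resulting rule set so it can be compared with secpol.msc.
Write-Host "`nDisallowed path rules now present:"
Get-SrpPathRules -Level $disallowed
```

    Verify the effect the way the thread does for any SRP change: copy a harmless test executable into one of the folders and confirm Windows refuses to start it (event ID 865 in the Application log records SRP blocks). The same function with `-Level '262144'` writes an Unrestricted rule, which is how a vendor folder such as the ones listed later in the thread would be whitelisted if the default level were switched to Disallowed.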
     
  12. WildByDesign (Registered Member; joined Sep 24, 2013; 2,587 posts; Toronto, Canada)
    Correct. I've got rules to allow legitimate applications and block everything else from executing. Thanks.
     
  13. ghodgson (Registered Member; joined Dec 20, 2003; 835 posts; UK)
  14. itman (Registered Member; joined Jun 22, 2010; 8,593 posts; U.S.A.)
    A common theme running through people infected with this latest Locker crypto malware is Minecraft. So, gamers beware.

    Also unfortunately, a lot of people appear to be paying the ransom. Malwaretips web site does offer a few suggestions for possible file recovery.
     
  15. Peter2150 (Global Moderator; joined Sep 20, 2003; 20,590 posts)
    A more common link is foolishness. I just got an email with a zip file, which I'll bet is a crypto thingie. Anyone foolish enough to fall for the email, no less the zip, is just plain foolish.
     
  16. Victek (Registered Member; joined Nov 30, 2007; 6,219 posts; USA)
    Note that it was a "cracked" version of Minecraft.
     
  17. WildByDesign (Registered Member; joined Sep 24, 2013; 2,587 posts; Toronto, Canada)
    I've been following both of the threads there at bleepingcomputer.com as well. It's unfortunate that many users are resorting to paying the ransom. And it is troublesome that they still haven't been able to track down the dropper. Since it hasn't shown up yet on many security blogs, it's hard to see just how widespread it really is. But I imagine it's going to be quite widespread. I'm assuming that the security blogs are waiting until they have more details on it before posting. It will be interesting to see how this goes though.

    It's too bad that a lot of those users didn't have the tools or knowledge to prevent this. And it seems that a lot of data has been lost.
     
  18. Victek (Registered Member; joined Nov 30, 2007; 6,219 posts; USA)
    I'm following that thread too and I hope they will eventually be able to fully understand the attack vectors for this "Locker" ransomware. An obvious takeaway is downloading cracked games is a bad idea, but there may be other ways people became infected. This is the first time I've heard of a crypto-ransomware virus having a date/time trigger. An upside to that is it may have been possible to detect and remove the dropper before it was triggered.
     
    Last edited: May 26, 2015
  19. WildByDesign (Registered Member; joined Sep 24, 2013; 2,587 posts; Toronto, Canada)
    I would like to continue to discuss this more because it's quite interesting, especially regarding the time bomb and seeing how widespread it is. But I think that we need a thread for this particular ransomware in the appropriate sub-forum.
     
  20. Victek (Registered Member; joined Nov 30, 2007; 6,219 posts; USA)
    Good idea; would you like to create it, perhaps in "malware problems and news"? :) I'll keep an eye out.
     
  21. WildByDesign (Registered Member; joined Sep 24, 2013; 2,587 posts; Toronto, Canada)
    Here it is: https://www.wilderssecurity.com/threads/new-locker-ransomware.376544/

    I just didn't want to take away from the CryptoPrevent thread itself. I have a feeling that there will be quite a lot to discuss on it. I will update the OP there bit by bit.
     
  22. Minimalist (Registered Member; joined Jan 6, 2014; 14,883 posts; Slovenia, EU)
    I've never whitelisted the ProgramData folder in my SRP rules and never experienced any problem. Only when I create a Macrium Reflect boot disk do I have to disable SRP for that folder. Do a lot of legit applications store executable files in that folder?
     
  23. WildByDesign (Registered Member; joined Sep 24, 2013; 2,587 posts; Toronto, Canada)
    Not very many seem to store executables there, and a few .dll files as well.

    Below is what I have whitelisted now. These are the only directories on mine which contained executables. Whether they are utilized often, if at all, I have no idea. They may have just been utilized during installation and may only be used again if those programs upgrade or uninstall, but I'm not entirely sure.

    Code:
    C:\ProgramData\Adobe\*
    C:\ProgramData\Intel\*
    C:\ProgramData\Microsoft\*
    C:\ProgramData\Package Cache\*
    C:\ProgramData\CanonBJ\*
     
  24. EASTER (Registered Member; joined Jul 28, 2007; 11,126 posts; U.S.A. (South))
    Those exact names and paths are now entered into another Bouncer config file's (Blacklist*) set of lines that I will be testing with, provided of course that I have the right dropper, which I think I do now.
     
  25. itman (Registered Member; joined Jun 22, 2010; 8,593 posts; U.S.A.)
    I have checked my WIN 7 x64, SP1 install and the only .exe files in ProgramData are some old Adobe Updater and Reader files; nothing related to current versions. I believe SRP rules for C:\ProgramData\*.exe and C:\ProgramData\*\*.exe could be safely created with zip impact.

    By definition, no active .exe's should be stored in the C:\ProgramData\ directory.

    However, a lot more needs to be explored on this latest Locker malware. If you look at the permissions on the ProgramData folder, they are System and Admins only for all activities. This tells me that this malware had to be overtly installed; most likely via the cracked MineCraft Extreme installer. In other words, this is not your run-of-the-mill CryptoLocker variant. Bottom line - I wouldn't spin your wheels over covering every protection angle on this one unless you use cracked software. If you do, I have no sympathy for you when you're hacked.
     
    Last edited: May 28, 2015
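    Minimalist, WildByDesign and itman each answered "what legitimately lives in ProgramData?" by looking at their own machines. The script below is an added example, not code from this thread or from any of the products mentioned, that does that inventory in a repeatable way: it lists every binary under %ProgramData%, groups it by first-level vendor folder (the `C:\ProgramData\Vendor\*` shape WildByDesign's whitelist uses), checks each file's Authenticode signature, and prints candidate allow patterns. The extension list, the CSV path and the "no unsigned binaries" rule for candidates are my own assumptions; an unsigned file is not proof of malware (itman's old Adobe updater would show up here), only a reason to look before whitelisting the folder.

```powershell
# Added example (not from the thread): inventory executables under %ProgramData%
# so an SRP / Bouncer whitelist is built from what is actually present.
# Assumptions: extension list, output CSV location and the "signed only" candidate
# rule are mine; whitelist shape (C:\ProgramData\<Vendor>\*) follows the thread.

$root = $env:ProgramData          # normally C:\ProgramData
# PE types SRP treats as executable by default, plus DLLs, which the thread also
# mentions finding in vendor folders.
$extensions = @('*.exe', '*.dll', '*.com', '*.scr', '*.pif', '*.cpl', '*.ocx')

$files = Get-ChildItem -Path $root -Recurse -Force -File -Include $extensions -ErrorAction SilentlyContinue

# One row per binary: which first-level folder it sits in and whether it is validly signed.
$report = $files | ForEach-Object {
    $rel = $_.FullName.Substring($root.Length).TrimStart('\')
    $top = if ($rel.Contains('\')) { $rel.Split('\')[0] } else { '<root>' }
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
    [pscustomobject]@{
        TopFolder = $top
        File      = $rel
        Signed    = ($sig.Status -eq 'Valid')
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    }
}

# Per-folder summary: total binaries, and how many carry a valid signature.
$summary = $report | Group-Object TopFolder | ForEach-Object {
    [pscustomobject]@{
        TopFolder = $_.Name
        Binaries  = $_.Count
        Signed    = ($_.Group | Where-Object { $_.Signed }).Count
        Unsigned  = ($_.Group | Where-Object { -not $_.Signed }).Count
    }
} | Sort-Object Binaries -Descending

$summary | Format-Table -AutoSize

# Binaries directly in the root (itman's "by definition" case) or in a folder with
# unsigned files are flagged for manual review; the rest become candidate allow rules.
$review = $summary | Where-Object { $_.TopFolder -eq '<root>' -or $_.Unsigned -gt 0 }
if ($review) {
    Write-Host "`nFolders to inspect before whitelisting:"
    $review | ForEach-Object { "  $root\$($_.TopFolder)  ($($_.Unsigned) unsigned)" }
}

$candidates = $summary |
    Where-Object { $_.TopFolder -ne '<root>' -and $_.Unsigned -eq 0 } |
    ForEach-Object { "$root\$($_.TopFolder)\*" }
Write-Host "`nCandidate whitelist patterns (review before use):"
$candidates

# Full per-file detail (path, signer) for the review step.
$csv = Join-Path $env:TEMP 'programdata-binaries.csv'
$report | Sort-Object TopFolder, File | Export-Csv -NoTypeInformation -Path $csv
Write-Host "`nDetail written to $csv"
```

    Run it once before tightening rules and again after installing or updating software: a new folder appearing in the "inspect" list is exactly the signal the thread is reacting to, and comparing two CSV runs shows what changed. Because `Get-ChildItem -Force` is used, hidden folders (the thread's drop folders were created by an installer, not by the user) are included in the listing.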