Was it this article? http://www.nytimes.com/2015/01/04/opinion/sunday/how-my-mom-got-hacked.html?_r=1
Here's the essential bit about CryptoWall from the grc.com discussion: "So in a series of four tweets, Christian wrote: "If system protection and system restore run on all drives, including shadow copy services, on non-admin account there is hope." That's the first tweet. Second tweet was: "Under non-admin account, CryptoWall cannot see, delete, or alter any shadow copies used by system restore and system protection." Tweet No. 3: "Remove malware, then login as admin, use the shadow explorer utility to restore previous versions, before infection." And finally, "Access to read, modify, or delete shadow copies requires full disk access privilege, which non-admin accounts do not have, but admin does." So thank you, Christian. Essentially, the short of that is, if users are running as everyone knows they should be, rather than as an administrator, as a non-admin account, if you get hit by CryptoWall, you're able to restore yourself using the shadow copy system because CryptoWall will only have the privileges of the logged-in user when you get yourself infected. And so if you disinfect yourself, even though your files are all still scrambled, you can then restore from backup shadow copies. So good to know for anybody to whom that happens and who was properly running as a non-admin account."
I would suggest using CryptoPrevent. It will block any crypto-attack or similar attack by other malware. You may try it: http://www.foolishit.com/vb6-projects/cryptoprevent/
"Ransom malware could be beaten with simple file-system security, study concludes Encryption and file deletion programmes not as unstoppable or frightening as some believe.... The interesting aspect of this is that these techniques interact with the file system in predictable but unusual ways on Windows NTFS (default since Vista in 2007) and that a program monitoring the Master File Table (MFT) would be able to spot unusual behaviour as it was unfolding and block it." http://www.computerworlduk.com/news...tem-security-study-concludes-3619287/?olo=rss
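A toy version of the file-system monitoring idea in the quoted article, added here as an example for this thread; it is not code from the cited study, the article, or any product. It assumes a stream of constructed file-operation events (timestamp, pid, operation, path, payload) in the shape an MFT or minifilter monitor might emit, and the heuristic, field layout and thresholds are my own: a process is flagged when, within a short window, it overwrites several files with high-entropy data and then deletes or renames them, which is the read-encrypt-destroy pattern the article describes, while a process that saves one compressed file or edits plain text is left alone.

```python
import math
from collections import defaultdict

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 for uniformly distributed bytes, near 0 for repetitive text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

# Constructed payloads: a stand-in for ciphertext (entropy 8.0) and ordinary text.
HIGH_ENTROPY = bytes(range(256)) * 4
TEXT = b"quarterly numbers, nothing unusual here\n" * 10

# Constructed event stream: (seconds, pid, op, path, payload). For "rename" the
# payload is the new name. pid 4242 behaves like the malware described above;
# 1337 saves a single archive; 2001 is a text editor.
SAMPLE_EVENTS = [
    (0.0, 4242, "read",   r"C:\Users\a\Docs\report1.docx", b""),
    (0.1, 4242, "write",  r"C:\Users\a\Docs\report1.docx", HIGH_ENTROPY),
    (0.2, 4242, "rename", r"C:\Users\a\Docs\report1.docx", b"report1.docx.locked"),
    (0.3, 4242, "read",   r"C:\Users\a\Docs\budget.xlsx", b""),
    (0.4, 4242, "write",  r"C:\Users\a\Docs\budget.xlsx", HIGH_ENTROPY),
    (0.5, 4242, "delete", r"C:\Users\a\Docs\budget.xlsx", b""),
    (0.6, 4242, "read",   r"C:\Users\a\Pictures\cat.jpg", b""),
    (0.7, 4242, "write",  r"C:\Users\a\Pictures\cat.jpg", HIGH_ENTROPY),
    (0.8, 4242, "rename", r"C:\Users\a\Pictures\cat.jpg", b"cat.jpg.locked"),
    (1.0, 1337, "write",  r"C:\Users\a\Downloads\photos.zip", HIGH_ENTROPY),
    (1.5, 2001, "read",   r"C:\Users\a\Docs\notes.txt", b""),
    (1.6, 2001, "write",  r"C:\Users\a\Docs\notes.txt", TEXT),
]

def detect_ransomware_like(events, window=10.0, entropy_threshold=6.0, min_files=3):
    """Return {pid: {"files": n, "seconds": elapsed}} for every process that, within
    `window` seconds, overwrote at least `min_files` distinct files with
    high-entropy data and afterwards deleted or renamed those same files."""
    state = defaultdict(lambda: {"first": None, "last": None,
                                 "encrypted": set(), "destroyed": set()})
    for t, pid, op, path, payload in events:
        s = state[pid]
        if op == "write" and shannon_entropy(payload) >= entropy_threshold:
            s["first"] = t if s["first"] is None else s["first"]
            s["last"] = t
            s["encrypted"].add(path)
        elif op in ("delete", "rename") and path in s["encrypted"]:
            s["last"] = t
            s["destroyed"].add(path)
    alerts = {}
    for pid, s in state.items():
        if len(s["destroyed"]) >= min_files:
            elapsed = s["last"] - s["first"]
            if elapsed <= window:
                alerts[pid] = {"files": len(s["destroyed"]), "seconds": round(elapsed, 3)}
    return alerts

if __name__ == "__main__":
    for pid, info in detect_ransomware_like(SAMPLE_EVENTS).items():
        print(f"pid {pid}: {info['files']} files encrypted and destroyed in {info['seconds']}s")
```

A real monitor would have to hook the file system before the write completes (a minifilter or MFT watcher, as the article suggests) rather than score events after the fact, and the entropy test alone is noisy because archives, media and already-encrypted files are legitimately high-entropy; that is why the rule also requires the follow-up delete or rename and a burst of several files.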
Very interesting! Looks like HMPA and CryptoMonitor are both using some of these techniques. Here is the correct link to the PDF: http://seclab.ccs.neu.edu/static/publications/dimva2015ransomware.pdf
@hawki - I don't find the notion of behavioral protection of filesystem access convincing. IMO, what's actually needed is a form of disk firewall, which would restrict process permissions, individually and automatically encrypt files, preferably with options for TFA and presence notifications.
If combined with file/folder protection, I think it's quite good protection. It would also be cool if you could "trust" certain apps that need to modify files, so it wouldn't interfere with normal operations.
Sorry but anything to deal with grc.com and Steve Gibson should be removed from this forum. He is not a credible source for security information or news.
I assume you're referring to the information quoted in #29. Is there something inaccurate in the statements about CryptoWall from the grc.com discussion?
Thanks for the link. The article is a good reminder that this kind of malware has not gone away and is not going away.
Has the government paid off hackers to remove malware from agency computers? http://www.nextgov.com/cybersecurit...ckers-remove-malware-agency-computers/124227/