CryptoLocker

Discussion in 'malware problems & news' started by DX2, Sep 10, 2013.

  1. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,784
  2. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
  3. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,294
    Location:
    USA
    Thanks for the responses, GZ, LW and b e.
     
  4. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    1,198
    I'm just trying out Sandboxie for the first time right now. Adding another layer of protection against this diabolical virus is great news.
     
  5. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Sure it's scary post-infection, but aren't too many people overestimating how well it spreads?
     
  6. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    1,198
    Why are you saying this?
     
  7. siljaline

    siljaline Registered Member

    Joined:
    Jun 29, 2003
    Posts:
    6,617
  8. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Don't see anything special on how the computer becomes infected, or did I miss something?
     
  9. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Oh man, talk about taking malware to another level. :ouch:

    If nothing else comes of this newest twist in public extortion, it should without doubt encourage its victims to finally establish a preventive backup plan for the future.

    Just when you think you've seen it all...

    :blink:
     
  10. guest

    guest Guest

    EXE Radar:
    Only had a brief trial with this. Didn't manage to try the whole thing because the custom whitelist bug made me lose interest. It seems to have been fixed a few months ago.

    AppGuard:
    A brief trial as well, but I got my hands on it... well, sort of. If you guard the browser and enable "privacy mode", with your personal folders in the... uhm, protected area rules, and set the access to "deny access" or "read-only", then it should prevent it if the malware enters by exploiting the browser.

    Of course, the obvious thing to do first is to prevent CryptoLocker or any other malware from being installed/executed. Then protect the trusted processes from being hijacked/manipulated. Then block unauthorized access to your personal files and folders.

    Oh BTW, found how to restrict access in Sandboxie:
    https://www.wilderssecurity.com/showpost.php?p=1923325&postcount=5
     
  11. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    1,198
    Clicking on links in emails (one way we are infected) is pretty much the same old same old... I don't think it needs to be "special" to have a big reach, but I wonder what the actual figures are? From what I've heard it's pretty much hitting worldwide. I think it would be safe to say it's causing a lot of people a lot of grief. Sure is a scumbag.

    Thanks for that Graf, I'm just learning Sandboxie now.
     
  12. siljaline

    siljaline Registered Member

    Joined:
    Jun 29, 2003
    Posts:
    6,617
  13. siljaline

    siljaline Registered Member

    Joined:
    Jun 29, 2003
    Posts:
    6,617
    Watch CryptoLocker in action:

    -http://www.youtube.com/watch?v=Gz2kmmsMpMI-
     
  14. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,470
    Location:
    Hollow Earth - Telos
    Last edited: Nov 5, 2013
  15. zerotox

    zerotox Registered Member

    Joined:
    Jul 16, 2009
    Posts:
    419
    I have a question - instead of using CryptoPrevent Tool, or manually adding the rules in SRP, wouldn't it be enough to just change the policy to "disallowed", which makes it default-deny any execution from user-area folders or temp folders?
     
  16. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
  17. guest

    guest Guest

    @Reality

    Don't thank me, thank Bo. It's his post, I just dug up the older threads. Back up first before playing with it, just in case.

    @erikloman

    That's nice to know. :thumb:
     
  18. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    1,198
    OK Graf, one little word was missing... thx for the link. :) Hopefully that's better?

    So since we are told to backup, backup, backup (with CryptoLocker this advice has never been so important), has anyone got any recommendations for a good free backup utility?

    Agreed... it's a pretty rotten deal, this one. :( What next?
     
  19. siljaline

    siljaline Registered Member

    Joined:
    Jun 29, 2003
    Posts:
    6,617
    I guess you've answered your own question? Immunity On | Off? Your AV solution should be blacklisting most of this at this juncture. The AV-supplied solutions are their own and I cannot attest that they are viable solutions. Safe Hex prevails at all times.

     
  20. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,470
    Location:
    Hollow Earth - Telos
    Re: HitmanPro.Alert with CryptoGuard

    No way to tell if I should go with CG or BD Anti-CryptoLocker. I have BDACL running now but AppGuard won't let it start with Windows, so I have to start it after boot. Maybe AG will let it start with Windows. I will find out in 12 hours. Can CG and BDACL both run together without any problems? I have them both running now but don't know what would happen when they had CLocker to deal with.
     
    Last edited: Nov 6, 2013
  21. siljaline

    siljaline Registered Member

    Joined:
    Jun 29, 2003
    Posts:
    6,617
    Less acronym jargon, for those looking in, might help those less inclined learn more.

    According to some sources: CryptoLocker is now the most prolific malware threat.
     
  22. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    I was just about to say this myself... the best way to prevent it is to create SRP rules for AppData & UserProfile. Or if you're like me and have a default deny SRP in place already, this can't touch you.

    Stop it from getting there in the first place instead of trying to shoot it down later. That's how you have to roll these days.
     
  23. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,131
    Location:
    USA
    What are the steps for accomplishing this with Win XP?
     
  24. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada
    As Luciddream alluded to with the default deny approach, it is the best way to set up SRP rules. For the most part avoid using "Deny" rules (although there can be certain cases to use them, especially for blocking executables on removable media), and stick with "Allow" rules only, especially concerning the unprotected user directories, where you may want to create more granular rules. Think of the whitelist as a guest list for a private function, where only those on the list are allowed in. If not on the list, you're denied access.

    Even stronger than Path rules are Hash rules, but of course those require a lot of ongoing maintenance to update the hash values when whitelisted files are updated.

    BTW, I see nothing about CryptoLocker that makes it any more special or any more difficult to prevent than other mainstream malware, other than how it infects with its encryption method; otherwise its attack vector is really no different from that of rogue AV malware and such. It seems to be getting a lot of undeserved hype.
     
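    The default-deny SRP setup that zerotox asks about and luciddream and wat0114 describe, written out as the registry edits the Software Restriction Policies snap-in (secpol.msc / gpedit.msc) makes. This is an added example, not code from the thread or from CryptoPrevent or any other tool named in it. It assumes you run it from an elevated PowerShell on a machine you have a restore point for, that the allow paths below are the ones you want (adjust for your installation), and that "E:\" is where your removable media mounts; the function names Set-SrpDefaultDeny, Add-SrpPathRule and Get-SrpPathRule are mine.

```powershell
# Added example, not from the thread. Configures SRP as default-deny with
# allow (Unrestricted) path rules by writing the keys the SRP snap-in writes.
# Run elevated; take a restore point first. Log off/on (or gpupdate /force)
# before expecting the policy to apply to newly started programs.

$Safer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# Security levels as SRP stores them in the registry
$Disallowed   = 0
$Unrestricted = 262144     # 0x40000

function Set-SrpDefaultDeny {
    # DefaultLevel = Disallowed: whatever no Unrestricted rule matches is blocked.
    # TransparentEnabled = 1 enforces on executables but not DLLs (2 would add
    # DLLs, which breaks programs unless every DLL location is whitelisted too).
    # PolicyScope = 0 applies the policy to all users, local admins included.
    New-Item -Path $Safer -Force | Out-Null
    Set-ItemProperty -Path $Safer -Name DefaultLevel       -Value $Disallowed -Type DWord
    Set-ItemProperty -Path $Safer -Name TransparentEnabled -Value 1           -Type DWord
    Set-ItemProperty -Path $Safer -Name PolicyScope        -Value 0           -Type DWord
}

function Add-SrpPathRule {
    param(
        [Parameter(Mandatory)][string]$Path,
        [int]$Level = $Unrestricted,        # pass $Disallowed for an explicit deny rule
        [string]$Description = ''
    )
    # One rule = one GUID-named key under <Level>\Paths. ItemData is
    # REG_EXPAND_SZ so %SystemRoot% and friends expand when the rule is checked.
    $Key = Join-Path $Safer ('{0}\Paths\{{{1}}}' -f $Level, [guid]::NewGuid())
    New-Item -Path $Key -Force | Out-Null
    Set-ItemProperty -Path $Key -Name ItemData     -Value $Path        -Type ExpandString
    Set-ItemProperty -Path $Key -Name SaferFlags   -Value 0            -Type DWord
    Set-ItemProperty -Path $Key -Name Description  -Value $Description -Type String
    Set-ItemProperty -Path $Key -Name LastModified -Value (Get-Date).ToFileTime() -Type QWord
    $Key
}

function Get-SrpPathRule {
    # Lists the path rules now configured, so the result can be checked.
    foreach ($Entry in @{ Disallowed = $Disallowed; Unrestricted = $Unrestricted }.GetEnumerator()) {
        $Base = Join-Path $Safer "$($Entry.Value)\Paths"
        if (-not (Test-Path $Base)) { continue }
        Get-ChildItem -Path $Base | ForEach-Object {
            $Props = Get-ItemProperty -Path $_.PSPath
            [pscustomobject]@{
                Level       = $Entry.Key
                Path        = $Props.ItemData
                Description = $Props.Description
            }
        }
    }
}

# --- the policy itself ------------------------------------------------------
Set-SrpDefaultDeny

# The guest list: the OS and installed programs. User-writable places
# (%AppData%, %LocalAppData%\Temp, Downloads, the rest of %UserProfile%) are
# deliberately absent, so an .exe dropped there by an e-mail attachment or a
# browser exploit falls through to the Disallowed default.
Add-SrpPathRule -Path '%SystemRoot%'        -Description 'Windows'           | Out-Null
Add-SrpPathRule -Path '%ProgramFiles%'      -Description 'Program Files'     | Out-Null
Add-SrpPathRule -Path '%ProgramFiles(x86)%' -Description 'Program Files x86' | Out-Null   # 64-bit Windows only

# Explicit deny for removable media, the one case wat0114 keeps deny rules
# for. Redundant while DefaultLevel is Disallowed, but it keeps protecting
# if someone later relaxes the default. Assumption: USB sticks mount as E:.
Add-SrpPathRule -Path 'E:\' -Level $Disallowed -Description 'USB drive' | Out-Null

Get-SrpPathRule | Format-Table -AutoSize
```

    To check it took effect, log off and on, copy any harmless .exe into %AppData% and run it: SRP should refuse with "This program is blocked by group policy". Two things to keep in mind: the allow rules cover whole trees, so any subfolder under %SystemRoot% or %ProgramFiles% that ordinary users can write to is a hole in the whitelist and wants its own Disallowed rule; and this default-deny form makes CryptoPrevent's separate %AppData% deny rules unnecessary, since everything under the user profile is already unlisted.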

  25. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    What's sad is that most write-ups, other than warning about opening email attachments, don't stress the types of protection that many have listed here. These would protect in case of an accident, where someone was fooled by the enticement to open an attachment. If the OS was configured not to show extensions ("Hide extensions for known file types"), then the double extension trick could be effected, where the .exe extension wouldn't display and a fake extension (.pdf in many of the samples) would display:

    http://www.ghacks.net/2013/10/24/prevent-cryptolocker-ransomware-hit-pc/
    For those who haven't seen this trick before:

    Hide Extensions checked:
    extension_1.jpg

    All Extensions display:
    extension_2.jpg

    As krebsonsecurity.com and others have noted, the executable payload also can arrive via booby-trapped web sites exploiting vulnerable browser plug-ins.

    In both cases, with protection enabled that many have described, this exploit fails.

    I notice that some organizations filter .exe files. From Northeastern University:

    http://www.northeastern.edu/securenu/?p=2823
    I also notice that analyses are not consistent in describing the malware. Some call it a virus, some a trojan. Technically, it appears to be a trojan.

    Aryeh Goretsky of eset writes:

    https://forum.eset.com/topic/1210-just-hit-by-cryptolocker/#entry6969
    And from nakedsecurity:

    http://nakedsecurity.sophos.com/201...-learn-about-prevention-cleanup-and-recovery/
    Of course, to the victim, it doesn't matter what you call it!


    ----
    rich
     
    Last edited: Nov 6, 2013
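    A check for the double-extension trick Rmus describes, and the Explorer setting that defeats it, as an added example that is not part of his post. The function names and the sample attachment names are mine (the samples are constructed, not real CryptoLocker file names); the extension list is SRP's default "designated file types", used here only as a reasonable set of extensions that execute, not as a complete list.

```powershell
# Added example, not from the thread. Flags attachment names that would look
# like documents with "Hide extensions for known file types" on, and clears
# that setting for the current user.

# SRP's default designated file types, used as "extensions that execute"
# (assumption: a starting point, extend for your environment).
$ExecutableExt = @('ade','adp','bas','bat','chm','cmd','com','cpl','crt','exe',
                   'hlp','hta','inf','ins','isp','lnk','mdb','mde','msc','msi',
                   'msp','mst','ocx','pcd','pif','reg','scr','shs','url','vb','wsc')

function Test-RiskyAttachmentName {
    param([Parameter(Mandatory)][string]$FileName)
    # Returns $null for a harmless name, otherwise an object explaining why
    # the name is risky and what Explorer would display for it.
    $Parts = $FileName.Split('.')
    $Real  = $Parts[-1].ToLowerInvariant()
    if ($Parts.Count -lt 2 -or $ExecutableExt -notcontains $Real) { return $null }

    # With extensions hidden, Explorer drops the real (last) extension, so
    # invoice.pdf.exe is displayed as invoice.pdf.
    $Displayed = $Parts[0..($Parts.Count - 2)] -join '.'
    $Reason = 'executable attachment'
    if ($Parts.Count -ge 3) { $Reason = 'double extension, displayed as .' + $Parts[-2].ToLowerInvariant() }

    [pscustomobject]@{
        FileName      = $FileName
        ShownAs       = $Displayed
        RealExtension = $Real
        Reason        = $Reason
    }
}

function Show-FileExtensions {
    # Clears "Hide extensions for known file types" for the current user.
    # Explorer reads the value at start: restart explorer.exe or log off/on.
    $Adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    Set-ItemProperty -Path $Adv -Name HideFileExt -Value 0 -Type DWord
}

# Constructed sample attachment names (not real samples)
$Samples = 'invoice_1134.pdf.exe', 'Scan_0007.PDF.scr', 'holiday.jpg',
           'statement.zip', 'update.exe', 'readme.txt.lnk'

# Expected: four of the six are flagged; holiday.jpg and statement.zip pass.
$Samples | ForEach-Object { Test-RiskyAttachmentName $_ } | Where-Object { $_ } | Format-Table -AutoSize
```

    Showing extensions fixes the .exe and .scr cases but not every one: shortcut types such as .lnk and .url carry a NeverShowExt registry flag and stay hidden whatever HideFileExt says, which is why Test-RiskyAttachmentName goes by the real last extension rather than by what the user sees. The same function is the shape of the .exe attachment filter Rmus notes some organisations apply at the mail gateway.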