Ransomware

Discussion in 'other anti-virus software' started by Houley456, Apr 23, 2015.

  1. Houley456

    Houley456 Registered Member

    Joined:
    Feb 9, 2007
    Posts:
    130
    What settings do you use in Kaspersky IS 2015 to protect from ransomware?
     
  2. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,727
    Location:
    localhost
    Default settings are already enough to cover ransomware but you can turn ON trusted application for a stronger barrier.
    http://support.kaspersky.com/11158

    https://securelist.com/analysis/publications/64608/a-new-generation-of-ransomware/
     
  3. harlan4096

    harlan4096 Registered Member

    Joined:
    May 6, 2008
    Posts:
    113
    Location:
    Almería (Spain)
  4. tns

    tns Registered Member

    Joined:
    Mar 19, 2015
    Posts:
    21
    How do other AVs protect from ransomware?
     
  5. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    4,219
    Best way to protect from ransomware is through a backup/image restoration. Most computers nowadays are sold with a recovering solution (other than an installation CD) which should be easy to activate even for laymen. This should be the first concern upon buying a new computer, but for some reasons most people think AVs come first...
     
  6. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    2,509
    Location:
    Slovakia
    Automatic backups can be disastrous as well. They can backup infected files and replace original backups with them. Depends on settings of course.
     
  7. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    4,219
    I wasn't really talking about automatic backups and besides who is going to backup a system infected with ransomware? It's something that would be evident to anybody. Ransomware is about documents, and even documents alone could be copied directly to another external drive without any backup technology.
     
  8. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    2,509
    Location:
    Slovakia
    Well there is not any reason to backup anything else, when talking about ransomware, system files are the least of the concern.
    I stopped using autobackups, because they destroy files. Google Drive is a stupidity by itself, deletes original and backups all together.
     
  9. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    1,955
    Location:
    DC Metro Area
    Newb ransomware question.

    If you are a victim and your screen is locked, does the lock come before or after the system attempts to boot into the OS? In other words, can you eliminate the problem by reinstalling Windows and then restoring the encrypted material via a backup?

    Will a re-install of the OS eliminate the encrypted files from your PC?
     
  10. Rakanisheu

    Rakanisheu Guest

    It depends on the version. Some will lock your screen, but you can bring up Task Manager and end the process. Some will modify the Shell entry so that as soon as Explorer.exe gets loaded (i.e. on boot) it will load the malware, so you can't do much. In the worst-case scenario you can use a bootable Linux distro, find the file and remove the infection. Reboot and you will be good to go.

    You don't need to re-install Windows: remove the malware, clean up any dropped files, then restore from backups. The encrypted files are no threat to your PC.
     
    Last edited by a moderator: Apr 27, 2015
  11. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,057
  12. Rakanisheu

    Rakanisheu Guest

    ^ Agreed, if it's a file infector your best bet is to nuke it and start again. You can try to clean it out, but it's nearly always quicker and more effective to format and re-install.
     
  13. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    2,509
    Location:
    Slovakia
    Indeed, I do not get all the fuss about it. It is a virus like millions before it, and prevention is fairly simple. It drops files to the Temp folder and executes them after startup, unless it was run by a user (no UAC), then it gets a little complicated. So deleting startup items and cleaning Temp folders (~CCleaner) before shutdown is just fine.
     
  14. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,121
    Location:
    USA
    Have a look at HitmanPro Alert. It has a feature called CryptoGuard (paid feature) which blocks the encryption process itself regardless of the malware type. There's also CryptoPrevent that uses software restriction policies to block crypto-ransomware. Both of these can be used along with antivirus and antimalware real time apps.
     
  15. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    1,439
    The most effective measure is security policies to block crypto malware from executing from the %AppData% folder.

    You can disallow executable files from running there and whitelist the few legitimate applications that do run from there.
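    Before a "disallow everything under %AppData%" policy goes live, it helps to know which binaries actually live there today, since those are the candidates for the whitelist exceptions mentioned above. The script below is an added example (not from this thread or from any product discussed in it): it inventories executables and DLLs under the current user's roaming and local AppData folders, records the Authenticode signer and a SHA-256 hash for each, and writes the unsigned or invalidly signed ones to a review file. It assumes Windows PowerShell 4.0 or later (for Get-FileHash); the output path under %TEMP% is an arbitrary choice.

```powershell
# Added example, not part of the original thread.
# Inventory of executable content under the per-user AppData folders, to seed the
# exception list of a software restriction policy that disallows %AppData%.
# Requires Windows PowerShell 4.0+ (Get-FileHash); no administrator rights needed
# because it only reads the current user's profile.

$roots = @($env:APPDATA, $env:LOCALAPPDATA) | Where-Object { $_ -and (Test-Path $_) }

$inventory = foreach ($root in $roots) {
    Get-ChildItem -Path $root -Recurse -File -Include *.exe, *.dll, *.scr -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [PSCustomObject]@{
                Path      = $_.FullName
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
                SigStatus = $sig.Status          # Valid, NotSigned, HashMismatch, ...
                SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}

# Everything that runs from AppData, validly signed binaries first.
$inventory | Sort-Object SigStatus, Path | Format-Table -AutoSize

# Unsigned or badly signed files need a human decision before they earn an exception;
# keep their hashes so the exception can be a hash rule rather than a path rule.
$reviewFile = Join-Path $env:TEMP 'appdata-review.csv'   # arbitrary location (assumption)
$inventory | Where-Object { $_.SigStatus -ne 'Valid' } |
    Export-Csv -Path $reviewFile -NoTypeInformation
"Entries needing review written to $reviewFile"
```

Run it once per user profile before enabling the policy, and again after a while to catch self-updating applications that drop new versions into AppData. Hash rules for the exceptions are stricter than path rules, because a path rule would also allow anything later written to the same folder.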
     
  16. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    1,439
    If you have a backup system like Rollback RX or Comodo Time Machine installed, then in the event you are infected somehow you can revert to an earlier clean snapshot and then delete the infected snapshot.

    No need to go to the extreme to do a clean install of Windows.
     
  17. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    1,955
    Location:
    DC Metro Area
    I am fairly certain that this is how Bitdefender's free Anti-Ransomware program works, yet the claim is that it only protects against CryptoWall and CTB-Locker.
     
  18. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
  19. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    1,169
    RejZoR

    Do you recommend this program for newbies or great grandpas?
     
  20. JerryM

    JerryM Registered Member

    Joined:
    Aug 31, 2003
    Posts:
    4,221
    A friend was infected with Ransomware a couple of years ago. I put MBAM on a CD and then transferred it to his system. A Quick Scan got rid of it in one pass. I do not remember what it was.
    Jerry
     
  21. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,121
    Location:
    USA
    Removing the virus is usually not hard. The problem is how to decrypt the data.
     
  22. JerryM

    JerryM Registered Member

    Joined:
    Aug 31, 2003
    Posts:
    4,221
    Not sure what that means?
    Jerry
     
  23. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,121
    Location:
    USA
    There are different types of ransomware. Some, like the so-called "FBI virus", are only a bluff. They lock the computer and try to scare people into sending money. Then there's crypto-ransomware, which actually encrypts all of the data on the computer. In this situation it's not removing the virus that's the main problem, it's finding a way to get your data back. That's what I was referring to.
     
  24. JerryM

    JerryM Registered Member

    Joined:
    Aug 31, 2003
    Posts:
    4,221
    Thanks.
    Jerry
     
  25. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    Came across some older HIPS registry rules that will protect you against Winlock, which is one of the more prevalent versions of ransomware. I supplemented what Kaspersky posted for x64 Win 7. These rules would be applicable to any HIPS. Make sure you set the created rule to "ask."

    ref: http://support.kaspersky.com/viruses/common/7193#block3

    To secure your computer, you need to create a rule that controls applications' access to certain registry keys. It is recommended to create rules for the following registry keys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
    HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
    HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
    HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*
    HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\*
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\*\
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\*\*
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\*
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\*\
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\*\*

    Notes:
    1. If using a 32-bit OS, eliminate the WOW6432Node registry keys.
    2. Some older software, plus at least Zemana AntiLogger and some Intel drivers, will store stuff in the AppInit_DLLs registry key. However, this is a well-known key where malware installs stuff.

    Also the above "Image File Execution Options\*" keys could cause a lot of alerts from the HIPS since application software installs an entry there. For a bit less protection and less HIPS interaction, you could only cover these keys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\userinit.exe\*
    HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\userinit.exe\*
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\*
    HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\*
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\*
    HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\*
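    A HIPS rule set to "ask" only helps while the HIPS is running; it is also worth being able to check, after the fact, whether any of the guarded Winlogon, AppInit and Image File Execution Options values already differ from what a clean Windows install carries. The script below is an added example (it is not from this thread, from Kaspersky, or from any HIPS product): it reads the Shell, Userinit, AppInit_DLLs and LoadAppInit_DLLs values in both the native and WOW6432Node views and compares them with their stock defaults, then lists every IFEO subkey that carries a Debugger value. It assumes Windows 7 or later and Windows PowerShell 3.0+; the "expected" values are the standard defaults of a clean system and may legitimately differ if a debugger or a product like those named in note 2 is installed. The Policies and SafeBoot keys from the list above are not covered by it.

```powershell
# Added example, not part of the original thread.
# Read-only audit of the registry values guarded by the HIPS rules above.
# Expected values are the stock Windows 7+ defaults (assumption: clean system).
# Reading HKLM does not require administrator rights.

$checks = @(
    @{ Rel = 'Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Shell';            Expected = 'explorer.exe' }
    @{ Rel = 'Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Userinit';         Expected = "$env:SystemRoot\system32\userinit.exe," }
    @{ Rel = 'Microsoft\Windows NT\CurrentVersion\Windows';  Name = 'AppInit_DLLs';     Expected = '' }
    @{ Rel = 'Microsoft\Windows NT\CurrentVersion\Windows';  Name = 'LoadAppInit_DLLs'; Expected = 0 }
)

# '' is the native view; 'WOW6432Node\' is the 32-bit view on a 64-bit OS.
$views = @('', 'WOW6432Node\')

$report = foreach ($c in $checks) {
    foreach ($view in $views) {
        $key = "HKLM:\SOFTWARE\$($view)$($c.Rel)"
        if (-not (Test-Path $key)) { continue }          # e.g. no WOW6432Node on 32-bit
        $actual = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).($c.Name)
        [PSCustomObject]@{
            Key      = $key
            Name     = $c.Name
            Actual   = $actual
            Expected = $c.Expected
            # string comparison is case-insensitive in PowerShell, which suits paths
            Status   = if ($null -eq $actual) { 'absent' }
                       elseif ("$actual".Trim() -eq "$($c.Expected)") { 'ok' }
                       else { 'DIFFERS' }
        }
    }
}

# IFEO hijack check: any Debugger value redirects the named image to another program.
$ifeo = foreach ($view in $views) {
    $base = "HKLM:\SOFTWARE\$($view)Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
    if (-not (Test-Path $base)) { continue }
    Get-ChildItem -Path $base | ForEach-Object {
        $dbg = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).Debugger
        if ($dbg) {
            [PSCustomObject]@{
                View     = if ($view) { '32-bit' } else { 'native' }
                Image    = $_.PSChildName
                Debugger = $dbg
            }
        }
    }
}

$report | Format-Table -AutoSize
if ($ifeo) {
    "IFEO Debugger entries (none on a clean system unless a debugger is installed):"
    $ifeo | Format-Table -AutoSize
}
$differs = @($report | Where-Object { $_.Status -eq 'DIFFERS' })
"$($differs.Count) guarded value(s) differ from the stock defaults."
```

Anything reported as DIFFERS, and any IFEO Debugger entry you did not install yourself, is exactly the kind of change the "ask" rule is meant to stop; a hit on a system that has not been prompted is a sign the change happened while the HIPS was not in the way.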
     