To put it simply, CryptoLocker encrypts the files on the computer and holds them for ransom. There is only one private key available to unencrypt the public key and it is stored on a secret server with a time bomb set to destroy the key if the ransom isn't paid by the deadline. Depending on the version, the ransom is $100 to $300 with a deadline for payment of between ~72 to 100 hours.
Additional information and references are available in my blog post, CryptoLocker Ransomware (http://securitygarden.blogspot.com/2013/10/cryptolocker-ransomware.html).
Due to the incorrect and vague information available on CryptoLocker, Grinler published a guide containing all the known information on CryptoLocker to date.
CryptoLocker Ransomware Information Guide and FAQ (http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information)
Corrine, I see from the BC link that at present this is aimed at business networks. Is it likely this will spread to home users, and is there anything we should do to minimise the risk?
Corporate networks are being targeted because there is a better chance of collecting the ransom in order to decrypt the files. Seeing as how malware writers sell their wares, it wouldn't surprise me to see a variant hit the general population. New variants are being installed via ZBot infections that install CryptoLocker via spam emails and hacked websites. Even though home users are currently not likely to receive the type of phishing attacks targeting corporations, they are not exempt from hacked websites.
The first step is ensuring that important files are backed up. Since you use Malwarebytes PRO, the likelihood of infection is significantly diminished via the malware execution prevention and blocking of malware sites and servers that it provides. Another option is Emsisoft Anti-Malware or Online Armor which use behavior blocking.
Malwarebytes: A license is currently a one-time fee of $24.95 for one computer.
See Cryptolocker Ransomware: What You Need To Know | Malwarebytes Unpacked (http://blog.malwarebytes.org/intelligence/2013/10/cryptolocker-ransomware-what-you-need-to-know/) and the related Stopping Malware Distribution at the Source | Malwarebytes Unpacked (http://blog.malwarebytes.org/intelligence/2012/05/stopping-malware-distribution-at-the-source/).
Emsisoft: A one-year license for one computer for either Emsisoft Anti-malware or Online Armor is $39.95. They also have "package" deals for both.
See CryptoLocker - a new ransomware variant | Emsisoft Blog (http://blog.emsisoft.com/2013/09/10/cryptolocker-a-new-ransomware-variant/)
CryptoPrevent: Home users can also install CryptoPrevent.
Thank you Corrine,
I have just downloaded/installed CryptoPrevent. Despite the fact that I have MBAM PRO, this is a nasty infection that has been worrying me. I feel more relaxed now.... :thumbsup:
Thanks Corrine
Another update today:
Quote
Updated the CryptoLocker guide to include updated info on the new Registry keys, updates to CryptoPrevent, and the message on the Command & Control Server.
Just updated. Thank you.
This has been incredibly well designed. It really does put emphasis on prevention is better than a cure.
Quote
prevention is better than a cure
That's for certain!
Update: CryptoLocker guide updated to fix issues with %Temp% SRP rules and info on known bitcoin payment wallet addresses.
New version 2.2.1 available
http://www.foolishit.com/vb6-projects/cryptoprevent/
Quote
v2.2.1 – made changes to prevent duplicate rules from being created when protection is applied multiple times without undoing the protection first. No harm would come from the duplicate rules, but my OCD was bothering me.
Thanks, Basil!
Interesting development: DNS Sinkhole campaign underway for CryptoLocker - News (http://www.bleepingcomputer.com/forums/t/511780/dns-sinkhole-campaign-underway-for-cryptolocker/)
Quote
A DNS sinkhole campaign is underway and in high gear to block computers infected with CryptoLocker from reaching the malware's Command & Control servers. A DNS sinkhole is a method used by security researchers to monitor Botnets and to block communication between an infected computer and its Command & Control server.
There are a couple of issues with the sinkhole. First, of course, would be those caught in the middle having paid the $300 ransom but still waiting for the key to decrypt their files. Another is that CryptoLocker will merely move on to another domain that isn't in the sinkhole.
At this time, it is unknown who is responsible for setting up the sinkhole.
Thank you Corrine !
Very interesting article. I had to do a bit of reading, to understand what a DNS Sinkhole is..... :goodie:
All this stuff is a bit above my pay grade.... :cheers:
To me, it starts sounding like the beginning of a new "Star Wars" type script ........ :thud:
Version 5 has an additional item which is not ticked by default:
"Temp Extracted Executables in Archive Files"
I don't fully understand its significance. Should I tick it?
Thank you
Temp Extracted Executables in Archive Files refers to executables (e.g., .exe, .pdf) that are opened directly from a downloaded .zip, .rar, etc. rather than being extracted first. An executable that is opened directly from the "archive" is opened from a temp file.
Thank you Corrine...I ticked it ...Just in case !
I just came across this article and it is worth a read.
Quote
Over the past several weeks, a handful of frantic Microsoft Windows users have written in to ask what they might do to recover from PC infections from "CryptoLocker," the generic name for an increasingly prevalent and nasty strain of malicious software that encrypts your files until you pay a ransom. Unfortunately, the answer for these folks is usually either to pay up or suck it up. This post offers a few pointers to help readers avoid becoming the next victim.
http://krebsonsecurity.com/2013/11/how-to-avoid-cryptolocker-ransomware/
An unfortunate development: CryptoLocker developers charge 10 bitcoins to use new Decryption Service (http://www.bleepingcomputer.com/forums/t/512668/cryptolocker-developers-charge-10-bitcoins-to-use-new-decryption-service/)
Quote
The price for the decryption key, though, has been significantly increased from 2 bitcoins to 10 bitcoins. With the current price of bitcoins at around $212 USD the ransom has increased from around $400 USD to over $2,100 USD.
Prevention along with backing up important data are definitely the only solution.
Having just started to read about CryptoPrevent, let me ask an obvious question: Since its basis (setting software restriction policies) is publicly known, what's to prevent this malware [or future malware] from editing one's registry, countering these software restriction policy changes, and then implementing its notorious deed? [Note: If this is something that can't/shouldn't be discussed publicly, I will accept that as an answer.]
Separately, how safe is it for average users to use CryptoPrevent? Can it... either via enabling... or especially via its UNdo feature... do any harm? --- Specifically, can its UNdo inadvertently remove protection that was placed there previously by another program, if CryptoPrevent happens to protect the identical registry entry?
Is CryptoPrevent something about which we should be actively spreading the word? --- e.g., Should we be posting at DeLL [or other forums at which we participate], advocating "everyone" download and apply it immediately?
ky331, personally, I believe home users should be encouraged to use CryptoPrevent. As here, I would link to Grinler's Guide at Bleeping Computer and either include information about CryptoPrevent or point to that section of the Guide.
Programs should not be run from %appdata% and the other locations that CryptoPrevent is adding blocks to. Granted, when first released, CryptoLocker was being distributed by itself with enterprise networks the target. However, it appears that newer malware attachments appear to be Zbot infections which then install the CryptoLocker infection. In addition, since other malware use the same tactics and launch points, CryptoPrevent will block those as well.
I would venture to suggest that 99.9 percent of home users do not use Group Policy. So, concerns about undoing a Group Policy added by another program would be at the bottom of the list when compared to having files encrypted and held for ransom. In addition, with the update to v2.1.1 it "runs gpupdate /force after the Undo features to ensure group policy is refreshed, and then protection is tested for again to determine if a reboot prompt will be displayed."
Thanks for your response, Corrine.
I spent last night and this morning reading through a few of the articles on CryptoLocker, after which I deployed CryptoPrevent on two of my home systems. I have also prepared my own composite summary of the essential information, which I've posted at DeLL:
http://en.community.dell.com/support-forums/virus-spyware/f/3522/t/19530796.aspx
Hi Corrine, I am curious about the undo feature in CryptoPrevent. Is it not likely that new versions of this type of ransomware will simply undo the restrictions before it begins its encryption?
First, Mike, in order for a new variant of CryptoLocker to undo the restrictions placed by CryptoPrevent, it would need to be installed in a legitimate location not in one of the blocked locations such as %appdata%, %userprofile%, %programdata%, Recycle Bin, etc. Security experts are monitoring the file paths that have been used by this infection and its droppers. Second, the infection would need to undo the Group Policy changes which requires Administrator approval.
As I mentioned before, the likelihood of infection is significantly diminished via the malware execution prevention and blocking of malware sites and servers that Malwarebytes Pro provides.
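For readers who want to see what "the restrictions placed by CryptoPrevent" actually are, here is an added example written for this thread; it is not CryptoPrevent's own code. It writes Software Restriction Policy (SRP) "Disallowed" path rules for the launch points Corrine lists (%appdata%, %userprofile%, %programdata%, the Recycle Bin, and optionally the %Temp% folders that archive tools unpack into before launching, which is the "Temp Extracted Executables in Archive Files" option discussed earlier), then refreshes policy with gpupdate /force as the v2.1.1 note describes. It also addresses ky331's Undo question: each rule it writes carries its own Description tag, and -Undo removes only rules with that tag, so rules from another program are never touched. The registry layout (CodeIdentifiers\0\Paths\{GUID} holding ItemData, SaferFlags, Description and LastModified) is the standard SRP layout; the exact wildcard patterns, the marker string and the script name are assumptions chosen for the example.

```powershell
# Added example: apply or undo SRP "Disallowed" path rules for the launch points
# discussed in the thread. Not CryptoPrevent's code. Run from an elevated prompt;
# the keys live under HKLM, which is why a non-admin process cannot undo them.
[CmdletBinding()]
param(
    [switch]$Undo,                # remove only the rules this script added
    [switch]$IncludeArchiveTemp   # also block executables launched straight out of an archive
)

$Marker     = 'srp-launchpoints.ps1'   # assumption: tag written to each rule's Description
$Safer      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed = "$Safer\0\Paths"         # security level 0 = Disallowed

# Launch points named in the thread. Patterns are assumptions; SRP path rules accept
# environment variables and wildcards, and a rule matches only the depth it names,
# so %UserProfile%\*.exe does not reach Downloads or Desktop.
$Patterns = @(
    '%AppData%\*.exe', '%AppData%\*\*.exe',
    '%LocalAppData%\*.exe', '%LocalAppData%\*\*.exe',
    '%UserProfile%\*.exe',
    '%ProgramData%\*.exe', '%ProgramData%\*\*.exe',
    '%SystemDrive%\$Recycle.Bin\*.exe', '%SystemDrive%\$Recycle.Bin\*\*.exe'
)
if ($IncludeArchiveTemp) {
    # Explorer, WinRAR and 7-Zip unpack to %Temp% subfolders before launching (assumed folder names)
    $Patterns += '%Temp%\*.zip\*.exe', '%Temp%\Rar*\*.exe', '%Temp%\7z*\*.exe', '%Temp%\wz*\*.exe'
}

function Initialize-Srp {
    # Create the policy root if SRP has never been configured; leave existing settings alone.
    if (-not (Test-Path $Safer)) { New-Item -Path $Safer -Force | Out-Null }
    $cur = Get-ItemProperty -Path $Safer
    if ($null -eq $cur.DefaultLevel)       { Set-ItemProperty $Safer DefaultLevel 0x40000 -Type DWord }  # Unrestricted; rules are the exceptions
    if ($null -eq $cur.TransparentEnabled) { Set-ItemProperty $Safer TransparentEnabled 1 -Type DWord }  # enforce on all software except DLLs
    if ($null -eq $cur.PolicyScope)        { Set-ItemProperty $Safer PolicyScope 0 -Type DWord }         # applies to administrators too
    if ($null -eq $cur.ExecutableTypes) {
        Set-ItemProperty $Safer ExecutableTypes -Type MultiString -Value @(
            'ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP','HTA','INF','INS',
            'ISP','LNK','MDB','MDE','MSC','MSI','MSP','MST','OCX','PCD','PIF','REG','SCR','SHS','URL','VB','WSC')
    }
    if (-not (Test-Path $Disallowed)) { New-Item -Path $Disallowed -Force | Out-Null }
}

function Get-RulesByPattern {
    # All Disallowed path rules with their pattern and tag, so duplicates and our own rules can be found.
    Get-ChildItem -Path $Disallowed -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        [pscustomobject]@{ Key = $_.PSPath; Pattern = $p.ItemData; Description = $p.Description }
    }
}

function Add-DisallowRule([string]$Pattern) {
    # Skip patterns that already have a rule, whoever wrote it (cf. the v2.2.1 duplicate-rule fix).
    if (Get-RulesByPattern | Where-Object Pattern -eq $Pattern) { return $false }
    $key = New-Item -Path "$Disallowed\{$([guid]::NewGuid())}"
    New-ItemProperty $key.PSPath -Name ItemData     -PropertyType ExpandString -Value $Pattern | Out-Null
    New-ItemProperty $key.PSPath -Name SaferFlags   -PropertyType DWord        -Value 0        | Out-Null
    New-ItemProperty $key.PSPath -Name Description  -PropertyType String       -Value $Marker  | Out-Null
    New-ItemProperty $key.PSPath -Name LastModified -PropertyType QWord        -Value ([DateTime]::UtcNow.ToFileTimeUtc()) | Out-Null
    return $true
}

function Remove-OwnRules {
    # Undo removes only rules carrying our marker; rules written by any other tool stay in place.
    $removed = 0
    foreach ($r in @(Get-RulesByPattern | Where-Object Description -eq $Marker)) {
        Remove-Item -Path $r.Key -Recurse
        $removed++
    }
    return $removed
}

if ($Undo) {
    Write-Host ("Removed {0} rule(s) tagged '{1}'." -f (Remove-OwnRules), $Marker)
} else {
    Initialize-Srp
    $added = @($Patterns | Where-Object { Add-DisallowRule $_ }).Count
    Write-Host "Added $added new rule(s); $($Patterns.Count - $added) already existed."
}
gpupdate /force | Out-Null   # refresh policy so the change takes effect without a reboot
```

Two practical caveats. The %AppData%\*\*.exe rules will also stop legitimate per-user installers that live there; SRP resolves conflicts in favour of the more specific path rule, so an Unrestricted rule for one trusted program folder can be added alongside these without weakening the rest. And because the rules are plain HKLM registry values, they protect only against code that has not already obtained administrator rights, which is exactly the point made above about the infection needing to undo the policy.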
Thanks Corrine
Via Bleeping Computer (https://twitter.com/BleepinComputer/status/400391780073365504):
CryptoLocker emails now include password-protected attachments to evade AV software. The email pretends to be new Outlook settings.
Quote
The past few weeks have seen the ransomware CryptoLocker emerge as a significant threat for many users. Our monitoring of this threat has revealed details on how it spreads, specifically its connection to spam and ZeuS. However, it looks like there is more to the emergence of this threat than initially discovered.
We have identified one possible factor in this growth: the arrest of Paunch, the creator of the Blackhole Exploit Kit. Paunch's arrest led to a significant reduction in spam campaigns using exploit kits. Clearly, this caused a vacuum in the spam-sending world – spammers would not all of a sudden stop sending spam. So they would need to send something out; what would this be?
More at CryptoLocker Emergence Connected to Blackhole Exploit Kit Arrest | Security Intelligence Blog | Trend Micro (http://blog.trendmicro.com/trendlabs-security-intelligence/cryptolocker-emergence-connected-to-blackhole-exploit-kit-arrest/)
Thank you for these up-dates.
Joe :)
Thank you.. :)
UK crime agency issues national warning
http://www.nationalcrimeagency.gov.uk/news/256-alert-mass-spamming-event-targeting-uk-computer-users
I received my first CryptoLocker email, purporting to be from DHL as an undelivered parcel report.
No worries, Mike ... That package was from me :hysterical:
/me blocks Win73's email address. :lol:
Seriously, with the approaching holidays, I expect there will be an increase in fake UPS, Amazon, etc. emails.
Quote from: winchester73 on November 25, 2013, 11:29:25 PM
No worries, Mike ... That package was from me :hysterical:
I have returned it to you; your files are now encrypted. Release fee: 2 cases of beer :mitch: :Hammys pint:
BillP (WinPatrol) posted the following on Facebook, in response to the question: Can WinPatrol block the CryptoLocker viruses?
"At this time, I wouldn't feel comfortable saying WinPatrol will protect you against this kind of threat. WinPatrol's protection by design is focused on a program infiltrating your computer so it can hide and mess with your system on a regular basis.
Crypto style programs aren't really sophisticated in the way they remain on your system. In fact, if you remove the Trojan part of the threat it could prevent you from seeing the instructions on how to save your files. While I highly recommend daily backups over paying an extortionist it would be possible to restore their files via our History button.
I'm currently spending a lot of time researching this threat so I do have a bit of experience. Using WinPatrol PLUS I have been able to detect the infiltration in time before any damage was done. Using the free version some files were compromised. However, this was under lab conditions and not by a typical user who would have allowed CryptoLocker to run in the first place. My experience is that typical users could fall prey to the download but instinct would kick in the moment they clicked.
I'm pleased to note I have not received any reports of attacks by WinPatrol users. That either means WinPatrol users are very careful or Scotty has alerted them in time. I still wouldn't try it unless I knew everything was backed up or I was running in a virtual sandbox. The target audience for CrytoLocker may not be the same as those using WinPatrol.
If your files have already been encrypted WinPatrol will not be able to help at this time.
I have actually been looking at a solution to Cryptolocker and other attacks I expect to see in the future, using some older code from WinPatrol. I believe it would be possible to provide a solution for CryptoLocker; however, it uses the same technology common in root kits. I'm not sure if most users would find that acceptable. I do have an idea for a better solution but need some funding before I can make this happen.
For now, use extra care and if you own a business train your users and keep a firewall between your employees."
Interesting article by ESET on Cryptolocker 2.0 (http://www.welivesecurity.com/2013/12/19/cryptolocker-2-0-new-version-or-copycat/) :thud:
Quote
Cryptolocker 2.0 vs. Cryptolocker
Both malware families operate in a similar manner. After infection, they scan the victim's folder structure for files matching a set of file extensions, encrypt them and display a message window that demands a ransom in order to decrypt the files. Both use RSA public-key cryptography. But there are some implementation differences between the two families.
Just noting that CryptoPREVENT has not been updated since v4.3... quite a while back. Wonder if it's gonna be updated for this newer/alternate CryptoLocker version???
I have been having the same exact thought.....but maybe we are both wrong ky331... :lol:
This is a comment made by Corrine on another site:
Quote
...this "Cryptolocker 2.0" appears to be a copycat rather than a new version
My understanding of the use of "copycat" here means that CL2 was created by a different "vendor" (of malware), having similar impact/appearance to the original CryptoLocker -- meaning it will scramble/encrypt one's files using a practically unbreakable code.
That does NOT necessarily imply that they are using the same mechanism to inflict the damage. Keep in mind that CryptoPrevent monitors a fixed set of directory locations, from which "ordinary" programs don't launch, but from which CryptoLocker does. If the "copycat" chooses to launch itself from different locations, CryptoPrevent (in its current form) will not stop it.
An interesting interview on Ransomware by ESET's welivesecurity.
http://www.welivesecurity.com/podcasts/ransomware-101/
Dell SecureWorks have a good read on this..
CryptoLocker Ransomware:
http://www.secureworks.com/cyber-threat-intelligence/threats/cryptolocker-ransomware/
And the BBC Technology:
http://www.bbc.co.uk/news/technology-2550620
Paddy... :Hammys pint:
An interesting Article by ESET
Cryptolocker 2.0 – new version, or copycat? (http://www.welivesecurity.com/2013/12/19/cryptolocker-2-0-new-version-or-copycat/)
Worryingly, CryptoLocker ransomware turns from a Trojan.. into a worm (http://grahamcluley.com/2014/01/cryptolocker-ransomware-worm/?utm_source=rss&utm_medium=rss&utm_campaign=cryptolocker-ransomware-worm)
In part:
Quote
As Trend Micro describes, new versions of CryptoLocker have been seen that have wriggled out of its Trojan horse form, and adopted the skin of a USB-spreading worm instead.
Up until this, CryptoLocker couldn't travel under its own steam. You would encounter it by opening an email attachment or clicking on a link perhaps claiming to come from your bank or a delivery company.
However, the new version can spread between removable drives – posing as activation keys for tools such as Adobe Photoshop and Microsoft Office, seeded on P2P file-sharing networks.
Trend Micro report: New CryptoLocker Spreads Via Removable Drives | Security Intelligence Blog | Trend Micro (http://blog.trendmicro.com/trendlabs-security-intelligence/new-cryptolocker-spreads-via-removable-drives/)
So getting to the bottom line (with a question that may be difficult to answer), where do these changes leave users in terms of optimal protection vs. CryptoLocker? Is it best to rely on a combination of CryptoPrevent and MBAM PRO? Would MBAE (Anti-EXPLOIT) add anything here? I'm not asking for a 100% guaranteed solution, only where you believe we currently stand in terms of best practice to follow.
From the MBAE Beta FAQ (https://forums.malwarebytes.org/index.php?showtopic=136424) (Bold added):
Quote
14- Will MBAE stop rogue antiviruses and ransomware?
There are two types of attacks when it comes to rogue antivirus and ransomware campaigns. In the first type of attack, using social engineering to fool users, a webpage simulating an antivirus scan is shown and the user is prompted to download and install the solution to the problem (which is the malicious or rogue antivirus). In the second, more advanced and dangerous type of attack, the user is lured into visiting a malicious webpage which exploits one or multiple vulnerabilities to automatically and transparently run the rogue antivirus or ransomware on the target system without any user interaction. In the first type of attack it is the responsibility of the antivirus to detect malicious executables, since MBAE is designed to prevent applications from being exploited automatically, when there is no user intervention involved. MBAE is not a white-listing or anti-exe solution which requires maintenance and user-based input. The second type of attack will be blocked by MBAE as it does rely on exploiting software vulnerabilities to run automatically and transparently without user interaction.
MBAE won't help with infected removable drives or a socially-engineered intentional install by the user.
Just noting that CryptoPrevent hasn't been updated in quite a while... still at v4.3. Nonetheless, I see that the homepage has been updated to declare:
UPDATE: Feb 6th 2014: YES, CryptoPrevent still protects against the latest strains of CryptoLocker!!!
There is a new one out called CryptorBit. As usual, Grinler has done an excellent job: CryptorBit and HowDecrypt Information Guide and FAQ (http://www.bleepingcomputer.com/virus-removal/cryptorbit-ransomware-information).
Thanks Basil
Thanks! Do you think there will ever be an auto update feature for CryptoPrevent? Would be easier for use on friend/family/client computers.
We have no problems updating manually, but you know how some folks are about that. It will just never get done.
Hi Fran,
I think there is an auto update feature but only on the Premium version. ($19.95)
As I visit the Foolish IT website at least every couple of days, I personally do not need it, but I know exactly what you mean by people not updating... :wub:
CryptoPrevent Premium | Computer Technician - PC Repair Software |Foolish IT LLC (http://www.foolishit.com/vb6-projects/cryptoprevent/cryptoprevent-auto-update/)
Quote from: Basil on May 18, 2014, 06:36:08 PM
I think there is an auto update feature but only on the Premium version. ($19.95)
Thanks Basil! :mitch:
Thanks for all the updates! :mitch:
Observation: CryptoPrevent offers TWO versions of its FREE program, a "portable" version (which can be run from any location), and an "installer" version (offering a setup installer with full uninstall support). Apparently, I'm running the "portable" version on my test system... and the portable version does not support the Filter Module, which is only available in the installer version. As such, I don't have to be concerned about the filter module running continually in real time. Indeed, I see where the author now warns: "if you have the Filter Module enabled in v6 and above, your anti-malware software may report several false positives related to CryptoPrevent's [restriction of policy] settings."
ScreenShots attached show:
1) the "old" v 5.2.2 main screen
2) the new v 6.0 main screen, and
3) a sample of the new Advanced / Software Restriction Policies / Policy Editor (for path rules) screen:
MBAM shows an FP; they have to be added to the exclude list.
"if you have the Filter Module enabled in v6 and above, your anti-malware software may report several false positives related to CryptoPrevent's [restriction of policy] settings."
Specifically, these registry keys may be detected as 'modified' or 'hijacked', and the value data will point to the CryptoPreventFilterMod.exe file in your installation directory.
◦ scrfile\shell\open\command
◦ cplfile\shell\open\command
◦ piffile\shell\open\command
If using the experimental EXE/COM filter, you can also expect to see these keys:
◦ exefile\shell\open\command
◦ comfile\shell\open\command
And any key above may also have "runas" where "open" is, and affected values may include "(Default)" and "IsolatedCommand"
If these fit the category of your anti-malware detection, then they are definitely CryptoPrevent's settings, and it is safe to tell your anti-malware software to ignore them and/or whitelist them.
If you use WinPatrol and/or Malwarebytes Anti-Malware, you may not want to use the Filter Module settings. WinPatrol and MBAM will flag the name change for .pif in file associations. Although this is about the 6.0 preview, it applies to the recent update: FoolishTech.com • View topic - CryptoPrevent v6.0 Preview (http://foolishtech.com/viewtopic.php?f=34&t=1548&start=10)
Response from Malwarebytes
To avoid any confusion, since we already received a few mails about this...
We do not really detect this as malware, but as "Broken.OpenCommand", which means any change that malware (and other programs) makes to an "executable - shell\open\command" valuedata which isn't set by default should be alerted to the user for safety's sake. So this isn't a real false positive here, since we detect correctly as "Broken.OpenCommand".
If you're aware that one of the programs you installed *does* change this valuedata, then add it to your whitelist. If you're not aware of this, then have Malwarebytes fix this (as this will restore the default valuedata set by Windows again).
Mieke Verburgh
Director of Research
Two users have experienced and reported this at the DeLL forum. The specific details, obtained by exporting the MBAM Threat-scan results to a .txt file, are:
Broken.OpenCommand, HKCR\piffile\shell\open\command, "C:\Program Files\Foolish IT\CryptoPrevent\CryptoPreventFilterMod.exe" *"Good: ("Bad: ("C:\Program Files\Foolish IT\CryptoPrevent\CryptoPreventFilterMod.exe" *"%1" %*),,[ffffffffffffffffffffffffffffffff]" %*)" %*, %4, %5
Broken.OpenCommand, HKCR\scrfile\shell\open\command, "C:\Program Files\Foolish IT\CryptoPrevent\CryptoPreventFilterMod.exe" "Good: ("Bad: ("C:\Program Files\Foolish IT\CryptoPrevent\CryptoPreventFilterMod.exe" "%1" %*),,[ffffffffffffffffffffffffffffffff]" /S)" %*, %4, %5
Interestingly, there were only two objections from MBAM, despite CryptoPrevent changing (by default) 3 file-type settings [the 3rd being .CPL (Control Panel)].
For what it's worth, neither user mentioned any objections/interaction with WinPatrol.
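The key list posted above and the Malwarebytes reply describe the same thing from two sides: the Filter Module rewrites the shell\open\command (and runas, Default and IsolatedCommand) values for .scr, .cpl, .pif and optionally .exe/.com so that every launch passes through CryptoPreventFilterMod.exe first, and MBAM flags any such value that no longer starts with "%1". The following is an added, read-only audit script written for this thread; it is not CryptoPrevent's or Malwarebytes' code. It walks exactly those keys and reports, for each one, whether the command is the stock Windows one, a wrapper Windows itself uses, or a hook pointing at some other program, naming that program so the reader can tell CryptoPrevent's filter from anything else. The stock command strings and the treatment of control.exe as the only legitimate wrapper are assumptions based on a default Windows 7 installation.

```powershell
# Added example, not CryptoPrevent's or Malwarebytes' code: list the file-type launch
# commands that a filter module (or malware) can hook and show which executable each
# one now hands the file to. Read-only; no elevation needed.
$FileTypes = 'exefile', 'comfile', 'piffile', 'scrfile', 'cplfile'
$Verbs     = 'open', 'runas'
$Values    = '(default)', 'IsolatedCommand'

# Stock launch commands (assumption: Windows 7 defaults). cplfile is not listed because
# it is always a wrapper around control.exe, which is handled separately below.
$Stock = @{
    exefile = '"%1" %*'
    comfile = '"%1" %*'
    piffile = '"%1" %*'
    scrfile = '"%1" /S'
}
$SystemWrappers = @('control.exe')   # wrappers Windows itself uses; anything else is a hook

function Get-LaunchCommands {
    foreach ($ft in $FileTypes) {
        foreach ($verb in $Verbs) {
            $key = "Registry::HKEY_CLASSES_ROOT\$ft\shell\$verb\command"
            if (-not (Test-Path -LiteralPath $key)) { continue }   # e.g. no runas verb defined
            $props = Get-ItemProperty -LiteralPath $key
            foreach ($v in $Values) {
                $cmd = $props.$v                                      # '(default)' or IsolatedCommand
                if ([string]::IsNullOrEmpty($cmd)) { continue }
                [pscustomobject]@{ FileType = $ft; Verb = $verb; Value = $v; Command = $cmd }
            }
        }
    }
}

function Test-LaunchCommand($Entry) {
    # A stock command starts with "%1": the file itself is what runs. A command that
    # starts with another program is a wrapper that sees every launch of this file type.
    $wrapper = $null
    if ($Entry.Command -match '^\s*"?([^"]*?\.exe)"?\s') { $wrapper = $Matches[1] }
    $status =
        if ($Stock[$Entry.FileType] -and $Entry.Command -eq $Stock[$Entry.FileType]) { 'default' }
        elseif ($wrapper -and $SystemWrappers -contains (Split-Path -Leaf $wrapper)) { 'system wrapper' }
        elseif ($wrapper) { 'hooked' }
        else { 'non-default' }
    $Entry | Add-Member -NotePropertyName Status  -NotePropertyValue $status  -PassThru |
             Add-Member -NotePropertyName Wrapper -NotePropertyValue $wrapper -PassThru
}

$report = Get-LaunchCommands | ForEach-Object { Test-LaunchCommand $_ }
$report | Format-Table FileType, Verb, Value, Status, Wrapper -AutoSize

$hooked = @($report | Where-Object Status -eq 'hooked')
if ($hooked.Count -gt 0) {
    Write-Host "`n$($hooked.Count) launch command(s) point at a non-Windows program:"
    foreach ($h in $hooked) {
        Write-Host ("  {0}\shell\{1}\command [{2}] -> {3}" -f $h.FileType, $h.Verb, $h.Value, $h.Wrapper)
    }
}
```

On a machine running the installed CryptoPrevent with the Filter Module on, the expected result is piffile, scrfile and cplfile (plus exefile and comfile if the experimental filter is enabled) reported as "hooked" with Wrapper set to CryptoPreventFilterMod.exe under the CryptoPrevent installation folder, which is the Broken.OpenCommand condition MBAM describes. Any "hooked" row whose Wrapper is a different program, or the same filename in a different folder, is worth investigating before it is whitelisted, since the same registry values are a well-known persistence point for malware.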
Just updated to 6.0.1
I got two alerts from Scotty and accepted changes. All seems OK, now... :thumbsup:
Hmmm!!
Just run a MBAM scan and it detected two items.
Broken.O.... Registry Data HKCR\piffile\shell\open\command
Broken.O.... Registry Data HKCR\scrfile\shell\open\command
Quarantined both (NOT deleted) and the machine seems to be working fine.
Restarted computer....still working fine....... :o
I don't intend to delete....just in case!!..
Basil,
Those are precisely the two entries I cited above (with more details). By quarantining them, you've effectively UNdone the FILTER module protection that you enabled upon updating CryptoPrevent to version 6.x
Yes, the machine will continue to "run fine" either way... as using CryptoPrevent is purely optional.
If you WANT CryptoPrevent's full Filter Module protection, you need to restore those entries from MBAM's quarantine [alternatively, run CryptoPrevent to RE-APPLY PROTECTION], and when MBAM finds these entries again, use the drop-down ACTION menu to select ADD EXCLUSION (instead of quarantine). Then click on APPLY ACTIONS.
If you prefer NOT to have CryptoPrevent's Filter module protection, you can leave the two items in MBAM's quarantine.
ky331
Thank you for the clarification. Very helpful.
I have done exactly as you suggested and the two entries are now excluded.
I have again run a MBAM scan and it returns clear results!... :D
Thanks again... :mitch:
P.S. Incidentally, I have just discovered that the "minimise" button of MBAM does not work. It just closes the programme. Is it only me??... :)
Yes, the "minimize" button is closing MBAM2(.0.2.1012) Free here as well.
Cryptolocker victims to get files back for free:
All 500,000 victims of Cryptolocker can now recover files encrypted by the malware without paying a ransom.
http://www.bbc.co.uk/news/technology-28661463
Paddy.. :Hammys pint:
Quote from: Paddy on August 06, 2014, 03:07:14 PM
Cryptolocker victims to get files back for free:
Unfortunately, this isn't the end of the story.
Quote
It didn't take long for an updated version of GameOver Zeus to make some headway in rebuilding itself.
Research published today from Arbor Networks demonstrates that cybercriminals behind GameOver Zeus, which was taken down by law enforcement in early June, have renewed the botnet with at least 12,353 unique IP addresses worldwide. Arbor's numbers come from five sinkholes it manages, and data collected periodically between July 18 and July 29.
NewGOZ Gameover Zeus Botnet Rebuilds (http://threatpost.com/gameover-zeus-botnet-rebuilds/107776)
CryptoPrevent Update information split from the discussion topic and added to the Index of Security Software Programs (http://www.landzdown.com/anti-spyware-software/index-of-security-software-programs-updates/msg169227/#msg169227).
Direct link here: CryptoPrevent (http://www.landzdown.com/anti-spyware-software/cryptoprevent/).
Earlier in this thread, it was noted that, effective with version 6.x, if the user INSTALLED CryptoPrevent and activated the real-time FILTER MODULE, there was the probability of F/P detections of the .PIF and .SCR filetype-associations by security programs including MBAM and WinPatrol.
CryptoPrevent also offered a "PORTABLE" [i.e., NON-installed] version, in which the real-time filter module was not available (thereby bypassing the question of generating these particular F/P detections). I was/am running the portable version.
A significant change in v7.x was that it was "Updated to not trigger Malwarebytes Anti-Malware detections with the installed version".
Reporting here that I've recently taken note that WinPatrol is listing, under File Types, that I now have both the .PIF and .SCR filetypes associated with CryptoPreventFilterMod.CryptoPreventEXEC. This has occurred on my primary Win7x64, as well as on my secondary 32-bit WinXP. I find this fascinating since 1) I believe I am still running the portable version of CryptoPrevent, and 2) relating to a separate WinPatrol issue, these filetype changes went through without any flagging/announcement from WinPatrol (despite my having set FileType protection to be monitored in Real-Time, and LOCKED my file types).