CryptoLocker Ransomware + CryptoPrevent Q&A

Started by Corrine, October 13, 2013, 01:30:34 AM


MikeW

I received my first CryptoLocker email, purporting to be from DHL as an undelivered parcel report.
Win 11 Home MS Edge - WD - Mbam Pro

winchester73

No worries, Mike ... That package was from me  :hysterical:
Speak softly, but carry a big Winchester ... Winchester Arms Collectors Association member

Corrine

* Corrine blocks Win73's email address.  :lol: 

Seriously, with the approaching holidays, I expect there will be an increase in fake UPS, Amazon, etc. emails.


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

MikeW

Quote from: winchester73 on November 25, 2013, 11:29:25 PM
No worries, Mike ... That package was from me  :hysterical:


I have returned it to you; your files are now encrypted. Release fee: 2 cases of beer  :mitch:  :Hammys pint:
Win 11 Home MS Edge - WD - Mbam Pro

ky331

BillP (WinPatrol) posted the following on Facebook, in response to the question: [Can] WinPatrol block the CryptoLocker viruses?

"At this time, I wouldn't feel comfortable saying WinPatrol will protect you against this kind of threat. WinPatrol's protection by design is focused on a program infiltrating your computer so it can hide and mess with your system on a regular basis.

Crypto style programs aren't really sophisticated in the way they remain on your system. In fact, if you remove the Trojan part of the threat it could prevent you from seeing the instructions on how to save your files. While I highly recommend daily backups over paying an extortionist, it would be possible to restore their files via our History button.

I'm currently spending a lot of time researching this threat so I do have a bit of experience. Using WinPatrol PLUS I have been able to detect the infiltration in time before any damage was done. Using the free version some files were compromised. However, this was under lab conditions and not by a typical user who would have allowed CryptoLocker to run in the first place. My experience is that typical users could fall prey to the download but instinct would kick in the moment they clicked.

I'm pleased to note I have not received any reports of attacks by WinPatrol users. That either means WinPatrol users are very careful or Scotty has alerted them in time. I still wouldn't try it unless I knew everything was backed up or I was running in a virtual sandbox. The target audience for CryptoLocker may not be the same as those using WinPatrol.
If your files have already been encrypted WinPatrol will not be able to help at this time.

I have actually been looking at a solution to CryptoLocker and other attacks I expect to see in the future, using some older code from WinPatrol. I believe it would be possible to provide a solution for CryptoLocker; however, it uses the same technology common in rootkits. I'm not sure if most users would find that acceptable. I do have an idea for a better solution but need some funding before I can make this happen.

For now, use extra care and if you own a business train your users and keep a firewall between your employees."

Basil

Interesting article by ESET on Cryptolocker 2.0   :thud:

Quote: Cryptolocker 2.0 vs. Cryptolocker

Both malware families operate in a similar manner. After infection, they scan the victim's folder structure for files matching a set of file extensions, encrypt them and display a message window that demands a ransom in order to decrypt the files. Both use RSA public-key cryptography. But there are some implementation differences between the two families.

ky331

Just noting that CryptoPrevent has not been updated since v4.3... quite a while back. Wonder if it's gonna be updated for this newer/alternate CryptoLocker version?

Basil

I have been having the exact same thought... but maybe we are both wrong, ky331... :lol:
This is a comment made by Corrine on another site:
Quote: ...this "Cryptolocker 2.0" appears to be a copycat rather than a new version

ky331

My understanding of the use of "copycat" here is that CL2 was created by a different "vendor" (of malware), with similar impact/appearance to the original CryptoLocker, meaning it will scramble/encrypt one's files using a practically unbreakable code.

That does NOT necessarily imply that they are using the same mechanism to inflict the damage. Keep in mind that CryptoPrevent monitors a fixed set of directory locations, from which "ordinary" programs don't launch, but from which CryptoLocker does. If the "copycat" chooses to launch itself from different locations, CryptoPrevent (in its current form) will not stop it.
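The "fixed set of directory locations" ky331 refers to is enforced on Windows through Software Restriction Policy (SRP) path rules, stored under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers. Because the rules are plain registry values, they can be written without the Group Policy editor, which is how a tool can do this on Home editions. The PowerShell below is an added example written for this thread; it is not CryptoPrevent's code and was not posted by anyone in the discussion. It writes Disallowed path rules for the user-writable folders a CryptoLocker-era dropper launched from (%AppData%, %LocalAppData%, %Temp% and the temp folders archive tools extract into), lists what is enforced, and previews whether a given path would be matched. The specific pattern list, descriptions and function names are this example's own choices, not a definitive rule set. Run it in an elevated session; expect to add exceptions for legitimate per-user installers that run from %LocalAppData%.

```powershell
# Added example for this thread: SRP path rules that block .exe launches from
# user-writable folders. Not CryptoPrevent's code. Run elevated.
# The folder patterns below are this example's own choices (an assumption about
# where droppers land), not an authoritative list.

$Safer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# Locations from which installed software normally does not run, but
# email-attachment droppers of the CryptoLocker era did.
$BlockedPaths = @(
    '%AppData%\*.exe',
    '%AppData%\*\*.exe',
    '%LocalAppData%\*.exe',
    '%LocalAppData%\*\*.exe',
    '%Temp%\*.exe',
    '%Temp%\*\*.exe',
    '%Temp%\rar*\*.exe',      # archives opened in place by WinRAR
    '%Temp%\7z*\*.exe',       # ... by 7-Zip
    '%Temp%\wz*\*.exe',       # ... by WinZip
    '%Temp%\*.zip\*.exe'      # ... by Explorer's built-in zip handler
)

function Enable-SrpBaseline {
    # DefaultLevel 0x40000 = Unrestricted, so only the explicit Disallowed rules bite.
    New-Item -Path $Safer -Force | Out-Null
    New-ItemProperty -Path $Safer -Name DefaultLevel -PropertyType DWord -Value 0x40000 -Force | Out-Null
    # TransparentEnabled 1 = enforce for all software except DLLs.
    New-ItemProperty -Path $Safer -Name TransparentEnabled -PropertyType DWord -Value 1 -Force | Out-Null
    # PolicyScope 0 = apply to all users, administrators included.
    New-ItemProperty -Path $Safer -Name PolicyScope -PropertyType DWord -Value 0 -Force | Out-Null
    # Security level 0 = Disallowed; each rule is a GUID subkey under <level>\Paths.
    New-Item -Path "$Safer\0\Paths" -Force | Out-Null
}

function Add-SrpDisallowPath {
    param([Parameter(Mandatory)][string]$Pattern,
          [string]$Description = 'Added by example script')
    # Idempotent: do not create a second rule for a pattern that already exists.
    $existing = Get-ChildItem "$Safer\0\Paths" -ErrorAction SilentlyContinue |
        Where-Object { (Get-ItemProperty $_.PSPath).ItemData -eq $Pattern }
    if ($existing) { return $existing.PSChildName }

    $guid = '{' + [guid]::NewGuid().ToString() + '}'
    $key  = New-Item -Path "$Safer\0\Paths\$guid" -Force
    New-ItemProperty -Path $key.PSPath -Name ItemData     -PropertyType ExpandString -Value $Pattern | Out-Null
    New-ItemProperty -Path $key.PSPath -Name SaferFlags   -PropertyType DWord -Value 0 | Out-Null
    New-ItemProperty -Path $key.PSPath -Name Description  -PropertyType String -Value $Description | Out-Null
    New-ItemProperty -Path $key.PSPath -Name LastModified -PropertyType QWord -Value ([datetime]::UtcNow.ToFileTimeUtc()) | Out-Null
    return $guid
}

function Get-SrpDisallowPaths {
    # Lists every Disallowed path rule so you can verify what is actually enforced.
    Get-ChildItem "$Safer\0\Paths" -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        [pscustomobject]@{ Rule = $_.PSChildName; Pattern = $p.ItemData; Description = $p.Description }
    }
}

function Test-SrpBlocksPath {
    param([Parameter(Mandatory)][string]$Path)
    # Preview only: expands the environment variables and applies the wildcards
    # the way SRP does for path rules, enough to sanity-check the rule set.
    # SRP itself performs the real matching at process start.
    foreach ($pattern in (Get-SrpDisallowPaths).Pattern) {
        $expanded = [Environment]::ExpandEnvironmentVariables($pattern)
        if ($Path -like $expanded) { return $true }
    }
    return $false
}

Enable-SrpBaseline
foreach ($p in $BlockedPaths) {
    Add-SrpDisallowPath -Pattern $p -Description "Block exe launch from $p" | Out-Null
}
Get-SrpDisallowPaths | Format-Table -AutoSize

# Constructed sample paths (not real files) to check the rule set against:
Test-SrpBlocksPath "$env:APPDATA\dhl_parcel_report.exe"
Test-SrpBlocksPath "$env:ProgramFiles\Mozilla Firefox\firefox.exe"
```

The last two calls illustrate ky331's point: a dropper written to %AppData% matches a rule, while anything launched from a location the list does not cover (Program Files here, but equally %ProgramData%, a removable drive, or a copycat's folder of choice) is not touched. A rule set like this is only as good as the list, so review your own process-creation logs before and after enabling it, and keep backups regardless, since none of this helps once files are already encrypted.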

Basil


Paddy

This is one race of people for whom psychoanalysis is of no use whatsoever - Sigmund Freud (about the Irish)

Never argue with a fool, they will lower you to their level and then beat you with experience.

Basil


Corrine

Worryingly, CryptoLocker ransomware turns from a Trojan... into a worm
In part:
Quote: As Trend Micro describes, new versions of CryptoLocker have been seen that have wriggled out of its Trojan horse form, and adopted the skin of a USB-spreading worm instead.

Up until this, CryptoLocker couldn't travel under its own steam. You would encounter it by opening an email attachment or clicking on a link perhaps claiming to come from your bank or a delivery company.

However, the new version can spread between removable drives – posing as activation keys for tools such as Adobe Photoshop and Microsoft Office, seeded on P2P file-sharing networks.

Trend Micro report: New CryptoLocker Spreads Via Removable Drives | Security Intelligence Blog | Trend Micro


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

ky331

So getting to the bottom line (with a question that may be difficult to answer), where do these changes leave users in terms of optimal protection vs. CryptoLocker? Is it best to rely on a combination of CryptoPrevent and MBAM PRO? Would MBAE (Anti-Exploit) add anything here? I'm not asking for a 100% guaranteed solution, only where you believe we currently stand in terms of best practice to follow.

Corrine

From the MBAE Beta FAQ (Bold added):

Quote: 14- Will MBAE stop rogue antiviruses and ransomware?

There are two types of attacks when it comes to rogue antivirus and ransomware campaigns. In the first type of attack, using social engineering to fool users, a webpage simulating an antivirus scan is shown and the user is prompted to download and install the solution to the problem (which is the malicious or rogue antivirus). In the second, more advanced and dangerous type of attack, the user is lured into visiting a malicious webpage which exploits one or multiple vulnerabilities to automatically and transparently run the rogue antivirus or ransomware on the target system without any user interaction. In the first type of attack it is the responsibility of the antivirus to detect malicious executables, since MBAE is designed to prevent applications from being exploited automatically, when there is no user intervention involved. MBAE is not a white-listing or anti-exe solution which requires maintenance and user-based input. The second type of attack will be blocked by MBAE as it does rely on exploiting software vulnerabilities to run automatically and transparently without user interaction.


MBAE won't help with infected removable drives or a socially-engineered intentional install by the user.

 


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.