Author Topic: CryptoLocker Ransomware + CryptoPrevent Q&A  (Read 31328 times)


Online Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • *****
  • Posts: 20213
  • "Stronger than the past, united in our goal."
    • View Profile
    • Security Garden
Re: CryptoLocker Ransomware
« Reply #15 on: October 28, 2013, 06:16:44 PM »
Temp Extracted Executables in Archive Files refers to executables (e.g., .exe, .pdf) that are opened directly from a downloaded .zip, .rar, etc. rather than extracting first. An executable that is opened directly from the "archive" is opened in a temp file.


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Offline Basil

  • LzD Friends
  • Hero Member
  • *****
  • Posts: 564
  • Formerly known as gr277
    • View Profile
Re: CryptoLocker Ransomware
« Reply #16 on: October 28, 2013, 06:30:20 PM »
Thank you Corrine... I ticked it... Just in case!

Offline Basil

Re: CryptoLocker Ransomware
« Reply #17 on: November 01, 2013, 05:52:49 PM »
I just came across this article and it is worth a read.

Quote
Over the past several weeks, a handful of frantic Microsoft Windows users have written in to ask what they might do to recover from PC infections from “CryptoLocker,”  the generic name for an increasingly prevalent and nasty strain of malicious software that encrypts your files until you pay a ransom. Unfortunately, the answer for these folks is usually either to pay up or suck it up. This post offers a few pointers to help readers avoid becoming the next victim.

http://krebsonsecurity.com/2013/11/how-to-avoid-cryptolocker-ransomware/

Online Corrine

Re: CryptoLocker Ransomware
« Reply #18 on: November 02, 2013, 12:45:37 PM »
An unfortunate development: CryptoLocker developers charge 10 bitcoins to use new Decryption Service

Quote
The price for the decryption key, though, has been significantly increased from 2 bitcoins to 10 bitcoins. With the current price of bitcoins at around $212 USD the ransom has increased from around $400 USD to over $2,100 USD.

Prevention along with backing up important data is definitely the only solution.


Offline ky331

  • LzD Friends
  • Hero Member
  • *****
  • Posts: 664
    • View Profile
Re: CryptoLocker Ransomware
« Reply #19 on: November 03, 2013, 01:09:19 AM »
Having just started to read about CryptoPrevent, let me ask an obvious question: Since its basis (setting software restriction policies) is publicly known, what's to prevent this malware [or future malware] from editing one's registry, countering these software restriction policy changes, and then implementing its notorious deed? [Note: If this is something that can't/shouldn't be discussed publicly, I will accept that as an answer.]

Separately, how safe is it for average users to use CryptoPrevent? Can it... either via enabling... or especially via its UNdo feature... do any harm? --- Specifically, can its UNdo inadvertently remove protection that was placed there previously by another program, if CryptoPrevent happens to protect the identical registry entry?

Is CryptoPrevent something about which we should be actively spreading the word? --- e.g., Should we be posting at DeLL [or other forums at which we participate], advocating "everyone" download and apply it immediately?

Online Corrine

Re: CryptoLocker Ransomware
« Reply #20 on: November 03, 2013, 06:28:40 PM »
ky331, personally, I believe home users should be encouraged to use CryptoPrevent.  As here, I would link to Grinler's Guide at Bleeping Computer and either include information about CryptoPrevent or point to that section of the Guide.

Programs should not be run from %appdata% and the other locations that CryptoPrevent is adding blocks to. Granted, when first released, CryptoLocker was being distributed by itself with enterprise networks the target. However, it appears that newer malware attachments are Zbot infections which then install the CryptoLocker infection. In addition, since other malware use the same tactics and launch points, CryptoPrevent will block those as well.

I would venture to suggest that 99.9 percent of home users do not use Group Policy.  So, concerns about undoing a Group Policy added by another program would be at the bottom of the list when compared to having files encrypted and held for ransom.  In addition, with the update to v2.1.1 it "runs gpupdate /force after the Undo features to ensure group policy is refreshed, and then protection is tested for again to determine if a reboot prompt will be displayed."


Offline ky331

Re: CryptoLocker Ransomware
« Reply #21 on: November 03, 2013, 06:49:38 PM »
Thanks for your response, Corrine.

I spent last night and this morning reading through a few of the articles on CryptoLocker, after which I deployed CryptoPrevent on two of my home systems.  I have also prepared my own composite summary of the essential information, which I've posted at DeLL:
http://en.community.dell.com/support-forums/virus-spyware/f/3522/t/19530796.aspx

Offline MikeW

  • LzD Friends
  • Hero Member
  • *****
  • Posts: 563
    • View Profile
Re: CryptoLocker Ransomware
« Reply #22 on: November 03, 2013, 09:09:59 PM »
Hi Corrine, I am curious about the undo feature in CryptoPrevent. Is it not likely that new versions of this type of ransomware will simply undo the restrictions before it begins its encryption?
Win 7 Home Premium  IE11 MSE  Mbam Pro

Online Corrine

Re: CryptoLocker Ransomware
« Reply #23 on: November 03, 2013, 10:32:09 PM »
First, Mike, in order for a new variant of CryptoLocker to undo the restrictions placed by CryptoPrevent, it would need to be installed in a legitimate location not in one of the blocked locations such as %appdata%, %userprofile%, %programdata%, Recycle Bin, etc. Security experts are monitoring the file paths that have been used by this infection and its droppers. Second, the infection would need to undo the Group Policy changes which requires Administrator approval.

As I mentioned before, the likelihood of infection is significantly diminished via the malware execution prevention and blocking of malware sites and servers that Malwarebytes Pro provides.

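A read-only way to check whether the launch points named in Replies #15, #20 and #23 are actually covered by Software Restriction Policy (SRP) path rules on a given machine. This is an added example, not code from the thread or from CryptoPrevent; it assumes the standard SRP registry layout under ...\Safer\CodeIdentifiers and the Recycle Bin folder name, and it changes nothing.

```powershell
# Added example, not CryptoPrevent's own code: a read-only audit of the Software
# Restriction Policy (SRP) path rules that block execution from the launch points
# this thread names. Assumes the standard SRP registry layout under
# ...\Safer\CodeIdentifiers (subkey 0 = Disallowed, 262144 = Unrestricted).

function Get-SrpDisallowedPaths {
    param([ValidateSet('HKLM', 'HKCU')][string]$Hive)
    $key = "${Hive}:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"
    if (-not (Test-Path $key)) { return @() }   # no Disallowed path rules in this hive
    Get-ChildItem $key | ForEach-Object {
        # ItemData is REG_EXPAND_SZ; read it raw so the rule shows as it was written
        $raw = $_.GetValue('ItemData', $null, 'DoNotExpandEnvironmentNames')
        if (-not $raw) { return }                # skip malformed rule keys
        [pscustomobject]@{
            Hive        = $Hive
            Rule        = $raw
            Expanded    = [Environment]::ExpandEnvironmentVariables($raw)
            Description = $_.GetValue('Description')
        }
    }
}

$rules = @(Get-SrpDisallowedPaths -Hive HKLM) + @(Get-SrpDisallowedPaths -Hive HKCU)
$rules | Sort-Object Expanded | Format-Table Hive, Rule, Description -AutoSize

# Launch points named in the thread; the Recycle Bin folder name is an assumption
$launchPoints = [ordered]@{
    '%AppData%'     = '%AppData%'
    '%UserProfile%' = '%UserProfile%'
    '%ProgramData%' = '%ProgramData%'
    '%Temp%'        = '%Temp%'        # where "temp extracted" archive executables land
    'Recycle Bin'   = '$Recycle.Bin'  # literal folder name, not an environment variable
}

foreach ($name in $launchPoints.Keys) {
    $needle = [Environment]::ExpandEnvironmentVariables($launchPoints[$name])
    # A location counts as covered if any Disallowed rule's expanded path mentions it
    $hits = @($rules | Where-Object {
        $_.Expanded.IndexOf($needle, [StringComparison]::OrdinalIgnoreCase) -ge 0 })
    $status = if ($hits.Count) { "covered by $($hits.Count) rule(s)" } else { 'NO RULE FOUND' }
    '{0,-14} {1}' -f $name, $status
}
```

An empty rule table means SRP has no Disallowed path rules at all, not just that one location is missing; exceptions under the 262144 (Unrestricted) subkey are intentionally not listed here.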

Offline MikeW

Re: CryptoLocker Ransomware
« Reply #24 on: November 04, 2013, 06:59:54 AM »
Thanks Corrine

Online Corrine

Re: CryptoLocker Ransomware
« Reply #25 on: November 12, 2013, 08:53:12 PM »
Via Bleeping Computer:

CryptoLocker emails now including password protected attachments to evade av software. Email pretends to be new outlook settings.


Online Corrine

Re: CryptoLocker Ransomware
« Reply #26 on: November 16, 2013, 03:40:32 PM »
Quote
The past few weeks have seen the ransomware CryptoLocker emerge as a significant threat for many users. Our monitoring of this threat has revealed details on how it spreads, specifically its connection to spam and ZeuS. However, it looks like there is more to the emergence of this threat than initially discovered.

We have identified one possible factor in this growth: the arrest of Paunch, the creator of the Blackhole Exploit Kit. Paunch’s arrest led to a significant reduction in spam campaigns using exploit kits. Clearly, this caused a vacuum in the spam-sending world – spammers would not all of a sudden stop sending spam. So they would need to send something out; what would this be?

More at CryptoLocker Emergence Connected to Blackhole Exploit Kit Arrest | Security Intelligence Blog | Trend Micro


Offline zep516

  • Malware Experts
  • Sr. Member
  • *****
  • Posts: 274
    • View Profile
Re: CryptoLocker Ransomware
« Reply #27 on: November 16, 2013, 05:23:24 PM »
Thank you for these updates.

Joe :)
You're only as safe as your last update.

Offline Basil

Re: CryptoLocker Ransomware
« Reply #28 on: November 17, 2013, 09:15:29 AM »
Thank you.. :)

Offline MikeW

Re: CryptoLocker Ransomware
« Reply #29 on: November 19, 2013, 07:27:58 AM »