Author Topic: CryptoLocker Ransomware + CryptoPrevent Q&A


MikeW
Re: CryptoLocker Ransomware
« Reply #30 on: November 25, 2013, 11:30:41 AM »
I received my first CryptoLocker email, purporting to be from DHL as an undelivered parcel report.
Win 7 Home Premium  IE11 MSE  Mbam Pro

winchester73
Re: CryptoLocker Ransomware
« Reply #31 on: November 25, 2013, 09:29:25 PM »
No worries, Mike ... That package was from me  :hysterical:
Speak softly, but carry a big Winchester ... Winchester Arms Collectors Association member

Corrine
Re: CryptoLocker Ransomware
« Reply #32 on: November 26, 2013, 12:02:52 AM »
* Corrine blocks Win73's email address.  :lol: 

Seriously, with the approaching holidays, I expect there will be an increase in fake UPS, Amazon, etc. emails.


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

MikeW
Re: CryptoLocker Ransomware
« Reply #33 on: November 26, 2013, 10:30:40 AM »
Quote
No worries, Mike ... That package was from me  :hysterical:

I have returned it to you; your files are now encrypted. Release fee: 2 cases of beer  :mitch:  :Hammys pint:

ky331
Re: CryptoLocker Ransomware
« Reply #34 on: December 03, 2013, 01:11:28 PM »
BillP (WinPatrol) posted the following on Facebook, in response to the question: [Can] WinPatrol block the CryptoLocker viruses?

"At this time, I wouldn't feel comfortable saying WinPatrol will protect you against this kind of threat. WinPatrol's protection by design is focused on a program infiltrating your computer so it can hide and mess with your system on a regular basis.

Crypto-style programs aren't really sophisticated in the way they remain on your system. In fact, if you remove the Trojan part of the threat it could prevent you from seeing the instructions on how to save your files. While I highly recommend daily backups over paying an extortionist, it would be possible to restore their files via our History button.

I'm currently spending a lot of time researching this threat, so I do have a bit of experience. Using WinPatrol PLUS I have been able to detect the infiltration in time before any damage was done. Using the free version, some files were compromised. However, this was under lab conditions and not by a typical user who would have allowed CryptoLocker to run in the first place. My experience is that typical users could fall prey to the download, but instinct would kick in the moment they clicked.

I'm pleased to note I have not received any reports of attacks by WinPatrol users. That either means WinPatrol users are very careful or Scotty has alerted them in time. I still wouldn't try it unless I knew everything was backed up or I was running in a virtual sandbox. The target audience for CryptoLocker may not be the same as those using WinPatrol.
If your files have already been encrypted, WinPatrol will not be able to help at this time.

I have actually been looking at a solution to CryptoLocker and other attacks I expect to see in the future, using some older code from WinPatrol. I believe it would be possible to provide a solution for CryptoLocker; however, it uses the same technology common in rootkits. I'm not sure if most users would find that acceptable. I do have an idea for a better solution but need some funding before I can make this happen.

For now, use extra care, and if you own a business, train your users and keep a firewall between your employees."

Basil
Re: CryptoLocker Ransomware
« Reply #35 on: December 20, 2013, 03:59:17 PM »
Interesting article by ESET on Cryptolocker 2.0   :thud:

Quote
Cryptolocker 2.0 vs. Cryptolocker

Both malware families operate in a similar manner. After infection, they scan the victim’s folder structure for files matching a set of file extensions, encrypt them and display a message window that demands a ransom in order to decrypt the files. Both use RSA public-key cryptography. But there are some implementation differences between the two families.

ky331
Re: CryptoLocker Ransomware
« Reply #36 on: December 21, 2013, 11:45:34 AM »
Just noting that CryptoPREVENT has not been updated since v4.3... quite a while back.   Wonder if it's gonna be updated for this newer/alternate CryptoLocker version???

Basil
Re: CryptoLocker Ransomware
« Reply #37 on: December 21, 2013, 12:55:05 PM »
I have been having the exact same thought... but maybe we are both wrong, ky331... :lol:
This is a comment made by Corrine on another site:
Quote
...this "Cryptolocker 2.0" appears to be a copycat rather than a new version

ky331
Re: CryptoLocker Ransomware
« Reply #38 on: December 23, 2013, 11:21:04 AM »
My understanding of the use of "copycat" here means that CL2 was created by a different "vendor" (of malware), having similar impact/appearance to the original CryptoLocker -- meaning it will scramble/encrypt one's files using a practically unbreakable code.

That does NOT necessarily imply that they are using the same mechanism to inflict the damage.   Keep in mind that CryptoPrevent monitors a fixed set of directory locations, from which "ordinary" programs don't launch, but from which CryptoLocker does.  If the "copycat" chooses to launch itself from different locations, CryptoPrevent (in its current form) will not stop it.
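
As an added illustration of ky331's point above, and not code from CryptoPrevent or from anyone in this thread: a small Python model of path-based launch rules of the kind described, where execution is refused from a fixed set of user-profile directories. The rule list, the environment values and the file names are all constructed for the example and are assumptions, not CryptoPrevent's real rule set. It shows that a dropper run from %AppData% is caught, while the same file launched from Downloads or from a removable drive matches no rule at all.

```python
import re

# Constructed environment for the model; a real host would use os.environ.
ENV = {
    "APPDATA": r"C:\Users\mike\AppData\Roaming",
    "LOCALAPPDATA": r"C:\Users\mike\AppData\Local",
    "TEMP": r"C:\Users\mike\AppData\Local\Temp",
    "USERPROFILE": r"C:\Users\mike",
}

# Assumed block list in the style of "launch from the profile directories is
# refused". In this model * never crosses a backslash, so each directory depth
# that should be covered needs its own rule.
BLOCK_RULES = [
    r"%AppData%\*.exe",
    r"%AppData%\*\*.exe",
    r"%LocalAppData%\*.exe",
    r"%LocalAppData%\*\*.exe",
    r"%Temp%\*.exe",
    r"%Temp%\*\*.exe",
]

_VAR = re.compile(r"%([^%]+)%")


def expand(pattern, env=ENV):
    """Expand %NAME% references (case-insensitive) from the supplied environment."""
    def sub(match):
        name = match.group(1).upper()
        if name not in env:
            raise KeyError(f"unknown variable %{name}%")
        return env[name]
    return _VAR.sub(sub, pattern)


def rule_to_regex(rule, env=ENV):
    """Compile an expanded path rule; * matches within one path component only."""
    parts = expand(rule, env).split("*")
    body = r"[^\\]*".join(re.escape(part) for part in parts)
    return re.compile(r"\A" + body + r"\Z", re.IGNORECASE)


def first_matching_rule(exe_path, rules=BLOCK_RULES, env=ENV):
    """Return the rule that refuses exe_path, or None if no rule covers it."""
    for rule in rules:
        if rule_to_regex(rule, env).match(exe_path):
            return rule
    return None


def is_blocked(exe_path, rules=BLOCK_RULES, env=ENV):
    return first_matching_rule(exe_path, rules, env) is not None


# Constructed launch attempts; the file names are invented for the example.
LAUNCHES = {
    "dropper in %AppData% root": r"C:\Users\mike\AppData\Roaming\Kfvjl.exe",
    "dropper one level down": r"C:\Users\mike\AppData\Roaming\Adobe\Kfvjl.exe",
    "dropper two levels down": r"C:\Users\mike\AppData\Roaming\Adobe\Updater\Kfvjl.exe",
    "copycat run from Downloads": r"C:\Users\mike\Downloads\Photoshop_Activator.exe",
    "copycat on removable drive": r"E:\Office_Activation.exe",
}


def evaluate_launches(launches=LAUNCHES, rules=BLOCK_RULES, env=ENV):
    """Map each launch description to the rule that blocks it (None = not covered)."""
    return {name: first_matching_rule(path, rules, env) for name, path in launches.items()}


if __name__ == "__main__":
    for name, rule in evaluate_launches().items():
        verdict = "BLOCKED" if rule else "allowed"
        print(f"{verdict:8} {name}: {rule or 'no rule matches'}")
```

Run as a script it prints one verdict per launch. The "two levels down" and the two copycat cases come back with no matching rule, which is the blind spot ky331 describes: a location-based block list only stops what launches from the locations it lists.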

Basil
Re: CryptoLocker Ransomware
« Reply #39 on: December 23, 2013, 04:30:34 PM »
An interesting interview on Ransomware by ESET's welivesecurity.

http://www.welivesecurity.com/podcasts/ransomware-101/

Paddy
Re: CryptoLocker Ransomware
« Reply #40 on: December 24, 2013, 01:10:57 PM »
Dell SecureWorks have a good read on this..

CryptoLocker Ransomware:
http://www.secureworks.com/cyber-threat-intelligence/threats/cryptolocker-ransomware/

And the BBC Technology:
http://www.bbc.co.uk/news/technology-2550620


Paddy... :Hammys pint:
This is one race of people for whom psychoanalysis is of no use whatsoever - Sigmund Freud (about the Irish)

Never argue with a fool, they will lower you to their level and then beat you with experience.

Basil
Re: CryptoLocker Ransomware
« Reply #41 on: December 29, 2013, 03:28:03 PM »
An interesting Article by ESET

Cryptolocker 2.0 – new version, or copycat?

Corrine
Re: CryptoLocker Ransomware
« Reply #42 on: January 03, 2014, 08:47:54 PM »
Worryingly, CryptoLocker ransomware turns from a Trojan.. into a worm
In part:
Quote
As Trend Micro describes, new versions of CryptoLocker have been seen that have wriggled out of its Trojan horse form, and adopted the skin of a USB-spreading worm instead.

Up until this, CryptoLocker couldn’t travel under its own steam. You would encounter it by opening an email attachment or clicking on a link perhaps claiming to come from your bank or a delivery company.

However, the new version can spread between removable drives – posing as activation keys for tools such as Adobe Photoshop and Microsoft Office, seeded on P2P file-sharing networks.

Trend Micro report:  New CryptoLocker Spreads Via Removable Drives | Security Intelligence Blog | Trend Micro



ky331
Re: CryptoLocker Ransomware
« Reply #43 on: January 04, 2014, 11:15:54 AM »
So getting to the bottom line (with a question that may be difficult to answer), where do these changes leave users in terms of optimal protection vs. CryptoLocker?   Is it best to rely on a combination of CryptoPrevent and MBAM PRO?   Would MBAE (Anti-EXPLOIT) add anything here?   I'm not asking for a 100% guaranteed solution, only where you believe we currently stand in terms of best practice to follow.

Corrine
Re: CryptoLocker Ransomware
« Reply #44 on: January 04, 2014, 04:32:14 PM »
From the MBAE Beta FAQ (Bold added):

Quote
14- Will MBAE stop rogue antiviruses and ransomware?

There are two types of attacks when it comes to rogue antivirus and ransomware campaigns. In the first type of attack, using social engineering to fool users, a webpage simulating an antivirus scan is shown and the user is prompted to download and install the solution to the problem (which is the malicious or rogue antivirus). In the second, more advanced and dangerous type of attack, the user is lured into visiting a malicious webpage which exploits one or multiple vulnerabilities to automatically and transparently run the rogue antivirus or ransomware on the target system without any user interaction. In the first type of attack it is the responsibility of the antivirus to detect malicious executables, since MBAE is designed to prevent applications from being exploited automatically, when there is no user intervention involved. MBAE is not a white-listing or anti-exe solution which requires maintenance and user-based input. The second type of attack will be blocked by MBAE as it does rely on exploiting software vulnerabilities to run automatically and transparently without user interaction.

 

MBAE won't help with infected removable drives or a socially-engineered intentional install by the user.