Author Topic: How To Avoid CryptoLocker Ransomware

Offline Bugbatter

  • Microsoft® MVP
  • Administrator
  • Diamond Member
  • Posts: 8308
How To Avoid CryptoLocker Ransomware
« on: November 03, 2013, 07:46:42 am »

Over the past several weeks, a handful of frantic Microsoft Windows users have written in to ask what they might do to recover from PC infections from “CryptoLocker,”  the generic name for an increasingly prevalent and nasty strain of malicious software that encrypts your files until you pay a ransom. Unfortunately, the answer for these folks is usually either to pay up or suck it up. This post offers a few pointers to help readers avoid becoming the next victim.

http://krebsonsecurity.com/2013/11/how-to-avoid-cryptolocker-ransomware/



Microsoft MVP - Consumer Security

Offline Bear

  • Malware Removal Mentors
  • Global Moderator
  • Gold Member
  • Posts: 2694
Re: How To Avoid CryptoLocker Ransomware
« Reply #1 on: November 03, 2013, 02:31:43 pm »
I installed CryptoPrevent from Foolish IT today. I will let you know if I have any issues with it after running it for a bit. Also, do you think WinPatrol would also prevent a CryptoLocker infection from occurring?
Never interrupt your enemy when he is making a mistake.
- Napoleon Bonaparte

Offline Bugbatter

  • Microsoft® MVP
  • Administrator
  • Diamond Member
  • Posts: 8308
Re: How To Avoid CryptoLocker Ransomware
« Reply #2 on: November 03, 2013, 04:49:48 pm »
Quote
Also, do you think WinPatrol would also prevent a CryptoLocker infection from occurring?
I'll look into it.

Microsoft MVP - Consumer Security

Offline ky331

  • Dell Community Colleague
  • Dell Support Group
  • Bronze Member
  • Posts: 287
  • Rascal & Biscuit
Re: How To Avoid CryptoLocker Ransomware
« Reply #3 on: November 03, 2013, 05:23:22 pm »
I have prepared my own composite summary of the essential information --- gleaned from the various articles I've read in the past 24 hours --- which I've posted at Dell:

http://en.community.dell.com/support-forums/virus-spyware/f/3522/t/19530796.aspx

(I've opted not to copy everything over here, as I didn't want to have to deal with reformatting everything from Dell's board to this one.)

Offline BillP

  • Microsoft® MVP
  • Bronze Member
  • Posts: 3
Re: How To Avoid CryptoLocker Ransomware
« Reply #4 on: November 03, 2013, 09:08:11 pm »
Thanks for the confidence in WinPatrol as a tool against CryptoLocker.
I wouldn't feel comfortable saying WinPatrol will protect you against this kind of threat. WinPatrol's protection by design is focused on a program infiltrating your computer so it can hide and mess with your system on a regular basis. As it's been pointed out, Crypto style programs aren't sophisticated in the way they remain on your system. In fact, if you remove the Trojan part of the threat it could prevent you from seeing the instructions on how to save your files. While I highly recommend daily backups over paying an extortionist, it would be possible to restore their files via our History button.

I'm currently spending a lot of time researching this threat so I do have a bit of experience. Using WinPatrol PLUS I have been able to detect the infiltration in time before any damage was done. Using the free version some files were compromised. However, this was under lab conditions and not by a typical user who would have allowed CryptoLocker to run in the first place. My experience is that typical users could fall prey to the download but instinct would kick in the moment they clicked.

I'm pleased to note I have not received any reports of attacks by WinPatrol users. That either means WinPatrol users are very careful or Scotty has alerted them in time. I still wouldn't try it unless I knew everything was backed up or I was running in a virtual sandbox. The target audience for CryptoLocker may not be the same as those using WinPatrol.
I can confirm if your files have already been encrypted WinPatrol will not be able to help at this time.

I can also confirm while these kinds of threats have always been around, the visibility of CryptoLocker is not good for the bad guys. I have been recruited to join with others to prevent this kind of behavior in the future. For now, use extra care and if you own a business train your users and keep a firewall between your employees.

Bill

Offline Bear

  • Malware Removal Mentors
  • Global Moderator
  • Gold Member
  • Posts: 2694
Re: How To Avoid CryptoLocker Ransomware
« Reply #5 on: November 04, 2013, 01:18:19 am »
Bill
Thanks for the information.  I will add that information to my closing security posts.
Never interrupt your enemy when he is making a mistake.
- Napoleon Bonaparte

Offline Bugbatter

  • Microsoft® MVP
  • Administrator
  • Diamond Member
  • Posts: 8308
Re: How To Avoid CryptoLocker Ransomware
« Reply #6 on: November 04, 2013, 04:17:12 am »
CryptoLocker ransomware crooks offer "late payment penalty" option

The crooks behind the CryptoLocker malware seem to have introduced a second chance option.

Victims, it seems, can now change their minds about not paying up...Apparently the crooks will now let you buy back your key even if you didn't follow their original instructions.

Word on the street, however, is that the crooks want five times as much as they were charging originally to decrypt your data after you change your mind.

Complete article: http://nakedsecurity.sophos.com/2013/11/04/cryptolocker-ransomeware-crooks-offer-late-payment-penalty-option/

Microsoft MVP - Consumer Security

Offline PCBruiser

  • Malware Removal Mentors
  • Administrator
  • Diamond Member
  • Posts: 7935
Re: How To Avoid CryptoLocker Ransomware
« Reply #7 on: November 04, 2013, 12:41:24 pm »
WARNING:  In recent days, you might have noticed some very strange wedding invitations showing up in your email inbox.  They may have originated from unusual places such as Russia.  THE ATTACHMENTS TO THOSE EMAIL MESSAGES CONTAIN CRYPTOLOCKER - DO NOT OPEN THEM.  DELETE THEM IMMEDIATELY AND THEN EMPTY YOUR TRASH.
Don't Read?  Can't learn!

Offline Bugbatter

  • Microsoft® MVP
  • Administrator
  • Diamond Member
  • Posts: 8308
Re: How To Avoid CryptoLocker Ransomware
« Reply #8 on: November 12, 2013, 07:09:31 pm »
It's not only wedding invitations. We're also seeing email attachments that pretend to be new Outlook settings.

Microsoft MVP - Consumer Security

Offline PCBruiser

  • Malware Removal Mentors
  • Administrator
  • Diamond Member
  • Posts: 7935
Re: How To Avoid CryptoLocker Ransomware
« Reply #9 on: November 13, 2013, 07:02:10 am »
That is certainly true.  There are several types of email and attachments reportedly being used that distribute CryptoLocker payloads.  It just happens that I have received a number (between 25-30) of so-called "wedding invitations", most all of which I have tracked back to Russian sources, that I have personally tested and validated as CryptoLocker.  I have not personally received, or tested, any other types.  I cannot comprehend why anyone would be foolish enough to open attachments like that, so clearly absurd and intended to be malicious.

All of this reinforces our advice of never to open email or attachments you do not expect and cannot validate from the source, no matter how appealing the "content" or curious you might be.  The distribution of CryptoLocker also speaks to the wisdom of using text only email clients to pre-check email.  There are a number of excellent text only email clients for the Windows platform, both freeware and shareware.  Freeware includes clients like Claws, and shareware includes clients like Mailwasher.
« Last Edit: November 13, 2013, 07:12:50 am by PCBruiser »
Don't Read?  Can't learn!

Offline Bear

  • Malware Removal Mentors
  • Global Moderator
  • Gold Member
  • Posts: 2694
Re: How To Avoid CryptoLocker Ransomware
« Reply #10 on: November 15, 2013, 02:19:36 am »
Some follow-up on CryptoPrevent.  Had difficulty running and installing a program.  Got a group policy error.  Had to turn off CryptoPrevent to get it to install properly and run.  Was able to turn it on again after install.
Never interrupt your enemy when he is making a mistake.
- Napoleon Bonaparte

Offline ky331

  • Dell Community Colleague
  • Dell Support Group
  • Bronze Member
  • Posts: 287
  • Rascal & Biscuit
Re: How To Avoid CryptoLocker Ransomware
« Reply #11 on: November 15, 2013, 06:14:02 am »
Bear,

What you're describing has been mentioned in CryptoPrevent's Q & A:

Q:  My legitimate software isn’t working properly after applying the protection.  What do I do?

A:  Be CERTAIN you have the latest version of the app, which is getting better all the time at not blocking legitimate applications.  If you had an outdated version, after update then re-apply the protection and restart, then re-test your app.  If it still isn’t working, ensure you’ve done the whitelisting first, and reboot if new entries are added to the whitelist.  If it still isn’t working, then you may need to temporarily undo protection when using/installing that app.  If this is the case, I would appreciate you telling me what app isn’t working for you and if you can, the details on the app’s filename and where it is running from, maybe I can help alleviate the issue with a new version.

Offline Bear

  • Malware Removal Mentors
  • Global Moderator
  • Gold Member
  • Posts: 2694
Re: How To Avoid CryptoLocker Ransomware
« Reply #12 on: November 15, 2013, 10:51:48 am »
Thank you.  And, yes, you are correct.  The problem was that I completely forgot I had installed CryptoPrevent.  It runs without notice in the background so it is not something I think about.  The problem and the solution makes perfect sense now.
Never interrupt your enemy when he is making a mistake.
- Napoleon Bonaparte

Offline Bugbatter

  • Microsoft® MVP
  • Administrator
  • Diamond Member
  • Posts: 8308
Re: How To Avoid CryptoLocker Ransomware
« Reply #13 on: November 19, 2013, 09:43:56 pm »
US local police department pays CryptoLocker ransom

A local police department in Swansea, Massachusetts, has paid cybercrooks behind the CryptoLocker ransomware attack to decrypt files locked up by the malware on police computer systems, according to local press reports.

Complete article: http://nakedsecurity.sophos.com/2013/11/19/us-local-police-department-pays-cryptolocker-ransom/

Microsoft MVP - Consumer Security

Offline ky331

  • Dell Community Colleague
  • Dell Support Group
  • Bronze Member
  • Posts: 287
  • Rascal & Biscuit
Re: How To Avoid CryptoLocker Ransomware
« Reply #14 on: June 18, 2014, 04:05:27 am »
Please take special note of a major change introduced in CryptoPrevent version 6:

  ◦ New real-time ‘Filter Module’ that can filter certain executables against hash based definitions, can also filter based on other criteria using a more complex rule set, and allow user the option to run the file anyway. Enabled for CPL, SCR, and PIF files by default – advanced options allow to enable for EXE/COM files also (experimental!)

"if you have the Filter Module enabled in v6 and above, your anti-malware software may report several false positives related to CryptoPrevent’s [restriction of policy] settings."

Specifically, these registry keys may be detected as ‘modified’ or ‘hijacked’, and the value data will point to the CryptoPreventFilterMod.exe file in your installation directory.

  • scrfile\shell\open\command
  • cplfile\shell\open\command
  • piffile\shell\open\command

If using the experimental EXE/COM filter, you can also expect to see these keys:

  • exefile\shell\open\command
  • comfile\shell\open\command

And any key above may also have “runas” where “open” is, and affected values may include “(Default)” and “IsolatedCommand”.

If these fit the category of your anti-malware detection, then they are definitely CryptoPrevent’s settings, and it is safe to tell your anti-malware software to ignore them and/or whitelist them.

===================

Indeed, MBAM scans are coming up with [at least] the following two registry entries:

Broken.OpenCommand, HKCR\piffile\shell\open\command, "C:\Program Files\Foolish IT\CryptoPrevent\CryptoPreventFilterMod.exe" *"Good: ("Bad: ("C:\Program Files\Foolish IT\CryptoPrevent\CryptoPreventFilterMod.exe" *"%1" %*),,[ffffffffffffffffffffffffffffffff]" %*)" %*, %4, %5

Broken.OpenCommand, HKCR\scrfile\shell\open\command, "C:\Program Files\Foolish IT\CryptoPrevent\CryptoPreventFilterMod.exe" "Good: ("Bad: ("C:\Program Files\Foolish IT\CryptoPrevent\CryptoPreventFilterMod.exe" "%1" %*),,[ffffffffffffffffffffffffffffffff]" /S)" %*, %4, %5

which must then be added to MBAM's Exclusions list.
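As an added example (this is not code from the post, from Foolish IT's CryptoPrevent, or from Malwarebytes), here is a PowerShell audit that reads the HKCR shell\open and shell\runas command keys the post lists and sorts each value into one of three buckets: it points at CryptoPreventFilterMod.exe (expected when the Filter Module is on), it is a stock Windows command, or it is something else worth a closer look. It assumes an elevated PowerShell session on the machine being checked; the stock-command patterns cover the common Windows defaults and may not match every Windows version, so an "unexpected" verdict means "go and check", not "this is malware".

```powershell
# Added example, not from the forum post, CryptoPrevent, or MBAM.
# Audits the HKCR file-type command keys that CryptoPrevent's Filter Module
# rewrites, so an admin can tell the expected CryptoPrevent hook from a
# genuine hijack before whitelisting anything in the anti-malware product.
# Assumption: run elevated; GetValue() needs read access to HKCR.

$fileTypes      = 'scrfile', 'cplfile', 'piffile', 'exefile', 'comfile'
$verbs          = 'open', 'runas'
$valueNames     = '(Default)', 'IsolatedCommand'
$expectedFilter = 'CryptoPreventFilterMod.exe'

# Stock Windows commands for these types (assumption: typical defaults; they
# vary by Windows version). scrfile uses "%1" /S, cplfile invokes control.exe.
$stockPatterns = @(
    '^"%1"\s+(%\*|/S)\s*$',
    '^"%SystemRoot%\\System32\\control\.exe"'
)

function Get-ShellCommandAudit {
    $results = foreach ($type in $fileTypes) {
        foreach ($verb in $verbs) {
            $keyPath = "Registry::HKEY_CLASSES_ROOT\$type\shell\$verb\command"
            if (-not (Test-Path -LiteralPath $keyPath)) { continue }
            $key = Get-Item -LiteralPath $keyPath

            foreach ($name in $valueNames) {
                # The key's default value is read with an empty value name.
                $value = if ($name -eq '(Default)') { $key.GetValue('') } else { $key.GetValue($name) }
                if ($null -eq $value) { continue }

                $isStock = ($stockPatterns | Where-Object { $value -match $_ }).Count -gt 0

                $verdict = if ($value -match [regex]::Escape($expectedFilter)) {
                    'CryptoPrevent filter hook (expected if the Filter Module is enabled)'
                } elseif ($isStock) {
                    'Windows default'
                } else {
                    'UNEXPECTED - review this value before whitelisting'
                }

                [pscustomobject]@{
                    Key     = "HKCR\$type\shell\$verb\command"
                    Value   = $name
                    Command = $value
                    Verdict = $verdict
                }
            }
        }
    }
    $results
}

$audit = Get-ShellCommandAudit
$audit | Format-Table -AutoSize -Wrap

# Summary line so the script is useful from a scheduled task or remote session.
$unexpected = @($audit | Where-Object { $_.Verdict -like 'UNEXPECTED*' }).Count
Write-Host ("{0} command value(s) checked, {1} flagged for review." -f @($audit).Count, $unexpected)
```

Run it once after enabling the Filter Module and keep the output: when MBAM later reports a Broken.OpenCommand on one of these keys, comparing the flagged command against this baseline tells you whether it is still the CryptoPrevent hook or has since been changed by something else.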