Virus & Spyware

7 Gold

CryptoLocker, CryptoPrevent

Remark: The following is a composite summary/compilation of important information gleaned from various sources (which are cited at the end of this post).

“CryptoLocker” is the generic name for an increasingly prevalent and nasty strain of malicious software that encrypts your files until you pay a ransom... The trouble with CryptoLocker is not so much in removing the malware — that process appears to be surprisingly trivial in most cases. The real bummer is that all of your important files — pictures, documents, movies, MP3s — will remain scrambled with virtually unbreakable encryption unless and until you pay the ransom demand.

It is therefore absolutely critical that Cryptolocker be PREVENTED from impacting your system... because "after the fact", while the malware itself can be removed, your data canNOT be restored :-(

For example, the FREE version of MBAM, which detects Cryptolocker infections as Trojan.Ransom, may be able to remove the infectious malware, but it cannot recover your encrypted programs/data files. Fortunately, users of Malwarebytes Anti-Malware Pro are protected from CryptoLocker via the PRO version's realtime malware-execution-prevention and blocking of malware sites and servers.

It is now being recommended that all home users download and run CryptoPrevent, a tiny (and FREE) utility, which will PREVENT CryptoLocker infections, by setting software policy restrictions that should block Cryptolocker from running from the known locations it has been using. [Note: Some security software, including McAfee's SiteAdvisor, currently "red-flag" the CryptoPrevent site as being potentially dangerous. All indications are that this is a false positive. Avast users may find that its Behavior Shield might flag CryptoPrevent (likely based on its limited "file reputation"), resulting in Avast auto-sandboxing (in avast 8) or DeepScanning (avast 2014) the program.]

Download the most current version --- it's being updated frequently --- then run it using the default/checked options, and click APPLY.   That's all there is to it!

Disclaimers: 1) Since CryptoPrevent's methodology (of setting software restriction policies) is publicly known, I have no idea what's to prevent the CryptoLocker malware from editing one's registry, countering these software restriction policy changes, and then implementing its notorious deed. Likewise, what's to stop CryptoLocker from dropping its loaders in alternative [random] directories that don't have corresponding software restriction policies set? Of course, CryptoPrevent could then counter with an update which includes the new locations... but that puts it in the position of always "playing catch-up" to the malware. I welcome a definitive answer from security experts.

2) I am not yet in a position to guarantee the safety for average users to deploy CryptoPrevent.   My questions:  Can it... either via enabling... or especially via its UNdo feature... do any harm?  Specifically, can its UNdo inadvertently remove protection that was placed there previously by another program, if CryptoPrevent happens to protect the identical registry entry?... or are all of CryptoPrevent's registry entries unique to that program?  [EDIT:   As it's highly unlikely that Home Users have separately invoked any "Group Policy" restrictions, there's little chance of my UNdo fears here being realized.] 

In short, while CryptoPrevent appears to be an extremely important tool (WinXP [SP2/SP3], Vista, 7, 8, 8.1), be advised I can take no responsibility should anything go wrong.  [For what it's worth, I *HAVE* deployed CryptoPrevent on my primary Win7x64 Pro SP1 and my secondary WinXP Pro SP3 systems... so I'm not suggesting people be "guinea-pigs" for something that I haven't already tried myself.   So far, I really like what I see :emotion-1: .]

SOURCES:

Definitive Guide to CryptoLocker (by Lawrence Abrams [aka "Grinler" ]): http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information

http://krebsonsecurity.com/2013/11/how-to-avoid-cryptolocker-ransomware/

http://blog.malwarebytes.org/intelligence/2013/10/cryptolocker-ransomware-what-you-need-to-know/

CryptoPrevent:  http://www.foolishit.com/vb6-projects/cryptoprevent/

Free Internet Security - WOT Web of Trust       Use OpenDNS       MalwareBytes Anti-Malware


Windows 10 Pro (64-bit), Panda DOME 20, MBAM4 Pro, Windows Firewall, OpenDNS Family Shield, SpywareBlaster, MVPS HOSTS file, MBAE Premium, MCShield, WinPatrol PLUS, SAS (on-demand scanner), Zemana AntiLogger Free, Microsoft EDGE, Firefox, Pale Moon, uBlock Origin, CryptoPrevent.


[I believe computer-users who sandbox (Sandboxie) are acting prudently.]
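The disclaimers above ask what CryptoPrevent actually writes and what its UNdo would remove. The PowerShell audit script below is an added example (not part of the original post and not CryptoPrevent's own code) that lists the Software Restriction Policy path rules stored in the registry so a user can see each rule's level, path and timestamp before and after applying or undoing protection. It assumes the standard SRP registry location under HKLM and the documented SAFER level values; the -Match filter is an assumed convenience parameter.

```powershell
# Added example (not CryptoPrevent's code): audit Software Restriction Policy path rules.
# Assumes the standard SRP registry location and the documented SAFER level values.
# Run from an elevated PowerShell prompt; point -Root at HKCU:\... to audit per-user rules.
function Get-SrpPathRules {
    param(
        [string]$Root  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers',
        [string]$Match = ''   # optional substring filter on the rule path, e.g. 'AppData' (assumed parameter)
    )
    # SAFER security levels; the subkey names under CodeIdentifiers are these numbers
    $levels = @{ 0 = 'Disallowed'; 4096 = 'Untrusted'; 65536 = 'Basic User';
                 131072 = 'Normal User'; 262144 = 'Unrestricted' }

    if (-not (Test-Path -Path $Root)) {
        Write-Warning "No Software Restriction Policy configured under $Root"
        return
    }
    $default = (Get-ItemProperty -Path $Root -ErrorAction SilentlyContinue).DefaultLevel
    if ($null -ne $default) {
        $name = if ($levels.ContainsKey([int]$default)) { $levels[[int]$default] } else { $default }
        Write-Warning "Default level for paths without a rule: $name"
    }

    foreach ($levelKey in Get-ChildItem -Path $Root) {
        $n = 0
        if (-not [int]::TryParse($levelKey.PSChildName, [ref]$n)) { continue }   # skip non-level subkeys
        $levelName = if ($levels.ContainsKey($n)) { $levels[$n] } else { "0x{0:X}" -f $n }
        $pathsKey = Join-Path -Path $levelKey.PSPath -ChildPath 'Paths'
        if (-not (Test-Path -Path $pathsKey)) { continue }

        foreach ($ruleKey in Get-ChildItem -Path $pathsKey) {
            $rule = Get-ItemProperty -Path $ruleKey.PSPath
            if ($Match -and ($rule.ItemData -notlike "*$Match*")) { continue }
            # LastModified is stored as a FILETIME QWORD; convert it when present
            $modified = $null
            if ($rule.LastModified) { $modified = [datetime]::FromFileTime([long]$rule.LastModified) }
            [pscustomobject]@{
                Level       = $levelName
                Path        = $rule.ItemData
                Description = $rule.Description
                Modified    = $modified
                RuleId      = $ruleKey.PSChildName   # the GUID subkey an UNdo would have to delete
            }
        }
    }
}

# List every rule; Disallowed rules (the kind a blocking tool adds) sort first.
Get-SrpPathRules | Sort-Object Level, Path | Format-Table -AutoSize
```

Running it once before applying CryptoPrevent and once after, and diffing the RuleId column, shows exactly which GUID subkeys the tool added and therefore which ones its UNdo would be expected to remove.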

Replies (62)
5 Rhenium

4 Beryllium

http://blog.opendns.com/2013/11/06/umbrella-msps-protects-networks-cryptolocker/?__utma=247635969 

I think this is the link. 

Thanks. That is the one. It is for the Umbrella Web Security Business.  I am having problems with links. This is another interesting reading. Hope it sticks.

Hernan.

Dim9200/XPS 410.C2D 2.40GHz.2GB RAM.XP Pro_86 SPk3. IE8 & FF38

Avast!Free 2015. CIS 5.12(FW/D+). MBAM Premium. MCShield. WinPatrol +. WOT. OpenDNS. SAS(o/d)

"We are all ignorant, but we don't all ignore the same things..." Albert Einstein

"When you've excluded the impossible, whatever remains, however improbable, must be the truth..." Sherlock Holmes.

5 Rhenium

iroc9555, Your second link came through. Thanks for sharing.

What are the little blue diamonds with a question mark before and after your link?

Forum Member Since 2001

7 Gold

v4.1 – Added RLO (Right to Left Override) exploit protection to Fake File Extension protection function.


7 Gold

Just to clarify, "UMBRELLA" is a separate, PAID service --- aimed at businesses --- from OpenDNS. The article indicates that while UMBRELLA protected (businesses) against CryptoLocker, "plain" OpenDNS did not:

"A number of users of our free DNS service were infected with the [CryptoLocker] malware... OpenDNS customers using Umbrella are protected against losing their valuable data to Cryptolocker because we successfully cut off the outbound communication initiated by the malware for retrieving the encryption key".

Quoted from the 4th paragraph in http://labs.umbrella.com/2013/11/05/cryptolocker-remains-at-large/ 


7 Gold

Dale,

Yes, MBAM PRO should automatically protect you against CryptoLocker.   Likewise, CryptoPrevent should also protect you.

But one needs to keep in mind that malware can (and does) change, always trying to outsmart the anti-malware blockers.   So if/when a new "variation" of CryptoLocker first begins circulating, it may be able to infect systems until the anti-malware programs learn about it and revise their protection to include the latest "morph".

As we know, the MBAM team is highly vigilant, and will likely become aware of the new malware --- and then offer updated detection/prevention to PRO users --- within just hours.   That's about the best one can hope for.   CryptoPrevent seems to be offering a "fair" number of updates so far... but keep in mind, that unless users monitor their site (or sites like this) to discover, download, and apply the latest updates when new updates become available, they will not be protected against the newest variant(s).

As for the matter of installing/uninstalling: The CryptoPrevent site offers two versions of its program. The one, labeled "Download CryptoPrevent", offers a .ZIP file, from which the program must then be extracted. The extracted program, CryptoPrevent.exe, can be run directly without any "installation". The alternative version, "Download CryptoPrevent Installer", offers a "setup" file which "installs" CryptoPrevent on your system. I would speculate that the installer will overwrite the existing/older version. But if you want to be 100% sure, just uninstall the old one. And perhaps give thought to using the .ZIP-based version in the future, to avoid this question. [If you go for .ZIP, you have to remember where you placed the file, to manually locate it again... the installer places an entry in your START-MENU list.]


7 Gold

Dale,

re: uninstalling, here is a quote I just "rediscovered" from the program's website:

"After [an] update, it is then necessary to re-apply the protection to your system.  It is not necessary to undo the previous protection in place before doing this, (n)or even to uninstall the app before updating.  If you have an older version of the app before the update functionality was introduced, simply download and install the latest version, then re-apply protection".


7 Gold

v4.1.5 – Misc changes to whitelisting functionality


4 Ruthenium

Thanks David!  :emotion-5:

7 Gold

v4.2 – Added "Start Menu > All Programs > Startup folder" protection.
v4.2 – Added reboot prompt after automatic update / re-application of protection.

---------------

Comment: Since this program seems to be getting updated almost daily, I don't know that we'll continue to cite all its many updates here. Users are encouraged to check for updates, either by going to the program's home page http://www.foolishit.com/vb6-projects/cryptoprevent/, or by using the program's internal updater (Updates! / Check for updates).

