Skip to main content
Start a Conversation

Unsolved

This post is more than 5 years old

ky331

3 Apprentice

 • 

15.6K Posts

561411

November 3rd, 2013 05:00

CryptoLocker, CryptoPrevent

Remark: The following is a composite summary/compilation of important information gleaned from various sources (which are cited at the end of this post).

“CryptoLocker” is the generic name for an increasingly prevalent and nasty strain of malicious software that encrypts your files until you pay a ransom... The trouble with CryptoLocker is not so much in removing the malware — that process appears to be surprisingly trivial in most cases. The real bummer is that all of your important files — pictures, documents, movies, MP3s — will remain scrambled with virtually unbreakable encryption unless and until you pay the ransom demand.

It is therefore absolutely critical that Cryptolocker be PREVENTED from impacting your system... because "after the fact", while the malware itself can be removed, your data canNOT be restored :-(

For example, the FREE version of MBAM, which detects Cryptolocker infections as Trojan.Ransom, may be able to remove the infectious malware, but it cannot recover your encrypted programs/data files. Fortunately, users of Malwarebytes Anti-Malware Pro are protected from Crytolocker via the PRO version's realtime malware-execution-prevention and blocking of malware sites and servers.

It is now being recommended that all home users download and run CryptoPrevent , a tiny (and FREE) utility, which will PREVENT CryptoLocker infections, by setting software policy restrictions that should block Cryptolocker from running from the known locations it has been using.   [Note:   Some security software, including McAfee's SiteAdvisor, currently "red-flag" the CryptoPrevent site as being potentially dangerous.   All indications are that this is a false positive.   Avast users may find that its Behavior Shield might flag CryptoPrevent (likely based on its limited "file reputation"), resulting in Avast auto-sandboxing (in avast 8) or DeepScanning (avast 2014) the program.]

Download the most current version --- it's being updated frequently --- then run it using the default/checked options, and click APPLY.   That's all there is to it!

 

 

Disclaimers:   1)  Since CryptoPrevent's methodology (of setting software restriction policies) is publicly known, I have no idea what's to prevent the CryptoLocker malware from editing one's registry, countering these software restriction policy changes, and then implementing its notorious deed.   Likewise, what's to stop CrytoLocker from dropping its loaders in alternative [random] directories that don't have corresponding software restriction policies set?   Of course, CryptoPrevent could then counter with an update which includes the new locations... but that puts it in the position of always "playing catch-up" to the malware.  I welcome a definitive answer from security experts.

2) I am not yet in a position to guarantee the safety for average users to deploy CryptoPrevent.   My questions:  Can it... either via enabling... or especially via its UNdo feature... do any harm?  Specifically, can its UNdo inadvertently remove protection that was placed there previously by another program, if CryptoPrevent happens to protect the identical registry entry?... or are all of CryptoPrevent's registry entries unique to that program?  [EDIT:   As it's highly unlikely that Home Users have separately invoked any "Group Policy" restrictions, there's little chance of my UNdo fears here being realized.] 

In short, while CryptoPrevent appears to be an extremely important tool (WinXP [SP2/SP3], Vista, 7, 8, 8.1), be advised I can take no responsibility should anything go wrong.  [For what it's worth, I *HAVE* deployed CryptoPrevent on my primary Win7x64 Pro SP1 and my secondary WinXP Pro SP3 systems... so I'm not suggesting people be "guinea-pigs" for something that I haven't already tried myself.   So far, I really like what I see :emotion-1: .]

 

SOURCES:

Definitive Guide to CryptoLocker (by Lawrence Abrams [aka "Grinler" ]): http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information

http://krebsonsecurity.com/2013/11/how-to-avoid-cryptolocker-ransomware/

http://blog.malwarebytes.org/intelligence/2013/10/cryptolocker-ransomware-what-you-need-to-know/

CryptoPrevent:  http://www.foolishit.com/vb6-projects/cryptoprevent/

 

No Responses!

Was this post helpful?

View All

0 events found

No Events found!

Top