Virus & Spyware

7 Gold

CryptoLocker, CryptoPrevent

Remark: The following is a composite summary/compilation of important information gleaned from various sources (which are cited at the end of this post).

“CryptoLocker” is the generic name for an increasingly prevalent and nasty strain of malicious software that encrypts your files until you pay a ransom... The trouble with CryptoLocker is not so much in removing the malware — that process appears to be surprisingly trivial in most cases. The real bummer is that all of your important files — pictures, documents, movies, MP3s — will remain scrambled with virtually unbreakable encryption unless and until you pay the ransom demand.

It is therefore absolutely critical that Cryptolocker be PREVENTED from impacting your system... because "after the fact", while the malware itself can be removed, your data canNOT be restored :-(

For example, the FREE version of MBAM, which detects Cryptolocker infections as Trojan.Ransom, may be able to remove the infectious malware, but it cannot recover your encrypted programs/data files. Fortunately, users of Malwarebytes Anti-Malware Pro are protected from Cryptolocker via the PRO version's realtime malware-execution-prevention and blocking of malware sites and servers.

It is now being recommended that all home users download and run CryptoPrevent, a tiny (and FREE) utility, which will PREVENT CryptoLocker infections by setting software restriction policies that should block Cryptolocker from running from the known locations it has been using.   [Note:   Some security software, including McAfee's SiteAdvisor, currently "red-flag" the CryptoPrevent site as being potentially dangerous.   All indications are that this is a false positive.   Avast users may find that its Behavior Shield might flag CryptoPrevent (likely based on its limited "file reputation"), resulting in Avast auto-sandboxing (in avast 8) or DeepScanning (avast 2014) the program.]

Download the most current version --- it's being updated frequently --- then run it using the default/checked options, and click APPLY.   That's all there is to it!

Disclaimers:   1)  Since CryptoPrevent's methodology (of setting software restriction policies) is publicly known, I have no idea what's to prevent the CryptoLocker malware from editing one's registry, countering these software restriction policy changes, and then implementing its notorious deed.   Likewise, what's to stop CryptoLocker from dropping its loaders in alternative [random] directories that don't have corresponding software restriction policies set?   Of course, CryptoPrevent could then counter with an update which includes the new locations... but that puts it in the position of always "playing catch-up" to the malware.  I welcome a definitive answer from security experts.

2) I am not yet in a position to guarantee the safety for average users to deploy CryptoPrevent.   My questions:  Can it... either via enabling... or especially via its UNdo feature... do any harm?  Specifically, can its UNdo inadvertently remove protection that was placed there previously by another program, if CryptoPrevent happens to protect the identical registry entry?... or are all of CryptoPrevent's registry entries unique to that program?  [EDIT:   As it's highly unlikely that Home Users have separately invoked any "Group Policy" restrictions, there's little chance of my UNdo fears here being realized.] 

In short, while CryptoPrevent appears to be an extremely important tool (WinXP [SP2/SP3], Vista, 7, 8, 8.1), be advised I can take no responsibility should anything go wrong.  [For what it's worth, I *HAVE* deployed CryptoPrevent on my primary Win7x64 Pro SP1 and my secondary WinXP Pro SP3 systems... so I'm not suggesting people be "guinea-pigs" for something that I haven't already tried myself.   So far, I really like what I see.]

SOURCES:

Definitive Guide to CryptoLocker (by Lawrence Abrams [aka "Grinler" ]): http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information

http://krebsonsecurity.com/2013/11/how-to-avoid-cryptolocker-ransomware/

http://blog.malwarebytes.org/intelligence/2013/10/cryptolocker-ransomware-what-you-need-to-know/

CryptoPrevent:  http://www.foolishit.com/vb6-projects/cryptoprevent/

Free Internet Security - WOT Web of Trust       Use OpenDNS       MalwareBytes Anti-Malware


Windows 10 Pro (64-bit), Panda DOME 20, MBAM4 Pro, Windows Firewall, OpenDNS Family Shield, SpywareBlaster, MVPS HOSTS file, MBAE Premium, MCShield, WinPatrol PLUS, SAS (on-demand scanner), Zemana AntiLogger Free, Microsoft EDGE, Firefox, Pale Moon, uBlock Origin, CryptoPrevent.


[I believe computer-users who sandbox (Sandboxie) are acting prudently.]
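The post above describes CryptoPrevent as "setting software policy restrictions" for the locations CryptoLocker has been dropping into. As an added illustration (not CryptoPrevent's own code, and not taken from the thread), the script below writes the same kind of Software Restriction Policy (SRP) "Disallowed" path rules directly into the registry, verifies that they actually bite by trying to launch a copy of notepad.exe from %AppData%, and provides an undo that is scoped to its own rules. Assumptions: an elevated PowerShell on Windows 7/8 (the path list is the one from the BleepingComputer guide cited in the post; the rule Description text, the `srp-probe` folder name and the function names are mine). The keys live under HKLM\SOFTWARE\Policies, which a standard user account cannot modify, and they only cover the listed paths; a dropper in any other writable directory is not caught by these rules, which is exactly the catch-up problem the disclaimer raises. If the probe still launches right after installing, log off and back on and re-run the test.

```powershell
# Added example, not CryptoPrevent's own code: write SRP "Disallowed" path rules
# for the user-writable locations CryptoLocker droppers have used, straight into
# the registry. Run from an elevated PowerShell. Assumption: Windows 7/8.

$Safer        = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0        # SAFER_LEVELID_DISALLOWED
$Unrestricted = 262144   # SAFER_LEVELID_FULLYTRUSTED (0x40000)
$Marker       = 'Added-example CryptoLocker rule'   # hypothetical tag; lets undo remove only our rules

# Locations from the BleepingComputer guide cited in the post; the %Temp%
# entries cover droppers launched from inside a zip/rar opened in place.
$BlockPaths = @(
    '%AppData%\*.exe',      '%AppData%\*\*.exe',
    '%LocalAppData%\*.exe', '%LocalAppData%\*\*.exe',
    '%Temp%\Rar*\*.exe',    '%Temp%\7z*\*.exe',
    '%Temp%\wz*\*.exe',     '%Temp%\*.zip\*.exe'
)

function Install-CryptoLockerSrpRules {
    if (-not (Test-Path $Safer)) { New-Item -Path $Safer -Force | Out-Null }
    # Base level Unrestricted; rules apply to everyone incl. admins (PolicyScope 0);
    # enforce on executables but not DLLs (TransparentEnabled 1).
    Set-ItemProperty $Safer -Name DefaultLevel       -Value $Unrestricted -Type DWord
    Set-ItemProperty $Safer -Name TransparentEnabled -Value 1             -Type DWord
    Set-ItemProperty $Safer -Name PolicyScope        -Value 0             -Type DWord
    Set-ItemProperty $Safer -Name ExecutableTypes    -Type MultiString -Value @(
        'ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP','HTA','INF',
        'INS','ISP','LNK','MDB','MDE','MSC','MSI','MSP','MST','OCX','PCD','PIF','REG',
        'SCR','SHS','URL','VB','WSC')

    $PathRoot = "$Safer\$Disallowed\Paths"
    if (-not (Test-Path $PathRoot)) { New-Item -Path $PathRoot -Force | Out-Null }
    foreach ($p in $BlockPaths) {
        # idempotent: skip paths that already have a rule (ours or anyone else's)
        $dup = Get-ChildItem $PathRoot | Where-Object { (Get-ItemProperty $_.PSPath).ItemData -eq $p }
        if ($dup) { continue }
        $rule = New-Item -Path "$PathRoot\$([guid]::NewGuid().ToString('B'))"
        Set-ItemProperty $rule.PSPath -Name Description  -Value $Marker -Type String
        Set-ItemProperty $rule.PSPath -Name SaferFlags   -Value 0       -Type DWord
        Set-ItemProperty $rule.PSPath -Name ItemData     -Value $p      -Type ExpandString
        Set-ItemProperty $rule.PSPath -Name LastModified -Value (Get-Date).ToFileTime() -Type QWord
    }
}

function Uninstall-CryptoLockerSrpRules {
    # Undo scoped to rules carrying our Description, so rules written by
    # Group Policy or another tool under the same key are left alone.
    Get-ChildItem "$Safer\$Disallowed\Paths" -ErrorAction SilentlyContinue |
        Where-Object { (Get-ItemProperty $_.PSPath).Description -eq $Marker } |
        Remove-Item -Recurse
}

function Test-CryptoLockerSrpRules {
    # Copy a harmless signed binary under %AppData% and try to start it.
    # With the rule in force CreateProcess fails with Win32 error 1260
    # (ERROR_ACCESS_DISABLED_BY_POLICY, "This program is blocked by group policy").
    $dir   = Join-Path $env:APPDATA 'srp-probe'
    $probe = Join-Path $dir 'notepad.exe'        # matches %AppData%\*\*.exe
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    Copy-Item "$env:SystemRoot\System32\notepad.exe" $probe -Force
    try {
        $proc = Start-Process -FilePath $probe -PassThru -ErrorAction Stop
        Stop-Process -Id $proc.Id -Force
        return $false                             # it launched: rule not in effect
    } catch {
        $inner = $_.Exception.InnerException
        return ($inner -is [System.ComponentModel.Win32Exception] -and $inner.NativeErrorCode -eq 1260)
    } finally {
        Remove-Item $dir -Recurse -Force -ErrorAction SilentlyContinue
    }
}

Install-CryptoLockerSrpRules
"Probe blocked by SRP: $(Test-CryptoLockerSrpRules)"
```

The undo step answers the second disclaimer's worry in the only way a tool can: it removes rules by its own Description tag rather than by path, so a pre-existing Group Policy rule for the same path is never touched. The probe is worth keeping around: it is the difference between believing a rule was applied and knowing that the loader's location is actually denied on this machine.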

Replies (62)
6 Gallium

I first heard about CryptoLocker about a week ago, when the only prevention offered was to use the Windows Group or Local Policy Editor to create Software Restriction Policies that block executables. Hardly an easy fix for the average user (or me either, for that matter)!

So thanks for this excellent update and review, ky. Particularly since I never could get MBAM Pro to run in real-time on my XP/sp3 without severely slowing down my system and browsers. Installing CryptoPrevent was as easy as you said. Since it only makes the necessary changes to the Software Restriction Policies, and does not run in real-time, I can't see it impacting system performance. I will include running its internal updater in my weekly maintenance.

Question: Do you think it adds anything to systems already protected with MBAM Pro?

_________________________________________


Dell Forum Member since 2,000


 Use OpenDNS   MalwareBytes' Anti-Malware Free


Windows 10 Pro (64- Bit): Malwarebytes 4.x Premium, Windows Defender AV, Windows Firewall, WinPatrol PLUS, Emsisoft Emergency Kit Free and HitmanPro Free (on-demand scanners), OpenDNS, MVPS Hosts file, SpywareBlaster, Pale Moon web browser, Sandboxie, CCleaner Free.


"In the future, everyone will be anonymous for 15 minutes" - Banksy

7 Gold

What I like about MBAM PRO is that it can be set to automatically update its database multiple times daily.   This way, you essentially have ongoing protection against new variants of CryptoLocker (as well as other malware).   Users who opt for CryptoPrevent have to be vigilant in manually checking for updates... frequently... and not assume that once installed, they're "permanently inoculated".   Indeed, the list of recent changes shows 10 different versions of CryptoPrevent between 2.2 and 3.1 (inclusive)!

As you noted, since the registry changes made by CryptoPrevent don't "run" in real time, it should not slow down one's system.   Given the potential total devastation if one were to be infected by CryptoLocker, I'd rather have the peace-of-mind of two layers --- MBAM PRO plus CryptoPrevent --- just in case CryptoLocker somehow gets by one of them.   Hopefully, MBAM would take care of CryptoLocker by itself... but I see no reason not to have a "quiet" backup plan ready, just in case.

Even for those who believe they're protected by making (regular) backup copies [or entire system images], the article by Brian Krebs points out that "if your backup drives are connected physically or via the local network to the PC that gets infected with CryptoLocker, your backups may also be encrypted as well".   Talk about scary?!!!

And since CryptoPrevent is completely free, there's no reason why EVERYONE shouldn't take advantage of it immediately.


4 Beryllium

This has been going on for a while now and really the only valid detection and removal is through MBAM Pro. It is said that avast! will detect it if Hardened Mode is set to Aggressive and PUP configuration is active, since it is ransomware.

Discussions are going on in Bleeping: http://www.bleepingcomputer.com/forums/t/506924/cryptolock

Removal instructions by G2G with permission from MBAM:

http://www.geekstogo.com/forum/topic/333960-removal-instructions-for-cryptolocker/page__view__findpo...

All you want to know about CryptoLocker: http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information

Already the creators of Cryptolocker have opened a service where one can pay for the decryption key for encrypted files:

http://www.bleepingcomputer.com/forums/t/512668/cryptolock

Please do not pay for anything or you will encourage more criminals like this to develop other similar programs. The best that you can do against this is to have a secure backup of your files and system, kept apart from your computer, in case you are attacked and need to restore the files that were encrypted after you clean your system.

Hernan.

Dim9200/XPS 410.C2D 2.40GHz.2GB RAM.XP Pro_86 SPk3. IE8 & FF38

Avast!Free 2015. CIS 5.12(FW/D+). MBAM Premium. MCShield. WinPatrol +. WOT. OpenDNS. SAS(o/d)

"We are all ignorant, but we don't all ignore the same things..." Albert Einstein

"When you've excluded the impossible, whatever remains, however improbable, must be the truth..." Sherlock Holmes.

7 Gold

Just want to emphasize that the "Removal" instructions by G2G (Geeks to Go) also concede:  "Malwarebytes' Anti-Malware [Free] removes Cryptolocker [infection] completely, but it can not undo the encryption".

Grinler's research paper at BleepingComputer is considered the definitive analysis of CryptoLocker.   He was the one who concluded that application of software restriction policies would be effective (at least, against current variants).   CryptoPrevent was developed based on Grinler's analysis, and Grinler himself acknowledges and recommends its use in Section 15:  How to prevent your computer from becoming infected by CryptoLocker.  So while I personally am an advocate of MBAM PRO (in general), I would not question Grinler's statement that CryptoPrevent (by itself) works [at present] in blocking Cryptolocker.


7 Gold

A VirusTotal analysis of one particular CryptoLocker sample executable shows that it is currently being detected by 41 of 47 antivirus/antimalware products.

The most popular free a/v programs (Avira, Avast, AVG, MSE, and Panda) all caught it.    Avira's detection (TR/Fraud.Gen2) appears to fall in a "generic" (heuristic) category, while the other 4 apparently have a more specific Ransomware/CryptoLocker signature.

As mentioned several times in this thread, MBAM can detect (and its PRO version protect against) CryptoLocker... interestingly, SAS was one of the 6 security programs that did NOT detect CryptoLocker.

https://www.virustotal.com/en/file/d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9/... 

Regardless of anti-virus coverage, I believe it would still be prudent for everyone to download and run CryptoPrevent.


7 Gold

v4.0 – Added Event Log to check event history of blocked applications.
Remark:   While obviously informative, this doesn't enhance the protection already offered by version 3.1

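The "Event Log" feature mentioned in the post reads history that Windows already keeps: each time an SRP path rule denies an executable, the Safer subsystem writes event ID 866 (source "Software Restriction Policies") to the Application log, naming the blocked file and the rule that fired. The script below is an added example, not CryptoPrevent's code, that pulls the same history with `Get-WinEvent` (Vista or later) and parses the message into a table. The regular expression assumes the standard English message text shown in the comment; the function name is mine.

```powershell
# Added example, not CryptoPrevent's code: list SRP denials (event ID 866)
# from the Application log, oldest to newest, with the blocked file and the
# path pattern that matched. Needs Get-WinEvent, i.e. Windows Vista or later.
function Get-SrpBlockEvents {
    param([int]$Days = 30)
    $filter = @{ LogName = 'Application'; Id = 866; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Message form assumed (English Windows):
        # "Access to C:\...\x.exe has been restricted by your Administrator by location
        #  with policy rule {GUID} placed on path %AppData%\*\*.exe."
        $m = [regex]::Match($_.Message,
             'Access to (?<exe>.+?) has been restricted .*?rule (?<rule>\{[0-9A-Fa-f-]+\}) placed on path (?<pat>\S+)')
        [pscustomobject]@{
            Time    = $_.TimeCreated
            User    = $_.UserId                       # SID of the account that tried to run it
            Exe     = if ($m.Success) { $m.Groups['exe'].Value } else { $_.Message }
            RuleId  = $m.Groups['rule'].Value
            Pattern = $m.Groups['pat'].Value.TrimEnd('.')
        }
    }
}

# Most recent blocks first; an empty table means nothing has tripped a rule yet.
Get-SrpBlockEvents -Days 90 | Sort-Object Time -Descending | Format-Table -AutoSize
```

The RuleId column is the GUID of the registry subkey under CodeIdentifiers\0\Paths that produced the denial, so a hit can be traced back to the exact rule (and to whichever tool wrote it) rather than to SRP in general. A steady stream of 866 events for a legitimate program means the program installs itself under %AppData% and needs a narrower rule, not that the policy is broken.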

4 Ruthenium

Just wanted to verify that MBAM Pro will prevent my getting this pest. I also have the Crypto Prevent utility... should I uninstall the older version before I install an updated version, or will it do this automatically?

4 Beryllium

Interesting news about OpenDNS actions against CryptoLocker. One more up to stop this critter.

http://blog.opendns.com/2013/11/06/umbrella-msps-protects-networks-cryptolocker/?__utma=247635969

Hernan.


5 Rhenium

IROC955, I cannot open your link. 

Edit:  Your link disappeared. 

Forum Member Since 2001
