3 Apprentice

15.2K Posts

November 3rd, 2013 05:00

CryptoLocker, CryptoPrevent

Remark: The following is a composite summary/compilation of important information gleaned from various sources (which are cited at the end of this post).

“CryptoLocker” is the generic name for an increasingly prevalent and nasty strain of malicious software that encrypts your files until you pay a ransom... The trouble with CryptoLocker is not so much in removing the malware — that process appears to be surprisingly trivial in most cases. The real bummer is that all of your important files — pictures, documents, movies, MP3s — will remain scrambled with virtually unbreakable encryption unless and until you pay the ransom demand.

It is therefore absolutely critical that Cryptolocker be PREVENTED from impacting your system... because "after the fact", while the malware itself can be removed, your data canNOT be restored :-(

For example, the FREE version of MBAM, which detects Cryptolocker infections as Trojan.Ransom, may be able to remove the infectious malware, but it cannot recover your encrypted programs/data files. Fortunately, users of Malwarebytes Anti-Malware Pro are protected from CryptoLocker via the PRO version's realtime malware-execution-prevention and blocking of malware sites and servers.

It is now being recommended that all home users download and run CryptoPrevent , a tiny (and FREE) utility, which will PREVENT CryptoLocker infections, by setting software policy restrictions that should block Cryptolocker from running from the known locations it has been using.   [Note:   Some security software, including McAfee's SiteAdvisor, currently "red-flag" the CryptoPrevent site as being potentially dangerous.   All indications are that this is a false positive.   Avast users may find that its Behavior Shield might flag CryptoPrevent (likely based on its limited "file reputation"), resulting in Avast auto-sandboxing (in avast 8) or DeepScanning (avast 2014) the program.]

Download the most current version --- it's being updated frequently --- then run it using the default/checked options, and click APPLY.   That's all there is to it!


Disclaimers:   1)  Since CryptoPrevent's methodology (of setting software restriction policies) is publicly known, I have no idea what's to prevent the CryptoLocker malware from editing one's registry, countering these software restriction policy changes, and then implementing its notorious deed.   Likewise, what's to stop CryptoLocker from dropping its loaders in alternative [random] directories that don't have corresponding software restriction policies set?   Of course, CryptoPrevent could then counter with an update which includes the new locations... but that puts it in the position of always "playing catch-up" to the malware.  I welcome a definitive answer from security experts.

2) I am not yet in a position to guarantee the safety for average users to deploy CryptoPrevent.   My questions:  Can it... either via enabling... or especially via its UNdo feature... do any harm?  Specifically, can its UNdo inadvertently remove protection that was placed there previously by another program, if CryptoPrevent happens to protect the identical registry entry?... or are all of CryptoPrevent's registry entries unique to that program?  [EDIT:   As it's highly unlikely that Home Users have separately invoked any "Group Policy" restrictions, there's little chance of my UNdo fears here being realized.] 

In short, while CryptoPrevent appears to be an extremely important tool (WinXP [SP2/SP3], Vista, 7, 8, 8.1), be advised I can take no responsibility should anything go wrong.  [For what it's worth, I *HAVE* deployed CryptoPrevent on my primary Win7x64 Pro SP1 and my secondary WinXP Pro SP3 systems... so I'm not suggesting people be "guinea-pigs" for something that I haven't already tried myself.   So far, I really like what I see.]


SOURCES:

Definitive Guide to CryptoLocker (by Lawrence Abrams [aka "Grinler" ]): http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information

http://krebsonsecurity.com/2013/11/how-to-avoid-cryptolocker-ransomware/

http://blog.malwarebytes.org/intelligence/2013/10/cryptolocker-ransomware-what-you-need-to-know/

CryptoPrevent:  http://www.foolishit.com/vb6-projects/cryptoprevent/
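The software restriction policy mechanism described above, as an added PowerShell example that is not part of this thread or of CryptoPrevent's own code: it writes one "Disallowed" path rule into the registry keys Windows reads for Software Restriction Policies, removes only the rules it created itself (keyed on its own Description value, which bears on the UNdo question in the disclaimers), and lists the events Windows logs when a rule blocks a launch. The %AppData%\*.exe location is an assumed example path and not one named in this thread.

```powershell
#Requires -RunAsAdministrator
# Added example, not CryptoPrevent's own code. Registry layout: rules live under
# CodeIdentifiers\<level>\Paths\{GUID}; level 0 = Disallowed, 262144 = Unrestricted.
$srpRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$tag     = 'example-srp-rule'   # marks rules this script owns, so undo touches only those

function Enable-SrpBaseline {
    # DefaultLevel 262144: everything may run unless an explicit rule says otherwise.
    # TransparentEnabled 1: enforce for executables only (2 would include DLLs).
    # PolicyScope 0: apply to all users, administrators included.
    New-Item -Path $srpRoot -Force | Out-Null
    Set-ItemProperty -Path $srpRoot -Name DefaultLevel       -Value 262144 -Type DWord
    Set-ItemProperty -Path $srpRoot -Name TransparentEnabled -Value 1      -Type DWord
    Set-ItemProperty -Path $srpRoot -Name PolicyScope        -Value 0      -Type DWord
}

function Add-SrpDisallowedPath {
    param([Parameter(Mandatory)][string]$Path)
    # One GUID-named subkey per rule; ItemData is REG_EXPAND_SZ so %AppData% expands per user.
    $ruleKey = Join-Path $srpRoot ('0\Paths\{' + [guid]::NewGuid().ToString() + '}')
    New-Item -Path $ruleKey -Force | Out-Null
    Set-ItemProperty -Path $ruleKey -Name ItemData    -Value $Path -Type ExpandString
    Set-ItemProperty -Path $ruleKey -Name SaferFlags  -Value 0     -Type DWord
    Set-ItemProperty -Path $ruleKey -Name Description -Value $tag  -Type String
    return $ruleKey
}

function Remove-SrpExampleRules {
    # Undo: delete only rules carrying our tag; rules written by anything else keep their own GUIDs.
    Get-ChildItem -Path (Join-Path $srpRoot '0\Paths') -ErrorAction SilentlyContinue |
        Where-Object { (Get-ItemProperty -Path $_.PSPath).Description -eq $tag } |
        Remove-Item -Recurse
}

function Get-SrpBlockEvents {
    # Event ID 866 (source SoftwareRestrictionPolicies, Application log) is written
    # each time a path rule stops a launch; its message names the file and the rule.
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'SoftwareRestrictionPolicies'; Id = 866 } `
        -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message
}

Enable-SrpBaseline
Add-SrpDisallowedPath -Path '%AppData%\*.exe'   # assumed example location
Get-SrpBlockEvents | Format-Table -Wrap
# To reverse only this example's own changes: Remove-SrpExampleRules
```

Windows may not enforce a freshly written rule until the next logon, so test the rule after logging back in.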


1 Rookie


5.8K Posts

November 3rd, 2013 16:00

I first heard about CryptoLocker about a week ago, when the only prevention offered was to use the Windows Group or Local Policy Editor to create Software Restriction Policies that block executables. Hardly an easy fix for the average user (or me either, for that matter)!

So thanks for this excellent update and review, ky. Particularly since I never could get MBAM Pro to run in real-time on my XP/sp3, without severely slowing down my system and browsers. Installing CryptoPrevent was as easy as you said. Since it only makes the necessary changes to the Software Restriction Policies, and does not run in real-time, I can't see it impacting system performance. I will add running its internal updater to my weekly maintenance.

Question: Do you think it adds anything to systems already protected with MBAM Pro?

3 Apprentice


15.2K Posts

November 3rd, 2013 17:00

What I like about MBAM PRO is that it can be set to automatically update its database multiple times daily.   This way, you essentially have ongoing protection against new variants of CryptoLocker (as well as other malware).   Users who opt for CryptoPrevent have to be vigilant in manually checking for updates... frequently... and not assume that once installed, they're "permanently inoculated".   Indeed, the list of recent changes shows 10 different versions of CryptoPrevent between 2.2 and 3.1 (inclusive)!

As you noted, since the registry changes made by CryptoPrevent don't "run" in real time, it should not slow down one's system.   Given the potential total devastation if one were to be infected by CryptoLocker, I'd rather have the peace-of-mind of two layers --- MBAM PRO plus CryptoPrevent --- just in case CryptoLocker somehow gets by one of them.   Hopefully, MBAM would take care of CryptoLocker by itself... but I see no reason not to have a "quiet" backup plan ready, just in case.

Even for those who believe they're protected by making (regular) backup copies [or entire system images], the article by Brian Krebs points out that "if your backup drives are connected physically or via the local network to the PC that gets infected with CryptoLocker, your backups may also be encrypted as well".   Talk about scary?!!!

And since CryptoPrevent is completely free, there's no reason why EVERYONE shouldn't take advantage of it immediately.

1K Posts

November 3rd, 2013 18:00

This has been going on for a while now and really the only valid detection and removal is through MBAM Pro. It is said that avast! will detect it if Hardened Mode is set to Aggressive and PUP configuration is active since it is ransomware.

Discussions are going on in Bleeping: http://www.bleepingcomputer.com/forums/t/506924/cryptolock

Removal instructions by G2G with permission from MBAM:

http://www.geekstogo.com/forum/topic/333960-removal-instructions-for-cryptolocker/page__view__findpost__p__2337992

All you want to know about CryptoLocker: http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information

Already the creators of Cryptolocker opened a service to be able to pay for the decryption key for encrypted files:

http://www.bleepingcomputer.com/forums/t/512668/cryptolock

Please do not pay for anything or you will encourage more criminals like this to develop other similar programs. The best that you can do against this is to have a secure backup of your files and system apart from your computer, in case you are attacked and need to restore the files that were encrypted after you clean your system.

3 Apprentice


15.2K Posts

November 3rd, 2013 18:00

Just want to emphasize that the "Removal" instructions by G2G (Geeks to Go) also concede:  "Malwarebytes' Anti-Malware [Free] removes Cryptolocker [infection] completely, but it can not undo the encryption".

Grinler's research paper at BleepingComputer is considered the definitive analysis of CryptoLocker.   He was the one who concluded that application of software restriction policies would be effective (at least, against current variants).   CryptoPrevent was developed based on Grinler's analysis, and Grinler himself acknowledges and recommends its use in Section 15: How to prevent your computer from becoming infected by CryptoLocker.  So while I personally am an advocate of MBAM PRO (in general), I would not question Grinler's statement that CryptoPrevent (by itself) works [at present] in blocking Cryptolocker.


3 Apprentice


15.2K Posts

November 4th, 2013 04:00

A VirusTotal analysis of one particular CryptoLocker sample executable shows that it is currently being detected by 41 of 47 antivirus/antimalware products.

The most popular free a/v programs (Avira, Avast, AVG, MSE, and Panda) all caught it.   Avira's detection (TR/Fraud.Gen2) appears to fall in a "generic" (heuristic) category, while the other 4 apparently have a more specific Ransomware/CryptoLocker signature.

As mentioned several times in this thread, MBAM can detect (and its PRO version protect against) CryptoLocker... interestingly, SAS was one of the 6 security programs that did NOT detect CryptoLocker.

https://www.virustotal.com/en/file/d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9/analysis/ 

Regardless of anti-virus coverage, I believe it would still be prudent for everyone to download and run CryptoPrevent.

3 Apprentice


15.2K Posts

November 6th, 2013 04:00

v4.0 – Added  Event Log  to check event history of blocked applications.


Remark:   While obviously informative, this doesn't enhance the protection already offered by version 3.1.

2.7K Posts

November 6th, 2013 16:00

IROC955, I cannot open your link. 

Edit:  Your link disappeared. 

1 Rookie


2.2K Posts

November 6th, 2013 16:00

Just wanted to verify that MBAM Pro will prevent my getting this pest. I also have the Crypto Prevent utility... should I uninstall the older version before I install an updated version, or will it do this automatically?

1K Posts

November 6th, 2013 16:00

Interesting news about OpenDNS actions against CryptoLocker. One more up to stop this critter.

http://blog.opendns.com/2013/11/06/umbrella-msps-protects-networks-cryptolocker/?__utma=247635969

2.7K Posts

November 6th, 2013 16:00

1K Posts

November 6th, 2013 18:00

http://blog.opendns.com/2013/11/06/umbrella-msps-protects-networks-cryptolocker/?__utma=247635969 

I think this is the link. 

Thanks. That is the one. It is for the Umbrella Web Security Business.   I am having problems with links. This is another interesting reading. Hope it sticks.

2.7K Posts

November 7th, 2013 02:00

iroc9555, Your second link came through. Thanks for sharing.

What are the little blue diamonds with a question mark before and after your link?

3 Apprentice


15.2K Posts

November 7th, 2013 03:00

v4.1 – Added RLO (Right to Left Override) exploit protection to Fake File Extension protection function.
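What the RLO trick does to a file name, as an added PowerShell example that is not part of this thread or of CryptoPrevent: the first function computes the name Explorer would show for a file whose name carries the U+202E override and reports the extension Windows actually uses, and the second scans a folder tree for such names. The sample file name is constructed for the example.

```powershell
# Added example, not CryptoPrevent's code. U+202E (RIGHT-TO-LEFT OVERRIDE) makes
# every character after it render right-to-left, so "photo" + RLO + "gpj.exe"
# is displayed as "photoexe.jpg" while Windows still treats it as an .exe.
# Kept as [char]: String.IndexOf(char) is an ordinal search, whereas the
# culture-aware IndexOf(string) can ignore this format character entirely.
$Rlo = [char]0x202E

function Test-RloFileName {
    param([Parameter(Mandatory)][string]$Name)
    $idx = $Name.IndexOf($Rlo)
    if ($idx -lt 0) { return $null }          # no override mark: nothing to report
    # Approximate the rendered name by reversing the part after the mark.
    $tail = $Name.Substring($idx + 1).ToCharArray()
    [array]::Reverse($tail)
    [pscustomobject]@{
        ActualName    = $Name
        DisplayedAs   = $Name.Substring(0, $idx) + (-join $tail)
        RealExtension = [System.IO.Path]::GetExtension($Name)   # what Windows executes by
        Suspicious    = $true
    }
}

function Find-RloFileNames {
    # Scan a folder tree for any file or directory name containing the override mark.
    param([Parameter(Mandatory)][string]$Root)
    Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name.IndexOf($Rlo) -ge 0 } |
        ForEach-Object { Test-RloFileName -Name $_.Name }
}

# Constructed sample name: shown as photoexe.jpg, really a .exe
$sample = 'photo' + $Rlo + 'gpj.exe'
Test-RloFileName -Name $sample | Format-List
# Find-RloFileNames -Root "$env:USERPROFILE\Downloads"
```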

3 Apprentice


15.2K Posts

November 7th, 2013 04:00

Just to clarify, "UMBRELLA" is a separate, PAID service --- aimed at businesses --- from OpenDNS.   The article indicates that while UMBRELLA protected (businesses) against CryptoLocker, "plain" OpenDNS did not:

"A number of users of our free DNS service were infected with the [CryptoLocker] malware... OpenDNS customers using Umbrella are protected against losing their valuable data to Cryptolocker because we successfully cut off the outbound communication initiated by the malware for retrieving the encryption key".

Quoted from the 4th paragraph in http://labs.umbrella.com/2013/11/05/cryptolocker-remains-at-large/ 


3 Apprentice


15.2K Posts

November 7th, 2013 04:00

Dale,

Yes, MBAM PRO should automatically protect you against CryptoLocker.   Likewise, CryptoPrevent should also protect you.

But one needs to keep in mind that malware can (and does) change, always trying to outsmart the anti-malware blockers.   So if/when a new "variation" of CryptoLocker first begins circulating, it may be able to infect systems until the anti-malware programs learn about it and revise their protection to include the latest "morph".

As we know, the MBAM team is highly vigilant, and will likely become aware of the new malware --- and then offer updated detection/prevention to PRO users --- within just hours.   That's about the best one can hope for.   CryptoPrevent seems to be offering a "fair" number of updates so far... but keep in mind, that unless users monitor their site (or sites like this) to discover, download, and apply the latest updates when new updates become available, they will not be protected against the newest variant(s).

As for the matter of installing/uninstalling:   The CryptoPrevent site offers two versions of its program.   The one, labeled "Download CryptoPrevent", offers a .ZIP file, from which the program must then be extracted.   The extracted program, CryptoPrevent.exe, can be run directly without any "installation".   The alternative version, "Download CryptoPrevent Installer", offers a "setup" file which "installs" CryptoPrevent on your system.   I would speculate that the installer will overwrite the existing/older version.   But if you want to be 100% sure, just uninstall the old one.   And perhaps give thought to using the .ZIP-based version in the future, to avoid this question.   [If you go for .ZIP, you have to remember where you placed the file, to manually locate it again... the installer places an entry in your START-MENU list.]
