CryptoLocker Malware: What you still need to know

I do have one update I am trying to post everywhere possible: CryptoLocker has been putting EXEs and INFs onto any USB HDD, CDs, and flash drives (not SD cards so far), making it look as if those are not infected in any way, and even hiding those files. This is a danger that definitely needs to be taken care of, because once that media gets put into another computer it will download a different public key and use a different private key. This means it will make you pay double. I think Webroot needs to try and override Windows from scanning hardware before it does, as it will happen before Webroot catches it, and I'd rather not have to rely on the journaling only for protection in that instance.

Imagine this scenario:


We have 2 machines: a Windows Server with Webroot running and a Windows client with Webroot running.


The client gets infected by CryptoLocker 2.0, which will then encrypt files that are on the shared folder of the Windows Server mapped as drive X: on the client.


As Joe Jaroch, Webroot VP of Engineering said above:

"WSA currently doesn't reverse the changes on a network drive because of the risk with data loss if another user changed a file. The best scenario would be to install WSA everywhere, including the system hosting the network drive if possible. Even if gigabytes of data are encrypted, WSA will continue happily journaling it." - Joe Jaroch, Webroot VP of Engineering


We know that CryptoLocker 2.0 is not going to infect the Windows Server machine, so CryptoLocker will stay running on the client only. But running on the client, it will encrypt files on the mapped drive.


So what is the point of installing Webroot on the Windows file server in this scenario? Will it be able to roll back encryption of the files changed by a CryptoLocker running on another machine?


Kind regards,


Webroot Ambassador & Community Guide


It would still have to run a service to encrypt it, so I'd assume so... But I honestly would not like to try.

How does Webroot protect against CryptoLocker malware?


Watch the video I posted here. Also, they keep updating the client to protect generically:


So you are well protected. There is one more video, but you would have to join BrightTalk to watch it; it's by Grayson Milbourne, Director of Security Intelligence at Webroot: CryptoLocker: Your Money or Your Life.




Daniel


Regarding GyozoK's comment: I also thought about this topic. Would Webroot be able to roll back a CryptoLocker infection on a server caused by a client? I would say no, because for the server it's just normal read/write access to its network share, and I don't think that Webroot would track such actions. Otherwise every changed file would be journaled.


I'd rather rely on a good backup plan/solution to recover from a CryptoLocker infection, which should already be in place regardless of CryptoLocker.

I could well be wrong, but I believe the rollback will only work on computers that have WSA installed. If the server also has WSA installed (a server running a version of Windows compatible with WSA), then it should be covered.


If the server does NOT have WSA installed, then I do not believe the rollback could work.


I am far from being highly knowledgeable in this area and I hope to see additional responses from Webroot.


Well, if I ran CryptoLocker on a secured server, Webroot would journal everything and I could roll back. But as the client causes the CryptoLocker infection, the Webroot installation on the server wouldn't recognize it, as there's no executable, process or service on the server which could be monitored; it's just a "normal" read/write action.

Well... you have me. I am admittedly still learning the Endpoint product... Let me 'ping' an Endpoint expert and see if he is able to provide a more expert opinion on this. @Explanoit, are you able to help with this?

I asked the folks here, and that isn't a situation we'd be able to journal, even with Cryptolocker installed on the server. Since it is a file server, there are many different clients accessing and altering the files, so it wouldn't be practical to journal all those individual changes, especially since the processes doing them live on the clients. Best bet is good backups, and make sure all your machines have Endpoint installed to catch CryptoLocker before it gets started.
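The limitation Nic describes is worth making concrete. The share host never sees the client's process, but every share operation still arrives tagged with a client address and account, so a file server can at least detect and attribute a ransomware-style burst by client session, even if it cannot roll it back the way journaling does for a local process. The following is an added example, not Webroot's code and not from the original thread. It assumes a constructed access-log format (timestamp, client, user, operation, path, optional new path for renames) and a constructed canary file path; both are labelled as assumptions in the code.

```python
"""Per-client ransomware burst detection over file-share access records.

Added example, not Webroot's code. Assumes the file server emits one record
per share operation as: 'ISO-timestamp client user op path [newpath]'.
The server cannot see the client's process, so the only stable key it has
is the client session; everything below is grouped by client address.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed canary: a decoy file nobody should ever modify.
CANARY = r"\\FS01\shared\_canary\aaa_do_not_open.docx"

# Constructed sample log (not real data): alice edits a couple of documents;
# the client at 10.0.0.77 renames everything it reads to *.encrypted.
SAMPLE_LOG = r"""
2014-06-12T09:00:01 10.0.0.21 alice read \\FS01\shared\reports\q1.docx
2014-06-12T09:00:05 10.0.0.21 alice write \\FS01\shared\reports\q1.docx
2014-06-12T09:03:10 10.0.0.21 alice rename \\FS01\shared\reports\draft.xlsx \\FS01\shared\reports\budget.xlsx
2014-06-12T09:15:00 10.0.0.77 bob read \\FS01\shared\reports\q1.docx
2014-06-12T09:15:01 10.0.0.77 bob rename \\FS01\shared\reports\q1.docx \\FS01\shared\reports\q1.docx.encrypted
2014-06-12T09:15:02 10.0.0.77 bob rename \\FS01\shared\reports\budget.xlsx \\FS01\shared\reports\budget.xlsx.encrypted
2014-06-12T09:15:03 10.0.0.77 bob rename \\FS01\shared\notes.txt \\FS01\shared\notes.txt.encrypted
2014-06-12T09:15:04 10.0.0.77 bob rename \\FS01\shared\plan.pptx \\FS01\shared\plan.pptx.encrypted
2014-06-12T09:15:05 10.0.0.77 bob rename \\FS01\shared\invoice.pdf \\FS01\shared\invoice.pdf.encrypted
2014-06-12T09:15:06 10.0.0.77 bob rename \\FS01\shared\_canary\aaa_do_not_open.docx \\FS01\shared\_canary\aaa_do_not_open.docx.encrypted
"""


def _ext(path):
    """Lower-cased extension of the last path component ('' if none)."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def parse_line(line):
    """Parse one record of the assumed log format into a dict."""
    parts = line.split()
    if len(parts) < 5:
        raise ValueError(f"malformed record: {line!r}")
    ts, client, user, op, path = parts[:5]
    newpath = parts[5] if len(parts) > 5 else None
    return {"ts": datetime.fromisoformat(ts), "client": client, "user": user,
            "op": op.lower(), "path": path, "newpath": newpath}


class ShareMonitor:
    MODIFYING = {"write", "rename", "delete"}

    def __init__(self, window=timedelta(seconds=60), max_modified=20,
                 max_ext_changes=5, canaries=()):
        self.window = window                # sliding window per client
        self.max_modified = max_modified    # distinct files modified in window
        self.max_ext_changes = max_ext_changes  # renames that change extension
        self.canaries = {c.lower() for c in canaries}
        self.recent = defaultdict(deque)    # client -> modifying events in window
        self.alerts = []
        self._fired = set()                 # (client, rule) already reported

    def _alert(self, client, rule, detail):
        if (client, rule) not in self._fired:
            self._fired.add((client, rule))
            self.alerts.append({"client": client, "rule": rule, "detail": detail})

    def feed(self, ev):
        if ev["op"] not in self.MODIFYING:
            return                          # reads are not interesting here
        client = ev["client"]
        # Rule 1: any modifying touch of a canary file is an immediate alert.
        if ev["path"].lower() in self.canaries:
            self._alert(client, "canary_touched", ev["path"])
        q = self.recent[client]
        q.append(ev)
        cutoff = ev["ts"] - self.window
        while q and q[0]["ts"] < cutoff:    # drop events outside the window
            q.popleft()
        # Rule 2: too many distinct files modified by one client in the window.
        touched = {e["path"] for e in q}
        if len(touched) >= self.max_modified:
            self._alert(client, "mass_modification", len(touched))
        # Rule 3: burst of renames that change the file extension.
        ext_changes = sum(1 for e in q if e["op"] == "rename" and e["newpath"]
                          and _ext(e["newpath"]) != _ext(e["path"]))
        if ext_changes >= self.max_ext_changes:
            self._alert(client, "extension_change_burst", ext_changes)


def analyze(log_text, **kwargs):
    """Run the monitor over a whole log and return the alerts raised."""
    mon = ShareMonitor(**kwargs)
    for line in log_text.splitlines():
        if line.strip():
            mon.feed(parse_line(line))
    return mon.alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG, canaries=[CANARY]):
        print(alert)
```

On the sample, alice's edits raise nothing, while the client at 10.0.0.77 trips the extension-change rule on its fifth rename and the canary rule on the sixth. Detection here keys on the client address, which is the one thing the share host reliably knows; on a Windows file server the "Detailed File Share" audit events (ID 5145) carry the source address, account name and relative target name you would map onto `parse_line`. This gives the server a way to alert and, for example, disconnect the session, but not to undo the writes, so backups remain the recovery path as the thread concludes.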

Thanks Nic!



And this video does answer some of your questions, but you have to join to watch it.




Thanks for the clarification Nic!


The following is an update on CryptoLocker malware.


By Ian Barker Posted June 12 2014




It's not really surprising then that the bad guys are seeking to exploit these fears. Security company BullGuard has uncovered a major new spam campaign supposedly offering Cryptolocker decryption keys.


The email urges users to download a tool that it claims can unlock any files encrypted with Cryptolocker. Of course that isn't what you get. If you download the tool it installs a registry scanner which, naturally, tells you there are lots of problems with your PC which can only be solved by purchasing the spammers' offering.



Full article at BetaNews.