Over the past several weeks, a handful of frantic Microsoft Windows users have written in to ask what they might do to recover from PC infections from “CryptoLocker,” the generic name for an increasingly prevalent and nasty strain of malicious software that encrypts your files until you pay a ransom. Unfortunately, the answer for these folks is usually either to pay up or suck it up. This post offers a few pointers to help readers avoid becoming the next victim.
According to reports from security firms, CryptoLocker is most often spread through booby-trapped email attachments, but the malware also can be deployed by hacked and malicious Web sites by exploiting outdated browser plugins.
The trouble with CryptoLocker is not so much in removing the malware — that process appears to be surprisingly trivial in most cases. The real bummer is that all of your important files — pictures, documents, movies, MP3s — will remain scrambled with virtually unbreakable encryption unless and until you pay the ransom demand, which can range from $100 to $300 (and payable only in Bitcoins).
Also see this other thread I posted 2 weeks ago: https://community.webroot.com/t5/Security-Industry-News/You-re-infected-if-you-want-to-see-your-data...
Also having Webroot SecureAnywhere will protect you from this infection!
Recently one of our customers was infected by a ransomware that was missed by WSA. It encrypted all files, giving them the extension .omg! (Link to the discussion if someone wants to know more about this ransomware: http://www.bleepingcomputer.com/forums/t/506924/cryptolocker-hijack-program/).
It's a shame that Webroot missed it, but there's no point crying over spilt milk. I wonder what we can do to avoid it in the future. If WSA is not 100% malware-proof, maybe there are some other ways? I'm not an expert so I don't know if my way of thinking is right... but it seems to me that file encryption is quite a long process and the operating system must be aware of this. So maybe Webroot should alert the user every time it detects the process of encryption? If it is initiated by a user then he can ignore it. If not then he can kill the process immediately. I don't know if it makes sense so I hope to hear from experts.
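The behavioral check proposed in the post above (alert when a process starts encrypting lots of files, but let the user ignore it if they started it) can be sketched as a simple detection heuristic. The Python below is an added example written for this thread; it is not Webroot's code and does not describe how WSA works internally. It assumes a stream of file-write events (constructed inline here) and flags a process that, within a short window, writes many files whose content is near-random or that carry a ransomware-style extension such as the `.omg!` mentioned in the thread. The `.encrypted` and `.locked` extensions, the entropy threshold and the file-count threshold are assumptions; the count threshold is what keeps a user zipping a couple of folders from being reported.

```python
import hashlib
import math
import os
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class WriteEvent:
    """One file-write observation: timestamp in seconds, process id and name,
    destination path and the first bytes written. Constructed for this example."""
    ts: float
    pid: int
    process: str
    path: str
    data: bytes


# '.omg!' is the extension reported in this thread; the other two are assumed examples.
SUSPICIOUS_EXTENSIONS = {".omg!", ".encrypted", ".locked"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: encrypted or compressed data sits close to 8.0, plain text well below."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def looks_encrypted(ev: WriteEvent, entropy_threshold: float = 7.0) -> bool:
    """A write is suspicious if it uses a known ransom extension or its content is near-random."""
    ext = os.path.splitext(ev.path)[1].lower()
    return ext in SUSPICIOUS_EXTENSIONS or shannon_entropy(ev.data) >= entropy_threshold


def detect_bulk_encryption(events, window: float = 10.0, min_files: int = 5) -> dict:
    """Return {pid: process_name} for every process with at least `min_files` suspicious
    writes inside some `window`-second span. A few high-entropy writes (a user creating
    two zip archives) stay below `min_files` and are not reported."""
    per_pid = defaultdict(list)
    for ev in events:
        if looks_encrypted(ev):
            per_pid[ev.pid].append(ev)
    flagged = {}
    for pid, evs in per_pid.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until the span fits in `window` seconds
            while evs[end].ts - evs[start].ts > window:
                start += 1
            if end - start + 1 >= min_files:
                flagged[pid] = evs[end].process
                break
    return flagged


def pseudo_random_bytes(seed: int, n: int = 1024) -> bytes:
    """Deterministic stand-in for ciphertext: a SHA-256 hash chain has near-8-bit entropy."""
    out = b""
    i = 0
    while len(out) < n:
        out += hashlib.sha256(f"{seed}:{i}".encode()).digest()
        i += 1
    return out[:n]


def sample_events():
    """Constructed telemetry: a word processor saving text, a user zipping two folders,
    and an unknown process rewriting many documents as high-entropy '.omg!' files."""
    text = b"Quarterly report. Revenue up, costs flat. See attached figures.\n" * 16
    events = []
    for i in range(8):  # benign document saves: low entropy, normal extension
        events.append(WriteEvent(100.0 + i, 1001, "winword.exe", f"C:/docs/report{i}.docx", text))
    for i in range(2):  # benign compression: high entropy, but only two files
        events.append(WriteEvent(200.0 + i, 1002, "7z.exe", f"C:/backup/archive{i}.zip",
                                 pseudo_random_bytes(i)))
    for i in range(12):  # suspicious burst: twelve files rewritten in about three seconds
        events.append(WriteEvent(300.0 + i * 0.25, 4242, "unknown.exe",
                                 f"C:/docs/report{i}.docx.omg!", pseudo_random_bytes(100 + i)))
    return events


if __name__ == "__main__":
    for pid, name in detect_bulk_encryption(sample_events()).items():
        print(f"ALERT: pid {pid} ({name}) is rewriting many files with encrypted-looking content")
```

On a real endpoint the events would come from a file-system minifilter or audit log rather than a constructed list, and the alert would be the point at which the process is suspended and the user asked whether they started it; lowering `min_files` makes the check more sensitive but starts catching legitimate archivers and backup tools, as the `7z.exe` events show.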
Did you contact Webroot when that machine was infected?
To me it seems that even if Webroot missed it, the Rollback and Journaling should be able to clean this up if the originating file is marked as bad.
Last week my computer was infected by "Cryptolocker" and I lost all my files. This happened before I installed WSA on my computer. I had all my files backed up so all is well, but it was a hassle for a couple days as I had to do a complete reinstall on my hard drive. Can someone update me as to whether WSA is now updated so as to defeat this ransomware? From this three week old thread, it isn't clear WSA was up to the task at the time. I've installed WSA on the recommendation of several different people, but I really need a product that can protect me from "Cryptolocker" and similar ransomware (the only infection I've ever gotten, by the way). Thanks.
One of the greatest things about Webroot is that when Support is notified about something getting past Webroot, it prompts our threat researchers to immediately jump on the files in question and get them blacklisted. We are usually out in front of these sorts of issues before they become apparent, but in the instance something does slip past, the turnaround time for blacklisting an infection is nearly immediate once the issue lands in Support's capable hands. Two weeks out, yes, this variant is certainly classified by now. There will always be new variants of most any sort of infection, and we do our best to keep up with them. Thanks to the support dynamic, in the event any threat makes it past WSA, the first person to notify us ends up protecting all of the other WSA-protected computers in the world by bringing it to our attention.
The biggest problem with ransomware is that you really cannot remedy the damage. When you have your files encrypted with RSA-1024 you're pretty much screwed. In this case Webroot didn't do a good job. I heard from our customers that signature-based AVs (Kaspersky, Eset) were able to detect this ransomware about 10 days after the moment it appeared. One of our clients using WSA was infected with it 3 WEEKS after it was reported for the first time. Signatures vs. Behavioral Analysis - 1:0. But still I believe in WSA.
WSA can detect and block Cryptolocker, and if an unknown variant happens to slip through, WSA should be able to roll back the changes as part of the cleanup routine using journaling, as long as WSA was installed prior to the files being encrypted. WSA cannot decrypt files encrypted by Cryptolocker on a system that was infected prior to WSA being installed. We have improved and continue to improve WSA in order to handle these types of threats.
If Cryptolocker was able to run and encrypt network files, does WSA restore those as well? Also, I've heard of gigabytes and gigabytes of data being encrypted on local and network drives. How does WSA respond to that, when it would never have enough capacity to journal it?