
How To Avoid CryptoLocker Ransomware

SOLVED
Webroot Developer

Re: Cryptolocker infection


explanoit wrote:

Hi Dan,

If Cryptolocker was able to run and encrypted network files, does WSA restore that as well? Also, I've heard of gigabytes and gigabytes of data being encrypted on local and network drive. How does WSA respond to that, when it would never have enough capacity to journal it?


WSA currently doesn't reverse the changes on a network drive because of the risk with data loss if another user has changed a file. The best scenario would be to install WSA everywhere, including the system hosting the network drive if possible. Even if gigabytes of data are encrypted, WSA will continue happily journaling it - there will be a limit based on storage space but WSA compresses the data it journals and the storage requirements are limited to how much data is actually on the disk, so it shouldn't dramatically exceed the available storage space. The largest I've seen so far myself was 800MB which WSA restored 100% - it took a while (about 20 minutes during cleanup) but it was all replaced correctly.

Community Expert Advisor

Re: Cryptolocker infection

Thanks for the answer Joe.

What heuristics or protections does WSA have in place regarding unknown applications making mass changes to network drives?

----------------------------------------
Business Products Sr. Community Leader and Expert Advisor - WSA-Enterprise administrator over 2000 clients
First company to 1000+ WSA endpoints | Power User / Business Ambassador / WSA-C and WSA-E Beta tester
Community Leader
Find me on Twitter!

Webroot Developer

Re: Cryptolocker infection


explanoit wrote:

Thanks for the answer Joe.

What heuristics or protections does WSA have in place regarding unknown applications making mass changes to network drives?


WSA monitors network drive changes but I don't believe we trigger any upfront block actions on them automatically, due to the legitimate nature of many network-accessing applications (backup tools, other AVs, etc.)

Community Expert Advisor

Re: Cryptolocker infection

Thanks Joe. I understand. I wish there was another layer of protection, but I can't think of a solution that fits in your product scope.

Regards,

explanoit

----------------------------------------
Business Products Sr. Community Leader and Expert Advisor - WSA-Enterprise administrator over 2000 clients
First company to 1000+ WSA endpoints | Power User / Business Ambassador / WSA-C and WSA-E Beta tester
Community Leader
Find me on Twitter!

Webroot Developer

Re: Cryptolocker infection


explanoit wrote:

Thanks Joe. I understand. I wish there was another layer of protection, but I can't think of a solution that fits in your product scope.

Regards,

explanoit


I agree, I think there could be room for something to add here but an obvious solution isn't coming to mind immediately, without potentially creating a HIPS-like nightmare of prompts. Happy to take any suggestions if you have some, however. Thanks!

Community Expert Advisor

Re: Cryptolocker infection

I've thought about it a bit. I think the best way to do this is to set a threshold for files written to over a time period for monitored processes, then send an alert. Unfortunately, WSA reporting is only for detected threats. Plus Webroot is all about set it and forget it so I'm sure the PMs would shoot it down.

 

My point about this is that network modification of files definitely seems to be your weak spot. And this kind of threat is likely to grow. If I was a Cryptolocker victim, heck yes I would pay them the money.

Customers are expecting your rollback functionality to work regardless of where the changes take place. I had a suspicion this was the case, and it makes sense, but it still makes me uneasy knowing it for a fact now.

 

There has to be some kind of behavioral heuristics that can be applied, there can't be that many unknown processes out there that start wholesale replacing every file the user has access to on the network share. Frankly, I really don't want any process Webroot doesn't know about touching large numbers of files on network shares anyway.

 

Unfortunately, I can imagine exposing an option to business customers to allow them to choose the sandboxing restrictions isn't a very sexy feature request. So much of what I want improved in the product is deep-management stuff that the majority of even your business customers would be oblivious to.

 

Webroot should make a HIPS extension. It would be the first one ever that doesn't consume 20% CPU.

----------------------------------------
Business Products Sr. Community Leader and Expert Advisor - WSA-Enterprise administrator over 2000 clients
First company to 1000+ WSA endpoints | Power User / Business Ambassador / WSA-C and WSA-E Beta tester
Community Leader
Find me on Twitter!
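The threshold-over-time alert proposed in the post above, worked through as an added example (this is not Webroot code and not how WSA monitors anything). It runs over a constructed file-write audit log; the line layout ("<ISO time> <process> <operation> <path>"), the process names and the share paths are all assumptions, and a real file-server audit log would need its own parser. The allow-list parameter captures the trade-off the developer reply raises: without it, backup tools and scanners that legitimately touch many files alert as well.

```python
"""Sliding-window alert on processes that mass-modify files on a share.

Added example, not Webroot code: it implements the threshold-over-time idea
from the post above on a constructed audit log. The log layout
("<ISO time> <process> <operation> <path>"), process names and paths are all
assumptions; real file-server audit logs will need their own parser.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit lines (not real data). backup.exe legitimately
# touches many files, winword.exe edits single files hours apart, and
# unknown1.exe rewrites six files within two seconds.
SAMPLE_LOG = r"""
2013-10-29T09:00:01 backup.exe WRITE \\fs01\share\finance\q1.xlsx
2013-10-29T09:00:01 backup.exe WRITE \\fs01\share\finance\q2.xlsx
2013-10-29T09:00:02 backup.exe WRITE \\fs01\share\finance\q3.xlsx
2013-10-29T09:00:02 backup.exe WRITE \\fs01\share\finance\q4.xlsx
2013-10-29T09:00:03 backup.exe WRITE \\fs01\share\docs\memo.docx
2013-10-29T09:00:03 backup.exe WRITE \\fs01\share\docs\notes.docx
2013-10-29T09:05:00 winword.exe WRITE \\fs01\share\docs\memo.docx
2013-10-29T09:05:00 winword.exe READ \\fs01\share\docs\notes.docx
2013-10-29T11:00:00 winword.exe WRITE \\fs01\share\docs\notes.docx
2013-10-29T11:30:00 unknown1.exe WRITE \\fs01\share\finance\q1.xlsx
2013-10-29T11:30:00 unknown1.exe WRITE \\fs01\share\finance\q2.xlsx
2013-10-29T11:30:01 unknown1.exe WRITE \\fs01\share\finance\q3.xlsx
2013-10-29T11:30:01 unknown1.exe WRITE \\fs01\share\finance\q4.xlsx
2013-10-29T11:30:02 unknown1.exe WRITE \\fs01\share\docs\memo.docx
2013-10-29T11:30:02 unknown1.exe WRITE \\fs01\share\docs\notes.docx
"""


def parse_line(line):
    """Split one audit line into (timestamp, process, operation, path)."""
    ts, proc, op, path = line.split(" ", 3)
    return datetime.fromisoformat(ts), proc, op, path


def detect_mass_writes(log_text, threshold=5, window=timedelta(seconds=60),
                       allowlist=frozenset()):
    """Return one alert per process that WRITEs at least `threshold` distinct
    paths within any span of length `window`. Processes in `allowlist`
    (backup agents, other scanners) are skipped entirely."""
    recent = defaultdict(deque)   # process -> deque of (timestamp, path)
    alerted = set()
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, proc, op, path = parse_line(raw)
        if op != "WRITE" or proc in allowlist:
            continue
        q = recent[proc]
        q.append((ts, path))
        while q and ts - q[0][0] > window:      # expire events outside the window
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= threshold and proc not in alerted:
            alerted.add(proc)                   # alert once per process
            alerts.append({"process": proc,
                           "first_seen": q[0][0],
                           "last_seen": ts,
                           "files": sorted(distinct)})
    return alerts


if __name__ == "__main__":
    for a in detect_mass_writes(SAMPLE_LOG, allowlist={"backup.exe"}):
        print(f"ALERT {a['process']}: {len(a['files'])} files rewritten "
              f"between {a['first_seen']} and {a['last_seen']}")
```

Counting distinct paths rather than raw write calls keeps a process that repeatedly saves one document from tripping the alert; the threshold and window are the knobs an administrator would tune per share.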

Community Expert Advisor

Re: Cryptolocker infection


DanP wrote:

WSA can detect and block Cryptolocker, and if an unknown variant happens to slip through, WSA should be able to roll back the changes as part of the cleanup routine using journalling as long as WSA was installed prior to the files being encrypted. WSA can not decrypt files encrypted by Cryptolocker on a system that was infected prior to WSA being installed. We have improved and continue to improve WSA in order to handle these types of threats.

 

-Dan


Hi Dan.

 

I just want to verify that I am reading this correctly, so I can make sure that I can tell my customers the correct information:

 

If a user is running Webroot, and a variant of the Cryptolocker malware gets past and encrypts their files, as soon as Webroot determines that it is a bad process it will be able to roll back everything including the encrypted files.

 

Is that correct? If so, how does Webroot decrypt the files? Does it store compacted previous versions somewhere or does it actually have the ability to decrypt the files using the data gleaned from the initial encryption process?

 

Thanks,

Corey

___________________________________________________________
Corey B.
Protected by Webroot


Create New Trouble Ticket | Account Console | User Guides |

Webroot Developer

Re: Cryptolocker infection


cohbraz wrote:

DanP wrote:

WSA can detect and block Cryptolocker, and if an unknown variant happens to slip through, WSA should be able to roll back the changes as part of the cleanup routine using journalling as long as WSA was installed prior to the files being encrypted. WSA can not decrypt files encrypted by Cryptolocker on a system that was infected prior to WSA being installed. We have improved and continue to improve WSA in order to handle these types of threats.

 

-Dan


Hi Dan.

 

I just want to verify that I am reading this correctly, so I can make sure that I can tell my customers the correct information:

 

If a user is running Webroot, and a variant of the Cryptolocker malware gets past and encrypts their files, as soon as Webroot determines that it is a bad process it will be able to roll back everything including the encrypted files.

 

Is that correct? If so, how does Webroot decrypt the files? Does it store compacted previous versions somewhere or does it actually have the ability to decrypt the files using the data gleaned from the initial encryption process?

 

Thanks,

Corey


You're correct - with its journaling/rollback technology, Webroot stores the clean copy before it is modified by the infection, then it replaces it once it is determined to be bad. This works with any system change, whether it's a registry modification or file deletion/etc.
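A toy model of the before-image journal this reply describes, added here as an illustration (it is not Webroot's implementation and makes no claim about how WSA stores its journal). It keeps a compressed clean copy of each file the first time an untrusted process changes it, so journal size is bounded by the data that was actually on disk (the point made earlier in the thread), and restores those copies on rollback. The in-memory "disk", the file paths and the sample contents are constructed.

```python
"""Toy before-image journal with rollback.

Added example, not Webroot's implementation: it models the behaviour the
developer reply describes (keep a compressed clean copy of each object before
an untrusted process first modifies it; restore those copies once the process
is judged bad). The in-memory "disk", paths and contents are constructed.
"""
import zlib


class BeforeImageJournal:
    def __init__(self, files):
        self.files = dict(files)   # simulated disk: path -> bytes
        self.journal = {}          # path -> compressed pre-change copy, or
                                   # None if the path did not exist before

    def _record(self, path):
        # Only the first change to a path is journaled. Later rewrites of the
        # same file keep the original before-image, so the journal never
        # grows beyond what was on disk, however much the process writes.
        if path not in self.journal:
            before = self.files.get(path)
            self.journal[path] = None if before is None else zlib.compress(before)

    def write(self, path, data):
        self._record(path)
        self.files[path] = data

    def delete(self, path):
        self._record(path)
        self.files.pop(path, None)

    def journal_bytes(self):
        """Storage currently used by the compressed before-images."""
        return sum(len(v) for v in self.journal.values() if v is not None)

    def rollback(self):
        """Process judged bad: restore overwritten and deleted files, remove
        files the process created, then discard the journal."""
        for path, before in self.journal.items():
            if before is None:
                self.files.pop(path, None)
            else:
                self.files[path] = zlib.decompress(before)
        self.journal.clear()

    def commit(self):
        """Process judged clean: keep its changes, discard the before-images."""
        self.journal.clear()


def demo():
    """Run an untrusted process's changes through the journal, then roll back.
    Returns (original disk, disk after the changes, disk after rollback)."""
    original = {                                   # constructed sample files
        r"C:\Users\corey\Documents\budget.xlsx": b"quarterly numbers " * 500,
        r"C:\Users\corey\Documents\memo.docx": b"meeting notes " * 500,
        r"C:\Users\corey\Documents\photo.jpg": bytes(range(256)) * 4,
    }
    j = BeforeImageJournal(original)
    # Simulated unwanted modification by an unknown process: every document is
    # overwritten twice, one file is deleted, one new file is dropped.
    for path in list(original):
        j.write(path, b"\x00" * 64)
        j.write(path, b"\xff" * 64)
    j.delete(r"C:\Users\corey\Documents\photo.jpg")
    j.write(r"C:\Users\corey\Documents\new.txt", b"constructed content")
    modified = dict(j.files)
    j.rollback()
    return original, modified, dict(j.files)


if __name__ == "__main__":
    before, during, after = demo()
    print("restored identical to original:", after == before)
```

The model deliberately records a before-image only for the first change to each path; that is what keeps the journal bounded by the size of the data on disk rather than by how much the process writes, which matches the developer's earlier explanation of why gigabytes of encryption do not need gigabytes of journal.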

Community Expert Advisor

Re: Cryptolocker infection

Thanks for the clarification. That is really good to know as this little piece of malware is starting to cause havoc on some small to mid-scale networks.

 

I read a report from a Carbonite rep that said they are getting thousands of requests per day from users needing restores of their files.

___________________________________________________________
Corey B.
Protected by Webroot


Create New Trouble Ticket | Account Console | User Guides |

Bronze VIP

Re: How To Avoid CryptoLocker Ransomware


TripleHelix wrote:
Also having Webroot SecureAnywhere will protect you from this infection!

Happy, Happy, Happy. Thank you Webroot!


Dave

Bronze VIP


Late 2015 5K 27" Mac, 4GHz i7, 16GB RAM, 1TB Fusion Drive, El Capitan, 10.11.6  

Windows 7 X 64, 3.4GHz i7, 10GB RAM, 1TB HD