Posts: 9,096
Topics: 640
Kudos: 8,021
Registered: ‎02-03-2012

How To Avoid CryptoLocker Ransomware


Over the past several weeks, a handful of frantic Microsoft Windows users have written in to ask what they might do to recover from PC infections from “CryptoLocker,”  the generic name for an increasingly prevalent and nasty strain of malicious software that encrypts your files until you pay a ransom. Unfortunately, the answer for these folks is usually either to pay up or suck it up. This post offers a few pointers to help readers avoid becoming the next victim.

A Cryptolocker prompt and countdown clock. Photo: Malwarebytes.org

According to reports from security firms, CryptoLocker is most often spread through booby-trapped email attachments, but the malware also can be deployed by hacked and malicious Web sites by exploiting outdated browser plugins.

The trouble with CryptoLocker is not so much in removing the malware — that process appears to be surprisingly trivial in most cases. The real bummer is that all of your important files — pictures, documents, movies, MP3s — will remain scrambled with virtually unbreakable encryption unless and until you pay the ransom demand, which can range from $100 to $300 (and payable only in Bitcoins).

 

Full Article

 

Also see this other thread I posted 2 weeks ago: https://community.webroot.com/t5/Security-Industry-News/You-re-infected-if-you-want-to-see-your-data...

 

Also having Webroot SecureAnywhere will protect you from this infection!

Daniel



Webroot® SecureAnywhere™ Internet Security Complete Beta Tester v9.0.0.65 on my main system Alienware 17R2, Windows 8.1 Pro x64 & HTC One M8 Android Lollipop 5.0.1 Phone v3.6.0.6722.


Microsoft® MVP Consumer Security


Frequent Voice
Posts: 65
Registered: ‎01-22-2013

Cryptolocker infection


Hi

Recently one of our customers was infected by ransomware that was missed by WSA. It encrypted all files, giving them the extension .omg! (link to the discussion if someone wants to know more about this ransomware: http://www.bleepingcomputer.com/forums/t/506924/cryptolocker-hijack-program/).

It's a shame that Webroot missed it, but there's no point crying over spilt milk. I wonder what we can do to avoid it in future. If WSA is not 100% malware-proof, maybe there are some other ways? I'm not an expert so I don't know if my way of thinking is right, but it seems to me that file encryption is quite a long process and the operating system must be aware of this. So maybe Webroot should alert the user every time it detects the process of encryption? If it is initiated by the user then he can ignore it. If not, then he can kill the process immediately. I don't know if it makes sense, so I hope to hear from experts.
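The poster's idea above (watch for encryption in progress and alert) is what behavioural ransomware detection does in practice. The script below is an added example, not Webroot's code and not part of the original post: it snapshots a directory tree, then looks for two traces a run like the one described leaves behind, originals that vanish while a copy with the reported ".omg!" suffix appears, and file bodies whose Shannon entropy jumps to ciphertext-like levels. The suffix list, thresholds and sample files are assumptions for the demo; the "malware" is a constructed stand-in that writes random bytes, not real ransomware.

```python
"""Heuristic mass-encryption detector for a directory tree.

Added example, not Webroot's code. It checks a tree against a baseline
snapshot for two traces a ransomware run leaves behind:
  * file bodies that jump to near-maximum Shannon entropy (ciphertext
    and compressed data look alike, so this is a hint, not proof), and
  * originals that vanish while a copy with a ransom suffix appears
    (".omg!" is the suffix the post reports; the list is an assumption).
"""
import math
import random
import tempfile
from collections import Counter
from pathlib import Path

SUSPICIOUS_EXTS = (".omg!",)   # assumption: the suffix named in the post
ENTROPY_THRESHOLD = 7.5        # bits per byte; English text sits near 4-5
ALERT_RATIO = 0.5              # alert once half the baseline files are hit


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for one repeated byte value, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def snapshot(root: Path) -> dict:
    """Relative path -> entropy for every regular file under root."""
    return {str(p.relative_to(root)): shannon_entropy(p.read_bytes())
            for p in root.rglob("*") if p.is_file()}


def analyze(root: Path, baseline: dict) -> dict:
    """Compare the tree with a baseline and decide whether it looks encrypted."""
    current = snapshot(root)
    hits = []
    for rel, old_entropy in baseline.items():
        if rel in current:
            # same path, but the body turned into ciphertext-like bytes
            if old_entropy < ENTROPY_THRESHOLD <= current[rel]:
                hits.append(rel)
        elif any(rel + ext in current for ext in SUSPICIOUS_EXTS):
            # original gone, renamed copy with a ransom suffix in its place
            hits.append(rel)
    ratio = len(hits) / len(baseline) if baseline else 0.0
    return {"hits": len(hits), "alert": ratio >= ALERT_RATIO, "files": hits}


def simulate_cryptolocker(root: Path, seed: int = 1) -> None:
    """Constructed stand-in for the malware: each file is replaced by random
    bytes of the same size under a '.omg!' name. No real crypto involved."""
    rng = random.Random(seed)
    for p in [q for q in root.rglob("*") if q.is_file()]:
        p.with_name(p.name + ".omg!").write_bytes(rng.randbytes(p.stat().st_size))
        p.unlink()


def run_demo() -> dict:
    """Run the detector on a benign edit and on a simulated infection."""
    text = ("Quarterly report: revenue up 3% on flat costs.\n" * 90).encode()
    results = {}
    for scenario in ("benign", "encrypted"):
        with tempfile.TemporaryDirectory() as tmp:
            root = Path(tmp)
            (root / "docs").mkdir()
            for name in ("report.docx", "notes.txt", "budget.xlsx", "docs/memo.txt"):
                (root / name).write_bytes(text)   # constructed sample documents
            baseline = snapshot(root)
            if scenario == "benign":
                with open(root / "notes.txt", "ab") as fh:
                    fh.write(b"One more line added by the user.\n")
            else:
                simulate_cryptolocker(root)
            results[scenario] = analyze(root, baseline)
    return results


if __name__ == "__main__":
    for scenario, verdict in run_demo().items():
        print(scenario, verdict)
```

The benign edit produces no hits; the simulated run hits all four files and trips the alert. A real agent would run this per process rather than per tree (so the offending process can be killed, as the poster suggests) and would treat a single high-entropy write as normal, since archives, images and legitimately encrypted files look the same; it is the rate of such changes across many files that separates ransomware from a user zipping a folder.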

Community Guide
Posts: 181
Registered: ‎01-17-2013

Re: Cryptolocker infection

Did you contact Webroot when that machine was infected?

 

To me it seems that even if Webroot missed it, Rollback and Journaling should be able to clean this up if the originating file is marked as bad.

Johan Gouverneur
Webroot Account Manager
Dekkers Intermediair B.V.

Community Guide

Frequent Voice
Posts: 65
Registered: ‎01-22-2013

Re: Cryptolocker infection

Yes Webroot Support is working hard on this case but it seems that it's not as easy as it looks.

New Member
Posts: 1
Registered: ‎10-15-2013

Re: Cryptolocker infection

Last week my computer was infected by "Cryptolocker" and I lost all my files.  This happened before I installed WSA on my computer.  I had all my files backed up so all is well, but it was a hassle for a couple days as I had to do a complete reinstall on my hard drive.  Can someone update me as to whether WSA is now updated so as to defeat this ransomware?  From this three week old thread, it isn't clear WSA was up to the task at the time.  I've installed WSA on the recommendation of several different people, but I really need a product that can protect me from "Cryptolocker" and similar ransomware (the only infection I've ever gotten, by the way). Thanks.

Posts: 2,308
Topics: 292
Kudos: 1,364
Registered: ‎01-19-2012

Re: Cryptolocker infection


One of the greatest things about Webroot is that when Support is notified about something getting past Webroot, it prompts our threat researchers to immediately jump on the files in question and get them blacklisted. We are usually out in front of these sort of issues before they become apparent, but in the instance something does slip past, the turnaround time for blacklisting an infection is nearly immediate once the issue lands in Support's capable hands. Two weeks out, yes, this variant is certainly classified by now. There will always be new variants of most any sort of infection, and we do our best to keep up with them.  Thanks to the support dynamic, in the event any threat makes it past WSA, the first person to notify us ends up protecting all of the other WSA-protected computers in the world by bringing it to our attention.

/// JimM ///
/// Former Community Manager - Now Humble Internet Citizen///
/// Also Formerly a Technical Support Escalations Engineer ///
New Member
Posts: 3
Registered: ‎10-24-2013

Re: Cryptolocker infection

Is there any update from Webroot on this? 

 

If the product doesn't offer any protection, are there perhaps other things we can do to limit our exposure?

Frequent Voice
Posts: 65
Registered: ‎01-22-2013

Re: Cryptolocker infection

The biggest problem with ransomware is that you really cannot remedy the damage. When you have your files encrypted with RSA-1024 you're pretty much screwed. In this case Webroot didn't do a good job. I heard from our customers that signature-based AVs (Kaspersky, Eset) were able to detect this ransomware about 10 days from the moment it appeared. One of our clients using WSA was infected with it 3 WEEKS after it was reported for the first time. Signatures vs. Behavioral Analysis: 1:0. But still I believe in WSA.

Threat Researcher
Posts: 234
Registered: ‎08-29-2012

Re: Cryptolocker infection

WSA can detect and block Cryptolocker, and if an unknown variant happens to slip through, WSA should be able to roll back the changes as part of the cleanup routine using journalling as long as WSA was installed prior to the files being encrypted. WSA can not decrypt files encrypted by Cryptolocker on a system that was infected prior to WSA being installed. We have improved and continue to improve WSA in order to handle these types of threats.

 

-Dan

Webroot Threat Research
Posts: 902
Topics: 58
Kudos: 596
Ideas: 72
Registered: ‎01-11-2013

Re: Cryptolocker infection

Hi Dan,

If Cryptolocker was able to run and encrypted network files, does WSA restore those as well? Also, I've heard of gigabytes and gigabytes of data being encrypted on local and network drives. How does WSA respond to that, when it would never have enough capacity to journal it?

----------------------------------------
Business Products Sr. Community Leader and Expert Advisor - WSA-Enterprise and WSAWSS administrator of 1700+ computers
First company to 1000+ WSA endpoints | Power User / Business Ambassador / WSA-C and WSA-E Beta tester
Community Leader
Find me on Twitter!
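Dan's reply describes journaling and rollback (keep the pre-write state of files an unknown process touches, then undo its writes once it is classified as bad), and the follow-up asks what happens when the volume of encrypted data exceeds what the journal can hold. The toy model below is an added example, not Webroot's implementation or any description of how WSA stores its journal: a journal keyed by process with a fixed byte budget, a write hook, and a rollback that reports which files it could and could not restore. The budget, file sizes and the random-byte "encryptor" are constructed for the demo, and the model covers local files only, not network shares.

```python
"""Toy model of pre-write journaling with rollback under a byte budget.

Added example, not Webroot's implementation. Before an untrusted process
overwrites a file, the monitor stores the original in a journal keyed by
that process. If the process is later classified as malicious, every
journaled original is written back. The journal has a fixed budget, so
once it is exhausted later writes are recorded as unrecoverable, which is
the limit the question above is about.
"""
import random
import tempfile
from pathlib import Path


class Journal:
    def __init__(self, budget_bytes: int) -> None:
        self.budget = budget_bytes
        self.used = 0
        self.saved = {}        # pid -> [(path, original bytes or None)]
        self.unjournaled = {}  # pid -> [path] changed after the budget ran out

    def before_write(self, pid: int, path: Path) -> bool:
        """Call before pid modifies path. Returns True if the original was kept."""
        original = path.read_bytes() if path.exists() else None
        size = len(original or b"")
        if self.used + size > self.budget:
            self.unjournaled.setdefault(pid, []).append(path)
            return False
        self.used += size
        self.saved.setdefault(pid, []).append((path, original))
        return True

    def rollback(self, pid: int) -> dict:
        """Undo pid's journaled writes, newest first; report what was lost."""
        restored = []
        for path, original in reversed(self.saved.pop(pid, [])):
            if original is None:
                path.unlink(missing_ok=True)   # file did not exist before pid ran
            else:
                path.write_bytes(original)
                self.used -= len(original)
            restored.append(path.name)
        lost = [p.name for p in self.unjournaled.pop(pid, [])]
        return {"restored": restored, "lost": lost}


def monitored_overwrite(journal: Journal, pid: int, path: Path, data: bytes) -> None:
    """The hook an endpoint agent would sit in: journal first, then let the write through."""
    journal.before_write(pid, path)
    path.write_bytes(data)


def run_demo(budget_bytes: int = 10_000) -> dict:
    """Four ~4 KB files, a simulated encryptor, then rollback once it is flagged."""
    text = ("Minutes of the weekly meeting.\n" * 130).encode()  # constructed documents
    names = ("budget.xlsx", "memo.txt", "photo.jpg", "thesis.docx")
    rng = random.Random(7)  # constructed stand-in for ciphertext, no real crypto
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name in names:
            (root / name).write_bytes(text)
        journal = Journal(budget_bytes)
        malware_pid = 4242  # hypothetical process id for the encryptor
        for name in names:
            monitored_overwrite(journal, malware_pid, root / name, rng.randbytes(len(text)))
        report = journal.rollback(malware_pid)   # verdict arrives: the process was bad
        report["intact"] = sum((root / n).read_bytes() == text for n in names)
        return report


if __name__ == "__main__":
    print(run_demo())            # two files restored, two lost to the budget
    print(run_demo(20_000))      # budget covers all four: nothing lost
```

With the default 10 KB budget the first two originals fit and come back intact; the third and fourth exceed the budget, so rollback can only report them as lost. Raising the budget to 20 KB restores all four. That is the whole of the capacity question: a journal can only return what it had room to keep, which is why an offline backup, as the earlier poster in this thread had, remains the recovery path of last resort.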