TripleHelix
Posts: 5,399
Topics: 404
Kudos: 3,291
Ideas: 5
Registered: 02-03-2012

How To Avoid CryptoLocker Ransomware


Over the past several weeks, a handful of frantic Microsoft Windows users have written in to ask what they might do to recover from PC infections from “CryptoLocker,”  the generic name for an increasingly prevalent and nasty strain of malicious software that encrypts your files until you pay a ransom. Unfortunately, the answer for these folks is usually either to pay up or suck it up. This post offers a few pointers to help readers avoid becoming the next victim.

A Cryptolocker prompt and countdown clock. Photo: Malwarebytes.org

According to reports from security firms, CryptoLocker is most often spread through booby-trapped email attachments, but the malware also can be deployed by hacked and malicious Web sites by exploiting outdated browser plugins.

The trouble with CryptoLocker is not so much in removing the malware — that process appears to be surprisingly trivial in most cases. The real bummer is that all of your important files — pictures, documents, movies, MP3s — will remain scrambled with virtually unbreakable encryption unless and until you pay the ransom demand, which can range from $100 to $300 (and payable only in Bitcoins).

 

Full Article

 

Also see this other thread I posted 2 weeks ago: https://community.webroot.com/t5/Security-Industry-News/You-re-infected-if-you-want-to-see-your-data...

 

Also having Webroot SecureAnywhere will protect you from this infection!

 

Daniel :smileywink:

Webroot® SecureAnywhere™ Internet Security Complete 2014 Beta Tester v8.0.4.70 on my main system Windows 7 Ultimate 64bit & on Win XP 32bit, Win Vista 32bit, Win 7 32bit, Win 8.1 Pro 32bit & 64bit all on VM's. 


Microsoft® MVP Consumer Security 2012/15


Frequent Voice
przemek83
Posts: 65
Registered: 01-22-2013

Cryptolocker infection


Hi

Recently one of our customers was infected by a ransomware that was missed by WSA. It encrypted all files, giving them the extension .omg! (Link to the discussion if someone wants to know more about this ransomware: http://www.bleepingcomputer.com/forums/t/506924/cryptolocker-hijack-program/).

It's a shame that Webroot missed it, but there's no point crying over spilt milk. I wonder what we can do to avoid it in future. If WSA is not 100% malware-proof, maybe there are some other ways? I'm not an expert, so I don't know if my way of thinking is right... but it seems to me that file encryption is quite a long process and the operating system must be aware of this. So maybe Webroot should alert the user every time it detects the process of encryption? If it is initiated by the user, then he can ignore it. If not, then he can kill the process immediately. I don't know if it makes sense, so I hope to hear from experts.

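One way to make the suggestion in the post above concrete, as an added example that is not part of this thread or of Webroot's product: a small behavioural heuristic that flags a burst of file writes whose content has near-random entropy or whose names carry the `.omg!` extension mentioned above. The event log, the file paths and the ciphertext stand-in are constructed; the window, file count and entropy threshold are assumed tuning values.

```python
import hashlib
import math
import os
from collections import Counter

# Extension reported in this thread; any other entry would be an assumption.
RANSOM_EXTENSIONS = {".omg!"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plain text sits around 4-5, ciphertext approaches 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def is_suspicious_write(path: str, sample: bytes, entropy_threshold: float = 7.0) -> bool:
    """A write looks like ransomware output when the file gained a ransom
    extension or the content sample is statistically close to random."""
    ext = os.path.splitext(path)[1].lower()
    return ext in RANSOM_EXTENSIONS or shannon_entropy(sample) >= entropy_threshold

def detect_burst(events, window=10.0, min_files=5):
    """Return (timestamp, paths) the first time >= min_files suspicious writes
    land within `window` seconds, or None. Events are (seconds, path, sample)
    tuples of the kind a file-system monitor would emit (assumed shape)."""
    recent = []
    for ts, path, sample in sorted(events, key=lambda e: e[0]):
        if not is_suspicious_write(path, sample):
            continue
        recent = [(t, p) for t, p in recent if ts - t <= window] + [(ts, path)]
        if len(recent) >= min_files:
            return ts, [p for _, p in recent]
    return None

def ciphertext_stand_in(i: int) -> bytes:
    """Deterministic high-entropy bytes standing in for encrypted content (constructed)."""
    return b"".join(hashlib.sha256(b"blob-%d-%d" % (i, k)).digest() for k in range(32))

PLAIN = b"Quarterly report draft, see the attached figures.\n" * 20

# Constructed event log: two ordinary saves, then eight files turned into .omg! in four seconds.
SAMPLE_EVENTS = [
    (0.0, r"C:\Users\alice\Documents\notes.txt", PLAIN),
    (30.0, r"C:\Users\alice\Documents\budget.xlsx", PLAIN),
] + [
    (60.0 + i * 0.5, r"C:\Users\alice\Documents\file%02d.docx.omg!" % i, ciphertext_stand_in(i))
    for i in range(8)
]
```

`detect_burst(SAMPLE_EVENTS)` fires at 62.0 seconds, on the fifth `.omg!` write, which is the point where a monitor could pause the writing process and ask the user whether the encryption was intended.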
Community Guide
jgouverneur
Posts: 180
Registered: 01-17-2013

Re: Cryptolocker infection

Did you contact Webroot when that machine was infected?

 

To me it seems that even if Webroot missed it, the Rollback and Journaling should be able to clean this up if the originated file is marked as bad.

Johan Gouverneur
Webroot Account Manager
Dekkers Intermediair B.V.

Community Guide

Frequent Voice
przemek83
Posts: 65
Registered: 01-22-2013

Re: Cryptolocker infection

Yes Webroot Support is working hard on this case but it seems that it's not as easy as it looks.

New Member
gonfish
Posts: 1
Registered: 10-15-2013

Re: Cryptolocker infection

Last week my computer was infected by "Cryptolocker" and I lost all my files.  This happened before I installed WSA on my computer.  I had all my files backed up so all is well, but it was a hassle for a couple days as I had to do a complete reinstall on my hard drive.  Can someone update me as to whether WSA is now updated so as to defeat this ransomware?  From this three week old thread, it isn't clear WSA was up to the task at the time.  I've installed WSA on the recommendation of several different people, but I really need a product that can protect me from "Cryptolocker" and similar ransomware (the only infection I've ever gotten, by the way). Thanks.

JimM
Posts: 2,308
Topics: 299
Kudos: 1,320
Registered: 01-19-2012

Re: Cryptolocker infection


One of the greatest things about Webroot is that when Support is notified about something getting past Webroot, it prompts our threat researchers to immediately jump on the files in question and get them blacklisted. We are usually out in front of these sorts of issues before they become apparent, but in the instance something does slip past, the turnaround time for blacklisting an infection is nearly immediate once the issue lands in Support's capable hands. Two weeks out, yes, this variant is certainly classified by now. There will always be new variants of most any sort of infection, and we do our best to keep up with them. Thanks to the support dynamic, in the event any threat makes it past WSA, the first person to notify us ends up protecting all of the other WSA-protected computers in the world by bringing it to our attention.

/// JimM ///
/// Former Community Manager - Now Humble Internet Citizen///
/// Also Formerly a Technical Support Escalations Engineer ///
New Member
jerryw
Posts: 3
Registered: 10-24-2013

Re: Cryptolocker infection

Is there any update from Webroot on this? 

 

If the product doesn't offer any protection, perhaps other things we can do to limit our exposure?

Frequent Voice
przemek83
Posts: 65
Registered: 01-22-2013

Re: Cryptolocker infection

The biggest problem with ransomware is that you really cannot remedy the damage. When you have your files encrypted with RSA-1024 you're pretty much screwed. In this case Webroot didn't do a good job. I heard from our customers that signature-based AVs (Kaspersky, Eset) were able to detect this ransomware after about 10 days from the moment it appeared. One of our clients using WSA was infected with it 3 WEEKS after it was reported for the first time. Signatures vs Behavioral Analysis - 1:0. But still I believe in WSA:smileyvery-happy:

Threat Researcher
DanP
Posts: 95
Registered: 08-29-2012

Re: Cryptolocker infection

WSA can detect and block Cryptolocker, and if an unknown variant happens to slip through, WSA should be able to roll back the changes as part of the cleanup routine using journalling, as long as WSA was installed prior to the files being encrypted. WSA cannot decrypt files encrypted by Cryptolocker on a system that was infected prior to WSA being installed. We have improved and continue to improve WSA in order to handle these types of threats.

 

-Dan

Webroot Threat Research
explanoit
Posts: 842
Topics: 58
Kudos: 492
Ideas: 51
Registered: 01-11-2013

Re: Cryptolocker infection

Hi Dan,

If Cryptolocker was able to run and encrypted network files, does WSA restore those as well? Also, I've heard of gigabytes and gigabytes of data being encrypted on local and network drives. How does WSA respond to that, when it would never have enough capacity to journal it?

----------------------------------------
Business Products Sr. Community Leader and Expert Advisor - WSA-Enterprise and WSAWSS administrator of 1400+ computers
First company to 1000+ WSA endpoints | Power User / Business Ambassador / WSA-C and WSA-E Beta tester
Community Leader
Find me on Twitter!
