Silver VIP

Re: How To Avoid CryptoLocker Ransomware

At work over the last couple of weeks we have been seeing quite a few calls regarding this bug.  Nasty Nasty!


David

Bronze VIP

Re: How To Avoid CryptoLocker Ransomware

 @shorTcircuiT do tell.

----------------------------------------
Business Products Sr. Community Leader and Expert Advisor - WSA-Enterprise administrator over 2000 clients
First company to 1000+ WSA endpoints | Power User / Business Ambassador / WSA-C and WSA-E Beta tester
Community Leader

Frequent Voice

Re: How To Avoid CryptoLocker Ransomware

Was Webroot useful in the removal and decryption of the malware-infected machine, or did you have to do a restore from backup?

I still don't get how Webroot could unencrypt an encrypted drive, even if Webroot is installed during the infection process.

I mean ok, so Webroot sets the new undiscovered baddie in "Monitor" state, so while in monitor mode the baddie can't access specific files but it's free to go other places and encrypt those, so what happens after it's encrypted? I mean we can't just revert back from the encrypted version; we don't know the encryption key, we only know the salt (from the registry).

I don't want any details etc... just paint me sceptical. Until I see some comparison or a case study of a Webroot-protected machine being infected, encrypted, then the malware discovered and the machine recovered, I will remain highly sceptical of any recovery of a post-infected machine.

Community Expert Advisor

Re: How To Avoid CryptoLocker Ransomware


@tempnexus wrote:

Was Webroot useful in the removal and decryption of the malware-infected machine, or did you have to do a restore from backup?

I still don't get how Webroot could unencrypt an encrypted drive, even if Webroot is installed during the infection process.

I mean ok, so Webroot sets the new undiscovered baddie in "Monitor" state, so while in monitor mode the baddie can't access specific files but it's free to go other places and encrypt those, so what happens after it's encrypted? I mean we can't just revert back from the encrypted version; we don't know the encryption key, we only know the salt (from the registry).

I don't want any details etc... just paint me sceptical. Until I see some comparison or a case study of a Webroot-protected machine being infected, encrypted, then the malware discovered and the machine recovered, I will remain highly sceptical of any recovery of a post-infected machine.


Webroot does not unencrypt the files - it basically reverts them to the previous (unencrypted) state they were in before the malware started its nasty work.

___________________________________________________________
Corey B.

Bronze VIP

Re: How To Avoid CryptoLocker Ransomware

@tempnexus 

You can read more here:

http://www.webroot.com/shared/pdf/reinventing-antivirus.pdf

https://community.webroot.com/t5/Webroot-SecureAnywhere-Antivirus/How-exactly-does-Webroot-allow-you...

 


Retired Webrooter

Re: How To Avoid CryptoLocker Ransomware

We aren't seeing as much of the Crypto ransomware as some vendors, as generally the infection vector for this has been the same as the FBI infections and we are blocking it before it can even execute. One of the benefits of operating in real time in the cloud is that we can see patterns emerging in real time and we can go hunting for the malware before it really starts to spread.

I have seen the client roll back the changes before. I don't have any case details, but I'll save the next one I see.

However, if the client is installed after the event there isn't much we can do.

My top tips for this infection:

Disable/uninstall Java - unless you really need it, don't use it (you would be surprised how many sites don't use it anymore).

Use Flashblock/Adblock in your browser (NoScript is useful too).

Don't open any executable from your email - no exceptions, even if the mail is from a friend (I don't touch PDFs/zips either).

If in doubt about a file, don't open it; ask us or even Google the MD5.

Backups - people seem to have forgotten about this lately.

By backups I mean physical ones, not online ones like SkyDrive/Google Drive, because when the files get encrypted the changes get pushed to the backups.

In order to stop this type of infection we have to stop the incentive of these bad guys, which is money. If nobody pays the ransom they will stop and move on to something else.

Re: How To Avoid CryptoLocker Ransomware

Thanks for the info Roy!

 

Daniel

New Member

Re: Cryptolocker infection

I'm evaluating Webroot for our company. I'm curious what the window of opportunity is to retrospectively undo damage.

How far back can the journaling be used to restore to? Is it based on a given time frame, number of changes made, or something else?

Thanks,

Chris

Re: Cryptolocker infection

Hello cdishman and welcome to the Webroot Community Forums!

 

In short, journaling starts when an unknown program and its processes start, and it doesn't stop until they are determined Good or Bad; in this case it can roll back to before the program and processes executed. Also have a look at this short video: https://community.webroot.com/t5/Webroot-Education/What-Happens-if-Webroot-quot-Misses-quot-a-Virus/...

 

HTH,

 

Daniel
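To make the rollback idea from Corey's and Daniel's replies concrete (no decryption is needed because the pre-change version of each file is kept while the process is still unclassified), here is an added toy journal, not Webroot's code or any description of its internals. The `ChangeJournal` class, the file names and the byte-reversing stand-in for a file-scrambling process are all constructed for this illustration.

```python
import tempfile
from pathlib import Path


class ChangeJournal:
    """Keeps the pre-modification contents of every file an unknown
    (monitored) process writes, so its changes can be reverted wholesale.
    Constructed illustration of the journal/rollback idea; not Webroot's."""

    def __init__(self):
        self._before = {}  # Path -> original bytes, or None if it did not exist

    def monitored_write(self, path, data):
        """Perform a write on behalf of the monitored process, journaling first."""
        p = Path(path)
        if p not in self._before:  # only the oldest version matters
            self._before[p] = p.read_bytes() if p.exists() else None
        p.write_bytes(data)

    def mark_good(self):
        """Verdict 'good': drop the journal and keep the process's changes."""
        self._before.clear()

    def rollback(self):
        """Verdict 'bad': restore every journaled file; returns files reverted."""
        for p, original in self._before.items():
            if original is None:
                p.unlink(missing_ok=True)  # file created by the process
            else:
                p.write_bytes(original)
        count = len(self._before)
        self._before.clear()
        return count


def demo():
    """Scramble two constructed files via the journal, then roll back.
    Returns True if the originals come back byte-for-byte."""
    with tempfile.TemporaryDirectory() as d:
        docs = {Path(d, "a.txt"): b"quarterly report", Path(d, "b.txt"): b"payroll"}
        for p, content in docs.items():
            p.write_bytes(content)
        journal = ChangeJournal()
        for p in docs:  # constructed stand-in for the scrambling: bytes reversed
            journal.monitored_write(p, p.read_bytes()[::-1])
        journal.monitored_write(Path(d, "NOTE.txt"), b"constructed note")
        scrambled = all(p.read_bytes() != c for p, c in docs.items())
        reverted = journal.rollback()
        restored = all(p.read_bytes() == c for p, c in docs.items())
        return scrambled and restored and reverted == 3 and not Path(d, "NOTE.txt").exists()
```

The journal only helps while the monitor was running before the first write; a client installed after the damage has no before-images to restore, which is Roy's point above.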

New Member

Re: Cryptolocker infection

The force is strong in this one.

 

Thanks.