CryptoLocker Malware: What you still need to know

 

What is CryptoLocker?

CryptoLocker is most often spread through booby-trapped email attachments and encrypts the victim's files with strong public-key cryptography. It can also be delivered by hacked or malicious web sites that exploit outdated browser plugins.

 

Webroot's Threat Brief on CryptoLocker

 

Can Webroot Protect Customers Against It?

 

Encrypting ransomware (CryptoLocker, CTB-Locker/Critroni, CryptoWall, etc.) is a very difficult infection to remediate because it uses RSA public-key cryptography with a unique key pair generated for each infected computer: the files themselves are encrypted under symmetric keys, and those keys are in turn encrypted with the victim's RSA public key. Once a user's files are encrypted this way, it is next to impossible to decrypt them without the private key, which is stored only on the remote servers run by the malware author(s). There are currently no tools capable of decrypting these files without that private key.
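To make the key handling concrete, here is an added illustration (written for this page using only the Go standard library; it is not Webroot's code and not the malware's) of the hybrid scheme the paragraph describes: one RSA key pair per victim, a fresh symmetric key per file, and only the RSA-wrapped symmetric key stored beside the ciphertext, so that the private key alone can unwrap it. The cipher choices (AES-256-GCM, RSA-OAEP with SHA-256, 2048-bit keys), the function names and the sample document are assumptions made for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Illustration of the hybrid scheme described above, not CryptoLocker's code:
// one RSA key pair per victim, a fresh AES key per file, and only the
// RSA-wrapped AES key stored beside the ciphertext. Cipher choices
// (AES-256-GCM, RSA-OAEP, 2048-bit keys) are assumptions for the demo.

// EncryptedFile is what the victim is left with on disk.
type EncryptedFile struct {
	WrappedKey []byte // per-file AES key, encrypted with the operator's RSA public key
	Nonce      []byte
	Ciphertext []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptFile needs only the public key, which is all the victim machine ever holds.
func EncryptFile(pub *rsa.PublicKey, plaintext []byte) (*EncryptedFile, error) {
	key := make([]byte, 32) // random 256-bit AES key, unique to this file
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	return &EncryptedFile{
		WrappedKey: wrapped,
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, plaintext, nil),
	}, nil
}

// DecryptFile needs the private key; without it the unwrap step fails and the
// AES key, and therefore the file, is unrecoverable.
func DecryptFile(priv *rsa.PrivateKey, ef *EncryptedFile) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ef.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap file key: wrong or missing private key")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, ef.Nonce, ef.Ciphertext, nil)
}

// Demo encrypts a constructed sample document under victim A's public key and
// reports whether decryption works with A's private key and with B's (a
// different victim's) private key.
func Demo() (bool, bool, error) {
	victimA, err := rsa.GenerateKey(rand.Reader, 2048) // generated server-side in the real scheme
	if err != nil {
		return false, false, err
	}
	victimB, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	doc := []byte("constructed sample document: quarterly report") // constructed input
	ef, err := EncryptFile(&victimA.PublicKey, doc)
	if err != nil {
		return false, false, err
	}
	got, errA := DecryptFile(victimA, ef)
	_, errB := DecryptFile(victimB, ef)
	return errA == nil && string(got) == string(doc), errB == nil, nil
}

func main() {
	right, wrong, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Println("decrypt with matching private key:", right) // true
	fmt.Println("decrypt with another victim's key:", wrong)  // false
}
```

The point of the second decryption attempt is the one the paragraph makes: a key pair from a different infection is useless, and nothing on the victim machine contains the private half, so recovery depends on either the operator's server or a backup.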

As long as SecureAnywhere is installed prior to infection, encrypting ransomware should be detected and removed before it is allowed to make any changes on the computer. Threat Research already has many rules in place to detect the known variants of CryptoLocker at or before execution, but malware changes constantly and we cannot guarantee that every new variant will be detected on first sight.
 
For best practices on securing your environment from encrypting ransomware please see our community post:
https://community.webroot.com/t5/Webroot-Education/Best-practices-for-securing-your-environment-agai...

 

 

 

Read more about CryptoLocker in these posts on the Webroot Community:

Additional Conversations About CryptoLocker
 
CryptoLocker malware targeting the UK - comment from Webroot 
 
NCA warns UK of mass CryptoLocker ransomware attacks - comment from Webroot


by Moderator on 11-21-2013 03:20 PM - edited on 07-14-2015 02:11 PM by Community Manager
Comments
by Frequent Voice on 11-24-2013 04:36 AM
I do have one update I am trying to post everywhere possible: CryptoLocker has been putting .exe and .inf files onto any USB HDD, CDs, and flash drives (not SD cards so far), making it look as if those are not infected in any way and even hiding them. This is a danger that definitely needs to be taken care of, because once that media gets put into another computer it will download a different public key and use a different private key. This means it will make you pay double. I think Webroot needs to try and override Windows from scanning hardware before it does, as it will happen before Webroot catches it, and I'd rather not have to rely on the journaling only for protection in that instance.
by Community Guide GyozoK on 01-22-2014 04:33 PM

Imagine this scenario:

 

We have 2 machines: a Windows Server with Webroot running and a Windows client with Webroot running.

 

The client gets infected by CryptoLocker 2.0, which then encrypts files that are on the shared folder of the Windows Server, mapped as drive X: on the client.

 

As Joe Jaroch, Webroot VP of Engineering said above:

"WSA currently doesn't reverse the changes on a network drive because of the risk with data loss if another user changed a file. The best scenario would be to install WSA everywhere, including the system hosting the network drive if possible. Even if gigabytes of data are encrypted, WSA will continue happily journaling it." - Joe Jaroch, Webroot VP of Engineering

 

We know that CryptoLocker 2.0 is not going to infect the Windows Server machine, so CryptoLocker will stay running on the client only. But running on the client, it will encrypt files on the mapped drive.

 

So what is the meaning of installing Webroot on the Windows file server in this scenario? Will that be able to roll back encryption of the files changed by a CryptoLocker running on another machine?

 

Kind regards,
Gyozo

 

Webroot Ambassador & Community Guide

 

by Frequent Voice on 01-22-2014 04:41 PM
It would still have to run a service to encrypt it, so I'd assume so.... But I honestly would not like to try.
by Frequent Voice on 03-01-2014 10:22 AM

How does Webroot save us from CryptoLocker malware?

by Gold VIP on 03-01-2014 12:36 PM - edited 03-01-2014 12:46 PM

Watch the video I posted here: https://community.webroot.com/t5/Introduce-yourself-to-the/cloud-computing/m-p/85695#M2238 Also, they keep updating the client to protect generically: https://community.webroot.com/t5/Release-Notes/PC-Release-Notes-8-0-4-61/td-p/83417#.UxIy4oVnCSo

 

So you are well protected. There is one more video, but you would have to join BrightTalk to watch it; it's by Grayson Milbourne, Director of Security Intelligence at Webroot: CryptoLocker: Your Money or Your Life.

 

Cheers,

 

Daniel

by Community Guide regnor on 06-08-2014 12:32 AM

Regarding GyozoK's comment: I also thought about this topic. Would Webroot be able to roll back a CryptoLocker infection on a server caused by a client? I would say no, because for the server it's just normal rw-access to its network share, and I don't think that Webroot would track such actions. Otherwise every changed file would be journaled.

 

I'm rather relying on a good backup plan/solution to recover from a CryptoLocker infection, which should already be in place regardless of CryptoLocker.

by Silver VIP on 06-08-2014 09:08 AM

I could well be wrong, but I believe the rollback will only work on computers that have WSA installed. If the server also has WSA installed (a server running a version of Windows compatible with WSA), then it should be covered.

 

If the server does NOT have WSA installed, then I do not believe the rollback could work.

 

I am far from being highly knowledgeable in this area and I hope to see additional responses from Webroot.

by Community Guide regnor on 06-08-2014 01:06 PM

Well, if I ran CryptoLocker on a secured server, Webroot would journal everything and I could roll back. But as the client causes the CryptoLocker infection, the Webroot installation on the server wouldn't recognize it, as there's no executable, process or service on the server which could be monitored; it's just a "normal" rw-action.

by Silver VIP on 06-08-2014 04:44 PM

Well, .... you have me. I am admittedly learning the Endpoint... Let me 'ping' an Endpoint expert and see if he is able to provide a more expert opinion on this. @Explanoit, are you able to help with this?

by Community Manager on 06-11-2014 01:12 PM

I asked the folks here and that isn't a situation we'd be able to journal, even with Cryptolocker installed on the server.  Since it is a file server, there are many different clients accessing and altering the files, so it wouldn't be practical to journal all those individual changes, especially since the processes doing them live on the clients.  Best bet is good backups, and make sure all your machines have endpoint installed to catch Cryptolocker before it gets started.

by Silver VIP on 06-11-2014 04:50 PM

Thanks Nic!

by Gold VIP on 06-11-2014 08:21 PM - edited 06-11-2014 08:22 PM

 

And this video does answer some of your questions, but you have to join to watch it: https://www.brighttalk.com/webcast/8241/95617

 

Daniel

by Community Guide regnor on 06-11-2014 10:41 PM

Thanks for the clarification Nic!

by Community Leader Antus67 on 06-12-2014 11:38 AM

The following is an update on CryptoLocker malware.

 

By Ian Barker, posted June 12, 2014

 

 


Summary:

It's not really surprising then that the bad guys are seeking to exploit these fears. Security company BullGuard has uncovered a major new spam campaign supposedly offering Cryptolocker decryption keys.

 

The email urges users to download a tool that it claims can unlock any files encrypted with Cryptolocker. Of course that isn't what you get. If you download the tool it installs a registry scanner which, naturally, tells you there are lots of problems with your PC which can only be solved by purchasing the spammers' offering.

 

 

BetaNews, full read here: http://betanews.com/2014/06/12/hackers-try-to-exploit-fear-of-cryptolocker-with-spam-campaign/