How Would Webroot Clean Ransomware?

  • 18 August 2013
  • 15 replies
  • 150 views

Userlevel 2
This is just a hypothetical question that an IT guy posed to me at work when I told him I was using Webroot to protect my home PC.
 
Can someone with a good knowledge of Webroot explain how it would clean up a piece of  nasty ransomware that it didn't catch and let slip by? For argument's sake, assume that the ransomware has locked up the PC and  the Webroot GUI cannot be accessed.
 
My thinking is that Webroot will eventually identify the ransomware on its own (working in the background via the cloud while the PC is locked up) and clean up the infection automatically. Is that correct? 
 
 

15 replies

Userlevel 7
Badge +6
1.) WSA is not like other solutions. It journals and monitors suspicious processes. So while it may let the program run temporarily, once the system is sure of its diagnosis, it can roll back pretty much all the changes to the PC it made.
 
2.) WSA reports its findings and current status to their servers. If you contact Webroot support they can look at what your PC has reported, mark it as bad, and the next time WSA checks in with the servers it will remove it. As a business customer, I have this ability as well. I have done this exact procedure where I review suspicious files reported, marked them as bad, and 15 minutes later WSA removed the infection. Pretty neato.
 
3.) Webroot support to remove viruses that make it past protections is free, so you should open a support case or give them a call. In the meantime I would leave the computer off until you hear back from them.
You can find information about contacting them here:
https:///t5/Webroot-SecureAnywhere-Antivirus/Virus-Removal-Options/ta-p/54074#.UhDhsZK1GuB
 
Userlevel 7
Badge +56
Great reply explanoit! Also, the first thing is not to panic, and to contact Webroot Support on another computer or call them in your country, closest to where you live: http://www.webroot.com/us/en/support/contact and there's even Twitter.
 
Cheers,
 
Daniel
Userlevel 5
To add to @'s response, I always loved this movie, that explains what happens if Webroot "misses" a virus: http://www.youtube.com/watch?v=uKMZ1Ukw_7I
Userlevel 2
Thanks to everyone for your replies. I just want to clarify what has been said so far. Let's say my computer gets locked up by one of these ransomware viruses where the only thing that's on my screen is a message from the FBI and I cannot access my desktop. Then, all I have to do is wait, and Webroot will, in time, detect the virus, remove it and restore my PC to its pre-virus state. Is that correct?
Userlevel 7
No, you don't have to wait. These types of infections generally follow a certain pattern. We have a number of ways to remove them; in the worst case we can send you a recovery CD in the post, or if you have a 2nd PC we can burn a copy of this recovery CD using that PC. Generally speaking, that's only a last resort and doesn't happen too often.
Userlevel 4
Wait. There's a Webroot recovery CD? How did I not know this?
 
Where can I get the .ISO?
Userlevel 7
There's also the manual mitigation option mentioned in this article.
 
Gorg, Rakanisheu is talking about a Linux boot CD we use sometimes for non-booting systems. There's nothing particularly unique about it except it comes pre-loaded with remote access capabilities for our technicians to help get the computer back in working order. It's something we send out only on an as-needed basis, which is pretty rare these days.
Userlevel 3
Badge +8
Ok, I'm going to resurrect this month-old topic as I have a question regarding CryptoLocker ransomware. This malware encrypts end user files in the background before popping up and demanding, in its latest variant, $300.00 for the decryption key. You pay, they decrypt; you don't, the timer runs out, you're done. AES 256 and RSA 2048 encryption, remote private key.
At what point would Webroot stop this activity, and how would it deal with the encrypted files, if any? Apparently the latest iteration does any shares you are mapped to with permissions as well.
 
In a nutshell, are webroot users protected and if they get infected can webroot roll it back, encrypted or not? I want to be able to assure our clients they are covered.
 
Some info on this nasty piece of code
http://www.reddit.com/r/sysadmin/comments/1mizfx/proper_care_feeding_of_your_cryptolocker/
 
Wayne
Userlevel 7
Webroot would catch this before any encryption even begins. The infection has to execute code in order to encrypt the files, and Webroot would pick it up before it even has a chance to execute because, by default, Webroot scans new files when they are written to the hard drive. So if you attempted to download the email attachment, this should be picked up before you even try to run it. If it was a variant that we've never seen before, rollback should still work to put everything back the way it was before the infection showed up, just as soon as we flag the executable file as Bad.
 
@ have you seen this $300 version yet?
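The journal-and-rollback idea described in explanoit's first point and in the reply above (let a not-yet-classified process run, record what it changes, and undo everything once the verdict is Bad) is illustrated below as an added example. It is hypothetical demonstration code written for this thread, not Webroot's implementation: the `ChangeJournal` class, `monitored_write`, `run_scenario` and the constructed sample documents are all assumptions, and `scramble` is an XOR stand-in for the malware's encryption, not real cryptography.

```python
import tempfile
from pathlib import Path


class ChangeJournal:
    """Journal of the pre-change state of every file a monitored process touches.

    The first time a path is touched we snapshot its original bytes (or note that
    it did not exist). If the process is later judged bad, rollback() puts every
    touched path back to its snapshot; if judged good, commit() discards the
    snapshots. Hypothetical illustration of the journal-and-rollback idea only.
    """

    def __init__(self):
        self._snapshots = {}  # Path -> original bytes, or None if the file was new

    def before_write(self, path):
        path = Path(path)
        if path not in self._snapshots:  # only the FIRST observed state matters
            self._snapshots[path] = path.read_bytes() if path.exists() else None

    def rollback(self):
        """Undo every journaled change; returns the number of paths restored."""
        restored = 0
        for path, original in self._snapshots.items():
            if original is None:
                if path.exists():
                    path.unlink()  # file created by the process: remove it
            else:
                path.write_bytes(original)  # overwritten/encrypted: restore it
            restored += 1
        self._snapshots.clear()
        return restored

    def commit(self):
        """Process was judged good: keep its changes and drop the snapshots."""
        self._snapshots.clear()


def monitored_write(journal, path, data):
    """Write on behalf of a monitored process: journal first, then let the write proceed."""
    journal.before_write(path)
    Path(path).write_bytes(data)


def scramble(data):
    """Stand-in for the malware's encryption: XOR with a constant byte. Not real crypto."""
    return bytes(b ^ 0x5A for b in data)


def run_scenario(verdict, root=None):
    """Let a simulated untrusted process mangle constructed documents under `root`
    (a fresh temporary directory if None), then apply the verdict:
    'bad' -> rollback, anything else -> commit.
    Returns (documents intact?, dropped file still present?, paths restored)."""
    if root is None:
        with tempfile.TemporaryDirectory() as tmp:
            return run_scenario(verdict, tmp)

    root = Path(root)
    docs = {"report.txt": b"quarterly numbers", "notes.txt": b"meeting notes"}  # constructed
    for name, content in docs.items():
        (root / name).write_bytes(content)

    journal = ChangeJournal()
    # The untrusted process overwrites each document and drops a new file of its own.
    for name, content in docs.items():
        monitored_write(journal, root / name, scramble(content))
    monitored_write(journal, root / "README_NEW.txt", b"dropped by the process")

    if verdict == "bad":
        restored = journal.rollback()
    else:
        journal.commit()
        restored = 0

    intact = all((root / n).read_bytes() == c for n, c in docs.items())
    dropped_present = (root / "README_NEW.txt").exists()
    return intact, dropped_present, restored


if __name__ == "__main__":
    print("bad verdict :", run_scenario("bad"))   # (True, False, 3)
    print("good verdict:", run_scenario("good"))  # (False, True, 0)
```

The point to notice is that the journal is keyed on the first state of each path, so no matter how many times the process rewrites a file, one snapshot is enough to restore it; and it must be in place before the first write, which is why the thread stresses that WSA has to be running when the ransomware hits.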
Userlevel 7
I have seen a few different versions of this (although they all are similar enough). One case was a customer who had 3 PCs, 2 with Webroot installed and the 3rd was an old PC with no AV on it. That 3rd PC had all the data on the desktop encrypted. Unfortunately there wasn't much I could do with the PC :( I fixed all the other issues with the PC (it was in bad shape) but there was data loss.
 
This type of malware is a much bigger issue in a corporate environment. In the case I saw it wasn't helped by extremely loose internal IT policies in said corporate environment. I managed to stop any spreading of the infection but one desktop was a write-off (i.e. a format).
 
In my opinion, from back when I used to be in IT, I would have auto-run disabled, users wouldn't have any write access to corporate network shares, external USB devices were banned, optical drives disabled. The only write access was to a small network share that would be periodically wiped (for security reasons). Email attachments were limited to certain file types, and users were only given limited user accounts too. I think in today's world, with the advanced malware going around, we have to do everything we can to limit the number of entry points.
 
This ransomware is a giant pain, as unless you have access to a large number of supercomputers using brute force over a long period to crack the key! We have a team working on this as we speak. At the moment thankfully we aren't seeing many cases of this, as we are catching a large number of these before they can execute.
 
In the end it comes back to that old computing mantra that seems to have been forgotten:
 
BACKUP BACKUP BACKUP and do it regularly!
 
Userlevel 7
Badge +35
Rakanisheu wrote: In my opinion, from back when I used to be in IT, I would have auto-run disabled, users wouldn't have any write access to corporate network shares, external USB devices were banned, optical drives disabled. The only write access was to a small network share that would be periodically wiped (for security reasons). Email attachments were limited to certain file types, and users were only given limited user accounts too. I think in today's world, with the advanced malware going around, we have to do everything we can to limit the number of entry points.
 
In the end it comes back to that old computing mantra that seems to have been forgotten:
 
BACKUP BACKUP BACKUP and do it regularly!
 
I know it's a bit off-topic from ransomware, but Rakanisheu brings up a lot of the issues with the growing trend of Bring Your Own Device (BYOD). Users already treat their company-issued computers, especially laptops, as their own, and when users are using their own computers in the workplace the security concerns increase quite a bit. This is something that the whole security issue is working to address, but stronger IT policies are also needed.
 
-Dan
Userlevel 3
Badge +8
I agree with both regarding the issues surrounding IT policies, backup, and the issues surrounding BYOD. However the situation gets a little grey when we step away from a corporate environment in which we have more control both using group policy and other centrally managed security tools.
 
Take for example the company where there are only a couple of people, all partners or owners, who by default use their own machines for their business and do not have a central server. One can't write-protect files on a local machine for these folks, nor can we wipe it weekly for security purposes. They often use Dropbox or the like to share files, and controls are seriously lacking in that application, business version or not. Having them log on as a standard user and not local admin helps in many cases, but not with this ransomware. And try enforcing that type of logon; almost impossible.
 
Another situation is where contractors work for the company using their own machine and are not on a network but on work sites all around the world, where we have even less control. It gets very grey here: what can the company enforce on its contractors? Have AV and a firewall, yes, but past that, not much. Surf out through a proxy, sure. Does that help? Maybe a bit, but the baseline fundamental controls (user privilege, access, filtering, file-level security) are difficult if not impossible to enforce.
 
What it boils down to is putting tools in place like an AV and firewall the end user can't mess with, then trying to convince the user to back up to a remote location or a temporarily attached device daily, and hoping they do it. We all know how well that works.
 
Wayne
Recently got this infection and the only way to clear it was to use task manager. I ran several scans after that with other products and came up clean.
I got the FBI ransomware virus on 1/17/13 that WEBROOT did not catch & prevent. Luckily I had several other things loaded on my PC (HITMAN PRO) that I was able to use to remove it while I booted under my Admin account in safe mode with networking; otherwise I would have been dead in the water with NO PC. I am not sure why other anti-malware products see the ransomware but WEBROOT does not. I had the same issue with ESET.
Userlevel 2
Badge
Hi,
 
Ransomware and especially CryptoLocker is really quite a hot topic!
 
I have good news for all of you: according to Webroot they CAN revert the encryption CryptoLocker would do on your system, but, of course, only if WSA was running when the ransomware hit the machine.
 
Another requirement is that you must have WSA v8.0.4.46+ software running on your system.
 
Should you be interested in details, you may want to sign up for this webinar: http://bit.ly/1b0f8Al
 
PS. We are going to test the remediation process in our lab this week with some CryptoLocker sample.....
 
 
