Results 1 to 15 of 120
  1. #1 iNET Interactive (Join Date Jan 2011; Location Seattle, WA; Posts 682; Thanks 11; Thanked 65 Times in 51 Posts)

    CryptoLocker: A particularly pernicious virus

    TOP STORY

    By Susan Bradley

    Online attackers are using encryption to lock up our files and demand a ransom — and AV software probably won't protect you.

    Here are ways to defend yourself from CryptoLocker — pass this information along to friends, family, and business associates.

    The full text of this column is posted at http://windowssecrets.com/top-story/...nicious-virus/ (opens in a new window/tab).

    Columnists typically cannot reply to comments here, but do incorporate the best tips into future columns.


  3. #2 MrBuckingham, New Lounger (Join Date Jun 2010; Location UK; Posts 23; Thanks 0; Thanked 4 Times in 3 Posts)
    There's also "CryptoPrevent" which automates these policy changes and also works for non-pro/business editions of Windows, available at FoolishIT:

    http://www.foolishit.com/vb6-projects/cryptoprevent/

    As mentioned, users should make sure they have image/data backups before implementing any changes.


  5. #3 gregwh, Lounger (Join Date Apr 2010; Location Katoomba NSW Australia; Posts 38; Thanks 0; Thanked 7 Times in 3 Posts)
    I have to say that I am astounded at this column. I encountered the same virus/whatever called Cryptolocker about 3 weeks ago. I know it has been out a fair long time. I got rid of it easily in under an hour. Admittedly I work "in the trenches", meaning that I do PC build/repair/delouse as most of my daily job, so I do come into contact with viruses on other people's machines OFTEN. Cryptolocker was relatively easy to remove to be honest, using the usual tools, and didn't require a real lot of time or effort on my part. As a result, the files that were supposedly to be locked soon were not locked.

    I suggest to anyone reading my reply who wants to try this out for themselves: infect your own test machine with Cryptolocker, kill the task, then use your favourite kill technique first, then just run MBAM for a second backup and follow up with a DECENT antivirus such as a trial Sophos or free AVG, and it is gone and no need to worry. My personal first line of attack is one that may well kill off your Windows if you don't know what you are doing well enough, so I hesitate to mention it here, but there are plenty of such programs available on the net without having to mention it, so try looking up. Sophos removal tool is good enough to get rid of it. It *IS* important to kill the Cryptolocker task BEFORE doing anything else though. I suppose it depends on variants that may come up in the future, but you could either start in Safe mode (may not help if a variant takes that into account) or even use HijackThis to delete the entry for it to begin with after first killing the task, then reboot if you feel the need or just proceed on with getting rid of it.

    Also, I realise some of you may tell me I am telling BS. I can only say to you that I am not. If you want to try it yourself, go for it. Like I said, it is important to kill the task before doing anything else. After that, all is simple with the right removal tools and a follow-up MBAM scan, then a follow-up DECENT antivirus scan after that.

  6. #4 MrBuckingham, New Lounger (Join Date Jun 2010; Location UK; Posts 23; Thanks 0; Thanked 4 Times in 3 Posts)
    gregwh - I don't really see what there is to be astounded about. Many readers don't work "in the trenches" and so wouldn't have your knowledge/expertise. They wouldn't know, for example, about the importance of killing the task before carrying out any other action that you speak of. In any case, prevention has always to be better than cure, no?

    I would also point readers to the following page:

    http://www.bleepingcomputer.com/viru...#cryptoprevent

    written by Lawrence Abrams on October 14, 2013

    in particular:

    "Is it possible to decrypt files encrypted by CryptoLocker?
    Unfortunately at this time there is no way to retrieve the private key that can be used to decrypt your files. Brute forcing the decryption key is not realistic due to the length of time required to break the key. Also any decryption tools that have been released by various companies will not work with this infection."
    Last edited by MrBuckingham; 2013-10-23 at 21:19.

  7. #5 bobprimak, Lounge VIP (Join Date Feb 2009; Location Hinsdale, IL, USA; Posts 2,298; Thanks 138; Thanked 112 Times in 96 Posts)
    Quote Originally Posted by MrBuckingham View Post
    "Is it possible to decrypt files encrypted by CryptoLocker?

    Unfortunately at this time there is no way to retrieve the private key that can be used to decrypt your files. Brute forcing the decryption key is not realistic due to the length of time required to break the key. Also any decryption tools that have been released by various companies will not work with this infection."
    Indications are that any removal, even if successful, would still leave the files encrypted. So what have we accomplished by removing the infection? Our data would still be lost.

    This is yet another wake-up call to do regular data backups. Unlike system image backups, which can be done once a month for many home users, data backup or cloud synchronizing must be done daily or more often, to prevent significant data loss when (not if) Windows once again shows its inherent insecurities in novel and as yet unpreventable ways.

    This infection is not unpreventable. It is as yet only socially engineered. Due diligence in not trusting emails from even known correspondents if the emails are unexpected, and not downloading and installing codecs from just anywhere, as well as the usual warnings not to click on just anything on the Web, should suffice to prevent acquiring this infection. It is not known to be transmitted as a drive-by download -- yet.

    Personally, I have been running Windows since Windows 95SE, and have NEVER gotten bitten by Fake Antivirus, Ransomware or any encryption malware of any kind. I do not believe this is any different from the many previous virus warnings circulated in the tech press. It seems the only new wrinkle is that some of the emails appear to come from legitimate companies with which the user has done business. And I'd bet that pre-screening any embedded links would reveal their bogus nature to even untrained eyes.

    Unfortunately, those who could benefit most from this thread and the article are the very Windows users who never look at a tech article or visit a tech forum. These Computer As Appliance users will always be sheep ripe for the fleecing.

    Personally, I prefer to avoid this and other Windows alarm calls by doing something not everyone would choose to do. I run Linux almost exclusively for my Web activities these days. I don't get Netflix, but most every other Web site and Web App seems to work. (Ubuntu 13.04 Raring, 64-bit)

    Linux does not run downloaded executables from most areas of the Home or Root Directories, nor from most Temp locations. The user Desktop can harbor executables, especially scripts, but for these to run as Root would need a password login. User Data (such as it is under Linux) does not normally run executions either. The act of file encryption would require a Root Login with a password. Elevation of privileges under Linux is not as easy as it is under Windows. No wonder malware writers don't target Linux!
    Last edited by bobprimak; 2013-10-24 at 02:40.
    -- Bob Primak --

  8. #6 MrBuckingham, New Lounger (Join Date Jun 2010; Location UK; Posts 23; Thanks 0; Thanked 4 Times in 3 Posts)
    Quote Originally Posted by bobprimak View Post
    Indications are that any removal, even if successful, would still leave the files encrypted. So what have we accomplished by removing the infection? Our data would still be lost.
    Exactly - though gregwh's post would seem to suggest that there's a point in time where CryptoLocker announces its presence, but has not at that point encrypted any files:

    Quote Originally Posted by gregwh View Post
    As a result, the files that were supposedly to be locked soon were not locked.
    One would think it would encrypt files before popping up, rather than warn of impending encryption (affording the user the opportunity to kill the process).

  9. #7 Dominicf, New Lounger (Join Date Oct 2013; Posts 21; Thanks 1; Thanked 2 Times in 2 Posts)
    CryptoPrevent (currently at v2.2) seems like a very simple (to use) and elegant preventative solution - and free. Has anyone used this with success? Shame that he doesn't provide an md5sum to verify the download...

    Re taking frequent backups, isn't there a danger that a backup will happen while CryptoLocker is doing its nasty work, so you end up overwriting a previous good backup with locked versions of some of your files?

    I heard that some antivirus software does spot and delete CryptoLocker-infected emails, but others have been infected despite having AV software (including Avast, which I use).

  10. #8 Banyarola, Silver Lounger (Join Date Dec 2009; Location Big Indian, New York; Posts 1,854; Thanks 7; Thanked 63 Times in 52 Posts)
    I thought the whole purpose of un-installing JAVA was to prevent these types of attacks...

    Does this mean if JAVA is uninstalled you are still susceptible to this type of attack ???
    "If You Are Reading This In English, Thank A VET"

  11. #9 MrBuckingham, New Lounger (Join Date Jun 2010; Location UK; Posts 23; Thanks 0; Thanked 4 Times in 3 Posts)
    Quote Originally Posted by Dominicf View Post
    CryptoPrevent (currently at v2.2) seems like a very simple (to use) and elegant preventative solution - and free. Has anyone used this with success? Shame that he doesn't provide an md5sum to verify the download...
    I was happy to use it as Lawrence Abrams at bleepingcomputer recommends it.

    Quote Originally Posted by Dominicf View Post
    Re taking frequent backups, isn't there a danger that a backup will happen while CryptoLocker is doing its nasty work, so you end up overwriting a previous good backup with locked versions of some of your files?
    I think that's a very real danger. I guess the only way to protect against that is to keep X number of backups (however many your storage allows). Actually, the way I understand it, CryptoLocker could also encrypt backup files anyway - even if they're stored on external drives/NASes - so maybe we need to get out those blank DVDs/Blu-ray disks.

    Quote Originally Posted by Banyarola View Post
    I thought the whole purpose of un-installing JAVA was to prevent these types of attacks...

    Does this mean if JAVA is uninstalled you are still susceptible to this type of attack ???
    Take a look at the bleepingcomputer link I posted previously - that'll tell you how it's spread - but no, uninstalling JAVA doesn't help in this case.

  12. #10 Dominicf, New Lounger (Join Date Oct 2013; Posts 21; Thanks 1; Thanked 2 Times in 2 Posts)
    Quote Originally Posted by MrBuckingham View Post
    I was happy to use it as Lawrence Abrams at bleepingcomputer recommends it.
    Thanks I will probably do the same.

    Re backups, at our office we do onsite and then offsite backup of data files using rdiff-backup and rsync (using a wrapper software package/instructions I wrote called TimeDicer). The backup machine runs Linux and the Windows clients connect using ssh (plink.exe), so the backup machine should be safe from CryptoLocker. Of course, encrypted files might be backed up, but as it keeps all versions, the previous unencrypted files should be recoverable.

    Still it is obviously better to avoid the infection!

    Edit: For anyone else, the md5sum of my copy of CryptoPreventSetup.exe (v2.2, the installer version) is ffff9031a306b9b644b3155603093205. I've now installed it, will of course post here if I have any problems...
    Last edited by Dominicf; 2013-10-24 at 07:14. Reason: add md5sum
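    A pre-backup sanity check that addresses the worry raised earlier in the thread (a backup job copying freshly encrypted files over good ones) and complements the versioned approach described in this post. It is an added example, not code from any poster, TimeDicer or rdiff-backup: it compares the last good snapshot with the current one and refuses to proceed when a large share of files that were low-entropy documents have turned into high-entropy content. The snapshots, thresholds and the chained-SHA-256 bytes standing in for ciphertext are all constructed for illustration.

```python
import hashlib
import math
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for random or encrypted bytes, far lower for documents."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def pseudo_random(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic high-entropy bytes standing in for ciphertext (constructed test data)."""
    out = b""
    while len(out) < n:
        seed = hashlib.sha256(seed).digest()
        out += seed
    return out[:n]

def assess_backup(previous, current, entropy_threshold=7.5, max_flagged_ratio=0.25):
    """Return (safe, flagged_paths) for two snapshots mapping path -> file bytes.

    A path is flagged when it was low-entropy in the last good snapshot and is now
    different AND looks encrypted. Already-compressed files (JPEG, ZIP, DOCX) are
    high-entropy to begin with, so this heuristic cannot see them change; the
    decision rests on the flagged share of the remaining files."""
    flagged = []
    for path, old in previous.items():
        new = current.get(path)
        if new is None or new == old:
            continue
        if shannon_entropy(old) < entropy_threshold <= shannon_entropy(new):
            flagged.append(path)
    ratio = len(flagged) / len(previous) if previous else 0.0
    return ratio <= max_flagged_ratio, flagged

# Constructed snapshots: the last good backup and two possible "current" states.
LAST_GOOD = {
    "docs/report.txt": b"Quarterly report draft, plain text placeholder. " * 40,
    "docs/budget.csv": b"budget,2013,Q3,1200,1300,1250\n" * 40,
    "docs/notes.txt": b"Call the accountant about the invoice batch.\n" * 30,
    "photos/holiday.jpg": pseudo_random(2048, b"jpeg"),
}
NORMAL_EDIT = {**LAST_GOOD, "docs/notes.txt": LAST_GOOD["docs/notes.txt"] + b"Done.\n"}
AFTER_INFECTION = {p: pseudo_random(len(b), p.encode()) for p, b in LAST_GOOD.items()}

if __name__ == "__main__":
    for label, snap in (("normal edit", NORMAL_EDIT), ("after infection", AFTER_INFECTION)):
        safe, flagged = assess_backup(LAST_GOOD, snap)
        print(f"{label}: {'proceed' if safe else 'HALT'} {flagged}")
```

    Halting the job rather than skipping files keeps the last good generation intact until someone looks; a versioning backup such as the one described here still needs this kind of guard only because retention is finite.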

  13. #11 New Lounger (Join Date Dec 2009; Posts 3; Thanks 0; Thanked 0 Times in 0 Posts)
    The local security policy change as mentioned in the article is way too problematic. Many legitimate programs use local and roaming appdata locations for executables, including lots of Google programs (such as chrome and numerous update files). I certainly don't see "folks with solid IT savvy" doing either this or "application whitelisting" for themselves. For corporate environments, of course, whitelisting or locked-down desktops may be appropriate...
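    Before switching on a path-based restriction of the kind discussed here, a practitioner wants to know which legitimate executables already live under the profile locations it would block, since those are the programs that will need exception rules. The inventory below is an added example, not code from the article, CryptoPrevent or any poster; the extension list, the three environment variables it reads and the sample directory tree are assumptions constructed for illustration.

```python
import os
import tempfile
from collections import Counter

# Extensions treated as executable content for this inventory (assumed list).
EXEC_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js"}

def profile_roots() -> list:
    """The user-writable locations the discussed policy targets, when defined."""
    names = ("APPDATA", "LOCALAPPDATA", "TEMP")
    return [os.environ[n] for n in names if os.environ.get(n)]

def inventory_executables(roots, exts=EXEC_EXTS) -> list:
    """Walk each root and return (root, relative_path) for every file whose
    extension is in exts. Symlinks/junctions are not followed (os.walk default)."""
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if os.path.splitext(name)[1].lower() in exts:
                    rel = os.path.relpath(os.path.join(dirpath, name), root)
                    hits.append((root, rel))
    return sorted(hits)

def vendors_affected(hits) -> Counter:
    """Count hits by the first directory below the root (e.g. 'Google', 'Temp'),
    which is the unit an exception rule would usually be written for."""
    counts = Counter()
    for _root, rel in hits:
        parts = rel.split(os.sep)
        counts[parts[0] if len(parts) > 1 else "(top level)"] += 1
    return counts

def sample_tree() -> str:
    """Constructed directory tree standing in for a profile folder (test data only)."""
    base = tempfile.mkdtemp(prefix="appdata_sample_")
    for rel in ("Google/Chrome/Application/chrome.exe", "Google/Update/GoogleUpdate.exe",
                "Temp/7zExtract/cleanup.exe", "Temp/readme.txt", "Notes/todo.txt", "updater.bat"):
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "wb").close()
    return base

if __name__ == "__main__":
    found = inventory_executables(profile_roots())
    for vendor, n in vendors_affected(found).most_common():
        print(f"{n:4d}  {vendor}")
```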

  14. #12 Ray Van Dune, New Lounger (Join Date Oct 2013; Posts 1; Thanks 0; Thanked 0 Times in 0 Posts)
    "(Windows Home Premium doesn't support Group or Local policies, so none of the following settings changes is supported.)"

    Does this mean that Windows 7 Home Premium has no ability to apply policies to guard against CryptoLocker?

  15. #13 Dominicf, New Lounger (Join Date Oct 2013; Posts 21; Thanks 1; Thanked 2 Times in 2 Posts)
    Quote Originally Posted by Ray Van Dune View Post
    Does this mean that Windows 7 Home Premium has no ability to apply policies to guard against CryptoLocker?
    CryptoPrevent claims to work fine with 'Home' versions and even with XP, because it bypasses the Group Policy Editor.

    One small example I have found of a non-functioning legitimate program after applying CryptoPrevent is that the latest Avast's 'Browser Cleanup' tool fails - this is because it works by extracting the executable tool from a 7z archive in %TEMP% and then running it, which the new policies do not allow. At least it proves that the policies are working.

  16. #14 SF99, Lounger (Join Date Dec 2011; Posts 47; Thanks 48; Thanked 1 Time in 1 Post)
    Just a quick heads-up:

    I just checked the file CryptoPrevent.ZIP with "Virus Total".

    Seems clean at first, BUT the SUCURI Web Site Check (see the "Additional Information" tab of "Virus Total") lists the author site of CryptoPrevent.ZIP ("foolishit.com") as: "possibly HIJACKED".

    Here's the SUCURI link with the report:
    http://sitecheck.sucuri.net/results/www.foolishit.com

    Could be a false positive, but I wouldn't be surprised if the baddies are already targeting the author's site offering this apparently free & easy preventive utility.

    So... I'm not installing this utility yet... wish I could.
    Any other opinions on this?
    Last edited by SF99; 2013-10-24 at 09:35.

  17. #15 New Lounger (Join Date Oct 2013; Posts 3; Thanks 0; Thanked 0 Times in 0 Posts)
    I think I may have had the virus because I was getting the Excel message. Luckily I rely on Libre Office and nothing I created was affected. Open Source is usually the solution. None of the extensions listed in the article are Libre Office extensions. Because of a problem with my sound system on Windows 7 (I could not play music or watch HBOGO on Firefox and games had no music) I reformatted my computer. Different forums said I had a virus, but I could not find it using various programs. Everything is sort of back to normal. One of these days Adobe is going to realize Linux runs their servers and they should program things like Shockwave to work on Linux computers.
