#1 Mike Dee (Lounger, joined Jan 2011)

    [moved] Malware - Cryptolocker

    Hi.

    Am I right in saying that malware such as Cryptolocker makes changes to the files when encrypting them?

    I ask this as I usually back up files to an external drive - and every once in a while copy new and changed files to the external drive.

    In copying the files, I use a program that compares file structure and date of modification against existing files on the external drive.

    Thus, if my above assumption is correct, an old JPG (or any type of file affected by the malware file) would show up as having been changed - and so would indicate the presence of such malware.

    FYI - I note that Windows Indexing sometimes makes these changes - and have therefore turned Indexing off.

    Please advise

    Many thanks

    Mike
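
The check the original poster describes (copy tool compares dates against the external drive) can be made stronger by also comparing a content hash and the byte entropy of each file. The script below is an added example, not code from the thread or any poster: it records size, mtime, SHA-256 and Shannon entropy per file, then on a later run classifies each difference. A file whose hash changed but whose mtime did not is exactly the case a date-only comparison misses (some encryptors put the original timestamp back); a file that turned into near-random bytes is what encryption looks like on disk. The directory layout, the 7.5 bits/byte threshold and the two demo files are assumptions made for the example.

```python
"""Baseline-and-compare check for files rewritten behind your back.
Added example, not from the thread. Per file it keeps size, mtime, SHA-256
and byte entropy, so a second run can separate an honest edit (content and
mtime changed) from a silent rewrite (content changed, mtime kept) and flag
files that turned into near-random bytes. Threshold and demo files are
assumptions chosen for the example.
"""
import hashlib
import json
import math
import os
import tempfile
from pathlib import Path

ENTROPY_SUSPECT = 7.5  # bits per byte; encrypted or compressed data sits near 8.0


def sha256_and_entropy(path):
    """Return (hex SHA-256, Shannon entropy in bits/byte) of a file's bytes."""
    h = hashlib.sha256()
    counts = [0] * 256
    total = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
            for b in chunk:
                counts[b] += 1
            total += len(chunk)
    entropy = 0.0
    for c in counts:
        if c:
            p = c / total
            entropy -= p * math.log2(p)
    return h.hexdigest(), entropy


def snapshot(root):
    """Record size, mtime, hash and entropy for every file under root."""
    root = Path(root)
    snap = {}
    for p in root.rglob("*"):
        if p.is_file():
            st = p.stat()
            digest, ent = sha256_and_entropy(p)
            snap[p.relative_to(root).as_posix()] = {
                "size": st.st_size, "mtime_ns": st.st_mtime_ns,
                "sha256": digest, "entropy": round(ent, 3)}
    return snap


def compare(baseline, current):
    """Classify differences between two snapshots (see module docstring)."""
    report = {"modified": [], "silently_rewritten": [], "now_high_entropy": [],
              "new": [], "missing": []}
    for rel, cur in current.items():
        old = baseline.get(rel)
        if old is None:
            report["new"].append(rel)
            continue
        if cur["sha256"] == old["sha256"]:
            continue  # unchanged content; mtime noise (e.g. indexing) is ignored
        if cur["mtime_ns"] == old["mtime_ns"]:
            report["silently_rewritten"].append(rel)  # date-only sync misses this
        else:
            report["modified"].append(rel)
        if cur["entropy"] >= ENTROPY_SUSPECT > old["entropy"]:
            report["now_high_entropy"].append(rel)
    report["missing"] = [rel for rel in baseline if rel not in current]
    return report


def demo():
    """Constructed scenario: one honest edit, one encrypt-and-restore-mtime."""
    root = Path(tempfile.mkdtemp(prefix="cryptocheck_"))
    (root / "notes.txt").write_text("shopping list\n" * 50)
    (root / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"JFIF sample " * 200)
    baseline = snapshot(root)

    # Honest edit: content changes and mtime moves forward. The mtime is bumped
    # explicitly so the demo does not depend on filesystem timestamp resolution.
    n = root / "notes.txt"
    st = n.stat()
    n.write_text("shopping list\nplus milk\n" * 50)
    os.utime(n, ns=(st.st_atime_ns, st.st_mtime_ns + 10**9))

    # Simulated encryptor: overwrite with random bytes, then put the original
    # mtime back. A date-based copy tool would not pick this file up at all.
    p = root / "photo.jpg"
    st = p.stat()
    p.write_bytes(os.urandom(st.st_size))
    os.utime(p, ns=(st.st_atime_ns, st.st_mtime_ns))

    return compare(baseline, snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

In practice you would run `snapshot()` over the live data, store the result with `json.dump` on the external drive while it is connected, and run `compare()` against the stored copy before the next sync; anything in `silently_rewritten` or `now_high_entropy` is a reason to stop and investigate rather than copy. The hash comparison also removes the false alarms the poster mentions from Windows Indexing touching timestamps, because only a content change counts.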

#2 Sudo15 (Super Moderator, Durham UK, joined Aug 2012)
    You would know about it if you were infected with Cryptolocker as you would get a ransom demand pop-up, but you are doing the right thing by backing up to an external HDD.

    I create a full system image so that all files are backed up, which is the only sure way of combatting any Ransomware.

#3 Mike Dee (Lounger, joined Jan 2011)
    Quote Originally Posted by Sudo15 View Post
    You would know about it if you were infected with Cryptolocker as you would get a ransom demand pop-up, but you are doing the right thing by backing up to an external HDD.

    I create a full system image so that all files are backed up, which is the only sure way of combatting any Ransomware.
    ---------

    Hi Sudo15.

    Thanks for your reply.

    The way I understand it is that it takes a few days for the files to be encrypted - before the ransom demand comes in.

    Also, I believe that the encryption used is such that some affected files CAN be used (creating a false sense of security).

    But surely these infected files would show up when comparing files that I definitely haven't altered?

    BTW - I just realised that there is a Malware / Security section in the forum, so I will be reposting this in that section.

    Many thanks

    Mike

#4 satrow (Super Moderator, Cardiff, UK, joined Dec 2009)
    Moved to the Security section, Mike

#5 Mike Dee (Lounger, joined Jan 2011)
    Thanks Satrow - I had already reposted it in the Security section when I became aware of its existence.

    All the best

    Mike

#6 satrow (Super Moderator, Cardiff, UK, joined Dec 2009)
    No worries, Mike, if I can find a little free time today, I'll see what contribution I can make here.

#7 jwoods (Guest)
    A tutorial on Cryptolocker from Sophos...

    https://nakedsecurity.sophos.com/201...-and-recovery/

#8 satrow (Super Moderator, Cardiff, UK, joined Dec 2009)
    JW, that's pretty old, both the threat and potential defenses/backup techniques have changed since 2013.

#9 Fascist Nation (5 Star Lounger, Phoenix, AZ, joined Oct 2013)
    Yes, the files are encrypted. It takes as long as it takes, but I suspect it takes only a few minutes before it completes its nasty and then blocks off your screen. Cryptolocker has already been hacked with the fix posted (Project Tovak?) and its servers are down so you don't see it much any more. All the updated copycats are rather nastier (Cryptowall 3 in particular).

    Cryptolocker is still out there but in code grabbed by someone(s) and made to be a variant that is not responsive to the fix. It may not have touched shadow copies though.

    bleepingcomputers is generally the place to go for a running commentary on ransomware variants. I think Cryptolocker was up to 83 pages last I looked. Fun reading pointing out both how crude and how "sophisticated" some ransomware has become.

    Thanked by: Mike Dee (2015-05-06)

#10 jwoods (Guest)
    Quote Originally Posted by satrow View Post
    JW, that's pretty old, both the threat and potential defenses/backup techniques have changed since 2013.
    Of course...and there are variants.

    The premise of what Cryptolocker does is still the same, which is what the OP was asking about...

#11 BruceR (Super Moderator, New England, joined Jun 2011)
    every once in a while?

    Hoping that you happen to check for file content changes during the period that ransomware is actively encrypting your files doesn't seem like much of a prevention method.

    And if your external drive with file backup copies remains usually connected, it's highly likely that your file backup copies would also have been encrypted by the ransomware.

    Bruce

    Thanked by: Fascist Nation (2015-05-06), satrow (2015-05-05)

#12 Mike Dee (Lounger, joined Jan 2011)
    Many thanks for the useful link

#13 Mike Dee (Lounger, joined Jan 2011)
    Bruce R

    Yes, every once in a while! I probably add/delete about 100 files a week. Only about a dozen files are really important and I save these on a small thumbdrive on a daily basis.

    And no, the external drive and thumbdrive do not remain connected all the time. Only when needed.

    In any case, thanks for your observations.

#14 Mike Dee (Lounger, joined Jan 2011)
    So basically, it seems I'm on the right track with the file comparison program.

    And if the computer freezes, I guess that restoring a system drive disk image will get it up and running again - unless the malware hides in some other partition.

    Would appreciate any comments.

    Thanks

    Mike

#15 Calimanco (WS Lounge VIP, UK, joined Dec 2009)
    CryptoPrevent is a useful utility to have as it protects against most variants. It's necessary to update it regularly, however, to avoid falling behind.

    http://www.foolishit.com/vb6-projects/cryptoprevent/

    Thanked by: Mike Dee (2015-05-06)
