• CryptoLocker: A particularly pernicious virus



    TOP STORY


    CryptoLocker: A particularly pernicious virus

    By Susan Bradley

    Online attackers are using encryption to lock up our files and demand a ransom — and AV software probably won’t protect you.

    Here are ways to defend yourself from CryptoLocker — pass this information along to friends, family, and business associates.


    The full text of this column is posted at http://windowssecrets.com/top-story/cryptolocker-a-particularly-pernicious-virus/

    Columnists typically cannot reply to comments here, but do incorporate the best tips into future columns.
    • #1418639

      There’s also “CryptoPrevent” which automates these policy changes and also works for non-pro/business editions of Windows, available at FoolishIT:

      http://www.foolishit.com/vb6-projects/cryptoprevent/

      As mentioned, users should make sure they have images/data backups before implementing any changes

    • #1418640

      I have to say that I am astounded at this column. I encountered the same virus/whatever called Cryptolocker about 3 weeks ago. I know it has been out a fair long time. I got rid of it easily in under an hour. Admittedly I work “in the trenches”, meaning that I do PC build/repair/delouse as most of my daily job, so I do come into contact with viruses on other people’s machines OFTEN. Cryptolocker was relatively easy to remove, to be honest, using the usual tools and didn’t require a real lot of time or effort on my part. As a result, the files that were supposedly going to be locked soon were not locked.

      I suggest to anyone reading my reply who wants to try this out for themselves: infect your own test machine with Cryptolocker, kill the task, then use your favourite kill technique first, then just run MBAM for a second backup and follow up with a DECENT antivirus such as a trial Sophos or free AVG, and it is gone and no need to worry. My personal first line of attack is one that may well kill off your Windows if you don’t know what you are doing well enough, so I hesitate to mention it here, but there are plenty of such programs available on the net without having to mention it, so try looking up. Sophos removal tool is good enough to get rid of it. It *IS* important to kill the Cryptolocker task BEFORE doing anything else though. I suppose it depends on variants that may come up in the future, but you could either start in Safe mode (may not help if a variant takes that into account) or even use HijackThis to delete the entry for it to begin with after first killing the task, then reboot if you feel the need or just proceed on with getting rid of it.

      Also, I realise some of you may tell me I am telling BS. I can only say to you that I am not. If you want to try it yourself, go for it. Like I said, it is important to kill the task before doing anything else. After that, all is simple with the right removal tools and a follow-up MBAM scan, then a follow-up DECENT antivirus scan after that.

      • #1418837

        I agree that it is fairly easy to remove, and if you have a good backup, you’re golden. But the virus does not announce its presence until it encrypts every targeted file it can access, and if you don’t have a backup, removing the virus puts you at risk of never recovering your data.

      • #1418841

        I have been seeing it blow past antivirus as it’s been morphing and changing. You can’t remove the damage once it’s encrypted the files. By the time you’ve noticed the damage, the damage is already done and files are encrypted. I would not suggest anyone actively attempt to infect themselves to try this out.

        In a small network setting it will seek out mapped drives and encrypt files on the network share as well. This is not trivial, it’s impacted many people and firms and has caused hours of clean up.

      • #1424846

        GregWH,

        I confess to not working in the trenches. Please tell me how to kill the process. Is this the cryptolocker process? Would MBAM and Norton Antivirus be a good combination?

        Please explain the following: I suppose it depends on variants that may come up in the future but you could either start in Safe mode (may not help if a variant takes that into account) or even use HijackThis to delete the entry for it to begin with after first killing the task then reboot if you feel the need or just proceed on with getting rid of it.

        What is the reason for starting in Safe Mode? Also, just what does … or even use HijackThis to delete the entry for it to begin with after first killing the task …. mean?

        Thank you for explaining this to me. I didn’t grow up with computers and sometimes find them to be mysterious.

        Charles

    • #1418641

      gregwh - I don’t really see what there is to be astounded about. Many readers don’t work “in the trenches” and so wouldn’t have your knowledge/expertise. They wouldn’t know, for example, about the importance of killing the task before carrying out any other action that you speak of. In any case, prevention always has to be better than cure, no?

      I would also point readers to the following page:

      http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information#cryptoprevent

      written by Lawrence Abrams on October 14, 2013

      in particular:

      “Is it possible to decrypt files encrypted by CryptoLocker?
      Unfortunately at this time there is no way to retrieve the private key that can be used to decrypt your files. Brute forcing the decryption key is not realistic due to the length of time required to break the key. Also any decryption tools that have been released by various companies will not work with this infection”.

    • #1418652

      “Is it possible to decrypt files encrypted by CryptoLocker?

      Unfortunately at this time there is no way to retrieve the private key that can be used to decrypt your files. Brute forcing the decryption key is not realistic due to the length of time required to break the key. Also any decryption tools that have been released by various companies will not work with this infection”.

      Indications are that any removal, even if successful, would still leave the files encrypted. So what have we accomplished by removing the infection? Our data would still be lost.

      This is yet another wake-up call to do regular data backups. Unlike system image backups, which can be done once a month for many home users, data backup or cloud synchronizing must be done daily or more often, to prevent significant data loss when (not if) Windows once again shows its inherent insecurities in novel and as yet unpreventable ways.

      This infection is not unpreventable. It is as yet only socially engineered. Due diligence in not trusting emails from even known correspondents if the emails are unexpected, and not downloading and installing codecs from just anywhere, as well as the usual warnings not to click on just anything on the Web, should suffice to prevent acquiring this infection. It is not known to be transmitted as a drive-by download — yet.

      Personally, I have been running Windows since Windows 95SE, and have NEVER gotten bitten by Fake Antivirus, Ransomware or any encryption malware of any kind. I do not believe this is any different from the many previous virus warnings circulated in the tech press. It seems the only new wrinkle is that some of the emails appear to come from legitimate companies with which the user has done business. And I’d bet that pre-screening any embedded links would reveal their bogus nature to even untrained eyes.

      Unfortunately, those who could benefit most from this thread and the article are the very Windows users who never look at a tech article or visit a tech forum. These Computer As Appliance users will always be sheep ripe for the fleecing.

      Personally, I prefer to avoid this and other Windows alarm calls by doing something not everyone would choose to do. I run Linux almost exclusively for my Web activities these days. I don’t get Netflix, but most every other Web site and Web App seems to work. (Ubuntu 13.04 Raring, 64-bit)

      Linux does not run downloaded executables from most areas of the Home or Root Directories, nor from most Temp locations. The user Desktop can harbor executables, especially scripts, but for these to run as Root would need a password login. User Data (such as it is under Linux) does not normally run executions either. The act of file encryption would require a Root Login with a password. Elevation of privileges under Linux is not as easy as it is under Windows. No wonder malware writers don’t target Linux!

      -- rc primak

    • #1418658

      Indications are that any removal, even if successful, would still leave the files encrypted. So what have we accomplished by removing the infection? Our data would still be lost.

      Exactly – though gregwh’s post would seem to suggest that there’s a point in time where CryptoLocker announces its presence, but has not at that point encrypted any files:

      As a result, the files that were supposedly to be locked soon, were not locked.

      One would think it would encrypt files before popping up, rather than warn of impending encryption (affording the user the opportunity to kill the process).

    • #1418661

      CryptoPrevent (currently at v2.2) seems like a very simple (to use) and elegant preventative solution – and free. Has anyone used this with success? Shame that he doesn’t provide an md5sum to verify the download…

      Re taking frequent backups, isn’t there a danger that a backup will happen while CryptoLocker is doing its nasty work, so you end up overwriting a previous good backup with locked versions of some of your files?

      I heard that some antivirus software does spot and delete CryptoLocker-infected emails, others have been infected despite having av software (including Avast, which I use).

      • #1418748

        CryptoPrevent (currently at v2.2) seems like a very simple (to use) and elegant preventative solution – and free. Has anyone used this with success? Shame that he doesn’t provide an md5sum to verify the download…

        Re taking frequent backups, isn’t there a danger that a backup will happen while CryptoLocker is doing its nasty work, so you end up overwriting a previous good backup with locked versions of some of your files?

        I heard that some antivirus software does spot and delete CryptoLocker-infected emails, others have been infected despite having av software (including Avast, which I use).

        I don’t overwrite or append data backups. I add new copies until about a month, or until the older backups become obsolete. Then I delete the oldest copies first.

        -- rc primak

    • #1418669

      I thought the whole purpose of un-installing JAVA was to prevent these types of attacks…

      Does this mean if JAVA is uninstalled you are still susceptible to this type of attack ???

      • #1418849

        I thought the whole purpose of un-installing JAVA was to prevent these types of attacks…

        Does this mean if JAVA is uninstalled you are still susceptible to this type of attack ???

        Yes. Its primary means of infection is hiding an exe inside a zip file attachment that someone opens up.

    • #1418676

      CryptoPrevent (currently at v2.2) seems like a very simple (to use) and elegant preventative solution – and free. Has anyone used this with success? Shame that he doesn’t provide an md5sum to verify the download…

      I was happy to use it as Lawrence Abrams at bleepingcomputer recommends it.

      Re taking frequent backups, isn’t there a danger that a backup will happen while CryptoLocker is doing its nasty work, so you end up overwriting a previous good backup with locked versions of some of your files?

      I think that’s a very real danger. I guess the only way to protect against that is to keep X number of backups (however many your storage allows). Actually, the way I understand it, CryptoLocker could also encrypt backup files anyway – even if they’re stored on external drives/NASes – so maybe we need to get out those blank DVDs/Blu-ray disks.

      I thought the whole purpose of un-installing JAVA was to prevent these types of attacks…

      Does this mean if JAVA is uninstalled you are still susceptible to this type of attack ???

      Take a look at the bleepingcomputer link I posted previously – that’ll tell you how it’s spread – but no, uninstalling JAVA doesn’t help in this case.

      • #1418677

        I was happy to use it as Lawrence Abrams at bleepingcomputer recommends it.

        Thanks I will probably do the same.

        Re backups, at our office we do onsite and then offsite backup of data files using rdiff-backup and rsync (using a wrapper software package/instructions I wrote called TimeDicer). The backup machine runs Linux and the Windows clients connect using ssh (plink.exe) so the backup machine should be safe from CryptoLocker, of course encrypted files might be backed up but as it keeps all versions the previous unencrypted files should be recoverable.

        Still it is obviously better to avoid the infection!

        Edit: For anyone else, the md5sum of my copy of CryptoPreventSetup.exe (v2.2, the installer version) is ffff9031a306b9b644b3155603093205. I’ve now installed it, will of course post here if I have any problems…

    • #1418683

      The local security policy change as mentioned in the article is way too problematic. Many legitimate programs use local and roaming appdata locations for executables, including lots of Google programs (such as chrome and numerous update files). I certainly don’t see “folks with solid IT savvy” doing either this or “application whitelisting” for themselves. For corporate environments, of course, whitelisting or locked-down desktops may be appropriate…

      • #1418688

        “(Windows Home Premium doesn’t support Group or Local policies, so none of the following settings changes is supported.)”

        Does this mean that Windows 7 Home Premium has no ability to apply policies to guard against CryptoLocker?

        • #1418689

          Does this mean that Windows 7 Home Premium has no ability to apply policies to guard against CryptoLocker?

          CryptoPrevent claims to work fine with ‘Home’ versions and even with XP, because it bypasses the Group Policy Editor.

          One small example I have found of a non-functioning legitimate program after applying CryptoPrevent is that the latest Avast’s ‘Browser Cleanup’ tool fails – this is because it works by extracting the executable tool from a 7z archive in %TEMP% and then running it, which the new policies do not allow. At least it proves that the policies are working.

          • #1418695

            I think I may have had the virus because I was getting the Excel message. Luckily I rely on Libre Office and nothing I created was affected. Open Source is usually the solution. None of the extensions listed in the article are Libre Office extensions. Because of a problem with my sound system on Windows 7 (I could not play music or watch HBOGO on Firefox and games had no music) I reformatted my computer. Different forums said I had a virus, but I could not find it using various programs. Everything is sort of back to normal. One of these days Adobe is going to realize Linux runs their servers and they should program things like Shockwave to work on Linux computers.

            • #1418742

              At the top of the article Susan wrote that the #1 way to get this virus is:

                  1) Via an email attachment. For example, you receive an email from a shipping company you do business with. Attached to the email is a .zip file. Opening the attachment launches a virus…

              Question: How does the simple act of opening a ZIP file (i.e. the attachment) launch a Virus ????

            • #1418744

              Question: How does the simple act of opening a ZIP file (i.e. the attachment) launch a Virus ????

              Good point, I don’t think it does? However an exe file may be disguised as a zip file, i.e. named Mydata.zip.exe, and in some email programs or with some Windows settings you may just see Mydata.zip?

            • #1418749

              Good point, I don’t think it does? However an exe file may be disguised as a zip file, i.e. named Mydata.zip.exe, and in some email programs or with some Windows settings you may just see Mydata.zip?

              Ever hear of a self-executing ZIP file? If not, read up on it. They’ve been around for awhile.

              -- rc primak

            • #1418759

              Ever hear of a self-executing ZIP file? If not, read up on it. They’ve been around for awhile.

              But not if they just have a .zip extension, because then your OS will pass them as a parameter to your installed ‘unzip’ application. I can’t find info about ‘self-executing’ zip files but plenty about ‘self-extracting’ zip files – which I think will all have an executable extension such as ‘.exe’.

            • #1418761

              But not if they just have a .zip extension, because then your OS will pass them as a parameter to your installed ‘unzip’ application. I can’t find info about ‘self-executing’ zip files but plenty about ‘self-extracting’ zip files – which I think will all have an executable extension such as ‘.exe’.

              Yeah, self-extracting ZIP files. But upon extraction, an auto-run might possibly become active. Not sure this is possible, but apparently it has happened.

              -- rc primak

            • #1419029

              bobprimak – A self-executing ZIP file is an EXE file. As an attachment in Email it’s an EXE file. Apparently you haven’t read up on this!

            • #1418843

              At the top of the article Susan wrote that the #1 way to get this virus is:

                  1) Via an email attachment. For example, you receive an email from a shipping company you do business with. Attached to the email is a .zip file. Opening the attachment launches a virus…

              Question: How does the simple act of opening a ZIP file (i.e. the attachment) launch a Virus ????

              The zip file has an embedded exe file. It immediately launches and installs.

            • #1419006

              The zip file has an embedded exe file. It immediately launches and installs.

              Susan I remain puzzled as to how opening a ‘.zip’ file (whether from an email attachment or elsewhere) can auto-launch an embedded ‘.exe’ file – supposing that ‘.zip’ is the real extension, not that the ‘.exe’ real extension is hidden by Windows settings.

              If I double-click a zip file, or open it from email, it comes up inside 7-Zip (others may have a different program of course or just use Windows default unzipper). The contents of the zip file are extracted to a temporary folder by the application and are then visible in a file listing window for inspection. For a virus to get installed surely you then have to run a listed ‘.exe’ file inside there, if you just open the zip file, look at the contents and then go away you should still be safe IMO?

              I have googled and can’t find any examples of .zip files that autorun their contents when opened (though lots of course about self-extracting zip files which however have ‘.exe’ extension). Bottom line is that ‘.zip’ files are not applications so what happens when you open them depends upon the application to which they are passed as a parameter (which may be Windows itself). I can’t see that any such applications have an ‘autorun’ feature but I would certainly like to know about it if they have.

            • #1418758

              I think I may have had the virus because I was getting the Excel message. Luckily I rely on Libre Office and nothing I created was affected. Open Source is usually the solution. None of the extensions listed in the article are Libre Office extensions. Because of a problem with my sound system on Windows 7 (I could not play music or watch HBOGO on Firefox and games had no music) I reformatted my computer. Different forums said I had a virus, but I could not find it using various programs. Everything is sort of back to normal. One of these days Adobe is going to realize Linux runs their servers and they should program things like Shockwave to work on Linux computers.

              Actually, LibreOffice users do use Microsoft Office formats. When you receive a file from someone, chances are better than three in four that they are providing a MS Office formatted file. LibreOffice can read and edit and write these formats. So there are ways Open Source programs can get your computer infected with this malware. It isn’t difficult at all to imagine these scenarios.

              And LibreOffice is vulnerable to Java based attacks.

              -- rc primak

            • #1418892

              I wonder if the following could be a program which could defeat CryptoLocker. My programming skills are too old to write such a program but I bet a clever young person could.

              Each person would save a copy of a reasonably short program, e.g. a few kilobytes or longer. If CryptoLocker encrypts files, have this hypothetical program compare the encrypted file with the saved copy and extract the key.

              I realize that encryption is sophisticated these days but most research seems to concentrate on factoring large primes to extract a key. I am not talking about that at all. For example, an ancient encryption scheme, as I recall, was to EOR a file with a key. The result was pretty hard to decipher with brute force but an EOR with the two files would reproduce the key.

              Anyone who understands programs care to tell us whether or not this is hopeless?

              I realize that one has to have a ‘backup’ of the key file and one may argue that it is better to count on backup than recovery. However, very few of us are perfect on backups and it might be nice to have a way to recover those files that didn’t get backed up when CryptoLocker struck.

            • #1419487

              Anyone who understands programs care to tell us whether or not this is hopeless?

              Unless Cryptolocker uses truly incompetent cryptography mechanisms it is hopeless. Modern mechanisms are only slightly (if at all) more penetrable to before-and-after comparison attacks in terms of discovering the underlying keys than they are to brute-force attacks.
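              The question in #1418892 and the answer in #1419487, worked through in code (an added example, not from the original thread): the repeating-key XOR scheme the poster remembers does give up its whole key to a plaintext/ciphertext comparison, while a scheme whose keystream is derived from the key plus a per-file nonce gives up only that one file’s keystream, which decrypts nothing else. The nonce-based scheme here is a constructed SHA-256 stand-in, not CryptoLocker’s actual algorithm, and both sample files are constructed.

              ```python
              import hashlib
              import secrets

              # Constructed sample files: the "reasonably short program" the poster keeps a
              # clean copy of, and a second file the victim actually wants back.
              KNOWN_FILE = b"#!/bin/sh\necho 'canary program kept in the clear'\n" * 4
              SECRET_FILE = b"Quarterly figures: revenue 1234, costs 987, margin 20%.\n" * 4

              NONCE_LEN = 16


              def xor_bytes(a: bytes, b: bytes) -> bytes:
                  """XOR two byte strings, truncated to the shorter one."""
                  return bytes(x ^ y for x, y in zip(a, b))


              # --- the "ancient" scheme from the post: repeating-key XOR ------------------

              def repeating_key_xor(data: bytes, key: bytes) -> bytes:
                  """Encrypt (or decrypt) by XORing the data with the key repeated."""
                  stream = (key * (len(data) // len(key) + 1))[: len(data)]
                  return xor_bytes(data, stream)


              def recover_repeating_key(plaintext: bytes, ciphertext: bytes, key_len: int) -> bytes:
                  """The comparison the poster describes: plaintext XOR ciphertext gives the
                  keystream back, and with a repeating key the first key_len bytes of that
                  keystream are the entire key, reusable on every other file."""
                  return xor_bytes(plaintext, ciphertext)[:key_len]


              # --- a modern-style scheme: keystream from key + per-file nonce --------------
              # Constructed stand-in, NOT CryptoLocker's algorithm: keystream block i is
              # SHA-256(key || nonce || i), so each file gets its own keystream.

              def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
                  out = bytearray()
                  counter = 0
                  while len(out) < length:
                      out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
                      counter += 1
                  return bytes(out[:length])


              def nonce_encrypt(data: bytes, key: bytes) -> bytes:
                  """Fresh random nonce per file, prepended to the ciphertext."""
                  nonce = secrets.token_bytes(NONCE_LEN)
                  return nonce + xor_bytes(data, keystream(key, nonce, len(data)))


              def nonce_decrypt(blob: bytes, key: bytes) -> bytes:
                  nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
                  return xor_bytes(body, keystream(key, nonce, len(body)))


              def recover_keystream(plaintext: bytes, blob: bytes) -> bytes:
                  """Same comparison applied to the nonce-based scheme. It yields only this
                  file's keystream: hash output that does not reveal the key and that is
                  bound to this file's nonce."""
                  return xor_bytes(plaintext, blob[NONCE_LEN:])


              def attempt_cross_file_recovery(known_plain: bytes, known_blob: bytes,
                                              target_blob: bytes) -> bytes:
                  """Try the poster's idea end to end: apply the keystream recovered from the
                  known file to a different file encrypted under the same key."""
                  ks = recover_keystream(known_plain, known_blob)
                  return xor_bytes(target_blob[NONCE_LEN:], ks)


              def demo() -> tuple:
                  """Returns (legacy_scheme_broken, modern_scheme_broken)."""
                  # Legacy scheme: the comparison recovers the key and decrypts the other file.
                  legacy_key = b"s3cr3tk3y!"
                  found = recover_repeating_key(
                      KNOWN_FILE, repeating_key_xor(KNOWN_FILE, legacy_key), len(legacy_key))
                  legacy_broken = repeating_key_xor(
                      repeating_key_xor(SECRET_FILE, legacy_key), found) == SECRET_FILE

                  # Nonce-based scheme: the same comparison carries nothing over to file two.
                  key = secrets.token_bytes(32)
                  known_blob = nonce_encrypt(KNOWN_FILE, key)
                  target_blob = nonce_encrypt(SECRET_FILE, key)
                  guess = attempt_cross_file_recovery(KNOWN_FILE, known_blob, target_blob)
                  modern_broken = guess == SECRET_FILE
                  return legacy_broken, modern_broken


              if __name__ == "__main__":
                  print("repeating-key XOR broken by comparison: %s, nonce-based scheme: %s" % demo())
              ```
              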

            • #1419053

              I don’t use BitLocker and probably won’t. Would simply deleting this app prevent the problem? Win7 64 & 32 bit.

            • #1419072

              I don’t use BitLocker and probably won’t. Would simply deleting this app prevent the problem? Win7 64 & 32 bit.

              No. This has nothing to do with BitLocker.

              Bruce

            • #1424995

              By the way CryptoLocker apparently works, there’s no assurance that it will not encrypt all files kept online with the infected computer. So, for home users, it would mean that you should not let an external HD stay connected after imaging or backing up files, which would mean that automatic backups couldn’t be done. Also, that backing up files on a network isn’t safe either.

        • #1418690

          Just a quick heads-up:

          I just checked the file:
          CryptoPrevent.ZIP with “Virus Total”.

          Seems clean at first,
          BUT the SUCURI Web Site Check,
          (see the “Additional Information” Tab of “Virus Total”),
          lists the author site of CryptoPrevent.ZIP (“foolishit.com”),
          as: possibly HIJACKED.

          Here’s the SUCURI Link with the report:
          http://sitecheck.sucuri.net/results/www.foolishit.com

          Could be a false positive,
          but I wouldn’t be surprised if the baddies
          are already targeting the author’s site
          offering this apparently free & easy, preventive utility.

          So…I’m not installing this utility yet …wish I could.
          Any other opinions on this?

          • #1418701

            I have a dual boot machine with Windows 7 & Windows 8, each on a separate hard drive. On the Windows 8 machine, if I try to open an Excel file on the Win 7 hard disk I get “Excel cannot open the file [filename] because the file format or file extension is not valid,” which seems to suggest that the virus is on the machine. However, if I copy the file over to the Win 8 machine then there is no problem opening it! I can open all Office files that are on the Win 8 hard disk but none that are on the Win 7 disk.

            On Win 7 there is no problem opening any Office file on either hard disk.

            So, is the virus on my machine or not?

            I have run the Microsoft Safety Scanner on both machines and it came up with nothing!

            I am beginning to wonder if the blog’s claim “This problem has been confirmed to be caused by malware on the affected machine” is a lot of nonsense.

            • #1418724

              On the Windows 8 machine, if I try to open an Excel file on the Win 7 hard disk I get “Excel cannot open the file [filename] because the file format or file extension is not valid,” which seems to suggest that the virus is on the machine. However, if I copy the file over to the Win 8 machine then there is no problem opening it! I can open all Office files that are on the Win 8 hard disk but none that are on the Win 7 disk. On Win 7 there is no problem opening any Office file on either hard disk.

              What reason is there to think that this is a CryptoLocker issue? If files had been locked by CryptoLocker you wouldn’t be able to open them from anywhere… IMO it is more likely to be something a bit wrong (not necessarily virus-related) with the Windows 8 setup, or with the format of the Windows 7 hard disk.

            • #1418726

              What reason is there to think that this is a CryptoLocker issue? If files had been locked by CryptoLocker you wouldn’t be able to open them from anywhere… IMO it is more likely to be something a bit wrong (not necessarily virus-related) with the Windows 8 setup, or with the format of the Windows 7 hard disk.

              Or a permissions issue wrongly interpreted by Excel, sure doesn’t feel like CryptoLocker.

            • #1418751

              Or a permissions issue wrongly interpreted by Excel, sure doesn’t feel like CryptoLocker.

              Or an Ownership issue. I run into these when trying to access user-owned data files from across partitions or disks or machines.

              -- rc primak

            • #1418763

              Or an Ownership issue. I run into these when trying to access user-owned data files from across partitions or disks or machines.

              If this was a permission or ownership issue then why am I getting “Excel cannot open the file [filename] because the file format or file extension is not valid” message instead of something like you don’t have permission to open this file?

        • #1419409

          ”(Windows Home Premium doesn’t support Group or Local policies, so none of the following settings changes is supported.)”

          Does this mean that Windows 7 Home Premium has no ability to apply policies to guard against CryptoLocker?

          There are registry equivalents for Group Policy settings.
          http://www.microsoft.com/en-us/download/details.aspx?id=25250

          You can also install the Gpedit for these versions.
          http://www.askvg.com/how-to-enable-group-policy-editor-gpedit-msc-in-windows-7-home-premium-home-basic-and-starter-editions/
          http://drudger.deviantart.com/art/Add-GPEDIT-msc-215792914

          I’ve never bothered to do this, but now seems like a good time.

          • #1419411

            I made a YouTube video going over the steps of installing and using the CryptoPrevent tool. I installed it on an XP VM and it seemed to do what it claimed. I have had several customers hit with this virus, 2 didn’t have backups and lost everything, one had a good backup and I was able to restore their files.

            • #1419463

              I have installed CryptoPrevent 2.2.1 on my Vista machine and it seems to be working according to the test button on the software. I also run EMET v3 and was wondering if anyone knows if that alone would prevent the installation of CryptoLocker?

            • #1419485

              Talking about protective GPO, I’ve been using the following on a W2003 and W2008 Remote Desktop Server Farm:

              To regular users, the domain GPO is set to disallow everything, except
              %windir%,
              %ProgramFiles%,
              %ProgramFiles(x86)%
              Plus a few login scripts.

              The trick is to remove lnk (i.e. shortcuts) from the “designated file types”, so all menus (and other shortcuts) are allowed, providing that they point to one of the aforementioned folders. Of course regular users have no rights to write in there.
              This is a quick way to have absolute control over what is run on computers.

              To people outside a domain, there’s apparently a way to apply a local GPO to all users except administrators.

              http://www.sevenforums.com/tutorials/101869-local-group-policies-apply-all-users-except-administrators.html. Not tested myself.
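The policy described in the post above (default level Disallowed, Unrestricted path rules for %windir%, %ProgramFiles% and %ProgramFiles(x86)%, LNK taken out of the designated file types, optionally applied to all users except local administrators), written as its registry equivalent, which is also what the earlier post about registry equivalents for the Home editions is getting at. This is an added example, not code from the article, from CryptoPrevent or from any poster: the key layout under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers is the one gpedit.msc writes, the function names are mine, the designated-file-types list is the Windows default list as I know it (compare it with your own gpedit.msc before relying on it), and Test-UserWritable is a coarse ACL look-up, not an effective-permissions calculation.

```powershell
# Added example, not from the article or the poster. Registry equivalent of the
# "disallow everything except %windir%, %ProgramFiles%, %ProgramFiles(x86)%" SRP.
# Run elevated, on a test VM with a backup first; then: gpupdate /force and log off/on.

$Safer        = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Unrestricted = 262144   # 0x40000: the security level an allow rule grants
$Disallowed   = 0        # the default level wanted for everything else

function Add-SrpPathRule {
    param(
        [Parameter(Mandatory)] [string] $Path,   # may contain %vars%; stored as REG_EXPAND_SZ
        [int]    $Level = $Unrestricted,
        [string] $Description = ''
    )
    # gpedit.msc keeps each rule under <level>\Paths\{GUID}; the GUID is arbitrary
    $ruleKey = Join-Path $Safer ("$Level\Paths\" + [guid]::NewGuid().ToString('B'))
    New-Item -Path $ruleKey -Force | Out-Null
    Set-ItemProperty -Path $ruleKey -Name ItemData     -Value $Path        -Type ExpandString
    Set-ItemProperty -Path $ruleKey -Name SaferFlags   -Value 0            -Type DWord
    Set-ItemProperty -Path $ruleKey -Name Description  -Value $Description -Type String
    Set-ItemProperty -Path $ruleKey -Name LastModified -Value ([DateTime]::UtcNow.ToFileTime()) -Type QWord
    return $ruleKey
}

function Set-DefaultDenySrp {
    param([switch] $ExemptAdministrators)   # the "all users except administrators" variant
    New-Item -Path $Safer -Force | Out-Null
    Set-ItemProperty -Path $Safer -Name DefaultLevel       -Value $Disallowed -Type DWord
    # TransparentEnabled 1 = all software files except libraries (DLLs), the gpedit default
    Set-ItemProperty -Path $Safer -Name TransparentEnabled -Value 1           -Type DWord
    # PolicyScope 0 = all users, 1 = all users except local administrators
    $scope = if ($ExemptAdministrators) { 1 } else { 0 }
    Set-ItemProperty -Path $Safer -Name PolicyScope -Value $scope -Type DWord
    # Designated file types: the default list WITHOUT LNK, so shortcuts themselves are not
    # policed; only the executables they point at are (and those must sit in an allowed folder).
    $types = @('ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP','HTA','INF','INS',
               'ISP','MDB','MDE','MSC','MSI','MSP','MST','OCX','PCD','PIF','REG','SCR','SHS','URL','VB','WSC')
    Set-ItemProperty -Path $Safer -Name ExecutableTypes -Value $types -Type MultiString
    # Unrestricted rules for the three locations regular users cannot write into
    foreach ($p in '%windir%', '%ProgramFiles%', '%ProgramFiles(x86)%') {
        Add-SrpPathRule -Path $p -Description "Allow $p" | Out-Null
    }
}

function Get-SrpPathRules {
    # Lists the rules actually present in the registry, for checking after gpupdate
    foreach ($lvl in $Disallowed, $Unrestricted) {
        $paths = Join-Path $Safer "$lvl\Paths"
        if (-not (Test-Path $paths)) { continue }
        $name = if ($lvl -eq $Unrestricted) { 'Unrestricted' } else { 'Disallowed' }
        foreach ($key in Get-ChildItem -Path $paths) {
            [pscustomobject]@{
                Level = $name
                Path  = $key.GetValue('ItemData', $null, 'DoNotExpandEnvironmentNames')
                Rule  = $key.PSChildName
            }
        }
    }
}

function Test-UserWritable {
    # The post's precondition: ordinary users must not be able to write into an allowed
    # folder. Coarse check of explicit Allow entries only; review the output by eye.
    param([Parameter(Mandatory)] [string] $Folder)
    $real = [Environment]::ExpandEnvironmentVariables($Folder)
    (Get-Acl -Path $real).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -match '\\(Users|Authenticated Users)$|^Everyone$' -and
        ($_.FileSystemRights.ToString() -match 'Write|Modify|FullControl|CreateFiles|AppendData')
    } | Select-Object IdentityReference, FileSystemRights, InheritanceFlags
}
```

Typical order: run Test-UserWritable against each of the three folders and fix any hit before enabling the policy, then Set-DefaultDenySrp (with -ExemptAdministrators if that is the intent), then gpupdate /force and confirm with Get-SrpPathRules. After that, anything launched from a profile folder is refused and the Application log records the block, which is the signal the later post in this thread wants to alert on.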

      • #1418753

        The local security policy change as mentioned in the article is way too problematic. Many legitimate programs use local and roaming appdata locations for executables, including lots of Google programs (such as chrome and numerous update files). I certainly don’t see “folks with solid IT savvy” doing either this or “application whitelisting” for themselves. For corporate environments, of course, whitelisting or locked-down desktops may be appropriate…

        Well, that’s just bad program design. Linux doesn’t generally do this sort of thing, so it’s not necessary.

        And that Avast Browser Cleanup module is a system performance killer, and nothing in it does a better job than the browser plugins Click & Clean or (for Firefox) Better Privacy, plus the built-in History cleanup tools. Follow up with CCleaner. Trouble is, most folks don’t do browser cleanups often enough, as they rely on History instead of Bookmarks, and like to keep login cookies so as not to have to use a password manager.

        -- rc primak

    • #1418725

      @ SF99, #14:

      Sucuri website=scareware tactics

      Free Website Malware Scanner
      Sucuri SiteCheck API

      Sitecheck Results
      Website details
      Blacklisting status

      Blacklist status
      Domain blacklisted by SiteAdvisor (McAfee): foolishit.com – reference
      Domain clean by Google Safe Browsing: foolishit.com – reference
      Domain clean by Norton Safe Web: foolishit.com – reference
      Domain clean on Phish tank: foolishit.com – reference
      Domain clean on the Opera browser: foolishit.com – reference
      Domain clean by the Sucuri Malware Labs blacklist: foolishit.com – reference
      Domain clean on Yandex (via Sophos): foolishit.com – reference
      Domain clean by ESET: foolishit.com – reference

      Worried about malware or getting blacklisted? Sign up and be at ease. Check out our monitoring & cleanup packages.

      They have a product to sell (which rates foolishIT.com as clean).

      McAfee SiteAdvisor – is that even still operational? When it was, you would be lucky to find any scan results newer than 6 months old = useless!

      http://www.urlvoid.com/scan/foolishit.com/ = checked by close to 30 sites = clean.

      http://www.google.com/safebrowsing/diagnostic?site=http://www.foolishit.com = not suspicious.

      • #1418745

        @ Satrow
        Yes, I agree with you.
        McAfee reports should be banned from VirusTotal…

        I suspect McAfee has its own “agenda”.
        Labeling that web site as: HIJACKED,
        when and if it is not – is highly irresponsible.

        But the 2nd link you included in your post (Google Web Site Checker),
        it reports:

        “Has this site hosted malware?
        Yes, this site has hosted malicious software over the past 90 days. It infected 0 domain(s), including…”. (???)

        Check it out…
        http://www.google.com/safebrowsing/diagnostic?site=http://www.foolishit.com

        • #1418756

          But the 2nd link you included in your post (Google Web Site Checker),
          it reports:

          “Has this site hosted malware?
          Yes, this site has hosted malicious software over the past 90 days. It infected 0 domain(s), including…”. (???)

          I did check it before posting; no infections caused, no second/third/fourth case recorded …

          “the last time suspicious content was found on this site was on 2013-08-09” – I reckon by the follow-up visit the “suspicious” content had been given a clean bill of health = false positive, very common with heuristics (guesses).

    • #1418771

      Excel may be programmed to look to its own error messages, not to those built into the OS. What error do you see when you try opening one in Notepad?

    • #1418835

      Encountered this at a client who did not have backups. The version they had asked for payment in one of two forms: either a Green Dot MoneyPak or Bitcoins. The client opted for the MoneyPak option and $300 later, their files were decrypted. It was quite a pain however, because many of the encrypted files were in the Recycle Bin and the bin had been emptied. CryptoLocker logs all the files it encrypts in the registry, so as it was doing the decryption, it paused on every file it could not find and I had to click “Ignore” for the process to continue. Ended up having to click it 1,500 times.

    • #1418924

      Application whitelisting is what all decent HIPS do – many of the programs commonly known as software firewalls are actually HIPS, and they stop this kind of threat. I have been using HIPS for years and only allowed apps can run. This is really what makes me always respond yes when I see questions about software firewalls and their usefulness – they are useful because they will stop these and similar threats – including zero-day malware threats.

    • #1418963

      I use Emsisoft, and am very happy with it.
      They published an article in September about it:

      http://blog.emsisoft.com/2013/09/10/cryptolocker-a-new-ransomware-variant/#sthash.H1mjuYhL.dpbs

      • #1418965

        I use Emsisoft, and am very happy with it.
        They published an article in September about it:

        http://blog.emsisoft.com/2013/09/10/cryptolocker-a-new-ransomware-variant/#sthash.H1mjuYhL.dpbs

        I didn’t even notice that. The whitelisting app I use is Emsisoft’s Online Armor and my AV is Emsisoft AntiMalware, as well. EAM has a behavior blocker that catches some of the behaviors of this specific malware so, using both, there would be two lines of defense to catch it.

        Emsisoft’s products are top notch, I can’t say it enough :).

    • #1419030

      How do you become infected with CryptoLocker

      This infection is typically spread through emails sent to company email addresses that pretend to be customer support related issues from FedEx, UPS, DHS, etc. These emails would contain a zip attachment that when opened would infect the computer. These zip files contain executables that are disguised as PDF files as they have a PDF icon and are typically named something like FORM_101513.exe or FORM_101513.pdf.exe. Since Microsoft does not show extensions by default, they look like normal PDF files and people open them.

      CryptoLocker Ransomware Information Guide and FAQ

      Bruce

    • #1419048

      I keep two backups on internal drives and after reading all this I decided to make an additional image on an external drive and unplug it after it’s finished making the image.

    • #1419227

      I have put my trust in the iObit “Pro” software offerings. The one that I depend on to stop this nasty virus is http://www.iobit.com/malware-fighter-pro.php

    • #1419486

      I plowed through nearly 40 posts here in increasing amazement until rui FINALLY made the observation that a decent firewall should stop Cryptolocker in its tracks via its whitelisting mechanism. Online Armor offered this in the 5-year-old version which I continue to run on Win2K and I suspect considerably before that, and while my meager experiments with running the Windows firewall on later systems have not included this setting I’ve assumed that it’s easy to enable.

      (It’s also useful for muzzling those programs which have no legitimate need to access the Internet but insist on doing so, by the way – just another check-box to check.)

      Why Susan omitted so obvious a protection measure in favor of so much Group Policy folderol mystifies me. While she did mention whitelisting she made it sound ridiculously more difficult than it actually is in OA: you just allow or block each new application execution (based either upon knowing what is asking to run or having a very good idea based on what you’re doing at the time) and soon the learning process is effectively over and most pop-ups thereafter deserve more careful scrutiny.

      I could say that people who don’t display file extensions deserve what they get, but I don’t really think that (at least I think I don’t…) – but as long as a self-executing archive extracts the executable payload to a location from which to run it the whitelist mechanism will kick in at that point to warn you.

      “Paranoia strikes deep” is more than just a line from a memorable anti-war song: it’s a caution against hysteria when well-known solutions to a menacing problem exist.

      • #1419490

        I plowed through nearly 40 posts here in increasing amazement until rui FINALLY made the observation that a decent firewall should stop Cryptolocker in its tracks via its whitelisting mechanism. Online Armor offered this in the 5-year-old version which I continue to run on Win2K and I suspect considerably before that, and while my meager experiments with running the Windows firewall on later systems have not included this setting I’ve assumed that it’s easy to enable.

        I hope you said that ironically :). The Windows firewall is a network firewall, it has no ability whatsoever to whitelist or blacklist running programs. Of course, you could innocently believe, when you see comparisons made with the Windows firewall and the 3rd party firewalls, that it would have similar abilities. The truth is it doesn’t, so I can’t really stop cringing when I see so many “informed”(?!) analyses comparing, without so much as a hesitation, what are effectively apples and oranges.

        (It’s also useful for muzzling those programs which have no legitimate need to access the Internet but insist on doing so, by the way – just another check-box to check.)

        Why Susan omitted so obvious a protection measure in favor of so much Group Policy folderol mystifies me. While she did mention whitelisting she made it sound ridiculously more difficult than it actually is in OA: you just allow or block each new application execution (based either upon knowing what is asking to run or having a very good idea based on what you’re doing at the time) and soon the learning process is effectively over and most pop-ups thereafter deserve more careful scrutiny.

        I could say that people who don’t display file extensions deserve what they get, but I don’t really think that (at least I think I don’t…) – but as long as a self-executing archive extracts the executable payload to a location from which to run it the whitelist mechanism will kick in at that point to warn you.

        “Paranoia strikes deep” is more than just a line from a memorable anti-war song: it’s a caution against hysteria when well-known solutions to a menacing problem exist.

        I can’t explain the perpetual lack of reference to HIPS as one of the most effective means of protecting against malware. That must be because I am no Windows specialist.

        • #1419500

          I hope you said that ironically :).

          Actually, I just assumed it in a spirit of charity: I’ve only run the Windows firewall on any platform long enough to find something better to replace it with, so have never bothered to investigate whether I could set it up to be as effective as I want my firewall to be.

          On a completely unrelated note, my use of the word ‘folderol’ in my original post (which in a similar spirit of charity I’ll admit may have been a bit extreme) seems to have been converted to ‘folder’ when you quoted it in your reply. Hardly important in and of itself, but it doesn’t seem like the kind of thing the software should be presuming to do.

          • #1419504

            On a completely unrelated note, my use of the word ‘folderol’ in my original post (which in a similar spirit of charity I’ll admit may have been a bit extreme) seems to have been converted to ‘folder’ when you quoted it in your reply. Hardly important in and of itself, but it doesn’t seem like the kind of thing the software should be presuming to do.

            I fixed the quote :).

    • #1419511

      It’s rumored the writers of CryptoLocker are receiving $300,000 a month in ransom income, so this may be just the beginning of this type of malware. As other malware writers see the income potential from this type of strategy, variations may grow exponentially. My understanding is that Susan Bradley works with businesses, not individuals. When a business is faced with this type of problem, they want a permanent solution so their expensive IT staff doesn’t have to deal with this on a regular basis. That may be why Susan suggests using an image backup and the Software Restriction Policy.

      There’s free image backup software available:

      Macrium Reflect Free (http://www.macrium.com)

      Paragon Backup & Recovery Free (http://www.paragon-software.com)

      EaseUS Todo Backup Free (http://www.todo-backup.com)

      Special versions of Acronis True Image are available free for owners of Seagate and Western Digital hard drives: Seagate DiscWizard and WD Edition.

      http://www.seagate.com/support/downloads/discwizard/

      http://support.wdc.com/product/downloaddetail.asp?swid=119&wdc_lang=en

      Windows Pro versions and higher include the Software Restriction Policy. For owners of lower versions, post #50 has links to instructions on how to add the Software Restriction Policy capability to your operating system. But, if you don’t want to do that, other posts have suggested a firewall with a host-based intrusion prevention system (HIPS). Privatefirewall is free (http://www.privacyware.com).

    • #1419512

      Keep in mind that antivirus software probably won’t prevent a CryptoLocker infection. In every case I’m aware of, the PC owner had an up-to-date AV application installed. Moreover, running Windows without admin rights does not stop or limit this virus. It uses social engineering techniques — and a good bit of fear, uncertainty, and doubt — to trick users into clicking a malicious download or opening a bogus attachment.

      Opening an email attachment, Java exploit, or “you need this driver or video player update.” Heck I’ve even seen them trying to sneak a Chrome update past me. Absolutely nothing new here, only noteworthy and described nicely by the thread title. The reliance on anti-virus is much more placebo than not, yet reply after reply is about some programmatic solution, yeah or nay. Social engineering is where it’s at folks, look in the mirror; there lies the kernel that needs hardening, fruitless though that is to say for reasons both good and bad.

    • #1419559

      I have installed CryptoPrevent on all our machines and feel easier about the CryptoLocker threat now. Kudos to Nick @ FoolishIT for providing this free tool. :clapping:

    • #1419592

      I was “browsing some dodgy sites” today and encountered what looked like a variant of the virus. I don’t know if it was bogus or not because I was using Sandboxie. I exited Sandboxie and looked for signs of infestation but found none. Is Sandboxie a temporary solution till a fix is found to permanently defeat this problem, or was I lucky and the site was bogus, or did Sandboxie do its job properly?

      • #1419595

        I was “browsing some dodgy sites” today and encountered what looked like a variant of the virus. I don’t know if it was bogus or not because I was using Sandboxie. I exited Sandboxie and looked for signs of infestation but found none. Is Sandboxie a temporary solution till a fix is found to permanently defeat this problem, or was I lucky and the site was bogus, or did Sandboxie do its job properly?

        Sandboxie should be effective in shielding you from such nasties. If I understand well what it does (I have used it only briefly when I used 32-bit OS versions), all the downloads are kept “sandboxed” and thus prevented from reaching the OS, unless you allow it.

    • #1419597

      Installing CryptoPrevent may give you a false sense of security because sooner or later they will figure out a way to get past it.

      As long as you don’t get lulled into a false sense of security with CryptoPrevent.

      In my opinion, the only really sure way is to keep an image on an external drive and unplug it after making the image.

      • #1419608

        Installing CryptoPrevent may give you a false sense of security because sooner or later they will figure out a way to get past it.

        As long as you don’t get lulled into a false sense of security with CryptoPrevent.

        In my opinion, the only really sure way is to keep an image on an external drive and unplug it after making the image.

        I spent the afternoon imaging & backing up. That makes sense.

    • #1419601

      Ya, it’s definitely chasing after a variant and radioing roadblocks in ahead of time and trying not to ruin the flow of traffic, but that can work for some for a while.
      Right Bany, that’s the only sure answer for many things including this, but it’s about as likely to happen as folks not clicking on anything they did not initiate.

    • #1419617

      Sure Bob, I never kept an image on an external drive until recently.
      I have two internals that I use, but I came to the conclusion that anything that attacks your C drive can also attack any internal drives you have.

      The point to remember is to UNPLUG the external after you make your image.

    • #1419625

      I’ve deployed software restriction policies via GPO (very similar to the CryptoPrevent utility link above) to the hosts on our mixed XP/Win7 network and verified that applications launched from those locations are blocked.

      Next thing I want to do is to get alerts from the event logs, so I can see when somebody tries to launch something they shouldn’t. I can manually set forwarding of the local event log ID 866 to the server and then trigger an email using Task Scheduler, but I am trying to get my head round configuring the forwarders via GPO on our XP-based hosts automatically (the GPO settings seem only to work in Vista and above – our Win 7 hosts should pick up the GPO just fine). Wonder if anyone has any tips on that?

      Looking at our ESET console, we see numerous invoice-abcxyz.pdf.exe and similar attachments being blocked on Exchange, but it won’t take long for somebody somewhere to do something silly, or for the threat to morph and the GPO settings to become useless.

      With pretty much most of our data accessible to the most “click friendly” users, this is one of the few threats that really worries me. We run hourly onsite backups and daily offsite, but it would be a right royal pain to recover all that data across our network. Even after data recovery, I would be apprehensive about our network and the server. :o:
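The alerting half of what the post above is after: pull the Software Restriction Policy block events (ID 866, blocked by a path rule; 865 is the same block raised by the Disallowed default level) out of the event log, mail a digest when there are any, and register an event-triggered scheduled task so the mail goes out as the block happens rather than on a timer. This is an added example, not the poster's setup and not code from the article. Assumptions are marked: the SMTP server, addresses and script path are placeholders; the regex that extracts the blocked path relies on the event text beginning "Access to <path> has been restricted by your Administrator", which is how the event reads on the Windows versions I have seen; Get-WinEvent and schtasks /SC ONEVENT need Vista or later, so for the XP hosts the events have to be forwarded first and queried from the ForwardedEvents log on the collector.

```powershell
# Added example, not from the article or the poster. Detects and alerts on SRP blocks.
function Get-SrpBlockEvents {
    param(
        [string] $LogName      = 'Application',      # use 'ForwardedEvents' on a collector
        [int]    $Hours        = 24,
        [string] $ComputerName = $env:COMPUTERNAME
    )
    # Filter on event ID only: the provider name differs between XP
    # ("Software Restriction Policies") and Vista+ ("Microsoft-Windows-SoftwareRestrictionPolicies").
    $filter = @{ LogName = $LogName; Id = 865, 866; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Assumed message format: "Access to <path> has been restricted by your Administrator ..."
            $blocked = if ($_.Message -match 'Access to (.+?) has been restricted') { $Matches[1] } else { $_.Message }
            [pscustomobject]@{
                Time     = $_.TimeCreated
                Computer = $_.MachineName
                EventId  = $_.Id
                UserSid  = $_.UserId          # SID of the account that tried to launch it
                Blocked  = $blocked
            }
        }
}

function Send-SrpAlert {
    # Mails a digest of recent blocks; returns $true if anything was sent, $false if nothing to report.
    param(
        [string] $SmtpServer = 'smtp.example.invalid',   # placeholder
        [string] $To         = 'helpdesk@example.invalid', # placeholder
        [string] $From       = 'srp-alerts@example.invalid', # placeholder
        [string] $LogName    = 'Application',
        [int]    $Hours      = 1
    )
    $events = @(Get-SrpBlockEvents -LogName $LogName -Hours $Hours)
    if ($events.Count -eq 0) { return $false }
    $body = $events | Format-Table Time, Computer, EventId, Blocked -AutoSize | Out-String -Width 200
    Send-MailMessage -SmtpServer $SmtpServer -To $To -From $From `
        -Subject "SRP blocked $($events.Count) launch(es) in the last $Hours h" -Body $body
    return $true
}

function Register-SrpAlertTask {
    # Event-triggered task: runs the alert script each time a 865/866 lands in the Application log.
    # $ScriptPath is a placeholder; it is assumed to dot-source this file and end with: Send-SrpAlert
    param([string] $ScriptPath = 'C:\Scripts\Send-SrpAlert.ps1')
    $xpath = '*[System[(EventID=865 or EventID=866)]]'
    & schtasks.exe /Create /F /TN 'SRP block alert' /RU SYSTEM /SC ONEVENT /EC Application `
        /MO $xpath /TR "powershell.exe -NoProfile -ExecutionPolicy Bypass -File $ScriptPath"
}
```

On the collector, the same Get-SrpBlockEvents with -LogName ForwardedEvents covers every forwarding host in one query, and a Get-SrpBlockEvents -Hours 168 run after deployment is a quick way to find legitimate programs the policy is tripping over before users start calling.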

    • #1419745

      I’d like to see/know if Returnil, DeepFreeze, SteadyState and other programs of such ilk stop this. I know they would easily give the virus itself the boot but I’m wondering if it can do its damage while it exists.

      • #1419758

        I’d like to see/know if Returnil, DeepFreeze, SteadyState and other programs of such ilk stop this. I know they would easily give the virus itself the boot but I’m wondering if it can do its damage while it exists.

        Yes they will return the machine to a known stable condition. However, they won’t protect your data.

        If the payload is active, your data is encrypted and returning the machine to a default state will not decrypt the data. Currently, the only mechanism to recover your data from a CryptoLocker infection is by paying the ransom or reverting to an offline backup (after a successful clean-up process).

        This is true not just for Windows machines, but for any device that holds data which can be accessed by a mapped network drive – Apple Macs, NAS, SAN, Linux boxes, file servers, etc. are all at risk if they hold data accessible by a Windows machine under threat.

        Presently, the proprietary formats often used by imaging software are not attacked by CryptoLocker, so a device that contains these backups can be left connected to an attacked machine. I wouldn’t use that as long-term mitigation though: it is likely that the threat will develop to attack these files too.

    • #1419764

      Surely there must be a permanent solution sometime soon? If not, others will be using the same techniques and computing as we know it will be changed forever. Even if we have to pay for a solution it will be worth it? Now what is Microsoft doing to combat the problem? It is their system and they have billions in the bank. Rant over and I now feel better. :D

    • #1419801

      There are solutions against CryptoLocker as it is presently found – such as CryptoPrevent. But malware is continually adapting to get around such defences so by definition it is impossible to find a ‘permanent’ solution against this type of thing, and it isn’t fair to blame Microsoft. The real problem as others have said is not the machines it is the users who are tricked into running the malware.

      As well as CryptoPrevent, we have antivirus, local disk images and regular onsite and offsite backups (with file history). I think it is wise to have multiple lines of defence because you never know what is around the corner.

      • #1419803

        There are solutions against CryptoLocker as it is presently found – such as CryptoPrevent. But malware is continually adapting to get around such defences so by definition it is impossible to find a ‘permanent’ solution against this type of thing, and it isn’t fair to blame Microsoft. The real problem as others have said is not the machines it is the users who are tricked into running the malware.

        As well as CryptoPrevent, we have antivirus, local disk images and regular onsite and offsite backups (with file history). I think it is wise to have multiple lines of defence because you never know what is around the corner.

        There is a permanent solution. Use a HIPS or use an AV that acts on suspicious behavior, not just on a blacklisted signature. Emsisoft’s AntiMalware protects against this, as will Emsisoft’s Online Armor (and any other HIPS). Stop saying there is no “permanent solution”. That is simply wrong.

        • #1419904

          Stop saying there is no “permanent solution”. That is simply wrong.

          Depends upon the context. My impression is that the context is that of a clueless user who might well just click through an ‘Allow’ button if warned by a HIPS (after all, they allowed the malware to start to execute in the first place).

          The aphorism “You can’t fix stupid” may apply here, though many valiant attempts have been made and some of them do some good.

          • #1420045

            If CryptoLocker goes after attached external drives, how does that affect the Windows 8 File History feature? Would those files be protected?

    • #1420047

      If you can browse to the backup location for file history, so can the virus.

    • #1421739

      I had my first customer with the Cryptolocker virus (of course a week after it hits the tech news). Removed the virus, but looked all over for a solution to get back the data. I found Shadow Explorer, which allows you to recover files/folders from the Volume Shadow Copy feature in Win Vista/7/8. I was able to recover all of the customer’s previously encrypted documents from before the infection. Easy to use, portable and free.

      I’m in no way affiliated with ShadowExplorer, I’m just a tech who wants to spread the word about this software for anyone hit with Cryptolocker.

      • #1421746

        I had my first customer with the Cryptolocker virus (of course a week after it hits the tech news). Removed the virus, but looked all over for a solution to get back the data. I found Shadow Explorer, which allows you to recover files/folders from the Volume Shadow Copy feature in Win Vista/7/8. I was able to recover all of the customer’s previously encrypted documents from before the infection. Easy to use, portable and free.

        I’m in no way affiliated with ShadowExplorer, I’m just a tech who wants to spread the word about this software for anyone hit with Cryptolocker.

        Thanks for posting about that. It may be a solution for other users who find themselves in a similar situation.

    • #1421804

      Ms. Bradley’s CryptoLocker article lists settings to ensure that “the virus can’t launch from embedded or attached .zip files” by zip utilities WinRAR, 7Zip, WinZip, and Windows built-in .zip support, the last one apparently available on WindowsXP and up.
      The description of each of these is that they “Block executables run from archive attachments opened with [followed by the zip program name]”.

      Some Questions:

      1) What is an archive attachment? In ordinary English, my understanding of “archive” is a collection of past documents or other material. And I do know about attachments in emails.
      But more broadly in computerese, what is an archive? And what is an archive attachment?
      And what is the difference between an archive attachment and an ordinary attachment?
      In other words, why would Ms. Bradley use the word “archive” in her descriptions above?

      2) Wouldn’t CryptoLocker be willing to use a non-archive newly downloaded document or new software as one of its vehicles to encrypt?

      3) Does CryptoLocker use only zip software already installed on the computer, or does CryptoLocker also import its own zip software?
      In other words, to protect against CryptoLocker, do I need to protect against zip utilities that are not already installed on my computer?

      R.N. (Roger) Folsom

      • #1421811

        1) What is an archive attachment?

        An archive file (.zip) which is attached to an email.

        2) Wouldn’t CryptoLocker be willing to use a non-archive newly downloaded document or new software as one of its vehicles to encrypt?

        Many email programs and systems block executable files but not zip archives, so it uses the .zip as a vehicle to deliver the .exe to your computer.

        (And also tries to hide the .exe from you by naming it as FORM.PDF.exe, hoping that you’ve stuck with the ridiculous Microsoft default of hiding the last file extension.)

        Nothing is encrypted until you click to open the .exe (disguised as a PDF).

        3) Does CryptoLocker use only zip software already installed on the computer,

        Yes (including the built-in support of XP/7/Vista/8).

        or does CryptoLocker also import its own zip software?

        No.

        In other words, to protect against CryptoLocker, do I need to protect against zip utilities that are not already installed on my computer?

        Not if you’re sure they will never be installed in the future, but CryptoPrevent has them all covered with a single click.

        Bruce
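The delivery pattern Bruce describes here and in his earlier post (#1419030), an .exe named like FORM_101513.pdf.exe inside a .zip attachment, relying on Explorer hiding the last extension, turned into a screening check a mail admin or help desk can run: classify an attachment name, look inside a .zip without extracting it, and report whether this machine still hides known extensions. This is an added example, not code from the article, from CryptoPrevent or from any poster. The function names and extension lists are mine, the sample archive is constructed on the spot from harmless text files, and the HideFileExt value under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced is the Explorer setting behind "Hide extensions for known file types". It needs Windows PowerShell 5 or later (Compress-Archive) and .NET 4.5 or later.

```powershell
# Added example, not from the article or the posters. Screens attachments for the
# double-extension disguise (document.ext.exe) described in this thread.
Add-Type -AssemblyName System.IO.Compression.FileSystem

$ExecutableExtensions = '.exe','.scr','.pif','.com','.bat','.cmd','.vbs','.js','.jse','.wsf','.hta','.cpl'
$DocumentExtensions   = '.pdf','.doc','.docx','.xls','.xlsx','.txt','.jpg','.png','.htm','.html'

function Get-AttachmentRisk {
    # 'DisguisedExecutable' for FORM_101513.pdf.exe, 'Executable' for FORM_101513.exe, else 'None'
    param([Parameter(Mandatory)] [string] $FileName)
    $last = [IO.Path]::GetExtension($FileName).ToLowerInvariant()
    if ($ExecutableExtensions -notcontains $last) { return 'None' }
    $stem  = [IO.Path]::GetFileNameWithoutExtension($FileName)   # strips only the last extension
    $inner = [IO.Path]::GetExtension($stem).ToLowerInvariant()
    if ($DocumentExtensions -contains $inner) { return 'DisguisedExecutable' }
    return 'Executable'
}

function Get-ArchiveRisks {
    # Reads the .zip directory only; nothing is extracted or run.
    param([Parameter(Mandatory)] [string] $ZipPath)
    $zip = [IO.Compression.ZipFile]::OpenRead($ZipPath)
    try {
        foreach ($entry in $zip.Entries) {
            $risk = Get-AttachmentRisk -FileName $entry.Name
            if ($risk -ne 'None') {
                [pscustomobject]@{ Archive = (Split-Path $ZipPath -Leaf); Entry = $entry.FullName; Risk = $risk }
            }
        }
    } finally { $zip.Dispose() }
}

function Test-ExtensionsHidden {
    # Explorer's "Hide extensions for known file types"; 1 (or absent) = hidden, the default
    $adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    $v = (Get-ItemProperty -Path $adv -Name HideFileExt -ErrorAction SilentlyContinue).HideFileExt
    return ($null -eq $v) -or ($v -eq 1)
}

# --- constructed demonstration: a zip shaped like the attachments described, then screened ---
$work = Join-Path $env:TEMP ('attach-demo-' + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path $work | Out-Null
foreach ($name in 'FORM_101513.pdf.exe', 'invoice.pdf', 'readme.txt') {
    # plain text placeholders, not programs; only the names matter for the check
    Set-Content -Path (Join-Path $work $name) -Value 'constructed placeholder'
}
$zipPath = Join-Path $env:TEMP 'constructed-attachment.zip'
Compress-Archive -Path (Join-Path $work '*') -DestinationPath $zipPath -Force
Get-ArchiveRisks -ZipPath $zipPath | Format-Table -AutoSize
"Explorer hides known extensions: $(Test-ExtensionsHidden)"
Remove-Item -Path $work -Recurse -Force
Remove-Item -Path $zipPath -Force
```

Only the FORM_101513.pdf.exe entry is reported; the real .pdf and .txt pass. Get-AttachmentRisk on its own is enough for a mail-gateway rule or a quick look at a quarantined file name, and Test-ExtensionsHidden returning True on a user's machine is the condition under which that name would have shown up as "FORM_101513.pdf".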

        • #1421903

          BruceR:

          Thanks for clarifying that CryptoLocker doesn’t import unzip software.

          You wrote that CryptoLocker “uses the .zip as a vehicle to deliver the .exe to your computer.” Understood.

          You then wrote that CryptoLocker “(. . . tries to hide the .exe from you by naming it as FORM.PDF.exe, hoping that you’ve stuck with the ridiculous Microsoft default of hiding the last file extension.) Nothing is encrypted until you click to open the .exe (disguised as a PDF).”

          Here I am confused. Surely CryptoLocker doesn’t announce that it is malware by renaming its malware as “FORM.PDF.exe” hoping that the computer’s extensions are hidden so that the user sees the filename as FORM.PDF. So I am guessing that you are using the word FORM to represent an actual filename, such as UsefulSoftware.pdf.exe. Is my guess correct?

          Also, as I said to F.U.N. downtown, my computers have always had unhidden extensions. Therefore, could a CryptoLocker email containing a normal name document, disguised with a PDF extension, include a zip file that would open as soon as I opened the PDF file with PDF software? (I use PDF-XChange Viewer, by Tracker Software; I probably will replace that with Tracker’s new PDF-XChange Editor.)

          R.N. (Roger) Folsom

          P.S. Thanks for the link to the CryptoPrevent website. I spent some time there, but finally had to face the fact that I don’t have nearly enough technological knowledge to figure out what CryptoPrevent does, other than somehow prevent CryptoLocker from messing up my computer. That’s too vague for me. Before installing any software, I like to understand what it does, even if I don’t understand how it works. For example, CryptoPrevent apparently makes some use of WinPE (Windows Preinstallation Environment), but WinPE is way over my head.
          So I will continue making daily backups onto a temporarily attached external drive (a Western Digital Passport).

          • #1422169

            You then wrote that CryptoLocker “(. . . tries to hide the .exe from you by naming it as FORM.PDF.exe, hoping that you’ve stuck with the ridiculous Microsoft default of hiding the last file extension.) Nothing is encrypted until you click to open the .exe (disguised as a PDF).”

            Here I am confused. Surely CryptoLocker doesn’t announce that it is malware by renaming its malware as “FORM.PDF.exe” hoping that the computer’s extensions are hidden so that the user sees the filename as FORM.PDF.

            Yes, that is what it does:

            This infection is typically spread through emails sent to company email addresses that pretend to be customer support related issues from FedEx, UPS, DHS, etc. These emails would contain a zip attachment that when opened would infect the computer. These zip files contain executables that are disguised as PDF files as they have a PDF icon and are typically named something like FORM_101513.exe or FORM_101513.pdf.exe. Since Microsoft does not show extensions by default, they look like normal PDF files and people open them.
            How do you become infected with CryptoLocker

            So I am guessing that you are using the word FORM to represent an actual filename, such as UsefulSoftware.pdf.exe. Is my guess correct?

            No, I was using FORM to represent FORM plus some random number, e.g. FORM_101513.pdf as above or Form_20130810.

            Also, as I said to F.U.N. downtown, my computers have always had unhidden extensions. Therefore, could a CryptoLocker email containing a normal name document, disguised with a PDF extension, include a zip file that would open as soon as I opened the PDF file with PDF software?

            The zip file contains the exe disguised as a pdf, not the other way round. If your extensions are unhidden then the exe would not be disguised as a pdf to you. As it’s not actually a pdf, you wouldn’t be able to open it with pdf software.

            P.S. Thanks for the link to the CryptoPrevent website. I spent some time there, but finally had to face the fact that I don’t have nearly enough technological knowledge to figure out what CryptoPrevent does, other than somehow prevent CryptoLocker from messing up my computer. That’s too vague for me. Before installing any software, I like to understand what it does, even if I don’t understand how it works. For example, CryptoPrevent apparently makes some use of WinPE (Windows Preinstallation Environment), but WinPE is way over my head.
            So I will continue making daily backups onto a temporarily attached external drive (a Western Digital Passport).

            As mentioned in Post #2 of this thread, CryptoPrevent automates the Software Restriction Policies from the article in Post #1: One or two clicks instead of a whole bunch of complex editing.

            Where is WinPE mentioned in relation to CryptoPrevent? I think you may have been reading about a different product at the same site.

            Bruce

    • #1421807

      An archive is a zip or rar file etc., anything that one or more files are packed into and not as readily available as a folder of files. Of course now many of these programs open up an archive file to view the contents easily if not encrypted, so it has lost some of its meaning.
      The virus may be disguised as a zip or other file if extensions are not turned on on a computer; not clicking on any attachment or unsolicited social email link or any unsolicited browser pop up for updating or downloading anything is the way to guard against any virus 99.99% of the time. Do not click on an attached zip file, real or not, and you cannot get a virus. If one absolutely must open a zip file or any other form of attachment that seems legitimate, right click on it and save it to your hard drive (preferably in a computer designated for such activity) to get it out of the email, then right click on the file where it has been saved and scan it with Malwarebytes or another good antivirus or two. If that says it’s ok, then it is probably safe to open.

      If someone else uses that computer or other computers on the same network and does not follow this protocol to a T at all times then there is increased risk. The riskiest thing Microsoft has continued to do throughout the years is leave extensions disabled, because you might think it’s a zip file, disable your zip utility, but it’s really an msi or exe file; but not clicking on anything covers all file formats that might execute.

      • #1421896

        F.U.N. downtown:

        Microsoft’s reason for a Windows default setting that hides extensions has been a mystery for me ever since Windows 95. So for Win95, Win98, Win2k(sp2-sp4), WinXPsp3, and Win9sp1, one of the first things I did for each operating system was to enable extensions.

        You wrote that “Not clicking on any attachment or unsolicited social email link or any unsolicited browser pop up for updating or downloading anything is the way to guard against any virus 99.99% of the time. Do not click on an attached zip file, real or not and you cannot get a virus.” Then you gave some interesting advice about what to do if you need to open an attached zip file: “right click on it and save it to your hard drive (preferably in a computer designated for such activity) to get it out of the email, then right click on the file where it has been saved and scan it with Malwarebytes or another good antivirus or two.”

        Am I right in thinking that your “preferably in a computer designated for such activity” is an extra computer acquired only for the purpose of opening files attached to emails?

        R.N. (Roger) Folsom

        • #1421913

          F.U.N. downtown:

          advice about what to do if you need to open an attached zip file: “right click on it and save it to your hard drive (preferably in a computer designated for such activity) to get it out of the email, then right click on the file where it has been saved and scan it with Malwarebytes or another good antivirus or two.”

          Am I right in thinking that your “preferably in a computer designated for such activity” is an extra computer acquired only for the purpose of opening files attached to emails?

          R.N. (Roger) Folsom

          Ya, if you had to open a lot of email attachments and were not a careful browser and worried a lot about something like an encryption virus getting activated, most definitely use a non-networked computer that didn’t contain any critical data.
          I’ve never felt any need for such measures but dear old Mum is on the same network and I’ve caught her more than once opening an attachment directly from the email client after much and consistent insistence on not doing such a thing.

        • #1421925

          Microsoft’s reason for a Windows default setting that hides extensions has been a mystery for me ever since Windows 95. So for Win95, Win98, Win2k(sp2-sp4), WinXPsp3, and Win9sp1, one of the first things I did for each operating system was to enable extensions.

          It’s not that big a mystery. I think they originally tried to mimic Apple (I think their operating systems hid extensions, by default, and I believe they still do). I think they meant to make it simpler for a regular user, not to have to worry about extensions and system files and folders – which got hidden at the same time, if my memory does not fail me. Obviously, it was a bad decision, but it’s done by others, as well.

    • #1421854

      I was thinking about ways to back up files on connected hardware. Given that CryptoLocker looks for files with certain extensions, what if we changed those extensions on backups, to something CryptoLocker wouldn’t recognise?

      I’ve just written myself a small script which nudges each character in the extension X places in the alphabet. So with, say, 3 nudges, ‘.doc’ becomes ‘.grf’ – then I append X number of characters just for good measure.

      So for example, ‘myfile.doc’ becomes ‘myfile.grf28773’ – and this same logic would be applied to all backed up files.

      As long as we know how many nudges and how many appended characters (3 and 5 respectively in this example), it’s then an easy job for another script to convert them back again if/when necessary.
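      The rename-and-restore logic described in this post, as an added example in Python that is not the poster’s own script. It assumes the nudge wraps within a–z (and within 0–9 for digits) so that ‘.doc’ with 3 nudges becomes ‘.grf’, appends ‘pad’ random digits, and reverses both steps when the same shift and pad are supplied. Only the last extension is nudged (so ‘archive.tar.gz’ keeps its ‘.tar’), which is an assumption about what the post intends; the ‘seed’ parameter exists only to make tests reproducible.

```python
"""Backup-extension 'nudging', as sketched in the post above.

Added example, not the poster's script. Each letter of the extension is
shifted `shift` places (wrapping within a-z / A-Z, and within 0-9 for
digits), then `pad` random digits are appended; restore() reverses both.
"""
import os
import random
import string
from typing import Callable, Optional


def _shift_char(ch: str, shift: int) -> str:
    """Shift one character; letters wrap within their case, digits within
    0-9, anything else (e.g. '_' or '-') is left unchanged."""
    if "a" <= ch <= "z":
        return chr((ord(ch) - ord("a") + shift) % 26 + ord("a"))
    if "A" <= ch <= "Z":
        return chr((ord(ch) - ord("A") + shift) % 26 + ord("A"))
    if "0" <= ch <= "9":
        return chr((ord(ch) - ord("0") + shift) % 10 + ord("0"))
    return ch


def disguise(filename: str, shift: int = 3, pad: int = 5,
             seed: Optional[int] = None) -> str:
    """'myfile.doc' with shift=3, pad=5 -> 'myfile.grf' + 5 random digits,
    e.g. 'myfile.grf28773'.  Only the last extension is nudged; a file with
    no extension is returned unchanged.  `seed` is for reproducible tests
    only; leave it None for real use (SystemRandom is then used)."""
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    stem, ext = os.path.splitext(filename)
    if not ext:
        return filename
    nudged = "".join(_shift_char(c, shift) for c in ext[1:])
    suffix = "".join(rng.choice(string.digits) for _ in range(pad))
    return f"{stem}.{nudged}{suffix}"


def restore(filename: str, shift: int = 3, pad: int = 5) -> str:
    """Reverse disguise(): drop the `pad` appended digits, un-shift the rest."""
    stem, ext = os.path.splitext(filename)
    body = ext[1:]
    if len(body) <= pad:
        raise ValueError(f"{filename!r} cannot have been produced with pad={pad}")
    original = "".join(_shift_char(c, -shift) for c in body[:-pad])
    return f"{stem}.{original}"


def rename_tree(root: str, transform: Callable[[str], str]) -> int:
    """Apply `transform` (disguise or restore with the chosen parameters)
    to every filename under `root` in place; returns how many were renamed."""
    count = 0
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            new_name = transform(name)
            if new_name != name:
                os.rename(os.path.join(dirpath, name),
                          os.path.join(dirpath, new_name))
                count += 1
    return count


if __name__ == "__main__":
    # Constructed sample, matching the post's worked example.
    d = disguise("myfile.doc", 3, 5)
    print(d, "->", restore(d, 3, 5))
    # Real use: rename_tree("/path/to/backups", lambda n: disguise(n, 3, 5))
    #           rename_tree("/path/to/backups", lambda n: restore(n, 3, 5))
```

      Restoring depends only on the two numbers, so they need to be recorded somewhere that is itself safe. The trick only helps while the malware selects victims by extension, as the post already allows; a variant that encrypts every file regardless of name would defeat it, so it complements a disconnected backup rather than replacing one.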

    • #1421901

      When the time comes that I have to go through all that I will open my window and throw the computer through it and then go buy some stamps and stationery.

    • #1421904

      When the time comes that I have to go through all that I will open my window and throw the computer through it and then go buy some stamps and stationery.

      That would be an ironic end for a Windows machine. But don’t do it. Sell it to me instead for $10 – I can use it as my zip opening PC 😉

    • #1421964

      A word of warning. I followed the advice about local security policy & Software Restrictions Policies and everything was fine until I downloaded a program which wouldn’t launch. When I “tried” to reverse the restrictions Windows wouldn’t load and I was left with a blank desktop. Obviously I did something wrong. Eventually I restored my system. Not for the faint hearted.

      • #1421983

        A word of warning. I followed the advice about local security policy & Software Restrictions Policies and everything was fine until I downloaded a program which wouldn’t launch. When I “tried” to reverse the restrictions Windows wouldn’t load and I was left with a blank desktop. Obviously I did something wrong. Eventually I restored my system. Not for the faint hearted.

        At a guess, you used the CryptoPrevent tool from earlier links and have a “home” (i.e. not a -pro) version of Windows. That may make it much more difficult to add whitelisted programs to the software restriction policies because you do not have the gpmc console. I presume reversal of the software restriction policies on a “home” version involves editing the registry, which certainly can lead to serious problems if not performed correctly.

        If you do have Pro or above it’s a fairly straightforward task to add a whitelisted application. The Software Restriction Policies are perhaps buried deep for those unfamiliar with gpmc, but not overly complex to add once the correct policy is located.

        However, consider that software you are trying to run is attempting to execute from within the user profile. There should be very few reasons for an application to do so; and that should trigger questions about the software and its developers.

        • #1422173

          At a guess, you used the CryptoPrevent tool from earlier links and have a “home” (i.e. not a -pro) version of Windows.

          It’s almost impossible to do something wrong with CryptoPrevent; one click to apply.

          That may make it much more difficult to add whitelisted programs to the software restriction policies because you do not have the gpmc console.

          CryptoPrevent includes an optional Whitelist Editor which makes it very easy.

          I presume reversal of the software restriction policies on a “home” version involves editing the registry, which certainly can lead to serious problems if not performed correctly.

          CryptoPrevent includes a single-click “Undo”.

          However, consider that software you are trying to run is attempting to execute from within the user profile. There should be very few reasons for an application to do so; and that should trigger questions about the software and its developers.

          Post #11 mentioned that “Many legitimate programs use local and roaming appdata locations for executables, including lots of Google programs (such as chrome and numerous update files).”. I’ve found that many Sysinternals and Nirsoft utilities do the same (perhaps just the portable versions).

          Bruce

          • #1422180

            It’s almost impossible to do something wrong with CryptoPrevent; one click to apply.

            CryptoPrevent includes an optional Whitelist Editor which makes it very easy.

            CryptoPrevent includes a single-click “Undo”.

            Post #11 mentioned that “Many legitimate programs use local and roaming appdata locations for executables, including lots of Google programs (such as chrome and numerous update files).”. I’ve found that many Sysinternals and Nirsoft utilities do the same (perhaps just the portable versions).

            Bruce

            Thanks Bruce,

            I do not use Crypto Prevent, preferring to edit the Software Restriction policies myself and distribute via GPO. I’ve only come across two user applications in my deployment that have had an issue: Spotify (which the user shouldn’t have been using anyway) and Foxit Reader Updater, which was easily added to my whitelists. I’ve not had any problems with Sysinternals since my deployment (I use various tools from the suite every day); and haven’t had need to use any Nirsoft utilities since deployment, but will watch out for it.

            I did encounter an issue installing MS Office on a new setup, but rather than set a whitelist entry on my DC and force a GPO update, I cheated and logged onto a local account on the machine, installed Office and then returned to the domain login.

            However, bobrobert should not have had any issue removing or reversing the Software Restriction Policies. Based on your comments, if he was using Crypto Prevent, it should be a simple process. If manually setting Software Restriction Policies, just remove the policy setting and reboot.

            [EDIT]

            Curiously enough, throughout October we had numerous (dozens and dozens, if not into the hundreds) invoice-12345.pdf.exe attachments arrive by email. All were caught by our Antivirus (though I don’t want to rely on that in the future). Since the beginning of the first week in November, we have had none, and our background rate of spam has also reduced too. Anecdotal, perhaps, but I wonder if it has either gone to ground, or is being more actively filtered by service providers / law enforcement.

    • #1422224

      Thanks for the mention of Crypto Prevent. My problem was with > Software Restriction Policies & Security Levels. I “messed” about with the three entries and locked myself out of the operating system and got it back by a repair of my system. I had also deleted the entries in Additional Rules. You live and learn, or at least you should?

    • #1422225

      I have “implemented” Crypto Locker hopefully successfully. I then downloaded an update which states that a service needs to be running? Is it needed? I have discovered on my computer the presence of App Locker which I don’t remember downloading. Is it the same? It doesn’t appear to be running. TIA

      • #1422295

        I have “implemented” Crypto Locker hopefully successfully. I then downloaded an update which states that a service needs to be running? Is it needed?

        Hopefully you mean CryptoPrevent. It only uses a service for email alerts in the paid version.

        I have discovered on my computer the presence of App Locker which I don’t remember downloading. Is it the same? It doesn’t appear to be running. TIA

        No. AppLocker is a Windows component which can do blacklisting and whitelisting of applications, but it’s only available with the Enterprise editions of Windows 7 and 8.

        Bruce

    • #1422409

      Sorry, my mistake, it was Crypto Prevent. I Googled for whitelisting and the first thing I read is that it is difficult and time consuming to fully implement and there isn’t a consensus as to which is best, whitelisting or blacklisting. At my age time is too short to go on this “adventure”? ;)

    • #1423185

      CryptoPrevent (now at 4.2.4) is much less intrusive than earlier versions, but still of course protects against (current incarnations of) CryptoLocker. It also protects against right-to-left override (RLO) obfuscation, a particularly sneaky way of getting someone to open (i.e. run) an executable because it appears to be a document.
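      Screening an attachment name for the two disguises this thread describes (the FORM_101513.pdf.exe double extension quoted earlier, and the right-to-left override this post mentions), as an added Python example that is not code from the article, CryptoPrevent, or any other product named here. The extension lists are assumptions chosen for the example, and the rendering of U+202E is an approximation (text after the override character is drawn reversed); the sample names are constructed.

```python
"""Screening an attachment name for the disguises discussed in this thread.

Added example; the extension sets below are assumptions for illustration,
not an authoritative list.  Three things are checked before a file is
opened: (1) the real (last) extension is executable, (2) a document-looking
extension sits in front of it, (3) a RIGHT-TO-LEFT OVERRIDE character is
present, so the name renders differently from how Windows treats it.
"""
from typing import Dict, List

EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js", "msi"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}
RLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE control character


def rendered_name(name: str) -> str:
    """Approximate what the user sees: text after an RLO is drawn reversed."""
    i = name.find(RLO)
    if i < 0:
        return name
    return name[:i] + name[i + 1:][::-1]


def hide_last_extension(name: str) -> str:
    """Mimic the Windows 'hide extensions for known file types' default,
    which drops the final extension from the displayed name."""
    stem, dot, _ = name.rpartition(".")
    return stem if dot else name


def screen_attachment(name: str) -> Dict[str, object]:
    """Return the true extension, how the name is displayed (with and
    without extensions hidden), the reasons it is suspicious, and a
    block/allow decision (block if any reason was found)."""
    parts = name.lower().split(".")
    true_ext = parts[-1] if len(parts) > 1 else ""
    flags: List[str] = []
    if true_ext in EXECUTABLE_EXTS:
        flags.append("executable")
        if len(parts) > 2 and parts[-2] in DOCUMENT_EXTS:
            flags.append("double-extension")
    if RLO in name:
        flags.append("rlo-override")
    return {
        "true_extension": true_ext,
        "displayed": rendered_name(name),
        "displayed_with_hidden_extensions": rendered_name(hide_last_extension(name)),
        "flags": flags,
        "block": bool(flags),
    }


if __name__ == "__main__":
    # Constructed sample names, modelled on the patterns quoted in the thread.
    for sample in ("FORM_101513.pdf.exe", "invoice-12345.pdf.exe",
                   "report" + RLO + "fdp.exe", "FORM_101513.pdf"):
        print(repr(sample), screen_attachment(sample))
```

      The two “displayed” values are the point: with the Windows default, FORM_101513.pdf.exe is shown as FORM_101513.pdf, and the RLO name is shown as a .pdf even with extensions turned on, which is why the earlier advice to unhide extensions helps with the first trick but not the second.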

    • #1424375

      Anybody? Why wouldn’t UAC stop this right at the beginning? Isn’t that its main function?

      D

      • #1424381

        Anybody? Why wouldn’t UAC stop this right at the beginning? Isn’t that its main function?

        D

        The UAC doesn’t stop programs running. The UAC stops programs from gaining administrator’s rights, which happens when a program tries to change system settings. This malware doesn’t do that, it simply accesses files and encrypts them, without ever trying to change system settings and thus UAC cannot protect from it.

    • #1424453

      Thanks Rui, I guess this scumware doesn’t take that leap.

      The best protection then is CryptoPrevent, whitelisting, and some wise surfing. I’m already installing the first on machines under my control. The second will be more difficult. I’m learning.

      Thanks for all of your sage advice.

      • #1424466

        Thanks Rui, I guess this scumware doesn’t take that leap.

        The best protection then is CryptoPrevent, whitelisting, and some wise surfing. I’m already installing the first on machines under my control. The second will be more difficult. I’m learning.

        Thanks for all of your sage advice.

        You’re welcome, Donny and thank you :).

    • #1424779

      I am not clear which drives would be infected. I use an external USB connected drive (M:) for a complete image backup and an internal second drive for data backup (D:). If I get infected I understand the C: and D: drives will be infected. What about the D: external? Should I leave this connected or would it be safer to keep it disconnected? Thanks!

    • #1424782

      I do what you do.
      I back up C to two internal drives and an external drive.
      I disconnect the external drive between backups.

      From what I have read, Crypto can infect ALL drives but of course it can’t mess with the external because it’s disconnected…

    • #1424783

      Might operating from a limited account with restricted write access prevent this sort of thing from
      infecting other internal drives?

      • #1424786

        Might operating from a limited account with restricted write access prevent this sort of thing from
        infecting other internal drives?

        The Windows Secrets article was clear about that – use of a limited account wouldn’t limit the issues that result from this infection. All files that can be accessed by the user under which the computer gets infected, can be encrypted. So, if the user with the limited account can access other internal drives, the encryption can affect such drives, as well.

    • #1424785

      I don’t know Clint…
      I just feel better knowing it’s not connected…

    • #1424790

      Well, that settles that …

      • #1424798

        Well, that settles that …

        Yeah, I guess the power from this nasty is that it limits itself to doing things a user can do, like accessing files. No attempts to change system settings that would trigger stuff like the UAC or security app warnings.

    • #1424805

      I don’t see any mention in the article regarding limited accounts with full WRITE protected drives running afoul of this.
      If these drives are write protected it wouldn’t matter if they are simply just opened & viewed, as access to changing them would be restricted.

      • #1424807

        I don’t see any mention in the article regarding limited accounts with full WRITE protected drives running afoul of this.
        If these drives are write protected it wouldn’t matter if they are simply just opened & viewed, as access to changing them would be restricted.

        If the limited user account would have no write access to such files and no permissions to change such access, then those files would be protected from the malware, yes. I guess you’d need to restrict the access rights to external drives to limited accounts.

    • #1424813

      Yeah, I guess it would be highly dependent on what you use your computer for, for the majority of time you are using it.
      It might be a considerable hassle to switch user accounts if the frequency were high enough.

      • #1424814

        Yeah, I guess it would be highly dependent on what you use your computer for, for the majority of time you are using it.
        It might be a considerable hassle to switch user accounts if the frequency were high enough.

        I guess that’s precisely why many users don’t switch accounts (although likely many users don’t even know that is possible).

    • #1425045

      It’s not good news for some of us that have 10+ TB worth of internal drives.
      It’s too bad there weren’t some simple setting or programmable app that would at least warn of a write attempt and allow a stop.

    • #1425158

      By the way CryptoLocker apparently works, there’s no assurance that it will not encrypt all files kept online with the infected computer. So, for home users, it would mean that you should not let an external HD stay connected after imaging or backing up files, which would mean that automatic backups couldn’t be done. Also, that backing up files on a network isn’t safe either.

      As I read the way CryptoLocker works, the list of file types that it encrypted didn’t include backup files like True Image Backups (.tib files). That’s not to say a future variant won’t, but for now, it seems image backup is one form of protection even if the drive is permanently attached.

      Jerry

      • #1426164

        As I read the way CryptoLocker works, the list of file types that it encrypted didn’t include backup files like True Image Backups (.tib files). That’s not to say a future variant won’t, but for now, it seems image backup is one form of protection even if the drive is permanently attached.

        Jerry

        That’s right Jerry, but I wouldn’t bank on it for ever. These guys surely have it in their capability to attack .tib, .spi, .v2i etc.

        For home use, in addition to local software restriction policies, I’m thinking about building a PowerShell script to be called before my backups run each night. Hopefully, it will reconnect the USB ports that my backup drives are connected to, then a second script that will disconnect them after the backups have run. I also have a NAS connected via a UNC path that I use for archiving but haven’t figured how to prevent it being discovered…even if Crypto Locker can’t see it right now.

        For work, backups are offsite.

    • #1426146

      Nice column, very helpful info, changes implemented.

    • #1428185

      You guys might remember I suggested CryptoPrevent in response to Susan’s opening post. Well here’s another tool that claims to stop CryptoLocker (and other ransomware) in its tracks. A free prog from SurfRight, ‘HitmanPro.Alert’ now comes with ‘CryptoGuard’. Thus far, it’s only included in the latest BETA version, but I think it’s pretty robust. I’m running it on several machines alongside various security software and have had no issues with it.

      Go here http://www.surfright.nl/en/cryptoguard for further details and download (just be sure it’s the BETA version you download).
