• How to defend yourself from ransomware

    #499615


    TOP STORY


    How to defend yourself from ransomware

    By Susan Bradley

    Despite the CryptoLocker headlines, ransomware is still a growing threat to both individual PC users and small-to-medium businesses.

    Though our malware defenses have improved, ransomware authors are finding new ways to infect our systems. Fortunately, we have options and solutions.


    The full text of this column is posted at http://windowssecrets.com/top-story/how-to-defend-yourself-from-ransomware/.

    Columnists typically cannot reply to comments here, but do incorporate the best tips into future columns.

    • #1501072

      “HitmanPro.Alert” by SurfRight is free and claims to protect against ransomware:

      HitmanPro.Alert looks out for suspicious activity instead of working with virus signatures. If e.g. mass encryption is detected, HitmanPro.Alert’s CryptoGuard technology will automatically neutralize the perpetrating program and restore the encrypted documents, without the need for any user intervention.

      Again, this is HitmanPro.Alert (which is free) – not HitmanPro (which is not free).

      http://www.surfright.nl/en/alert

    • #1501088

      Susan, thanks for the wake-up call! I do have a question, though.

      Years ago, I ran across a recommendation to establish at least two user accounts on every computer you own – an Admin account that you would generally use only to upgrade or install software and a Standard account that you would use for everything else, including Internet access. The theory, as I understood it, was that software cannot be installed on your computer without your explicit permission when you are using a Standard account. Using this approach would presumably thwart third-party attempts to install malware on your computer.

      First, is my understanding correct? Second, if it is, how successful might this approach be in preventing installation of ransomware?

      Thanks!

    • #1501107

      The only thing I disagree with is that malware writers are finding new ways to infect computers. New variants of the same old vectors yes, not new ways. Therefore, safe computer practices still overwhelmingly (99.9%) dominate as the best preventative to infection, by ANY malware.

      For those using devices which can become infected, these stories should be all about those safe practices and the last paragraph should be the mention of anti-virus software and attachment removal, etc. Then the 75k or 100k variants a day or whatever it is are just so much “background radiation.”

    • #1501108

      I’m currently testing a free application-whitelisting program — SecureAPlus (site; Figure 1) — that’s specifically designed for home users. I have some initial reservations about this product;

      It’s only free for the first year; after that there’s a complex points referral program, e.g. follow on Facebook for a one-month extension: SecureAPlus Referral Program

      Bruce

      • #1501440

        It’s only free for the first year…

        Bruce

        Right. It’s also not just an App Whitelister but also an AV product. I would not install this on a computer with an existing AV product as a test or you may have nasty problems. I would further not give my system security to an unknown company.

        They have 2 Asian offices, so it may well be an International product recently ported to the west. But for a product like this, you want 3rd party testing and comparatives before you implement it. You don’t want to give your system security to a random company with a nice web site.

        I’m happy Susan mentioned it but I would have added more cautions.

    • #1501112

      I have always been a follower of the ‘Run your browser in a sandbox’ camp. I am not sure why this practice is not more widely used. To my mind all browsers are insecure because of one major overlying design ‘feature’… by default, a browser allows 2-way interaction between a web page and your PC; it has to. So nothing you do over the internet can be trusted… ever. It makes sense then that your browser sessions should be run in a crash and burn environment. There are two options… running the browser in a virtual environment (a little challenging for the average non-tech user) or in a sandboxed environment. While I have noted some Windows Secrets writers have mentioned SandboxIE in the past, it has never really caught on. While it does not prevent infection on the session itself, it really does not matter… once you delete the sandbox, the infection (of any kind) is removed from your PC. This includes Cryptolocker and its relatives. Whatever it encrypts within the sandbox is not needed anyway. I would like to hear counterpoints if there are any. Thanks.

      • #1501116

        “it’s not easy finding an app-whitelisting solution for home PCs”

        Wow Susan, I can’t believe that I just read that on a Windows Secrets article! There are plenty of antivirus / antimalware apps that use whitelisting and also can run unknown apps in a sandbox for further evaluation. Two that immediately come to mind are both well-known, that’s Comodo and Webroot.

        • #1501123

          Susan,

          I have been using a method to protect my daughter’s data that I thought I would share. I personally use a Mac which has not (yet) been attacked by ransomware, but when I first read about CryptoLocker I really panicked. My daughter is a graduate student who has all her research data and Ph.D. dissertation on her Windows 8.1 laptop. Losing all that data would be catastrophic for her. I have been using Amazon S3 to offsite archive some of my personal data and I came up with this solution for her. I installed GoodSync for Windows on her laptop and use my Amazon S3 account to sync her Documents folder to an S3 bucket. The secret keys to access the S3 bucket are theoretically only visible to GoodSync and the cloud storage is not mapped to a Windows drive letter or even visible to Windows as a network location. Unless I’ve missed something, none of the current versions of ransomware should be able to see that data. If you see a flaw in this thinking, I would greatly appreciate knowing it. I was even reluctant to make this response to your article and give the malware authors something else to work on.

        • #1501188

          “it’s not easy finding an app-whitelisting solution for home PCs”

          Wow Susan, I can’t believe that I just read that on a Windows Secrets article! There are plenty of antivirus / antimalware apps that use whitelisting and also can run unknown apps in a sandbox for further evaluation. Two that immediately come to mind are both well-known, that’s Comodo and Webroot.

          Both of those software I personally have tracked kernel patching interactions with, and Webroot has to be removed before someone can upgrade to Windows 10.

          It’s not easy finding a well behaved app whitelisting solution might have been a better turn of phrase.

          • #1503714

            Both of those software I personally have tracked kernel patching interactions with, and Webroot has to be removed before someone can upgrade to Windows 10.

            It’s not easy finding a well behaved app whitelisting solution might have been a better turn of phrase.

            The free version of Avast antivirus software has a cloud-based whitelisting function called Hardened mode. To download and for more information see the links below. To enable it, go to Settings > General > Enable Hardened mode > Aggressive.

            https://www.avast.com/en-us/index

            https://forum.avast.com/index.php?topic=142172.msg1032485#msg1032485

            • #1514026

              Just read my emails about this ransomware topic; this explains why I am a bit late in joining this discussion. Anyway, after being caught once by the ransomware criminals, it took me a week to get my PC back on form. From then on I have always kept my browser window smaller than the maximum, using the minimise button then dragging to resize the browser window smaller than my screen. Somehow this prevents the nasty ransomware from locking up my system, so I can right click on the taskbar to choose Start Task Manager, then click on the Apps tab, click on the nasty bad website and End Task. Works every time!
              Since then, ransomware has tried umpteen times to lock me out, to no avail – poor suckers!

              I guess this is similar to a sandbox idea but less complicated. And a lot easier than doing lengthy clean ups. Also cheaper than paying for anti ransomware kits.

      • #1503712

        I have always been a follower of the ‘Run your browser in a sandbox’ camp. I am not sure why this practice is not more widely used. To my mind all browsers are insecure because of one major overlying design ‘feature’… by default, a browser allows 2-way interaction between a web page and your PC; it has to. So nothing you do over the internet can be trusted… ever. It makes sense then that your browser sessions should be run in a crash and burn environment. There are two options… running the browser in a virtual environment (a little challenging for the average non-tech user) or in a sandboxed environment. While I have noted some Windows Secrets writers have mentioned SandboxIE in the past, it has never really caught on. While it does not prevent infection on the session itself, it really does not matter… once you delete the sandbox, the infection (of any kind) is removed from your PC. This includes Cryptolocker and its relatives. Whatever it encrypts within the sandbox is not needed anyway. I would like to hear counterpoints if there are any. Thanks.

        Actually, Chromium based browsers have an integrated sandbox, Internet Explorer has Enhanced Protected Mode, which is its version of a sandbox, and the last I heard Mozilla was still working on a sandbox for Firefox. The Chromium sandbox is robust, but has experienced some flaws, which are usually corrected in the next version. The Internet Explorer sandbox has positive qualities, but also some flaws, which are mentioned in the article linked below. I don’t use Sandboxie, but reports of it being breached are rare, although attempts to attack it are probably also rare because of the relatively small number of users in contrast to the large number of users for the other browsers. Like arsonists, hackers want their work to be a notable event in order to feed their ego, and they’re not going to get that by attacking Sandboxie. So, it could have flaws unknown to the public. I do know it was cracked for the purpose of distributing a version of it that is free to use indefinitely, much to the developer’s dismay, I’m sure. Sandboxes are a useful layer of additional security, as long as that’s not the only security.

        http://www.chromium.org/developers/design-documents/sandbox

        http://securityintelligence.com/internet-explorer-ie-10-enhanced-protected-mode-epm-sandbox-research/

    • #1501124

      I support a group of heavy duty PC users, and I use system image backup tools, saving the backups to local drives for speed. I note that Symantec System Recovery has a dedicated service that tries to protect the local backup files by maintaining a write lock on them. Do you think that this is an effective way to protect the backups from ransomware?

      Barry

    • #1501128

      Thanks for the article about Crypto-ransomware. You may not be aware of two other applications designed to protect against it. One is HitmanPro Alert and the other CryptoMonitor.

      http://www.surfright.nl/en/alert
      https://www.easysyncsolutions.com/products.html

      It would be interesting if you could check these out and do a followup.

    • #1501130

      dfuerpo, does your daughter do all her work on that cloud you set up? In short, nothing originates on her harddrive? Copies from the cloud flow to her harddrive, correct? If yes to all of the above, great idea! Tell me more 🙂

      "Take care of thy backups and thy restores shall take care of thee." Ben Franklin, revisited

      • #1501145

        The secret keys to access the S3 bucket are theoretically only visible to GoodSync and the cloud storage is not mapped to a Windows drive letter or even visible to Windows as a network location. Unless I’ve missed something, none of the current versions of ransomware should be able to see that data.

        But if ransomware encrypted files in your daughter’s Documents folder, wouldn’t those encrypted files get synced to the S3 bucket automatically before she knew about it?

        That’s why Susan said in the article, “If you use a cloud-storage service to back up your data, be sure that versioning is turned on. If ransomware encrypts your local files, the synched version in the cloud might also be encrypted. But you should still have access to the previous versions of the files.”

        dfuerpo, does your daughter do all her work on that cloud you set up? In short, nothing originates on her harddrive? Copies from the cloud flow to her harddrive, correct? If yes to all of the above, great idea! Tell me more 🙂

        I didn’t read it that way at all. My guess is No, No, No.

        • #1501728

          Sorry I wasn’t more specific. Yes versioning is turned on for that S3 bucket; that is a critical factor in this scheme. Also, the sync is set to run at 2:00 am every night. My daughter has been educated as to the symptoms or signs of a ransomware attack. If she sees this, I have instructed her how to temporarily disable the sync. The idea is that it buys you some time to preserve your data. I am also thinking of setting up a one way sync with the S3 bucket to my NAS here at home. That way I also have a copy of her docs.
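
The versioning safeguard described in this post, as an added example that is not part of the original thread: Python code that reads a version listing and picks, per file, the last version written before the last known-clean nightly sync. The listing is constructed in the shape of S3's ListObjectVersions response; the keys, version IDs, dates and the `.locked` suffix are made up.

```python
from collections import defaultdict
from datetime import datetime, timezone


def _utc(day, hour):
    """Helper for the constructed sample timestamps below."""
    return datetime(2015, 4, day, hour, tzinfo=timezone.utc)


# Constructed listing in the shape of an S3 ListObjectVersions response
# (boto3: s3.list_object_versions). Keys, version IDs and times are made up.
SAMPLE_LISTING = {
    "Versions": [
        {"Key": "Documents/thesis.docx", "VersionId": "t1", "IsLatest": False, "LastModified": _utc(14, 2)},
        {"Key": "Documents/thesis.docx", "VersionId": "t2", "IsLatest": False, "LastModified": _utc(15, 2)},
        # Overwritten in place by the 2:00 am sync that ran after the infection.
        {"Key": "Documents/thesis.docx", "VersionId": "t3", "IsLatest": True, "LastModified": _utc(16, 2)},
        {"Key": "Documents/data.csv", "VersionId": "d1", "IsLatest": False, "LastModified": _utc(10, 2)},
        # Renamed locally, so the sync uploaded a new key and deleted the old one.
        {"Key": "Documents/data.csv.locked", "VersionId": "x1", "IsLatest": True, "LastModified": _utc(16, 2)},
        {"Key": "Documents/notes.txt", "VersionId": "n1", "IsLatest": True, "LastModified": _utc(12, 2)},
    ],
    "DeleteMarkers": [
        {"Key": "Documents/data.csv", "VersionId": "d2", "IsLatest": True, "LastModified": _utc(16, 2)},
    ],
}

# Constructed cutoff: the last moment the local files were known to be clean.
SAMPLE_LAST_CLEAN = _utc(15, 12)


def plan_restore(listing, last_clean):
    """Return (restore, created_after) for a versioned bucket.

    restore       maps key -> VersionId of the newest version at or before
                  last_clean, for keys whose current state is no longer that version.
    created_after lists keys that did not exist at last_clean; review these
                  before removing them, they may be encrypted copies or new work.
    """
    events = defaultdict(list)  # key -> [(time, is_delete_marker, record)]
    for version in listing.get("Versions", []):
        events[version["Key"]].append((version["LastModified"], False, version))
    for marker in listing.get("DeleteMarkers", []):
        events[marker["Key"]].append((marker["LastModified"], True, marker))

    restore, created_after = {}, []
    for key in sorted(events):
        history = sorted(events[key], key=lambda e: e[0])
        current = next((e for e in history if e[2].get("IsLatest")), history[-1])
        before = [e for e in history if e[0] <= last_clean]
        state_then = before[-1] if before else None
        existed_then = state_then is not None and not state_then[1]
        if existed_then:
            if current[2]["VersionId"] != state_then[2]["VersionId"]:
                # Applying this would be a copy of that version over the key, e.g.
                # copy_object(CopySource={"Bucket": ..., "Key": key, "VersionId": ...}).
                restore[key] = state_then[2]["VersionId"]
        elif not current[1]:
            created_after.append(key)
    return restore, created_after


if __name__ == "__main__":
    to_restore, to_review = plan_restore(SAMPLE_LISTING, SAMPLE_LAST_CLEAN)
    for key, version_id in to_restore.items():
        print(f"restore {key} from version {version_id}")
    for key in to_review:
        print(f"review  {key} (created after the cutoff)")
```

Versioning only protects the history if the credentials stored on the laptop cannot delete old versions; in S3 that is the separate `s3:DeleteObjectVersion` permission.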

    • #1501132

      You said: it’s not easy finding an app-whitelisting solution for home PCs

      Software Restriction Policies are built in to all Windows versions (with the exception of Home, I believe).
      The NSA even has a document showing exactly how to set this up: https://www.nsa.gov/ia/_files/os/win2k/application_whitelisting_using_srp.pdf
      It works extremely well, but takes a bit of work to properly setup.
      Google “using software restriction policies to whitelist” for more resources.

      The basic theme is expressed in the last line of that document: Ensure that users cannot both write to and execute from any location.
      This prevents malware from writing and executing. It may write itself to disk, but won’t be able to execute without privilege escalation.
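
One way to check a policy against the rule quoted above, as an added example (not taken from the NSA document or the original post): given SRP-style path rules and a list of user-writable directories, report every directory that is both writable and allowed to execute. The rules and directories are constructed, only plain directory path rules are modelled, and the most specific matching rule is assumed to win.

```python
from pathlib import PureWindowsPath

# Whitelisting mode: nothing runs unless a path rule allows it.
DEFAULT_LEVEL = "Disallowed"

# Constructed policy: path rules as (directory, security level).
SAMPLE_RULES = [
    (r"C:\Windows", "Unrestricted"),
    (r"C:\Program Files", "Unrestricted"),
    (r"C:\Apps", "Unrestricted"),
    (r"C:\Apps\Vendor\Spool", "Disallowed"),   # carve-out inside an allowed tree
]

# Constructed result of an ACL audit: directories a standard user can write to.
SAMPLE_WRITABLE = [
    r"C:\Users\alice\Downloads",
    r"c:\apps\vendor\logs",
    r"C:\Apps\Vendor\Spool\queue",
    r"C:\Program Files\Tool\cache",
]


def effective_level(path, rules, default=DEFAULT_LEVEL):
    """Security level that applies to `path`: the most specific matching rule wins."""
    target = PureWindowsPath(path)      # Windows semantics: case-insensitive compare
    best = None
    for rule_path, level in rules:
        rule = PureWindowsPath(rule_path)
        if rule == target or rule in target.parents:
            if best is None or len(rule.parts) > len(best[0].parts):
                best = (rule, level)
    return best[1] if best else default


def write_and_execute(writable_dirs, rules):
    """Directories that break the rule: user-writable and allowed to execute."""
    return [d for d in writable_dirs if effective_level(d, rules) == "Unrestricted"]


if __name__ == "__main__":
    for directory in write_and_execute(SAMPLE_WRITABLE, SAMPLE_RULES):
        print(f"writable and executable: {directory}")
```

Each reported directory needs either its write permission removed or a more specific Disallowed rule.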

      • #1501442

        You said: it’s not easy finding an app-whitelisting solution for home PCs

        Software Restriction Policies are built in to all Windows versions (with the exception of Home, I believe).

        Home is the key word here. If it’s not available in Home, it isn’t available to home users.

      • #1501588

        You said: it’s not easy finding an app-whitelisting solution for home PCs

        Comodo Firewall provides what is essentially whitelisting by preventing an unrecognized app from running without authorization from the user. It also allows sandboxing. Moreover, there is a free version that does not have a time limit on its use. I’ve been using it successfully for many years. I would be interested in learning if there is something I’ve missed regarding its capabilities.

    • #1501142

      Hi Susan.

      This is my backup scenario that I run on a home computer that has a SSD for a primary OS and Program drive and a HDD for a data drive.

      I use the paid version of Shadow Protect Desktop to make image backups to an external drive that is physically detached from the computer unless a backup is in process and when it is attached the ethernet cable is disconnected so that the computer is never backing up while connected to the Internet. Both before and after the computer is backed up the computer is shut down and the cables swapped so there is less opportunity for a program to reside in memory and cross-contaminate the computer. Both drives are on monthly backups with incrementals every few days.

      Other security software used is Norton 360, Secunia PSI 3.0, OpenDNS & Malwarebytes Anti-Malware (Paid). I also have Revo Uninstaller (Paid) with which I uninstall all software needing removal and scan for leftovers after any programs have been removed from the computer.

      Assuming that I am practicing normal safe computer techniques, is there anything else I should be doing or missed in my plan?

    • #1501143

      Susan, the following statement from your article really troubles me:

      “I’m currently testing a free application-whitelisting program — SecureAPlus (site; Figure 1) — that’s specifically designed for home users. I have some initial reservations about this product; I’ve been unable to find much third-party information about the program or its publisher. But it does let me lock down my system so that only applications I’ve approved will run.”

      Your second sentence (and the independent clause that follows) says more than you, perhaps, realize. It seems to me that due diligence before recommending SecureAPlus would involve continuing and careful research into both the product and the publisher. In particular, I would think a careful investigation into an unknown publisher is absolutely essential.

      Perhaps I misunderstood what you intended.

      • #1501146

        Susan, the following statement from your article really troubles me:

        “I’m currently testing a free application-whitelisting program — SecureAPlus (site; Figure 1) — that’s specifically designed for home users. I have some initial reservations about this product; I’ve been unable to find much third-party information about the program or its publisher. But it does let me lock down my system so that only applications I’ve approved will run.”

        Your second sentence (and the independent clause that follows) says more than you, perhaps, realize. It seems to me that due diligence before recommending SecureAPlus would involve continuing and careful research into both the product and the publisher. In particular, I would think a careful investigation into an unknown publisher is absolutely essential.

        Perhaps I misunderstood what you intended.

        It doesn’t take long to track down the CEO, here he is: https://duckduckgo.com/TEOW-HIN+NGAIR

        • #1501449

          A word of advice concerning the advice to “forward your mail through Gmail.”

          Don’t.

          Set up gmail to “Check mail from other accounts” instead.

          The reason is that if you will be forwarding spam to your gmail account along with your regular email, gmail will see this spam as coming from your mail server, and it will start to hurt the Sender Reputation of your mail server, and you could end up having your mail server start showing up on some Block Lists.

          I have had this happen to me. I have a tiny hosting service for my clients, and I started spam filtering a client’s “Contact Us” email through gmail by forwarding it to a gmail account that we made up in order to take advantage of gmail’s awesome spam detection. Then, some time later, a different email user tells me that one of her correspondents cannot receive her email. I look at the headers, and the reason the recipient cannot receive the email is because we are listed on a Block List. Uh Oh.

          I tracked it down to the fact that the forward that I set up was sending hundreds of spam messages a day to that filtering gmail account. So gmail lowered our sender reputation.

          The good news is that after I set that filtering gmail account to collect mail from the spammy “Contact Us” account via POP3, our sender reputation improved.

    • #1501144

      RollbackRX- unless somehow it messes that up too? If not, if you get any virus, or your system goes corrupt- simply do a rollback to a point in time before the infection or corruption. I would assume Rollback would be able to restore your computer to a time BEFORE the ransomware executable was run on your computer-

      It’s very easy and worry free practically- of course something could happen to the rollbackrx where it becomes corrupt and won’t work, but in the many years I’ve used it, doing probably 100’s of rollbacks, it’s never failed me yet- I’ve had several viruses in that time, and a simple couple of mouse clicks, and virus is completely gone- no mucking around with finding hidden files, no mucking with registry keys, no searching computer files for infected code- none of that- just pull up rollback menu on bootup (It loads before windows starts to load) and do a rollback from there- easy peasy

      RollbackRX is like system restore on steroids, and does things system restore can’t do- best $60 I’ve spent for the computer- One-time fee- no yearly subscription-

      I would think that using rollbackRX with offsite or off computer backup, and good antivirus, and perhaps something like nortons internet security or some such program, and using whitelists would go a long way towards ensuring protection of computer- Sandboxing sounds like a good idea too- but I do like the RollbackRX for its ease of use and quickly restoring computer to a known good point before infections happen- takes just a matter of a few minutes, and viruses and malware and trojans etc all gone- completely- no worries

      John- the other good thing about rollbackRX is that it completely reverts a drive back in time to a point before you installed software- so everything is for sure 100% gone from computer- no uninstalling necessary- what I do if I’m installing something to try- I’ll do a manual restore point in rollbackRX and then install software, and if anything goes wrong, or I decide I don’t like the program or whatever, if it really messes up the computer, no worries- I just do a rollback and it’s completely gone- no worries about leftover files, or files that are hidden or disguised or whatever- everything is gone

      • #1501158

        RollbackRX- unless somehow it messes that up too? If not, if you get any virus, or your system goes corrupt- simply do a rollback to a point in time before the infection or corruption. I would assume Rollback would be able to restore your computer to a time BEFORE the ransomware executable was run on your computer-
        ….

        Rollback type apps do not affect data files which is what ransomware encrypts. How could it? If rollback apps did they would remove all files updated or added since the rollback point including any data you had from that time forward. Which would not be a very satisfying solution.

        The ransomware removes itself (and is easily removed before that; indeed ransomware is just about the easiest of all malware to completely remove) after a set number of days (4-10 currently) if the ransom is not paid leaving the data files it encrypts encrypted. These ransomware @&#!!(*’s actually run a “nice” free help service in case you need help purchasing bitcoins, running a Tor OS and decrypting your files. It is apparently more responsive than the IRS hotline.

        • #1501182

          Rollback type apps do not affect data files which is what ransomware encrypts. How could it? If rollback apps did they would remove all files updated or added since the rollback point including any data you had from that time forward. Which would not be a very satisfying solution.

          Rollback Rx does include data files in snapshots, and has a feature for recovering more recent files; but in the case of ransomware I assume those would have been encrypted:

          Let’s say, you are working on an important document. Then, while checking your inbox you encounter a catastrophic system crash and your PC becomes completely unusable. Unfortunately, the last snapshot was taken over a week ago…. The RollBack Rx technology allows you to go back to your week-old system state without losing any data from your current (crashed) system. How is this possible? The Recover Files feature facilitates the access of any files from your crashed system state, including that important document that you were working on.
          Benefits of RollBack Rx

          These ransomware @&#!!(*’s actually run a “nice” free help service in case you need help purchasing bitcoins, running a Tor OS and decrypting your files. It is apparently more responsive than the IRS hotline.

          You don’t mean a telephone number in the case of ransomware help though, right?

          • #1501212

            …. You don’t mean a telephone number in the case of ransomware help though, right?

            No. It is just the lengths Cryptowall 3 goes to assisting you in setting up Tor, purchasing and sending Bitcoin, and getting and using your then provided decryption key, including alternate server. While I am sure it is not amusing to its victims it demonstrates the desire of the blackmailer to get paid (duh) and yet maintain their reputation for following through by the victim successfully decrypting the PC once paid.

            It is in the perpetrator’s best interest to complete the contract to the satisfaction of the victim so future victims that the Cryptowall authors are counting on since a bad rep means people would not bother paying. Equally amusing are the “security” experts and government pukes who sternly warn not to pay . . . easy to say when it is not your data. I noted an Arizona law enforcement agency recently had to pay the ransom . . . I guess such government advice only applied to the mundanes.

            • #1501219

              Equally amusing are the “security” experts and government pukes who sternly warn not to pay . . . easy to say when it is not your data. I noted an Arizona law enforcement agency recently had to pay the ransom . . . I guess such government advice only applied to the mundanes.

              Six departments in Maine within the last couple of weeks too: Maine police departments pay hackers to unlock computer system

        • #1501342

          [[Rollback type apps do not affect data files which is what ransomware encrypts. How could it? If rollback apps did they would remove all files updated or added since the rollback point including any data you had from that time forward]]

          The rollback files I believe are held in a protected area of the hard-disk- I don’t know if ransomware can get into protected parts of a disk or not? If not, then it wouldn’t matter if ransomware messed up the main hard-drive, the old snapshots would revert your drive to a previous state before the ransomware changed everything to encryption- but you’d have to rollback to a time before the ransomware hit because any files afterwards probably would be snapshotted as encrypted too

          Yep- you’d lose your most recent files unless you did daily snapshots whenever you updated your files/documents etc (although that’s not really feasible as snapshots take up a good bit of room) But if you do snapshots once a week or every two weeks or whatever, you wouldn’t be losing a lot- and really, if you have important documents/work that you are working on, then you’d want to back those up to an off-computer device or site every time you update them anyways- and any software you would lose can simply be reinstalled-

          It’s a lot better in my opinion than paying $1000 to unlock your hard-drive

    • #1501149

      Why can’t we black-list or uninstall or disable the encryption in Windows? You mentioned it uses standard Windows encryption. I have never encrypted anything knowingly on my system, so do I need it?

    • #1501150

      Well I expected this would be a popular thread. Congratulations Susan on a timely topic. I suspect it will be well attended at the MS conference in 3 weeks.

      My understanding was the latest variants of ransomware were demanding $1,000 to provide a decryption key. I remember thinking about the Laffer curve of determining the optimal amount of money a government could extort before a greater percentage of people would try to hide it increasing the costs of earning detection and reducing the overall take.

      Plenty of people have hard drive failures. Many are willing to pay $300 for recovery. Far fewer–no matter how valuable the data is–would pay $1,000 rather than just writing it off as a total loss.

      I wondered with PDF doc’s now a common medium for ransomware distribution/infection if the $1,000 is now targeted more towards businesses rather than individuals as they would pay plenty to unlock an encrypted drive and through their network they have a lot of drives to encrypt and then blackmail to unencrypt. That is one big score! It might even be covered by a business’ insurance. Or be a tax write off.

    • #1501229

      I have been using Online Armor for the last 7 or 8 years precisely because it offers whitelisting based protection. Unfortunately, it won’t be for sale for much longer, as the insightful people who run the company that acquired the original software, decided their non whitelisting, behaviour detection based software is the way to go. It’s a stupid decision, which probably underscores the fact that decent whitelisting based, consumer oriented products are hard to find.

      Before Online Armor, ZoneAlarm provided whitelisting based protection. Not sure if it still does. Comodo, as someone mentioned before, does it too. Unfortunately, in a misguided attempt to try to make products simpler to understand, many manufacturers don’t even mention the fact that their products offer whitelisting, which is really the only way to avoid all kinds of undesirable software. That’s quite telling about the state of the security software scenario. The field has been led to a stupidification strategy, of which I believe Emsisoft’s decision to cancel the continued development of Online Armor is a magnificent example.

    • #1501515

      Susan, or other lounge members: In Win7 Backup and Restore, how does one hide the external, USB backup drive so it doesn’t show up in Windows Explorer?

      • #1501521

        Susan, or other lounge members: In Win7 Backup and Restore, how does one hide the external, USB backup drive so it doesn’t show up in Windows Explorer?

        Three possible methods here: How can I hide the backup external usb drive in Windows 7

      • #1501526

        Susan, or other lounge members: In Win7 Backup and Restore, how does one hide the external, USB backup drive so it doesn’t show up in Windows Explorer?

        Disconnect the external drive when not backing up.

        • #1501527

          Disconnect the external drive when not backing up.

          That will also work; I thought maybe their external device may not be that easy to plug/unplug due to office logistics.

          "Take care of thy backups and thy restores shall take care of thee." Ben Franklin, revisited

    • #1501522

      Susger, after you go into Windows 7’s diskmgr and un-assign [remove without reAssigning] the drive letter of the external device — it should not show up within Explorer. The additional step of disabling the external device within CTL-PNL’s Device Manager may or may not be necessary.

      "Take care of thy backups and thy restores shall take care of thee." Ben Franklin, revisited

    • #1501598

      I’m just wondering – will a ransomwared main hard drive infect a USB backup drive when it’s plugged in?

      Being 20 something in the 70's was far more fun than being 70 something in the insane 20's
    • #1501608

      I installed SecureAPlus (free version) on a 4 year old Win7 system. It slowed my system down so much it was unusable. Memory usage jumped to 80-90%. I had to uninstall from Safe Mode.

    • #1501659

      Double check what you install on your computers and Sandbox your browser (or better yet both your OS and your browser as I do; said it before, but I’ll say it again. Virtualization is the only way to protect your system’s integrity and I’m double-sandboxed). 🙂

      • #1501673

        While I appreciate, follow and address accordingly, the advice given and the methods of implementing security…..for personal and financial data, I use a stand alone computer that is non networked and never faces the internet. As I use a Truecrypt container to hold my documents, even intrusion to capture data by physical possession is somewhat thwarted.

        Worst case scenario with the computer I’m writing from, a disk image resides in a USB drive to revert to a clean OS if needed.

        As a note, I’ve been using Sandboxie for many years and feel it’s an important addition.

        Thanks all for the ideas the members have been presenting and especially to Susan Bradley. :up:

    • #1501779

      I tried SecureAPlus today and I have a fairly new Windows 8.1 computer. At first, it was running fine in the background, but then it took over my computer to the point where it was functionally useless. I tried changing the scan setting to SLOW, but that did nothing. After trying to figure out what was causing the problem and rebooting 5 times, I had to quickly open the Control Panel and Uninstall SecureAPlus. It solved the problem. I have 24 Gb RAM. No way to shut it down either. Not for me as I do not like something taking over my computer.

    • #1503159

      Install CryptoPrevent. It blocks most Crypto variants. It must be regularly updated to remain effective.

      http://www.foolishit.com/vb6-projects/cryptoprevent/

    • #1514027

      Your description sounds like you still have ransomware installed on your system. Have you run lots of AV/malware scans?

      cheers, Paul

      • #1514034

        I don’t think I have ransomware installed on my system, Paul; thanks for reading. It happened 2 years back and since then I have formatted all drives on my multiboot system to add a new drive for Windows preview 10.

        cheers, Norman

    • #1514064

      I agree with Paul’s question if you have run AV/Malware scans. I would suggest running some free scans from major antivirus providers such as Norton, TrendMicro, ESET, etc. They are free for a scan. Also I would investigate with Malwarebytes Anti-Malware.

      • #1514145

        I agree with Paul’s question if you have run AV/Malware scans. I would suggest running some free scans from major antivirus providers such as Norton, TrendMicro, ESET, etc. They are free for a scan. Also I would investigate with Malwarebytes Anti-Malware.

        Thanks john181818, I downloaded and ran AV/Malware, it found two PUPs (potentially unwanted programs) but no ransomware.
        Now I can rest assured and browse around the world in peace lol. :p

    • #1517722

      If I disable from Device Manager the external hard drive to which I backup my data, can ransomware attack that data? The drive is invisible from Explorer and Disk Manager. I only re-enable it when I make backups.

      • #1517749

        Disabling your external backup drive sounds good as it will be isolated, like in an isolation ward in hospital. But, I guess the risk of infection returns when you re-enable it, making it prone to whatever infections that may be on your system.

        • #1517791

          I guess I will have to be careful to not re-enable it before I can confirm the PC is clean. I imagine that it’s quite obvious when you have been infected with ransomware. Thank you for replying to my earlier question.

          • #1517820

            I imagine that it’s quite obvious when you have been infected with ransomware.

            Not until your document files cannot be opened or you notice DECRYPT_INSTRUCTION files in document folders.
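The two symptoms named in this exchange (DECRYPT_INSTRUCTION files appearing, and documents that no longer open) can be checked by script before a disabled backup drive is re-enabled. The following is an added example, not code from any poster or product in this thread; the function names, the extension list and the sample files are assumptions made for illustration.

```python
import os
import sys
import tempfile

NOTE_PREFIX = "decrypt_instruction"  # marker file name quoted in the thread
# Well-known leading bytes of intact files, keyed by extension.
MAGIC = {
    ".pdf": (b"%PDF",),
    ".docx": (b"PK\x03\x04",), ".xlsx": (b"PK\x03\x04",), ".zip": (b"PK\x03\x04",),
    ".jpg": (b"\xff\xd8\xff",), ".png": (b"\x89PNG\r\n\x1a\n",),
}

def scan(root):
    """Return (ransom_notes, damaged_docs): sorted path lists found under root."""
    notes, damaged = [], []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            if name.lower().startswith(NOTE_PREFIX):
                notes.append(path)
                continue
            sigs = MAGIC.get(os.path.splitext(name)[1].lower())
            if sigs is None:
                continue  # type we cannot judge by its header
            try:
                with open(path, "rb") as fh:
                    head = fh.read(8)
            except OSError:
                damaged.append(path)  # unreadable document: treat as suspect
                continue
            if head and not head.startswith(sigs):
                damaged.append(path)  # header no longer matches the extension
    return sorted(notes), sorted(damaged)

def safe_to_attach_backup(root):
    """True only when neither symptom is present under root."""
    notes, damaged = scan(root)
    return not notes and not damaged

if __name__ == "__main__":
    if len(sys.argv) > 1:
        root = sys.argv[1]  # e.g. the user's Documents folder
    else:
        # Constructed sample: one intact PDF, one overwritten JPEG, one note file.
        root = tempfile.mkdtemp()
        open(os.path.join(root, "tax.pdf"), "wb").write(b"%PDF-1.4 sample")
        open(os.path.join(root, "photo.jpg"), "wb").write(b"\x8a\x11\x5c\x90 junk")
        open(os.path.join(root, "DECRYPT_INSTRUCTION.TXT"), "w").write("constructed")
    notes, damaged = scan(root)
    print("ransom notes:", notes)
    print("damaged docs:", damaged)
    print("attach backup drive:", "yes" if not notes and not damaged else "NO")
```

A clean result only means these two symptoms are absent in the scanned folder; it does not replace an AV/malware scan.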

    • #1518000

      You could just unplug your external drive.

      cheers, Paul

      • #1518061

        You could just unplug your external drive.

        cheers, Paul

        Yeah I realize that, but the computer is in a location that is a pain, so that is why “Disable” is more convenient.
