    WSbrino

    @wsbrino

    • in reply to: The ultimate security-tools list: Fall edition #1578596

      Another great tool that was missed is CryptoPrevent by FoolishIT.

      This one:
      -blocks many common infection vectors (running executables from temporary or data directories, misnamed/renamed files like file.pdf.exe, etc.)
      -uses Windows built-in group-policy settings, and so i) is low overhead; it sets the rules and is done, no background application is left running, and ii) runs well with any other anti-malware application (it is currently on every PC in my house running fine with Emsisoft, MalwareBytes (MBAM), Kaspersky, ZoneAlarm)
      -it protects all user accounts on the system
      -works even on “Home” versions of Windows where Microsoft offers no way to set group policies
      -rules can be adjusted and it supports white-listing to support applications that run in non-standard ways like running from data directories. I only saw one application that did this (BitTorrent) so I removed it.
      -extremely good pricing (free version needs manual updates, but for $15 you get lifetime access and auto-updates)

      The tool is here:
      https://www.foolishit.com/cryptoprevent-malware-prevention/

      Technical info here:
      https://www.foolishit.com/cryptoprevent-malware-prevention/technical-information/

      Note: I am just a very happy customer (and fan of clever solutions), I have no financial interest in the company.

      -brino
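      As an added example (not from this post and not FoolishIT's own code), a PowerShell audit that lists the Software Restriction Policy path rules present in the registry, which is the group-policy mechanism the post describes, and then flags double-extension executables (the file.pdf.exe pattern) in the temporary and data directories such rules usually cover. The registry location, the directory list and the extension list are assumptions about a standard Windows install; run it from an elevated prompt.

```powershell
# Added example, not part of the post or of CryptoPrevent itself.
# Software Restriction Policy (SRP) path rules live under this key; the
# "0" subkey holds Disallowed rules, "262144" holds Unrestricted ones.
$saferRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$levels = @{ '0' = 'Disallowed'; '262144' = 'Unrestricted' }

function Get-SrpPathRules {
    if (-not (Test-Path $saferRoot)) {
        Write-Warning "No SRP rules found under $saferRoot"
        return
    }
    foreach ($lvl in $levels.Keys) {
        $pathsKey = Join-Path $saferRoot "$lvl\Paths"
        if (-not (Test-Path $pathsKey)) { continue }
        foreach ($ruleKey in (Get-ChildItem $pathsKey)) {
            $rule = Get-ItemProperty $ruleKey.PSPath
            New-Object PSObject -Property @{
                Level       = $levels[$lvl]
                Path        = $rule.ItemData       # e.g. %AppData%\*.exe
                Description = $rule.Description
            }
        }
    }
}

# Candidate misnamed files such as invoice.pdf.exe in the directories SRP
# rules normally cover. Assumed directory list; a name like setup.v2.exe
# also matches, so treat hits as candidates to review, not as verdicts.
function Find-DoubleExtensionExecutables {
    $dirs = @($env:TEMP, "$env:USERPROFILE\Downloads", $env:APPDATA, $env:LOCALAPPDATA)
    $execExt = '\.(exe|scr|pif|com|cmd|bat|js|vbs|wsf)$'
    foreach ($dir in $dirs) {
        if (-not (Test-Path $dir)) { continue }
        Get-ChildItem -Path $dir -Recurse -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer -and
                           $_.Name -match $execExt -and
                           $_.BaseName -match '\.\w{2,4}$' } |
            Select-Object FullName, Length, LastWriteTime
    }
}

Get-SrpPathRules | Format-Table Level, Path, Description -AutoSize
Find-DoubleExtensionExecutables | Format-Table -AutoSize
```

      The script only reads the registry and the filesystem; it uses PowerShell 2.0 syntax so it also runs on a stock Windows 7 install.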

    • Just upgrade, and be happy.

      …and lose access to some older required applications?
      …and lose the function of older, but critical hardware? (because new drivers do not exist)
      …and need to relearn how to use the OS interface?

      Ummmm…..NO!

      This is total illogical BS!

      -brino

    • in reply to: Does this protect backups from malware ? #1560607

      Even forgetting about fire and flood, it is still possible for an electrical surge to kill that backup drive since it is electrically connected to the rest of the computer.

      Perhaps the chances are low; it all comes down to what level of risk is acceptable to you.
      My Dad suffered an electrical event that took out everything connected to his PC including all internal drives and external connected USB drives.

      -brino

    • in reply to: BDAnticryptowall or BDAntiransomware? #1559729

      Looks like I already have Cryptoprevent installed, but it did need updating. The BD programs seem to run without conflict with Cryptoprevent. I am uncertain if I should have both running along with an AV program.

      Due to the way CryptoPrevent works, I have never seen a conflict with many other AV/malware tools. My previous comments on the topic are here:

      http://windowssecrets.com/forums/showthread//175328-Protecting-your-backup-files-from-ransomware?p=1051100&viewfull=1#post1051100

      …and some from a more reputable source :o: are here:

      http://www.bleepingcomputer.com/forums/t/605185/teslacrypt-3040-xxx-ttt-micro-mp3-support-topic/#entry3932804

      Stay Safe!
      -brino

    • in reply to: Dodgy Registry Keys keep re-appearing. #1559711

      Exfso2,

      That registry entry would scare me too!

      Locky can also spread by other spam email attachments like Microsoft Excel macros, JavaScript and possibly even PowerPoint macros (and of course any executable file!). Are you the only one using that machine? Can you guarantee that no one else opened one?

      I’d also give a scan with the free Emsisoft Emergency Kit:
      https://www.emsisoft.com/en/software/eek/

      Have you done some research about Locky? There is a great write-up here:
      http://www.bleepingcomputer.com/news/security/the-locky-ransomware-encrypts-local-files-and-unmapped-network-shares/

      Have you double-checked that you recognize everything in the Windows start-up list? If the registry entries keep re-appearing then they are coming from somewhere.
      I would also check that there are absolutely no signs of encrypted files.

      In fact I would probably go overboard and not boot from that OS/drive again until I was sure. I would instead attach it to another PC and scan it from there.

      Do you have recent backups?

      Good Luck!
      -brino

    • in reply to: Protecting your backup files from ransomware #1558973

      ……..I prefer a permanently running behavioral watchdog like CryptoPrevent. I just believe that the combination of registry surveillance AND behavior checker/blocker has a better chance at catching zero-day behavior than a purely reactive kind of program and/or signature update alone.

      I have been using CryptoPrevent for a long time and have several licensed copies. CryptoPrevent may NOT do everything you attribute to it.

      My understanding of CryptoPrevent is that basically it uses Windows Group Restriction Policies to disable many of the infection methods used by current ransomware; things like running executable files from various data directories, allowing you to run things like “filename.pdf.exe”, etc. I do not believe it has any “active” behavioral monitoring or registry surveillance.

      In answer to @radar’s question about using CryptoPrevent alongside other products, I have seen no conflicts with MalwareBytes, Emsisoft, Kaspersky, ZoneAlarm, etc. (across several different machines). I believe this is due to the fact that it simply sets a bunch of “Group Policy” rules in the registry to disable much of the “bad behaviour” of current ransomware and then is done. It leaves nothing actively running.

      Of course, the new version of CryptoPrevent may add additional prevention strategies.

      -brino

    • in reply to: Is there any way to lock down the Registry? #1558033

      Hey Les (et al),

      Another great piece of software not mentioned above is SandboxIE.
      http://sandboxie.com/
      It started life as a way to make IE safe(r) (thus the name), but blossomed into a great little sandbox program for running any application. I have been a user for years. The company was bought out a while ago, but from my perspective nothing has changed drastically, updates are still being offered.

      I suggest that for any web sites that you do not trust (or even for every browser instance!) run a sandboxed version of the browser.

      While running sandboxed, an application will _believe_ it is making changes to the registry and filesystem, but it is NOT! Changes are made safely within the sandbox only. When you delete the sandbox contents all those registry and filesystem changes are also deleted.

      It has been a while since I played with it, but I also remember a SandboxIE add-in that would let you see all the registry and filesystem changes that an application _tried_ to make. It was a great way to do a test install of a new application; do the install inside a new sandbox, then you could scrutinize all the registry and filesystems changes the installer tries to make. And then, only if you trust it, you could run the installer un-sandboxed.

      Stay vigilant and stay safe!

      -brino

    • in reply to: Virus #1557934

      My personal favourite is the Emsisoft Emergency Kit. It can be found here:
      https://www.emsisoft.com/en/software/eek/

      Good Luck!
      -brino

    • in reply to: Ransomware alert: Don’t be unlucky with Locky #1557164

      Could some protection be as simple as adding the bold line to the registry up front?

      Hi Russ,

      I do believe that would help with this one particular threat….as you say “some protection”.

      However, it would require only a new version with a simple registry-key name change to defeat it. A better approach would be to detect/block some of the methods many of these encrypting ransomware families use.

      One tool I like is CryptoPrevent by FoolishIT:
      https://www.foolishit.com/cryptoprevent-malware-prevention/
      It uses Windows group policies (unavailable to most Windows “Home” users) to deny many of the tricks used by ransomware.

      And MalwareBytes is moving forward with their Anti-Ransomware Beta:
      https://blog.malwarebytes.org/news/2016/01/introducing-the-malwarebytes-anti-ransomware-beta/
      but that product is very early in the design cycle.

      -brino

    • in reply to: Ransomware alert: Don’t be unlucky with Locky #1556444

      Hi All,

      After thinking about this for a while I started to wonder if Microsoft PowerPoint also supported macros.

      Well guess what: Yes, it does!

      Turning off macros in PowerPoint 2007 is identical to doing it in Excel as I showed in post #7 above.

      -brino

    • in reply to: Ransomware alert: Don’t be unlucky with Locky #1556412

      For a quick summary of the details of Locky see this Bleeping Computer page:
      http://www.bleepingcomputer.com/news/security/the-locky-ransomware-encrypts-local-files-and-unmapped-network-shares/

      That page does list the affected file types. That is, Locky will (currently!) only encrypt those specific files.

      So if you have a USB drive where you back up your files (Microsoft Word, Excel, PowerPoint files, or even your home videos, .avi, etc.) with a simple file copy (either manually or automatically), and if this backup drive is connected when the ransomware strikes, then you risk your backup copies being encrypted too!

      If you use an image-based backup you _MAY_ be okay if the ransomware does not target your particular image file type……however, it is easy to see that for the biggest ransom income the next version or generation of ransomware could easily add all common image file types to their targeted file list.

      The same applies for “cloud-based” connections. If you leave it constantly connected for easy back-up and retrieval of your files, then the ransomware may also have easy access.

      Play Safe!
      -brino

    • in reply to: Ransomware alert: Don’t be unlucky with Locky #1556324

      OK Susan, you’ve explained what to do for Word.

      But although you included Excel in your item, you did not explain what to do about macros in Excel.

      I am still using Office 2007.

      Please advise,

      Ron

      Hi ronbar,

      On my system (with Win7 and Excel 2007), first open the Excel application, then
      1) hit the “Office Button” then “Excel Options”,
      2) within the “Excel Options” pop-up, hit “Trust Center” then “Trust Center Settings”,
      3) finally, within the “Trust Center” pop-up, hit “Macro Settings” then make your choice; I use “Disable all macros with notification”

      See below for screen-shots.
      A little hidden, but not difficult.

      -brino

      (three screenshots of the Excel Options, Trust Center and Macro Settings dialogs were attached here)
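      As an added example (not from this post), a PowerShell function that reads the same Trust Center macro setting those three steps change, reported for Excel, Word and PowerPoint since macros were raised for all three in this thread, and can optionally move an “Enable all macros” setting back to “Disable all macros with notification”. It assumes the Office 2007 registry version number 12.0 and the VBAWarnings value as stored by the Trust Center dialog.

```powershell
# Added example, not part of the post. Reads/enforces the Trust Center
# "Macro Settings" choice via the registry. Assumption: Office 2007 stores
# it as VBAWarnings under the 12.0 key; a policy key, if present, wins.
function Get-OfficeMacroSetting {
    param(
        [string]$OfficeVersion = '12.0',                      # 12.0 = Office 2007
        [string[]]$Apps = @('Excel', 'Word', 'PowerPoint'),
        [switch]$Enforce                                       # set "Enable all" back to notify
    )
    # VBAWarnings values as written by the Trust Center dialog
    $meaning = @{
        1 = 'Enable all macros (not recommended)'
        2 = 'Disable all macros with notification'
        3 = 'Disable all macros except digitally signed macros'
        4 = 'Disable all macros without notification'
    }
    foreach ($app in $Apps) {
        $userKey   = "HKCU:\Software\Microsoft\Office\$OfficeVersion\$app\Security"
        $policyKey = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        $policy = (Get-ItemProperty -Path $policyKey -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
        $user   = (Get-ItemProperty -Path $userKey   -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
        # No value stored means the application default, which is "notify" (2)
        $source    = if ($policy) { 'Group Policy' } elseif ($user) { 'User setting' } else { 'Default' }
        $effective = if ($policy) { $policy } elseif ($user) { $user } else { 2 }
        # Only a user-level setting can be corrected here; a policy value overrides it
        if ($Enforce -and $effective -eq 1 -and -not $policy) {
            if (-not (Test-Path $userKey)) { New-Item -Path $userKey -Force | Out-Null }
            Set-ItemProperty -Path $userKey -Name VBAWarnings -Value 2 -Type DWord
            $effective = 2
            $source    = 'User setting (corrected)'
        }
        New-Object PSObject -Property @{
            Application = $app
            Source      = $source
            VBAWarnings = $effective
            Meaning     = $meaning[[int]$effective]
        }
    }
}

Get-OfficeMacroSetting | Format-Table Application, VBAWarnings, Meaning, Source -AutoSize
# Get-OfficeMacroSetting -Enforce   # also fix any app left on "Enable all macros"
```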

    • in reply to: Ransomware alert: Don’t be unlucky with Locky #1556296

      Good article. Anyone using computers should read and understand this.

      A couple places it could be slightly improved…..

      1) You do mention macros in both Word and Excel, but then you only mention disabling it in Word. You should explicitly state to disable them in Excel too. I have received emails with Locky in both types of files.

      2) It would be useful to explicitly advise to disconnect your external back-up device from the PC between backups. If mounted, the backup drive(s) could be encrypted too!

      3) I have seen reports of Locky being distributed in JavaScript (.js) files too. We need to be vigilant of many file types.

      Keep up the good work of spreading the knowledge of these new plagues.

      Thanks!
      -brino

    • in reply to: Attempting to answer whether MS is snooping #1530453

      Susan,

      I truly appreciate all the effort that goes into producing such a well written, well linked and well figured column. I thank you for all the work you put into each column.

      In this latest one I see a potential mixed message…….

      First you say:

      What Microsoft built into Windows 10 from the start, it recently added to our Win7 and Win8.1 systems via a series of updates. (That’s caused quite a tizzy in the blogosphere, with most of the “discussions” based on conjecture and hearsay.) For example, optional KBs 3075249, 3080149 and 3068708 give Win7 and Win8.1 data-gathering capabilities similar to Win10’s.

      and then go on to tell us how to avoid those updates. That’s all well and good.

      However later, when discussing how to disable Windows telemetry function you say:

      Open the start menu and click Administrative Tools/Services (or Control Panel/Administrative Tools/Services). Scroll down the list of services until you find Diagnostic Tracking Service. Click it and stop the service, then click OK. Now right-click the service and open Properties. Change Startup type from Automatic to Disabled (see Figure 2) and then click OK. (Note: If you don’t see the service, it’s probably because you’re behind a domain and didn’t get optional updates KB 3075249, KB 3080149, and KB 3068708 installed, install that service.)

      Which is it?
      1) Should I avoid those updates and never allow Windows telemetry onto my Win7 systems?, or
      2) Should I install those updates just so I can disable Windows telemetry service?

      Or did I miss something?

      Thanks for any clarifications!
      brino

    • in reply to: Something running in background #1514612

      I always whip out my cell phone and start recording video of the pop-up.
      Later, hit pause during playback and read the message!
      Simple.

      -brino
