
The ascension of Crypto-Ransomware and what you need to know to protect yourself


28 replies to this topic

#1 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,268 posts
  • Gender:Male
  • Location:USA

Posted 04 November 2014 - 03:25 PM

As many of you know, BleepingComputer.com has been covering the Crypto-ransomware explosion from the onset and has predicted that these types of infections will become the single largest threat to computer users and their data. I hate that our predictions have come true, but the evidence has shown that because these types of malware have the ability to generate huge amounts of money for their creators, they are not going to go away but will rather increase. Not only have these types of infections shown to be great profit-making tools, but they have introduced advanced techniques that include new encryption methods and malware developer customer service portals not previously seen in the security field.

 




With each new ransomware that is released, the money being made and brazen criminal acts continue to increase. Starting with ACCDFISA and its installation through hacked Terminal Services, to CryptoLocker grabbing the media's attention and showing that there is big money to be made, to Critroni and the introduction of Elliptical Curve Cryptography, to TorrentLocker and its hammering of Australian residents, and to the CryptoWall campaign that just doesn't want to let up and continues to hammer computer users globally, Crypto-Ransomware has shown to be resilient and is here to stay.

 




That does not mean we have to sit here and take it. Instead we need to come up with new strategies and methods that we can use to protect ourselves and help to mitigate the risk from these types of malware. The following information, in no particular order, has been compiled to offer you a strategy guide on how you can protect yourself and your computer from current and emerging Crypto-Ransomware infections.


1. Back up your computer every night!

It is imperative that you back up your computer every night so that you have copies of all your most recently changed data. As Crypto-Ransomware encrypts data on any drive letters it detects, it is important to keep your backups in a location that is not mapped to your computer. It is suggested that you do not map your backup drive as a drive letter to your computer. Instead use backup software that can access a Network Attached Storage Device (NAS) via network paths or use a cloud backup solution instead.
If you do not want to purchase a NAS, then you should consider using a Cloud backup provider to perform nightly backups for you. As most cloud providers do not map your backup stores as a drive letter, they can safely be used to back up your data.


2. Make sure you have an anti-virus program installed and updated

I hate to say it, but in this day and age if you do not have anti-virus software then you are taking a foolish risk. Security software has become so competitive that buying a good commercial product is fairly inexpensive and provides protection that is definitely needed. I know some people will say that you do not need anti-virus software, but rather good education on how to use a computer. In my opinion you need both as mistakes do happen and an anti-virus program adds an extra layer of defense that we all need.


3. Become educated on what you should and should not do on the Internet.

The majority of Crypto-Ransomware is delivered in email attachments that pretend to be tracking confirmations, scans, or other business correspondence. Educating yourself to not open attachments unless you 100% know that they are being sent to you will diminish your risk considerably. It is important that everyone educates themselves on the proper way to stay safe on the Internet. Instead of going into details here, I suggest everyone read this guide we wrote a while back, but that still holds true today.
 

Simple and easy ways to keep your computer safe and secure on the Internet



4. Enable file extensions in Windows

One of the methods that ransomware tricks you into executing their files is to make it appear as a harmless document. For example, the malware infector will come as a file called Statement.pdf and will display a PDF icon associated with it. To you this looks like a harmless PDF file. In reality, though, this file is actually called Statement.pdf.exe, but since Windows by default does not display extensions, you do not see the .exe extension at the end and know that it is an executable. Therefore, you double-click the file thinking it will open a PDF file, but instead you have just started the encrypting malware.
To prevent this, I strongly suggest that everyone enable the displaying of file extensions in Windows by following this guide:



How to show File Extensions in Windows



5. Use Software Restriction Policies or CryptoPrevent to make it so the malware files cannot launch

Crypto-Ransomware programs typically launch from locations that programs are not supposed to execute from. This includes your desktop, User Profiles, and the Temp folders. Therefore, it's fairly safe to make it so you are unable to launch executables from these folders by using a built-in Windows function called Software Restriction Policies. Software Restriction Policies allow you to create rules that determine what folders executables are or are not allowed to run from. By using these types of rules, not only do you restrict many ransomware programs from running, but also many other malware programs.

In order to set up Software Restriction Policies, you need to use the Group Policy Editor or the Local Policy Editor. If you are using Windows Home version, then you will not have access to these tools. Therefore, we suggest that everyone use a free tool called CryptoPrevent as it makes the task of setting up Software Restriction Policies very easy.

If you choose to purchase CryptoPrevent Premium for its additional features, you can get 30% off the price by using the coupon code bleeping30off. For full disclosure, BleepingComputer does make a commission for each sale.

More information and instructions on using Software Restriction Policies and CryptoPrevent can be found here:



http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information#prevent



6. Install a program that is designed to alert you when ransomware behavior has been detected.

SurfRight has developed a free tool called CryptoGuard that is designed to detect certain behaviors that encrypting ransomware exhibits and block the malware. Instead of containing definitions for each ransomware, CryptoGuard will instead monitor processes on the computer and if it detects behavior that is similar to how an encrypting ransomware would act, it blocks the process from running. For more information about CryptoGuard and to ask the developers questions, feel free to visit this forum topic.


By using these methods, you are sure to make your computer that much safer from Crypto-Ransomware and malware in general. If you have any other tips to share, please feel free to do so. We are all in this together!
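An added example for tip 5 (not from the original post, and not CryptoPrevent's own code): a PowerShell script that writes the same Software Restriction Policy path rules that the Local Security Policy editor creates, blocking executables from the desktop, profile and Temp locations named above. It assumes the standard registry location of SRP rules, must be run from an elevated prompt, and the path list is a constructed starting point to adjust for your own environment.

```powershell
# Added example: Software Restriction Policy path rules via the registry.
# These are the keys the Local Security Policy editor writes, so they also
# work on Home editions that lack the policy editors. Run elevated.
# Assumption: the blocked paths below suit your machine; adjust as needed.

$base       = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$disallowed = Join-Path $base '0\Paths'       # security level 0      = Disallowed
$allowed    = Join-Path $base '262144\Paths'  # security level 262144 = Unrestricted

# Global SRP settings: default level Unrestricted (only the rules below block),
# enforce for all users, and evaluate every executable type.
New-Item -Path $base -Force | Out-Null
New-ItemProperty -Path $base -Name DefaultLevel       -PropertyType DWord -Value 262144 -Force | Out-Null
New-ItemProperty -Path $base -Name TransparentEnabled -PropertyType DWord -Value 1      -Force | Out-Null
New-ItemProperty -Path $base -Name PolicyScope        -PropertyType DWord -Value 0      -Force | Out-Null

# Helper: one rule key per path, named by a fresh GUID as the editor does.
function Add-SrpPathRule([string]$LevelPath, [string]$Pattern) {
    $ruleKey = Join-Path $LevelPath ([guid]::NewGuid().ToString('B'))
    New-Item -Path $ruleKey -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name ItemData   -PropertyType ExpandString -Value $Pattern -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name SaferFlags -PropertyType DWord        -Value 0        -Force | Out-Null
}

# Locations the post names: desktop, user profile data folders, Temp (and subfolders).
$blockedPaths = @(
    '%UserProfile%\Desktop\*.exe',
    '%UserProfile%\AppData\Local\Temp\*.exe',
    '%UserProfile%\AppData\Local\Temp\*\*.exe',
    '%LocalAppData%\*.exe',
    '%AppData%\*.exe'
)
foreach ($p in $blockedPaths) { Add-SrpPathRule -LevelPath $disallowed -Pattern $p }

# Program Files and Windows stay runnable; explicit Unrestricted rules document that
# intent and win over a Disallowed rule only when they are the more specific match.
Add-SrpPathRule -LevelPath $allowed -Pattern '%ProgramFiles%\*'
Add-SrpPathRule -LevelPath $allowed -Pattern '%SystemRoot%\*'

# Verify: list the Disallowed path rules now in place.
Get-ChildItem $disallowed | ForEach-Object { (Get-ItemProperty $_.PSPath).ItemData }
```

Log off and back on before relying on the rules, and expect legitimate installers that run from Temp to be blocked as well; add a more specific Unrestricted rule for those rather than loosening the Temp rule.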



#2 zingo156

zingo156

  • BC Advisor
  • 3,333 posts
  • Gender:Male

Posted 04 November 2014 - 04:01 PM

Grinler, +1 on this post.


Edited by zingo156, 04 November 2014 - 04:01 PM.

If I am helping you with a problem and I have not responded within 48 hours please send me a PM.

#3 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,275 posts
  • Gender:Male
  • Location:Bulgaria

Posted 04 November 2014 - 05:33 PM

Great topic Grinler! :)

 

In addition I can add these programs:

 

Comodo Firewall should be able to protect the users from these types of infections if they add all local disks to Protected Files and Folders.

 

Or they can install Panda Antivirus 2015 Free or Pro since Panda have an option (similar to the one offered by Comodo) called Data Shield which can help them to protect their data against ransomware.

What is the Data Shield protection of Panda 2015?

 

 

Regards,

Georgi




#4 GT500

GT500

    Authorized Emsisoft Representative


  • Security Colleague
  • 123 posts
  • Gender:Male
  • Location:Fortville, Indiana, USA

Posted 04 November 2014 - 06:22 PM

Thanks for the article Lawrence, and keep up the good work. :wink:

For we wrestle not against flesh and blood, but against principalities, against powers, and against the worldly governors, the princes of the darkness of this world...


#5 saluqi

saluqi

  • Members
  • 499 posts
  • Gender:Male
  • Location:southern San Joaquin Valley, California

Posted 04 November 2014 - 06:45 PM

If this is not the right place for this question, please move it.

 

 

 

It is imperative that you back up your computer every night so that you have copies of all your most recently changed data. As Crypto-Ransomware encrypts data on any drive letters it detects, it is important to keep your backups in a location that is not mapped to your computer. It is suggested that you do not map your backup drive as a drive letter to your computer. Instead use backup software that can access a Network Attached Storage Device (NAS) via network paths or use a cloud backup solution instead.
If you do not want to purchase a NAS, then you should consider using a Cloud backup provider to perform nightly backups for you. As most cloud providers do not map your backup stores as a drive letter, they can safely be used to back up your data.

 

At present we back up files to an external hard drive (one of several) that is not physically connected to the computer or the network except when actually performing a backup. If I am understanding all this correctly, that is not good enough, and if encryption malware were on the computer the backup drive would be encrypted as soon as it was connected to the computer. Is that correct?

 

I am a little reluctant to use a cloud backup service because we are in a very remote area and our Internet service may occasionally go down for a while.

 

If buying a NAS device is the best solution, I am not reluctant to do that, but could use some advice.



#6 BitMonk

BitMonk

  • Members
  • 30 posts
  • Gender:Male
  • Location:Midwest, USA

Posted 05 November 2014 - 09:30 AM

Great article! Thanks for your time and effort.

This needs to be shared with each of our individual circle of friends. Might be one avenue to combat these slugs.

I feel a Face Book post coming on.



#7 rp88

rp88

  • Members
  • 2,766 posts
  • Gender:Not Telling

Posted 05 November 2014 - 11:39 AM

Helpful thing to post.


I already do 1, 2 and 4. 6 and 6 (was one of them supposed to be a 5? I can't criticize though, given how helpful the info is) I will have to look into. I would like to know how effective a defense ad-blockers and NoScript extensions in browsers are; I started running one recently and think it is (despite the few seconds of extra bother whenever you use a site you haven't visited before) a good extra layer of armour.


If enough people take steps to fight against encrypting attacks, the scum making such viruses might start to find it less profitable to do so.

Edited by rp88, 05 November 2014 - 11:39 AM.

Back on this site, for a while anyway, been so busy the last year.

My systems:2 laptops, intel i3 processors, windows 8.1 installed on the hard-drive and linux mint 17.3 MATE installed to USB

#8 Victor2K

Victor2K

  • Members
  • 61 posts

Posted 05 November 2014 - 10:11 PM

I already have CryptoPrevent and also installed HitmanPro.Alert as well, but it seems Chrome is not working after I installed it (tried to close a window and open another to see if the protection works, which it does, but no page loads, not even when clicking and such).

 

EDIT: had to uninstall HMPA and reboot to make Chrome (and also Opera) work. Maybe it is some kind of bug with the browser. Will try their support board.


Edited by Victor2K, 05 November 2014 - 10:43 PM.


#9 nevans07

nevans07

  • Members
  • 298 posts
  • Gender:Male

Posted 07 November 2014 - 12:41 AM

Thank you so much Lawrence!!! Really needed this. :guitar:

 

Lifesaver.

 

Best Regards,

Nate



#10 bmike1

bmike1

  • Members
  • 596 posts
  • Gender:Male
  • Location:Gainesville, Florida, USA

Posted 10 November 2014 - 08:01 PM

 

 

has predicted that these types of infections will become the single largest threat to computer users and their data.

 

I'm a computer user and I am not threatened by this at all. You need to specify what kind of computer user will be affected. Specifically a Microsoft Windows user, because Linux users are NOT affected.


A/V Software? I don't need A/V software. I've run Linux since '98 w/o A/V software and have never had a virus. I never even had a firewall until '01 when I began to get routers with firewalls pre-installed. With Linux, if a vulnerability is detected a fix is quickly found and then upon your next update the vulnerability is patched. If you must worry about viruses on a Linux system, only worry about them in the sense that you can infect a Windows user. I recommend Linux Mint or, if you need a lighter-weight operating system that fits on a CD, MX14 or AntiX.


#11 zingo156

zingo156

  • BC Advisor
  • 3,333 posts
  • Gender:Male

Posted 11 November 2014 - 10:27 AM

FYI: Zbot is back and is installing CryptoWall 2.0. MSE recognized the version we were hit by as PWS:Win32/Zbot.gen!plock. I have also posted this in the CryptoWall forums.


If I am helping you with a problem and I have not responded within 48 hours please send me a PM.

#12 Grinler

Grinler

    Lawrence Abrams

  • Topic Starter

  • Admin
  • 43,268 posts
  • Gender:Male
  • Location:USA

Posted 11 November 2014 - 12:37 PM

FYI: Zbot is back and is installing CryptoWall 2.0. MSE recognized the version we were hit by as PWS:Win32/Zbot.gen!plock. I have also posted this in the CryptoWall forums.


Please submit a sample to http://www.bleepingcomputer.com/submit-malware.php?channel=3

Thanks

#13 Grinler

Grinler

    Lawrence Abrams

  • Topic Starter

  • Admin
  • 43,268 posts
  • Gender:Male
  • Location:USA

Posted 11 November 2014 - 12:41 PM

I'm a computer user and I am not threatened by this at all. You need to specify what kind of computer user will be affected. Specifically a Microsoft Windows user, because Linux users are NOT affected.


Yes, this mostly applies to Windows at this point. Macs will be in danger in the future as their market share increases. As for Linux, the only reason viruses are not prevalent is because of low consumer use. The malware devs are here to make money. Does it make sense to target an OS that contains 88% usage share or the 1.4% that Linux has? If Linux ever has mainstream adoption, it will be targeted just as much.

#14 zingo156

zingo156

  • BC Advisor
  • 3,333 posts
  • Gender:Male

Posted 11 November 2014 - 12:42 PM

Unfortunately I was not able to get the dropper for Zbot this last time. If I encounter it again I will let you know. I do have an exe that I got yesterday that I have not tested yet.


Edited by zingo156, 11 November 2014 - 12:54 PM.

If I am helping you with a problem and I have not responded within 48 hours please send me a PM.

#15 zingo156

zingo156

  • BC Advisor
  • 3,333 posts
  • Gender:Male

Posted 11 November 2014 - 12:53 PM

I uploaded 2 files to your link. One may have been tied to the Zbot in the last infection I was referring to. The other, from yesterday, appears to be a trojan dropper. I have not tested what it does yet. On VirusTotal yesterday only 3 had recognized it. Today 32.


Edited by zingo156, 11 November 2014 - 12:55 PM.

If I am helping you with a problem and I have not responded within 48 hours please send me a PM.



