
CryptoMonitor - Stop all known crypto-ransomware before it encrypts your data!


365 replies to this topic

#211 crisis2k

  • Members
  • 121 posts
  • Gender:Male

Posted 11 May 2015 - 01:02 AM

Hi Nathan, is Nathan your real name? I have some questions for you. I saw some tool in some topic before.. I cannot remember who the topic starter was exactly.. but I strongly guess it was you.

That program has a feature to show what kind of ransomware is installed on the system.. maybe it was a portable tool, I remember.. I downloaded it for testing a long time ago and I accidentally removed it.

Maybe it has the name cryptocheck or a similar name or something else; I just couldn't remember the exact name.. can you help me?


Edited by crisis2k, 11 May 2015 - 01:25 AM.

:welcome: My Name is Philip You Can Call Me Phil
Thank You I'll be there anytime you need help :rolleyes:




#212 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 48,826 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 11 May 2015 - 05:33 AM

Are you referring to the ...ID Tool by Nathan Scott (DecrypterFixer)?
Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click the donation link.

#213 crisis2k

  • Members
  • 121 posts
  • Gender:Male

Posted 11 May 2015 - 07:11 AM

> Are you referring to the ...ID Tool by Nathan Scott (DecrypterFixer)?

 

Great! That was what I'm looking for.. thanks for the excellent help quietman7, you deserve to receive enough respect, exactly.

I had some CryptoLocker decrypter solutions too; I had removed all of them accidentally.. that was a terrible mistake.

I am trying to decrypt a CryptoLocker affiliation at this time, but most decryptors require inputting the encryption key manually.

I know I can't create a useful key.. but is there any useful key or any key creator or similar tool?

Nathan introduced office_fix before, but I couldn't find the topic about office_fix.

I had downloaded and tested the officefix program for some kinds of ransomware, but it didn't work.

Probably I think they are different from each other.. exactly what is the office_fix that DecrypterFixer introduced?

 

Have a good day.


Edited by crisis2k, 12 May 2015 - 01:33 AM.



#214 TambourineMan

  • Members
  • 15 posts

Posted 11 May 2015 - 01:53 PM

I just purchased and installed CryptoMonitor for my laptop. During installation it asked me where I installed 32 and 64 bit programs and that if I didn't know to use "program files and program files (x86)." For both my laptop and desktop I partition the main drive to keep the OS partition size small for quicker drive imaging. I only install system files and mostly only programs that insist on going into the two standard program file folders in that partition. Since the laptop only has a 500Gb SSD, most of the other programs go in the root directory of the boot partition but under short directory names for quick location (U for utilities, C for communications programs, etc.). Data files go on a 128Gb SD card.

However, as respects my desktop, I have installed many programs to the two standard program file folders in the OS partition but also to an entirely different partition.

For my laptop I chose to tell CM I installed to C:\ for both 32 and 64 bit. I don't understand the ramifications of this. I don't know what I should choose as respects my desktop. I have already had to whitelist one program (Private Internet Access) that was not in a program file folder, but rather was in my C folder.

Another question: I guess the EasySync BackUp program is not yet available. I have been backing up to other drives in my desktop, or to external USBs, but I guess these ransomwares can find any drive with a drive letter or even cloud or FTP servers. (I can physically disconnect my USB drives or the network cable to my FTP server, but this is a PITA.) I gather I could assign my CM secure vault to a top-level folder on a large 4TB and save my backups there, correct?

Further, I usually name my VeraCrypt container files with a ".img" file extension. Is there a safer file extension to use that the ransomwares usually leave alone?



#215 crisis2k

  • Members
  • 121 posts
  • Gender:Male

Posted 11 May 2015 - 03:06 PM

Nathan, I guess you are trying so hard to work. I have several fundamental questions for you about CryptoMonitor; I hope you see this..

1. What is the basic difference between CryptoPrevent and CryptoMonitor?

2. Can you add a feature to detect the encryption key (not the injected key), or an auto decryptor for a few kinds of ransomware, in CryptoMonitor? For when the system is already infected and files are already encrypted.

3. Can you add MUI (multi-language interface) for CryptoMonitor?


Edited by crisis2k, 11 May 2015 - 03:16 PM.



#216 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 48,826 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 11 May 2015 - 04:48 PM

> 1. What is the basic difference between CryptoPrevent and CryptoMonitor?


CryptoMonitor by EasySync is an anti-ransomware solution that was developed to protect a computer or server against all types of crypto-malware encrypting ransomware. CryptoMonitor relies on behavioral detection and several protection methods which allow it to detect encrypting ransomware before it has a chance to encrypt your data. CryptoMonitor will not only block existing ransomware variants but it will also block zero-day and future ransomware. This technology allows the program to detect and protect against new crypto-malware as it emerges. However, some ransomware variants (such as CTB-Locker) will inject into legitimate processes, and protection against that is only available in the Pro version. CryptoMonitor bypasses UAC on startup and will immediately start protecting your computer when first installed.

CryptoMonitor Protection methods:
1. Entrapment Protection, which sends encrypted pattern signals back and forth between CryptoMonitor and themselves constantly. When a ransomware falls into one of these traps, the pattern is broken and CryptoMonitor immediately takes action...the computer is locked down, no file modifications are allowed and CryptoMonitor will send an alert (email) about the infection.

2. Count Protection, a feature only available in the Pro version, provides a second layer of protection against crypto-malware. Count Protection will constantly scan running processes and use heuristics to categorize them into absolute trusted, unknown, and suspicious. When a process modifies over a certain number of personal files within a certain time, a flag is raised and CryptoMonitor will send an alert (email and text message) so you can take action. Since this method could lead to false positives, it includes the ability to whitelist executables that may exhibit such behavior.

Other Features
Secure Vault is a protected directory created by CryptoMonitor. Nothing can access this directory except for CryptoMonitor, and any other processes that you allow to have access to it. Secure Vault can be used to safely store photos, documents, videos, music and backups.

The Pro version includes Process Injection Check and LockDown Mode. Process Injection Check checks for injected code, and if injected code is found, it is then treated as a hostile process. LockDown Mode occurs when CryptoMonitor cannot kill or remove an infection right away. When LockDown Mode is enabled, it blocks the offending process's privileges to everything, making it easy for removal manually or by an Anti-Virus. Since only the bad process is locked down, you can run any application to help remove the infection when CryptoMonitor cannot.

CryptoMonitor licenses come with a 7 day free trial when purchased. After finishing on the purchase page, you will receive your license(s) by mail. If you cancel your subscription before that, you will never be charged. For more detailed information on how CryptoMonitor works, please refer to....

CryptoPrevent is a security tool that writes 200+ group policy object rules into the registry in order to prevent executables in specific locations from running. CryptoPrevent can be used to lock down any Windows OS to prevent infection by crypto ransomware, which encrypts personal files and then offers decryption for a paid ransom. CryptoPrevent artificially implants hundreds of group policy object rules into the registry in order to block executables (*.exe, *.com, *.scr and *.pif) and fake file extension executables in certain locations (i.e. %AppData%, %LocalAppData%, Recycle Bin) from running. Due to the way that CryptoPrevent works, it protects against a wide variety of malware and ransomware. There are several levels of protection but most users only need to use the default setting - "Set it and forget it" protection. CryptoPrevent Premium offers automatic updates to the program and definitions, email alerts, and custom policy rules.

CryptoPrevent has a filter module (in the installer version) which allows you to apply (enable) or disable suspicious program filtering for .cpl, .scr and .pif files, which are executable files. This option is found by opening CryptoPrevent and selecting Advanced > Show Advanced Options at the top. The portable version does NOT include the Filter Module...you must get the installer version to use that feature.
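The two behavioral checks quietman7 describes above, Entrapment Protection (trap files whose tampering is an immediate indicator) and Count Protection (a per-process threshold on distinct personal files modified within a time window, with a whitelist for legitimate bulk writers), can be modeled as a small detector. The following Python is an added example written for this page; it is not CryptoMonitor's own code and not from any post in the thread. The thresholds, process names, file paths, trap contents and the event list are constructed assumptions, and it replays an in-memory list of modification events rather than hooking a real file system.

```python
"""Added example (not CryptoMonitor's code): toy Entrapment + Count Protection.

Events are (timestamp_seconds, process_name, path, new_content) tuples; in a
real deployment they would come from a file-system watcher or minifilter.
"""
from collections import defaultdict, deque
import hashlib

MAX_FILES = 5          # assumed: more than this many distinct files per window trips a flag
WINDOW_SECONDS = 10.0  # assumed: sliding-window length
WHITELIST = {"backup.exe"}  # assumed: a legitimate bulk writer the owner has whitelisted

# Constructed trap ("canary") files and the content they are expected to keep.
CANARIES = {
    r"C:\Users\alice\Documents\~trap0001.docx": b"canary-0001",
    r"C:\Users\alice\Pictures\~trap0002.jpg": b"canary-0002",
}


def _digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


CANARY_DIGESTS = {path: _digest(body) for path, body in CANARIES.items()}


def check_entrapment(path: str, content: bytes) -> bool:
    """True if `path` is a trap file whose content no longer matches the baseline."""
    expected = CANARY_DIGESTS.get(path)
    return expected is not None and _digest(content) != expected


class CountProtection:
    """Per-process count of distinct personal files modified inside a sliding window."""

    def __init__(self, max_files=MAX_FILES, window=WINDOW_SECONDS, whitelist=WHITELIST):
        self.max_files = max_files
        self.window = window
        self.whitelist = set(whitelist)
        self._history = defaultdict(deque)  # process -> deque of (ts, path)

    def record(self, ts: float, process: str, path: str) -> bool:
        """Record one modification; return True when the process exceeds the threshold."""
        if process in self.whitelist:
            return False
        hist = self._history[process]
        hist.append((ts, path))
        # Drop events that have fallen out of the window.
        while hist and ts - hist[0][0] > self.window:
            hist.popleft()
        distinct = {p for _, p in hist}
        return len(distinct) > self.max_files


def run_detector(events, counter=None):
    """Replay events; return a list of (kind, process, path) alerts in order."""
    if counter is None:
        counter = CountProtection()
    alerts = []
    for ts, process, path, content in events:
        if check_entrapment(path, content):
            alerts.append(("ENTRAPMENT", process, path))
        if counter.record(ts, process, path):
            alerts.append(("COUNT", process, path))
    return alerts


# Constructed sample: a whitelisted backup tool touching many files, a word
# processor saving one document, then an unknown process rewriting six files
# in under three seconds and finally overwriting a trap file.
SAMPLE_EVENTS = (
    [(float(i), "backup.exe", rf"C:\Users\alice\Documents\doc{i}.docx", b"copy") for i in range(8)]
    + [(10.0, "winword.exe", r"C:\Users\alice\Documents\report.docx", b"draft")]
    + [(20.0 + 0.5 * i, "unknown.exe", rf"C:\Users\alice\Documents\file{i}.docx", b"\x00junk") for i in range(6)]
    + [(23.0, "unknown.exe", r"C:\Users\alice\Documents\~trap0001.docx", b"\x00junk")]
)

if __name__ == "__main__":
    for alert in run_detector(SAMPLE_EVENTS):
        print(alert)
```

Replaying the constructed events yields three alerts, all against unknown.exe: a COUNT alert on its sixth distinct file inside the window, then an ENTRAPMENT alert (and another COUNT alert) when it overwrites the trap file. The whitelisted backup tool and the single word-processor save raise nothing, which is the false-positive trade-off the post mentions: the window and threshold decide how fast a writer must be before it looks like an encryptor.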
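CryptoPrevent's approach, as quietman7 summarizes it, is location-based rather than behavioral: files with executable extensions launched from %AppData%, %LocalAppData% or the Recycle Bin are denied, including double-extension lures. Below is an added example (not CryptoPrevent's rules or code, and not from the thread) that evaluates a launch path against that kind of rule set. The environment paths, the document-extension list used for the double-extension check, and the sample paths are assumptions constructed for the demo; only the four executable extensions come from the post.

```python
"""Added example (not CryptoPrevent's code): evaluate whether an executable
launch path would be denied by location-based blocking rules of the kind the
post describes, with a check for double-extension lures such as invoice.pdf.exe.
"""
import ntpath

# The four executable extensions the post names.
EXEC_EXTENSIONS = {".exe", ".com", ".scr", ".pif"}
# Assumed document-like extensions a double-extension lure typically imitates.
DOC_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".txt", ".zip"}

# Constructed environment; real code would read os.environ instead.
ENV = {
    "APPDATA": r"C:\Users\alice\AppData\Roaming",
    "LOCALAPPDATA": r"C:\Users\alice\AppData\Local",
}
BLOCKED_ROOTS = [ENV["APPDATA"], ENV["LOCALAPPDATA"], r"C:\$Recycle.Bin"]


def _norm(path: str) -> str:
    """Case-fold and normalise a Windows path (ntpath works on any host OS)."""
    return ntpath.normcase(ntpath.normpath(path))


def is_under(path: str, root: str) -> bool:
    """True if `path` is `root` itself or lies anywhere beneath it."""
    p, r = _norm(path), _norm(root)
    return p == r or p.startswith(r.rstrip("\\") + "\\")


def is_executable(path: str) -> bool:
    return ntpath.splitext(path)[1].lower() in EXEC_EXTENSIONS


def has_fake_extension(path: str) -> bool:
    """True for names like 'invoice.pdf.exe': an executable hiding behind a document extension."""
    stem, ext = ntpath.splitext(ntpath.basename(path))
    if ext.lower() not in EXEC_EXTENSIONS:
        return False
    return ntpath.splitext(stem)[1].lower() in DOC_EXTENSIONS


def evaluate(path: str):
    """Return ('block' | 'allow', reason) for a proposed executable launch."""
    if not is_executable(path):
        return "allow", "not an executable extension"
    for root in BLOCKED_ROOTS:
        if is_under(path, root):
            reason = f"executable inside blocked location {root}"
            if has_fake_extension(path):
                reason += " (double extension)"
            return "block", reason
    return "allow", "executable outside blocked locations"


# Constructed sample launches.
SAMPLE_PATHS = [
    r"C:\Program Files\Vendor\app.exe",
    r"C:\Users\alice\AppData\Roaming\svc\update.exe",
    r"C:\Users\alice\AppData\Local\Temp\invoice.pdf.exe",
    r"C:\$Recycle.Bin\S-1-5-21-0\$RABC123.scr",
    r"C:\Users\alice\AppData\Roaming\notes.txt",
]


def audit(paths=SAMPLE_PATHS):
    """Map each path to its (decision, reason); used by the demo below."""
    return {p: evaluate(p) for p in paths}


if __name__ == "__main__":
    for p, (decision, reason) in audit().items():
        print(f"{decision:5}  {p}  ({reason})")
```

Matching is case-insensitive and prefix-based, so a sibling directory such as RoamingX does not match the %AppData% rule, and a data file like notes.txt in a blocked location is still allowed to open because the rule only concerns executable extensions. This is the same reason the post warns that the approach protects "a wide variety" of malware yet says nothing about an executable that lands outside the listed locations.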

#217 Nathan

    DecrypterFixer

  • Topic Starter
  • Security Colleague
  • 1,617 posts
  • Gender:Male
  • Location:Florida

Posted 11 May 2015 - 05:25 PM

> (quoting TambourineMan's post #214 above in full)

Hello,

The question is actually very simple. You simply choose the 64-bit and 32-bit folders where you install the majority of your applications. Most computers use the default settings of 32-bit: c:\program files (x86) and 64-bit: c:\program files. Because you use an SSD, you most likely install your programs to a different HDD or area. So wherever you install your apps, you choose those locations. If you install to many folders, you will need to whitelist these other areas in the settings.

Currently Secure Vault cannot be assigned a custom folder, but that is absolutely in the works. At the moment it is placed on the same HDD it's installed on. But yes, Secure Vault will protect your backups.

As for your extension, I would use a random alphanumeric one like .binner90923


Edited by Nathan, 11 May 2015 - 05:34 PM.

Have you performed a routine backup today?

#218 Nathan

    DecrypterFixer

  • Topic Starter
  • Security Colleague
  • 1,617 posts
  • Gender:Male
  • Location:Florida

Posted 11 May 2015 - 05:37 PM

> (quoting crisis2k's post #215 above in full)

1.) Thanks to quietman7 for that great post!

2.) This simply isn't possible.

3.) This feature will be coming soon.



#219 crisis2k

  • Members
  • 121 posts
  • Gender:Male

Posted 11 May 2015 - 06:12 PM

 

> (quoting quietman7's post #216 above in full)

 

 

I always appreciate your detailed information quietman7, you are a 24/7 helpful expert.

I think the function for detecting zero-day types of ransomware is directly associated with the Count Protection feature, isn't it?

I mean, does a user need to purchase Pro for detecting zero-day types of ransomware?

 

 

 

 

> (quoting Nathan's reply in post #218 above in full)

 

 

Thank you for your fine news DecrypterFixer, can you give me a tip about what office_fix is?

Have a good day : )


Edited by crisis2k, 12 May 2015 - 05:07 AM.



#220 TechnicianOnline

  • Members
  • 125 posts
  • Gender:Male
  • Location:Online

Posted 11 May 2015 - 06:21 PM

DecrypterFixer,

 

If I bought the pro version for a Windows File Server, would this alert me when some of the directories have been encrypted?

The way this video and thread/website explain it, your tool only protects the actual Operating System from getting infected with the malware.

I'm not worried about the Server running the ransomware, I'm only interested in getting alerted when one of the end users gets infected and starts encrypting the Server File Share.

 

Let me know, thanks!


A Network isn't something you 'own' or 'have'; you may only wield it like the sword of Excalibur.


#221 Nathan

    DecrypterFixer

  • Topic Starter
  • Security Colleague
  • 1,617 posts
  • Gender:Male
  • Location:Florida

Posted 11 May 2015 - 06:55 PM

If your server's shared folders are located in the same directory as CryptoMonitor, then yes. But currently it will not protect another partition or hard drive. If this is the case, you will need it on your clients, not the server.



#222 TechnicianOnline

  • Members
  • 125 posts
  • Gender:Male
  • Location:Online

Posted 11 May 2015 - 07:29 PM

> If your servers shared folders and located on the same directory as cryptomonitor, then yes. But currently it will not protect another partition or hard drive. If this is the case, you will need it on ur clients, not the server.

 

 

 

I see, so CryptoMonitor will detect encrypted files if the Windows File Server has the Shared drives on C:\ but not on D:\?




#223 Nathan

    DecrypterFixer

  • Topic Starter
  • Security Colleague
  • 1,617 posts
  • Gender:Male
  • Location:Florida

Posted 11 May 2015 - 07:46 PM

Correct!



#224 Gostega

  • Members
  • 3 posts

Posted 11 May 2015 - 07:52 PM

Nathan I would be careful about how much information you give to crisis2k, his requests are starting to look suspicious to me.



#225 Nathan

    DecrypterFixer

  • Topic Starter
  • Security Colleague
  • 1,617 posts
  • Gender:Male
  • Location:Florida

Posted 11 May 2015 - 09:17 PM

Thanks for looking out, but I think you may be mistaken. His first language doesn't seem to be English and none of his questions seem to ask about how the backends work. He is just looking for some answers :). Plus he has previous posts that vouch for him.





