Lots to cover/ask …
My computer was recently infected with Ransomware - cleaned up thanks to this forum (so far, at least), but I had some follow-up questions. Removal thread: http://www.bleepingcomputer.com/forums/t/586174/started-as-u-cash-now-bsod/page-5#entry3823952
http://www.bleepingcomputer.com/forums/t/524259/cryptoprevent-vs-cryptolocker-few-srp-questions/#entry3294801 was a good read, as was http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information
The world is getting scary. That wasn't the answer I wanted. I was hoping for something simple - like "You are unlikely to run across anything like that and if you do, your normal anti-virus should take care of it."
Apparently, it's not that simple.
Between the Cryptoprevent and CryptoMonitor applications:
- CryptoPrevent seems good - but the free version requires manual updates and (among other things), it looks like it requires an updated list of known host servers to block. The free version is probably okay for me and the Premium version is 30 percent off for forum members, but it looks like they are coming out with a new version which will probably NOT have a lifetime free option. Looks good in that it just sets some policy exceptions so it doesn't have to run continuously.
- CryptoMonitor looks a bit more robust - i.e. the program somehow doesn't require updates, runs continuously and implies it protects against ransomware and tor lock as well as Cryptolocker. Unknown: the pro version is currently free while they develop a new version, but it is not clear how much the new version will cost, or if the existing pro version will stop working once the new version is released.
- Doesn't seem to be any harm in running both of them and I will probably try that. Wouldn't mind your opinion on the pros and cons of each.
I basically figured out what happened to my system - it was a zero-day drive-by flash player exploit. (Not really zero-day as I probably hadn't updated Flash in a few weeks.) The thing that bothers me though is it seems to have a delayed payload - i.e. I didn't use the Internet for about a week or more, and then when I plugged the network adapter in, the ransomware screen seemed to come up before I even opened the web browser - more questions on that below.
A few sites I ran across:
Basically, my questions fall into five categories:
- Flash - Most of the programs mentioned are new to me. From what I can tell:
  - NoScript - I typically run this, but I got lazy and got in the habit of clicking "Temporarily allow all on this page" - bad idea (and based on that, I probably DESERVED to get infected - not that it is right). However, this seems like a fairly good option otherwise.
  - Flashblock - I have heard of the author from the MozillaZine forum - however, the software says it won't work with NoScript and I don't see that it adds a lot that NoScript would not do.
  - Click to Play - (setting "Ask to Activate" under Firefox plugins) - I can't tell for sure, it looks like this just blocks or allows Flash for an entire page, not individual elements.
- Internet Security Suites - I don't use any of these - I use Avast Free Antivirus, but it doesn't have Internet Security. Are there any good free ones out there and are they worth running?
- Sandbox - It isn't practical, but I used to think the best idea was to have a Chromebook or Netbook that ONLY accesses the web and then a main computer that only does everything else and when necessary, programs/files are transferred from the Netbook to the main computer. The sandbox/VirtualBox seems to do this and might be a good idea. (You take an image of the virtual PC and if it gets infected, you just blow it away and re-install the image.) I have lots of questions though:
  - Which of these applications are free, and which work well?
  - What are the advantages and disadvantages of one approach over the other?
  - Is this something that you would suggest?
- Delayed implementation - I'm curious what the best strategy to deal with this is. As I said, the ransomware that hit me didn't show up until I connected the network adapter quite a while after the PC was compromised. So with any of the above solutions - if the virus is set to activate after the computer re-boots 10 times or only on 13 April, even the sandbox or netbook solution wouldn't work. (i.e. you install the virus on the netbook or virtual PC, everything seems fine, you install it on the main PC and suddenly two weeks later BOTH PCs are infected …)
No real rush on replying to me, but I'm curious what the best solutions are!
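The "take an image of the virtual PC and blow it away if it gets infected" workflow from the Sandbox question above, written out as a small wrapper script. This is an added example, not code from the thread or from any of the products it mentions. It assumes VirtualBox's `VBoxManage` command-line tool is on the PATH, a guest VM named `browse-vm` (a name chosen here) and a snapshot called `clean` taken right after the guest was set up; `DRY_RUN=1` prints the commands instead of executing them. It checks that the clean snapshot actually exists before reverting, powers the guest off if it is still running (a snapshot cannot be restored into a running VM), restores the snapshot and starts the guest again, so every browsing session begins from the same known-good state.

```shell
#!/bin/sh
# Disposable browsing VM: revert a VirtualBox guest to a known-clean snapshot
# before each session. Added example; not from the forum post or any product.
# Assumptions (chosen for this example): guest "browse-vm", snapshot "clean",
# VBoxManage on PATH. DRY_RUN=1 prints commands instead of running them.

VM="${VM:-browse-vm}"
SNAPSHOT="${SNAPSHOT:-clean}"
VBOXMANAGE="${VBOXMANAGE:-VBoxManage}"

# Execute a command, or just print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# True when the guest is currently running (VMState="running" in the
# machine-readable output of showvminfo).
vm_running() {
  "$VBOXMANAGE" showvminfo "$VM" --machinereadable 2>/dev/null \
    | grep -q '^VMState="running"$'
}

# True when the clean snapshot exists. The machine-readable snapshot list
# prints SnapshotName="..." for the root and SnapshotName-1="..." etc. for
# children, so allow an optional numeric suffix.
snapshot_exists() {
  "$VBOXMANAGE" snapshot "$VM" list --machinereadable 2>/dev/null \
    | grep -q "^SnapshotName[-0-9]*=\"$SNAPSHOT\"\$"
}

# Power off if needed, restore the clean snapshot, start the guest.
# Returns 1 (and touches nothing) if the clean snapshot is missing.
revert_and_start() {
  if ! snapshot_exists; then
    echo "snapshot '$SNAPSHOT' not found on '$VM'; take it first with:" \
         "$VBOXMANAGE snapshot $VM take $SNAPSHOT" >&2
    return 1
  fi
  if vm_running; then
    run "$VBOXMANAGE" controlvm "$VM" poweroff || return 1
  fi
  run "$VBOXMANAGE" snapshot "$VM" restore "$SNAPSHOT" || return 1
  run "$VBOXMANAGE" startvm "$VM" --type gui
}

# Usage: ./browse-vm.sh --run   (or DRY_RUN=1 ./browse-vm.sh --run)
if [ "${1:-}" = "--run" ]; then
  revert_and_start
fi
```

The script only resets the guest itself; it does nothing about the delayed-activation worry raised in the last question, because anything copied out of the guest to the main PC before the reset is outside its reach, so files moved out of the sandbox still need their own scanning and backups.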