back to article Cryptolocker copycat ransomware emerges – but an antidote is possible

Hot on the tail of devilish Cryptolocker comes a copycat software nasty that holds victim's files to ransom – but the newcomer's encryption is potentially breakable, we're told. Security startup IntelCrawler claims a "large-scale distribution" of the new so-called Locker malware began earlier this month. Locker, once it has …

COMMENTS

This topic is closed for new posts.
  1. Kevin Fairhurst

    Locker...

    "avoids infecting machines running tools used by security researchers"

    What tools, and are they free to install? Seems a good way of avoiding some of the nastier crud if it is looking for, and staying off, machines running certain exes!

    1. Anonymous Coward
      Anonymous Coward

      Re: Locker...

      I have heard it said that scumbags avoid anything they think is a virtual machine on the grounds that VMs are used by more sophisticated users, including malware researchers, and hence might be honeytraps. Installing something like VMWare or VirtualBox guest tools might fool them but I'd expect that they just check the BIOS instead to see if it is a VM.

      Whatever the details, I think it would be pretty foolish to rely on this sort of trickery to protect you. The old advice is still the best: Keep Windows patched; Keep the browser patched; Run a decent and up to date anti-virus; Don't turn off UAC no matter how annoying it is; Do turn off autorun; Show file name extensions (Jesus wept! Has hiding file extensions really been the default in Windows since 1995? When are they ever going to fix that massive fsckup?); Don't use IE for anything other than specific known sites that need it and never for day-to-day surfing. Don't open any suspicious attachments. All attachments are suspicious. You know the drill.

      If you really want to go further to protect yourself, and you don't want to go the whole hog by kicking out Windows all together, then installing VMWare Player or VirtualBox and making yourself a disposable Linux VM for all your day-to-day surfing is a good idea.

      1. Anonymous Coward
        Anonymous Coward

        Re: Locker...

        " The old advice is still the best: ....."

        Snipped much good advice, but two things to add:

        1) A simple step for all home Windows PCs running under a single account. Create a new user account, give it admin rights, and then downgrade the regular log in account to "user" status. No guarantees, but why allow the possibility of malware getting advanced permissions. Just remember to log in every week or two as admin because some updates won't auto apply from a user account.

        2) The Windows firewall defaults to allowing outbound connections, and that outbound connection is how Cryptolocker gets its key, and presumably this new flavour. Block access to the server, and it can't encrypt. If you've got a decent anti-malware suite and it has a properly defaulting firewall then no action is needed, if you haven't then download and set up TinyWall. That configures the WIndows firewall properly, all you have to remember is that this is silent blocking - if things stop working you'll need to give them outbound access through the TinyWall control panel.

    2. Bradley Hardleigh-Hadderchance

      Re: Locker...

      If you're interested in this concept, this might enlighten you -

      http://www.surfright.nl/en/alert

      --------------------------------------------------------

      Most modern malware, including banking Trojans, use tricks to thwart malware research by avoiding debugging and automated analysis systems that can reveal its purpose. The vaccination feature in HitmanPro.Alert 2 makes easy use of the malware’s own tricks. It makes malware belief it is running in an unwanted research environment, automatically causing most sandbox-aware malware to disable itself.

      ----------------------------------------------------------

      It's free and mainly for banking trojans via browser exploits.

      You might also like to check out http://www.surfright.nl/en/kickstart

      ---------------------------------------------------

      HitmanPro.Kickstart is the solution against police ransomware and other persistent malware that has taken your computer hostage or prevents normal computer use.

      -----------------------------------------------------

      You make a bootable usb stick with it and reboot if you get infected. It's free as well. All the instructions are on that link. No idea how well it works.

      Just thought I'd mention these because they are two fairly new products and some may have missed them.

  2. psychonaut

    cryptoprevent

    Try foolishit ( yes really ) and get cryptoprevent. Free tool that's sets gpols to prevent things running from temp areas on your and your grannys pc.

    1. jason 7

      Re: cryptoprevent

      I bought the premium version of this over a week ago from FoolishIT. Still waiting for the key whatever. Not heard a peep.

      Seems he's gone off the radar.

      1. JCitizen
        Coffee/keyboard

        Re: cryptoprevent

        jasson7 said - "I bought the premium version of this over a week ago from FoolishIT. Still waiting for the key whatever. Not heard a peep.

        Seems he's gone off the radar."

        If you would have gone the bleepingcomputer.com, you could have downloaded the free one for home users. It simply changes the permissions of the target system folders to require administrative privileges for certain operations. The only disadvantage to that is if you have poorly written and misbehaving 'legitimate' software applications on your computer, that set this off - at that time, you would have to allow the operation each time. I assume it is worth it, as many have reported so on other forums.

  3. Anonymous Coward
    Anonymous Coward

    Spread the cost.

    This "looks like normal behaviour" exploit has to get worse unless the basic security model is revised.

    The fact cryptoprevent is offered speaks to the ability to reduce the threat by using existing policies and mechanisms, but that also most computers are left wide open with antivirus and antimalware.

    I assume someone at MS will "leverage" this sort of thing to sell us all cloud solutions and a more easily budgeted monthly ransom charge.

    1. lorisarvendu

      Re: Spread the cost.

      "I assume someone at MS will "leverage" this sort of thing to sell us all cloud solutions and a more easily budgeted monthly ransom charge."

      Popular Cloud solutions that rely on a synchronised folder on the PC (like Skydrive, Google Drive, and Dropbox) are just as vulnerable to ransomware infections, as encrypted files in that folder can be almost immediately synchronised with your online storage. Bingo - your backups are encrypted as well.

      Google and MS will not risk promoting Cloud storage as a buffer against ransomware when they patently know this not to be true.

      1. Anonymous Coward
        Anonymous Coward

        Re: Spread the cost.

        I used the words "assume" and "will" to indicate changes in the future.

        If I'd have said "does now" you'd be right and that the cloud storage services offer little protection (except where possible to roll back to previous file versions).

        If they did in the future decide that protection is possible and even a silver lining of the cloud they may look back and see cryptolocker as a good little sales drive.

      2. as2003

        Re: Spread the cost. @lorisarvendu

        Not true. All the major cloud backup services (Dropbox, SkyDrive, Google Drive, etc) have implemented file versioning so you'd always be able to navigate back to a previous (unencrypted) version.

        1. Anonymous Coward
          Anonymous Coward

          Re: Spread the cost. @lorisarvendu

          " you'd always be able to navigate back to a previous (unencrypted) version"

          Not necessarily true. Google Drive will automatically delete versions more than thirty days old or more than 100 versions old. If you needed to go back more than thirty days you're stuffed. 30 days grace isn't much on your precious data. And I suspect with all cloud storage the versions are stored in your paid volume, so you'd need two or three times your planned volume of storage if you wanted to be sure..

          1. as2003

            Re: Spread the cost. @AC

            You're right that revisions are deleted after 30 days (and Google counts those revisions against your total storage, but Dropbox doesn't), but CryptoLocker gives you three to four days to pay the ransom before deleting your files, so if you haven't noticed after 30 days then I suggest your files can't be that important.

    2. WatAWorld

      Re: Spread the cost.

      "that also most computers are left wide open with antivirus and antimalware."

      Did you check to their website to see if your existing AV actually detects this?

      I had to do a lot of looking, but eventually I found where Kaspersky says it protects against it.

      Thing is, for the big AV vendors this is just another type of malware. They do not issue press releases for each new type of malware they can detect.

      For the operating system, well operating systems cannot decide what files you should and should not open on your computer.

      1. JCitizen
        Coffee/keyboard

        Re: Spread the cost. - @WatAWorld

        I read on Krebs on Security, that Hitman Pro prevents cryptolocker in much the same way as cryptoprevent, but you have to pay for it, where a free version of FoolishIT's solution is at bleepingcomputer.com as a download.

        The information page at that site is here:

        http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information

  4. Boris the Cockroach Silver badge

    disguised

    as MP3 files

    Or is it disgusied as MP3 files by a shit OS that cant tell the difference between malware.exe and malware.mp3.exe

    STILL!

    1. Anonymous Coward
      Anonymous Coward

      Re: disguised

      "Or is it disgusied as MP3 files by a shit OS that cant tell the difference between malware.exe and malware.mp3.exe"

      It won't matter on OSs that can't tell the difference as this is targeting Windows only atm. On windows it can tell the difference and it will warn you it's an executable and will require elevation confirmation to install it...

  5. jason 7

    So maybe......

    changing the OS so that you are not allowed a ' . ' in the file name is in order?

    1. lorisarvendu

      Re: So maybe......

      Nar, some users will still open a file that says it is "FunnyPicture-jpg.exe"

  6. Destroy All Monsters Silver badge
    Holmes

    Locker ... rank amateurs

    I foresee a body being unceromonously dumped into the sump of an abandoned factory.

    Professionals don't like rifraf encroaching on their turf.

  7. psychonaut

    carbonite...

    by the way, carbonite (online backup) have a dedicated team so that if you do get hit by crypto locker, they can roll your backup back to before you got hit giving you unencrypted last version of all files.

    very impressed - theyve saved 3 of my customers.

    1. Anonymous Coward
      Anonymous Coward

      Re: carbonite...

      Carbonite severely throttles bandwidth after 200GB backed up. Crashplan is MUCH better and their file versioning (I suspect even with default settings) also defeats this attack.

      1. JC_

        Re: carbonite...

        Can't comment on Carbonite, but my CrashPlan backup never got over 4Mb/s on a connection which could easily do four times that.

        I'm not sure if there's a difference to the user between throttling and the company having inadequate bandwidth. For many people, a fast 200GB upload then throttling would be better than a slow but unthrottled connection.

  8. Pascal Monett Silver badge

    "if they harass or threaten the extortionist"

    Okay, so no threatening then.

    Direct to kill it is.

  9. RobHib
    Mushroom

    Money. Can someone tell me why it's transferred? ...And where's the NSA when actually needed?

    The big card companies, M/C, Visa etc. had absolutely no trouble screwing WikiLeaks by not allowing them to be paid.

    If it were made illegal for banks, card companies etc. to transfer money to theses trolls--or if banks were made to fork out the equivalent of the ransom whenever they transferred any money to them, then this nonsense would stop forthwith. With the WikiLeaks non-payment precedent, there's no longer any excuse (as it's been shown it can be done, and there's no international banking law/regulation preventing it).

    Same principle could also be applied to Nigerian email scams etc.

    I simply do not believe that with all the tracking techniques applied to international money laundering these days that the ransom money cannot be tracked/traced. After all, it has to go through banking transfer processes until the recipient claims it.

    The corollary of all of this is that with the NSA being so good at tracking, why haven't these sleazebags been bagged long ago? And why isn't the press et al screaming that the NSA, GCHQ etc. haven't solved this when obviously they're quite capable of so doing.

    Seems to me we're tackling this problem from completely the wrong end.

    1. Anonymous Coward
      Anonymous Coward

      Re: Money. Can someone tell me why it's transferred? ...And where's the NSA when actually needed?

      Then they'll just want bitcoin (like cryptolocker)

      1. RobHib

        @A.C. --- Re: Money. Can someone tell me why it's transferred? ...

        Agreed, that's a problem. But at the moment credit cards far exceed bitcoin in user penetration, thus the income would be restricted by the extra resistance to overcome investing in bitcoin.

        Ultimately, we don't know what ingenious systems governments will implement to stop money transfers between normal bank accounts and bitcoin, but from the press reports they're trying hard to devise schemes.

    2. harmjschoonhoven

      Re: Money. Can someone tell me why it's transferred? ...And where's the NSA when actually needed?

      @:obHib 'The big card companies, M/C, Visa etc. had absolutely no trouble screwing WikiLeaks by not allowing them to be paid.'

      At the height of this so called screwing of WikiLeaks my state owned Dutch bank had no problem whatsoever handling my humble contibution to WikiLeaks.

      1. RobHib

        @harmjschoonhoven--Re: Money. Can someone tell me why it's transferred? ...

        At the height of this so called screwing of WikiLeaks my state owned Dutch bank had no problem whatsoever handling my humble contibution to WikiLeaks.

        Correct. Before the WikiLeaks payment problem, the issue for banks has always been that the international transfer payment system was sacrosanct (in that payments had to be paid irrespective of the recipient or issue). Well, that's what they wanted us to believe but the WikiLeaks exception has now set a precedent which would be pretty hard to back out of if governments forced the issue.

        All it requires is for just one government to issue an edict which would force the issue. In the current climate of bank-hating and NSA-bashing considerable pressure could be brought to bear to make the money path transparent.

        I appreciate there's a lot at stake here. For instance, many states have outlawed on-line gambling within their own boarders but they've been unable to stop gamblers losing money to international syndicates. For the same reasons, if these states stopped banks transferring gambler's funds by making it unlawful the problem would be solved. Before the WikiLeaks precedent banks said it was not possible to block funds, now we know this is just B.S.

  10. WatAWorld

    With all the NSA and GCHQ spying going on, why haven't they identified this guy ?

    With all the NSA and GCHQ spying going on, why haven't they identified this guy ?

    Is it only the ATF that the NSA will help? It isn't narcotics so they do not care?

    I'm against all the spying on regular folks, but if we're going to have this invasive spying on everyone, why not use it in cases like this?

    1. RobHib

      @WatAWorld --- Re: With all the NSA and GCHQ spying going on, why haven't they identified this guy ?

      I'm against all the spying on regular folks, but if we're going to have this invasive spying on everyone, why not use it in cases like this?

      Exactly! The NSA's spying on the innocent stinks. So the argument is pretty simple: why aren't governments concentrating their spying efforts on the real crooks--crooks who are directly screwing innocent victims? No one in the media has raised this issue which I find very surprising. It really ought to become a political issue ASAP.

      1. Anonymous Coward
        Anonymous Coward

        Re: @WatAWorld --- With all the NSA and GCHQ spying going on, why haven't they identified this guy ?

        I think the NSA will be looking at this.

        The reason being that they have to be ready in case this happens to more sensitive systems in future.

  11. WatAWorld

    I think most AVs probably have protection against these encryption programs now

    Kasperky has similar tools available. I'm on Kaspersky's mailing list and get this info. I think The Register should get itself on the list too.

    http://www.kaspersky.com/virus-removal-tools

    And Kaspersky now includes protection against these ransomeware programs. They don't make a big deal about it, after all, it is just another version of the thousands of versions of malware.

    I think most AVs probably have protection against these ransomeware programs now -- but only a few are trying to make bucks off of it.

    1. JCitizen
      Coffee/keyboard

      Re: I think most AVs probably have protection against these encryption programs now

      I haven't read everything at bleepingcomputer.com , but I would not doubt they have instructions on how to use gpedit to block the cryptolocker virus/trojan. If you don't have administrative tools like that, they may show what folders to change file and sharing security on, to block it that way.

This topic is closed for new posts.

Other stories you might like