Ransomware



Billy T
29-11-2013, 02:14 PM
I've been a member of the US WindowsSecrets website (and its predecessors) for many years and have found it fairly useful.

Currently there is some noise going on about ransomware, and following through on a thread, I found discussion about prevention and the difficulty of recovering without image files etc, and there was also a recommendation for a program called CryptoPrevent.

I'm not a big fan of random applications and their promises, but this looked pretty positive, and the reviews looked even better, so I figured that for less than NZ$20 it was worth a punt.

Prevention is better than a cure, and as a general rule, Windows Secrets does not allow links to, or promote, shonky software.


If interested, take a look

Here (http://windowssecrets.com/forums/showthread.php/158065-In-view-of-serious-malicious-programs)

Cheers

Billy 8-{) :2cents:

wainuitech
29-11-2013, 03:39 PM
There's no need to purchase any sort of software for that. In the page linked there's a free one anyway.

If the antivirus is capable, it will detect that ransomware beforehand. It's been around long enough for companies to recognize its signature.

Most infections are caused by people opening email attachments that have the hidden .exe; they come through as a PDF file, generally from UPS or FedEx.

Watched a video a while back --- Here's the key point --- For Cryptolocker to work it HAS to connect to its servers to activate the key, so if a person has a firewall that prevents outgoing traffic without approval first then it won't encrypt or work. The infection can then be removed and all data is safe as it hasn't been encrypted. :2cents:
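
The outbound-firewall idea in the post above, as an added example that is not from the post or from any product named in this thread: on Vista and later the built-in Windows Firewall can be set to block outbound traffic by default, with explicit allow rules for the few programs that need the network. Unlike the ESET prompt discussed later in the thread, Windows Firewall does not ask; an unlisted program is simply dropped. The program paths in `$allowed` are assumptions; adjust them to the machine. Run from an elevated PowerShell prompt.

```powershell
# Added example (not from the post): default-deny outbound on Windows Firewall,
# then explicit allow rules for the programs that are known to need the network.
# netsh advfirewall exists on Vista and later. The paths below are assumptions.

# 1. Show the current policy. The weak default reads "BlockInbound,AllowOutbound".
netsh advfirewall show allprofiles | Select-String 'Firewall Policy'

# 2. Corrected setting: block outbound by default on every profile. The built-in
#    "Core Networking" rules (DNS, DHCP) stay enabled, so name resolution still works.
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

# 3. Allow only programs you know. Anything else, such as a dropper that ran from
#    %AppData% and now wants to reach its server for a key, is silently dropped.
$allowed = @{
    'Browser'   = "$env:ProgramFiles\Internet Explorer\iexplore.exe"       # assumption
    'AV engine' = "$env:ProgramFiles\ESET\ESET NOD32 Antivirus\ekrn.exe"   # assumption
}
foreach ($name in $allowed.Keys) {
    $exe = $allowed[$name]
    if (Test-Path $exe) {
        netsh advfirewall firewall add rule name="Allow out: $name" dir=out action=allow program="$exe" enable=yes
    } else {
        Write-Warning "$name not found at $exe, no rule added"
    }
}

# 4. Check that the rules landed.
netsh advfirewall firewall show rule name=all dir=out | Select-String 'Allow out:'

# 5. Check enforcement from a program that is NOT on the list (this powershell.exe):
#    the connect attempt should fail instead of reaching the internet.
function Test-EgressBlocked {
    param([string]$HostName = 'example.com', [int]$Port = 80)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)   # throws when the firewall drops the SYN
        return $false                       # connected: egress is NOT blocked
    } catch {
        return $true                        # blocked (times out after ~20 s)
    } finally {
        $client.Close()
    }
}
"Egress blocked for unlisted program: $(Test-EgressBlocked)"
```

Two caveats a practitioner would add: the check in step 5 takes about twenty seconds to time out when the block is working, and the whole approach only helps against a family that needs to fetch a key from its server before encrypting; one that generates its key locally encrypts just the same, so it does not replace offline backups.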

Billy T
29-11-2013, 04:13 PM
There's no need to purchase any sort of software for that. In the page linked there's a free one anyway.

I noted that, but the paid version does auto-updates, and people are still getting hooked even with up-to-date AV, so the one-off cost was peanuts compared to the potential harm.

When the potential consequences are high for the victim, belt and braces give additional comfort. Presumably somebody has to take a hit before signatures are updated.

The only free AV I have used is MSE and if that goes down I'll be off like a shot to get something else. $20 is less than 15% of my office rate so if it saves me 10 minutes once, it is paid for.

Cheers

Billy 8-{)

Lawrence
29-11-2013, 06:02 PM
Had HitmanPro's CryptoGuard installed for a few weeks

http://www.surfright.nl/en/cryptoguard , looks alright to me, and free, and better to have something like this than be left with a mess later to clear up

wainuitech
29-11-2013, 06:38 PM
There's a side effect that's not too well documented with that CryptoPrevent - While it may stop CryptoLocker from running it will also stop a LOT of legit exe files from running that use the same procedure. I don't mean infecting a PC, I mean in the way Windows runs exe files. The problem with the above-mentioned software is it only protects certain locations on the PC; what you need is some program to stop the infection even before it has a chance to alter any files.

On saying that -- From Bleeping Computer:


CryptoPrevent is a tool that writes 200+ group policy object rules into the registry in order to prevent executables in specific locations from running. Typical locations set by CryptoPrevent are %appdata% and %localappdata%.


EDITED: Lawrence posted while I was writing and locating videos -- read below :)

Have a read of cryptoguard (http://www.surfright.nl/en/cryptoguard) -- Scroll down to the bottom of the page and watch the video.

OH BTW -- in the video they do a search via Google, I looked at the site and decided to test it -- :devil Guess what?? Nod32 stopped a file from starting and blocked the site. PS: So DON'T try it unless you want to possibly infect your computer (read as: don't trust your antivirus) ;)

As I mentioned in a previous post, for it to work it has to contact the server to create the keys; if the outgoing firewall is working on the PC it will stop it going out to the internet = problem averted as it's not active.
Watch this video on YouTube (http://www.youtube.com/watch?v=Gz2kmmsMpMI) - around 3:50 - 4:00 min the person tells you what I was referring to.
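
The Bleeping Computer description quoted above (policy rules written to the registry so executables in %AppData% and %LocalAppData% cannot run) can be reproduced by hand. The block below is an added example, not CryptoPrevent's code and not from anyone in this thread: it writes Software Restriction Policy path rules directly under the Safer registry key, adds one Unrestricted exception of the kind the side effect in the post calls for, and then probes the result. The exception path and the probe are assumptions. Run from an elevated PowerShell prompt; log off and on (or reboot) before trusting that the rules are read.

```powershell
# Added example (not CryptoPrevent's code): Software Restriction Policy path
# rules written straight to the registry, the mechanism described above.
$safer        = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0          # SRP security level: never run
$Unrestricted = 262144     # 0x40000: run normally (also used as the default level)

# Base SRP settings.
New-Item -Path $safer -Force | Out-Null
Set-ItemProperty $safer -Name DefaultLevel       -Value $Unrestricted -Type DWord
Set-ItemProperty $safer -Name TransparentEnabled -Value 1 -Type DWord   # 1 = all software files except DLLs
Set-ItemProperty $safer -Name PolicyScope        -Value 0 -Type DWord   # 0 = apply to all users, admins included
Set-ItemProperty $safer -Name ExecutableTypes    -Type MultiString `
    -Value @('EXE','COM','PIF','SCR','BAT','CMD','VBS','JS','WSF','MSI')

function Add-SrpPathRule {
    # Creates <level>\Paths\{GUID} with the values SRP expects for a path rule.
    param([string]$Path, [int]$Level, [string]$Description)
    $guid = [guid]::NewGuid().ToString('B').ToUpper()
    $key  = Join-Path $safer "$Level\Paths\$guid"
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty $key -Name ItemData     -Value $Path        -Type ExpandString
    Set-ItemProperty $key -Name SaferFlags   -Value 0            -Type DWord
    Set-ItemProperty $key -Name Description  -Value $Description -Type String
    Set-ItemProperty $key -Name LastModified -Value ([datetime]::UtcNow.ToFileTimeUtc()) -Type QWord
    return $key
}

# Disallow rules: the user-writable profile locations a mail-borne dropper
# extracts itself to. Two depths each, because a "*.exe" path rule does not
# match subfolders on its own.
foreach ($p in '%AppData%\*.exe',      '%AppData%\*\*.exe',
               '%LocalAppData%\*.exe', '%LocalAppData%\*\*.exe',
               '%Temp%\*.exe',         '%Temp%\*\*.exe') {
    Add-SrpPathRule -Path $p -Level $Disallowed -Description 'Block exe in user profile dirs' | Out-Null
}

# Exception for a legitimate updater that lives under %LocalAppData% (the side
# effect discussed above). Path is an assumption; the more specific path rule
# takes precedence over the wildcard Disallowed rules.
Add-SrpPathRule -Path '%LocalAppData%\Google\Update\*.exe' -Level $Unrestricted `
    -Description 'Allow Google updater (assumed path)' | Out-Null

# Probe: copy a harmless exe into %AppData% and try to start it. Once the rules
# are active CreateProcess fails with "This program is blocked by group policy".
function Test-SrpBlocksAppData {
    $probe = Join-Path $env:AppData 'srp_probe.exe'
    Copy-Item "$env:SystemRoot\System32\calc.exe" $probe -Force
    try {
        Start-Process $probe -ErrorAction Stop
        return $false          # it ran: rules not in effect yet
    } catch {
        return $true           # blocked
    } finally {
        Remove-Item $probe -ErrorAction SilentlyContinue
    }
}
"SRP blocks %AppData% exe: $(Test-SrpBlocksAppData)"
```

If the probe reports `False` right after writing the keys, log off and on and run the probe again before concluding the rules do not work. Before rolling this out, list what already runs from those folders on the machine (browsers, chat clients and cloud-sync agents commonly install under %LocalAppData%) and add an Unrestricted rule for each, otherwise you get exactly the breakage the post describes.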

wainuitech
29-11-2013, 07:15 PM
Just adding to the above: when installing CryptoGuard, the ESET Smart Security firewall stopped it 4 times from accessing the internet.

Here's a typical example:

[attachment]

If I click Allow it carries on; if I click Deny it stops any install dead in its tracks. If any random pop-up appears wanting internet access, look carefully at what it is. If you are installing a program there's a VERY high chance it's wanting internet access :)

Lawrence
29-11-2013, 07:48 PM
I wondered if that site they went to was still live

Pretty irresponsible of them to show that site

Have no trouble with Hitman Pro Alert running ESET Nod32 Antivirus 7 and Malwarebytes Pro, the other family members the same running ESET Nod32 Antivirus 6

wainuitech
29-11-2013, 08:12 PM
I wondered if that site they went to was still live

Pretty irresponsible of them to show that site

Have no trouble with Hitman Pro Alert running ESET Nod32 Antivirus 7 and Malwarebytes Pro, the other family members the same running ESET Nod32 Antivirus 6

Upgrade them to V7 - It's free and from what I gather works better with the likes of Crypto.

To do it, it's a piece of cake.

Here's how:

Open Nod32 from the icon tray (or from the Programs menu)
On the left click on "Update"
In the right-hand window click on Product Update/Install (earlier versions such as V5 are similar but have different wording)

It will do the rest; it will remove the installed version and install the new one, keeping all your settings.

[attachment]

Note: Vista has a bit of a problem sometimes; it usually upgrades OK but does appear to hang sometimes at 99% and installing, but does eventually get there. XP, W7 & W8 no problems usually.

Lawrence
29-11-2013, 08:29 PM
Did it to mine, but the family members' one has the ESET Nod32 add-on that Slingshot supplies on a monthly basis; got them to ask Slingshot about upgrading but they have not got back to me

wainuitech
29-11-2013, 09:38 PM
A what?? Never heard of that or gotten any sort of notification from ESET/Chilisoft.

There's an add-in for the email client installed on the PC, but it's all part of the Nod32 Antivirus install. :confused:

Any chance of some more info on what they have?

All I've found on Slingshot's site is:

If you purchase the NOD32 antivirus product through us then the term of the license for that product is month to month.

11.3 If this agreement is terminated for any reason you must still pay us for services provided to you up to the date of termination. If you have prepaid for a service, no refund is payable to you on termination unless we agree otherwise.

Which could be a rip-off via Slingshot depending on how much they are charging.
The retail price for a single-user licence (1st year) is $70.75 with renewal of $49.52 for every year after. So some basic maths: if they have it for the first year they should only be paying $5.89/month the first year, $4.12 after that.

Lawrence
30-11-2013, 06:04 AM
Maybe my explanation of "add-on" was misconstrued, as they add $5 to your monthly account for ESET Nod32 along with any other service they provide

wainuitech
30-11-2013, 08:33 AM
Sounds like they are being charged fairly; the prices I quoted are recommended retail. They still should be able to update to version 7; it comes from the same source as the regular definition updates.