CryptoLocker - New Ransomware

So it turns out the GPOs and using Nick's CryptoLocker prevention tool are not really a viable solution for us to maintain hundreds of our clients' desktops, as it also blocks the ability to install new legitimate software and update most 3rd party apps. This got me thinking: is there a way to enable UAC for the temp folder, or possibly move the temp folder to a location that prompts for UAC?

Am I missing another option?

I did receive confirmation that Continuum's supplied version of Malwarebytes is the Pro version which is encouraging.

Please test with the latest version, 2.5.3

I'm constantly discovering and fixing issues in these releases that cause 3rd party apps to be blocked or program installations to fail by changing up the prevention methodology and with the current release, I think I'm pretty close to the best thing since sliced bread here. It has changed significantly even since v2.5.2 for some areas, and I'm always interested in hearing what apps you may be having trouble with so I can find a workaround or solution. If absolutely nothing else, the newer fake file extension prevention can be applied by itself, and will go a long way towards preventing bad attachments from phishing emails.
 
I'll give it a go on my home machine tonight. I'm also going to test scripting this with my RMM tool. That's the only way we can use it for MSP clients. Too many machines to run it manually. More on that later.
 

Ok sweet. BTW, you don't happen to be using Labtech by chance? Something is very screwy with their setup. I'm working with another fella today trying to get it to work, but basically the /whitelist parameter isn't working to whitelist existing apps when he deploys, though everything else DOES, and /whitelist works perfectly when done manually on the same workstation - just something about deploying it via Labtech. Very puzzling...
 
No, I use Continuum. My process will consist of downloading the file to the machine, or server, then running the command with switches. Will this run from a UNC path?

Edit: I need to use the installer version. Are there parameters for a silent install?
 
I see no mention of running gpupdate /force to negate the need to reboot the machine. Will that work, or is a reboot absolutely necessary?
 

By default I do a gpupdate /force when doing any action except within the whitelist window. In my experience on Windows 7/8, it appears to work without a reboot 9/10 times. On Windows XP, it almost never does and a reboot is almost always required. I don't ever test on Vista. But with any OS the experience is NOT consistent, which is why I recommend a reboot regardless. I wish I had a consistent experience but I haven't, go figure MS...
 
Does anyone know a way to find evidence that CL has been on a system after removal?
We have a client with a QNAP NAS and he's called to say suddenly all his XLS files appear to be corrupt.
We have transferred the file to our systems and they still do not open. Transferred a working file to them and that also opens.
We suspect CL, but one of his staff may have panicked and run Malwarebytes, etc. to remove it, leaving the files locked.
It would be nice to prove what the issue was, then I can charge them to install CryptoPrevent. (Not charge for the software :) )

Thanks

Chris
 
Thanks, I will check again, but I think the user removed CL with whatever program and then uninstalled whatever he used. I will dig around some more.

Thanks
 
Not sure what happened, but my customer who got infected with CryptoLocker had the files on the workstation encrypted, and what we believed were most of the files on a network share too, before it was stopped.

Turns out that hundreds of the 'unopenable files' on the network share are fine but have had their extensions removed.

Simply renaming and typing the correct extension, and the files are fine!

The ones on the workstation, not so much...
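A triage script for the situation described above, added here as an example and not posted by anyone in the thread: it walks a share and separates files whose extension was stripped but whose content is intact (rename candidates) from files that still carry an Office extension but no recognisable header, which is what encrypted files look like. The share path is a placeholder, and the signature table covers only common Office, PDF and ZIP headers.

```powershell
# Added example: post-incident triage of a share after a suspected CryptoLocker hit.
# Assumptions: $Path is a placeholder; signatures cover only OLE2 Office, OOXML/ZIP and PDF.
param([string]$Path = '\\NAS-PLACEHOLDER\share')

$signatures = @{
    'D0CF11E0A1B11AE1' = 'xls/doc/ppt (OLE2)'   # legacy Office compound file
    '504B0304'         = 'xlsx/docx/pptx/zip'   # OOXML is a ZIP container
    '25504446'         = 'pdf'                  # "%PDF"
}
$officeExts = 'xls','doc','ppt','xlsx','docx','pptx','pdf'

function Get-HeaderHex([string]$file) {
    # Read the first 8 bytes and return them as an uppercase hex string
    $fs = [System.IO.File]::OpenRead($file)
    try {
        $buf = New-Object byte[] 8
        $n = $fs.Read($buf, 0, 8)
        return (($buf[0..($n-1)] | ForEach-Object { $_.ToString('X2') }) -join '')
    } finally { $fs.Close() }
}

function Get-TypeFromHeader([string]$hex) {
    foreach ($sig in $signatures.Keys) {
        if ($hex.StartsWith($sig)) { return $signatures[$sig] }
    }
    return $null
}

Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
    if ($_.Length -eq 0) { return }          # nothing to sniff in an empty file
    $hdr  = Get-HeaderHex $_.FullName
    $type = Get-TypeFromHeader $hdr
    $ext  = $_.Extension.TrimStart('.').ToLower()
    if ($ext -eq '' -and $type) {
        # Extension stripped, content intact: safe to rename back, as the poster found
        [pscustomobject]@{ File = $_.FullName; Finding = 'extension stripped'; Header = $type }
    } elseif ($ext -in $officeExts -and -not $type) {
        # Office extension but unrecognised header: likely encrypted or overwritten
        [pscustomobject]@{ File = $_.FullName; Finding = 'header mismatch (possibly encrypted)'; Header = $hdr }
    }
} | Sort-Object Finding | Format-Table -AutoSize
```

Files in the first category can be restored by renaming; files in the second are the ones that need Previous Versions, shadow copies or backups.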
 
Does anyone know a way to find evidence that CL has been on a system after removal?
We have a client with a QNAP NAS and he's called to say suddenly all his XLS files appear to be corrupt.
We have transferred the file to our systems and they still do not open. Transferred a working file to them and that also opens.
We suspect CL, but one of his staff may have panicked and run Malwarebytes, etc. to remove it, leaving the files locked.
It would be nice to prove what the issue was, then I can charge them to install CryptoPrevent. (Not charge for the software :) )

Thanks

Chris

Run the tool that lists the encrypted files. If you have a list you can bet it was CL. It's linked in the Bleeping Computer thread.
 
Just spent a total of about 6 hours off and on reading the big thread over there. All I can say is wow, this one is actually scary. If it went after system files, we could fix it. If it halts your computer, we can fix it. But this, going after all your docs, wow. I really can't believe I am so out of date on reading this info.
 
Hitman Pro Crypto Guard Program Released

Ok,

Hope this is the 1st mention of this tool. If not my apologies.

http://www.surfright.nl/en/cryptoguard

Sounds very interesting. I haven't tried it yet, but wanted to get everyone's thoughts.

After watching the video, it seems very effective, (In Theory).

Put it through the tests and post your results.
 

I've been testing it, not for CryptoLocker, but other infections. It's one to watch.
 
Just had a client call us up...lady opened an e-mail that said she had a "voice mail"....BAM.....the big red flag jumped up on her screen.

Yup they got a server...Small Business Server.
Nope, they haven't let us put in offsite backup, haven't even let us put in a decent local backup system....lucky for them it's SBS03, so Previous Versions is there on the data volume. They've been crying poverty and actually laying off people left 'n right...some little non profit adult ed place.
Cuz every share on the server got whacked!
 
I've been testing it, not for CryptoLocker, but other infections. It's one to watch.

Actually, it does protect you from CryptoLocker. CryptoGuard is a newly built-in feature of HMP Alert (which originally only checked your browser for banking trojans). I've been using HMP Alert for a while and I like it. I guess I better update it to the latest version :)

Good find Hfultzjr!
 