UPDATED Highly destructive 'ransomware' exploit in Windows

pbb
Rank 2
Posts: 32
Joined: Thu 02 Feb 2006 15:30

Post by pbb »

19 November 2013: Regarding this exploit, there have been some useful recent developments.

A method of preventing the malware from encrypting user files was developed soon after it first appeared. However, this technique could not be employed on Windows Home, Home Basic or Home Premium machines since Microsoft had removed the group policy editor from these Windows variants (thank you M$).

Someone has developed a small program to patch the registry of a Windows machine with the results one would have got had the group policy editor been available. This means that any Windows machine can now be protected automatically against the encryption payload of this ransomware.

Be aware that you should carry out a complete backup of your system before installing and running this program: patching the registry, even automatically by a program, can fail and result in an unusable machine if you happen to be unlucky.
Also, these changes are made at quite a powerful level of the operating system and, for some users, might result in previously successful programs no longer working! However, the application does have an undo button, and an exception/whitelist facility.

This application is available for free download at:

http://www.foolishit.com/vb6-projects/cryptoprevent/ (Careful how you pronounce this!)

There is another potentially useful program that claims to minimise the chances of these types of exploits from being successful. It is available from a well-respected provider of anti-malware solutions - Malwarebytes.

http://www.malwarebytes.org/products/an ... /#overview

Note that this product is still in Beta, and it may become chargeable once it clears Beta testing.

Good luck!


Original Post:


I ought to warn users of this forum that there exists a particularly nasty computer exploit, which first appeared in September, to which a lot of unfortunate PC users have fallen victim.

I won't go into any detail here since it is well covered in the two links below, but, once infected with this new exploit, a PC user will find that all his common data files (e.g. Word, Excel, pictures, music, etc.) have been encrypted and are therefore no longer usable. The user's machine then displays a warning screen telling him that he has 96 hours to pay a ransom of $100 or $300 if he wants to regain access to his data; otherwise he will lose access to it forever when the decryption key is automatically destroyed after the deadline.

The only practical defence for users of Microsoft's Home or Home Premium versions of Windows (almost everyone!) is to be certain that they have a full and up-to-date copy of all their data files on an off-line device (external disk, USB key, DVDs) such that they can restore their files and not need to pay the ransom.

The two links are:

http://windowssecrets.com/top-story/cry ... ous-virus/

http://www.bleepingcomputer.com/virus-r ... nformation

These articles quickly become quite technical, but hopefully they will convince you of the scale of the risks involved if you were to become infected and you didn't have an appropriate level of backup.
Last edited by pbb on Tue 19 Nov 2013 22:47, edited 2 times in total.
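The post above does not say which policy the "method of preventing the malware" uses; the mechanism Group Policy's Software Restriction Policies node writes to is a set of registry keys that Windows enforces on every edition, which is the assumption behind the following added example. It is not code from this thread, from CryptoPrevent or from Malwarebytes: it creates "Disallowed" path rules under the Safer policy key for executables in the per-user data folders (the folder patterns are a constructed rule set, not taken from the page) and lists the resulting rules so they can be reviewed or removed. Run it in an elevated PowerShell after taking the backup pbb recommends.

```powershell
# Added example, not from the thread or any product it names. Assumes Software
# Restriction Policy (SRP) path rules are the intended hardening; the blocked
# path patterns below are a constructed starting set, not from the page.
$SaferRoot         = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$DisallowedLevel   = 0          # SRP security level "Disallowed"
$UnrestrictedLevel = 0x40000    # SRP security level "Unrestricted" (262144)

function Initialize-SaferPolicy {
    # Create the policy root with the defaults gpedit.msc writes on first use.
    if (-not (Test-Path $SaferRoot)) { New-Item -Path $SaferRoot -Force | Out-Null }
    Set-ItemProperty -Path $SaferRoot -Name 'DefaultLevel'       -Value $UnrestrictedLevel -Type DWord
    Set-ItemProperty -Path $SaferRoot -Name 'TransparentEnabled' -Value 1 -Type DWord
    Set-ItemProperty -Path $SaferRoot -Name 'PolicyScope'        -Value 0 -Type DWord
    # File types SRP treats as executable (the standard "Designated File Types" list).
    Set-ItemProperty -Path $SaferRoot -Name 'ExecutableTypes' -Type MultiString -Value @(
        'ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP','HTA','INF','INS','ISP',
        'LNK','MDB','MDE','MSC','MSI','MSP','MST','OCX','PCD','PIF','REG','SCR','SHS','URL','VB','WSC')
    foreach ($lvl in @($DisallowedLevel, $UnrestrictedLevel)) {
        $p = Join-Path $SaferRoot "$lvl\Paths"
        if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
    }
}

function Add-SaferPathRule {
    # One rule = one GUID-named subkey under <level>\Paths with the path in ItemData.
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $Description = 'Added by script',
        [int]    $Level = $DisallowedLevel
    )
    $key = Join-Path $SaferRoot "$Level\Paths\{$([guid]::NewGuid().ToString())}"
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name 'ItemData'     -Value $Path        -Type ExpandString
    Set-ItemProperty -Path $key -Name 'SaferFlags'   -Value 0            -Type DWord
    Set-ItemProperty -Path $key -Name 'Description'  -Value $Description -Type String
    Set-ItemProperty -Path $key -Name 'LastModified' -Value ([DateTime]::Now.ToFileTime()) -Type QWord
    return $key
}

function Get-SaferPathRules {
    # List every existing path rule (level, pattern, key) for review or for undoing a change.
    foreach ($lvl in @($DisallowedLevel, $UnrestrictedLevel)) {
        $p = Join-Path $SaferRoot "$lvl\Paths"
        if (-not (Test-Path $p)) { continue }
        foreach ($k in Get-ChildItem $p) {
            [pscustomobject]@{
                Level       = $lvl
                Path        = $k.GetValue('ItemData')
                Description = $k.GetValue('Description')
                Key         = $k.PSPath
            }
        }
    }
}

Initialize-SaferPolicy
# Constructed rule set: block programs started from the per-user data folders.
foreach ($pattern in '%AppData%\*.exe', '%AppData%\*\*.exe',
                     '%LocalAppData%\*.exe', '%LocalAppData%\*\*.exe') {
    Add-SaferPathRule -Path $pattern -Description "Block $pattern" | Out-Null
}
Get-SaferPathRules | Format-Table -AutoSize
```

A more specific path rule wins over a more general one, so a legitimate program that runs from one of these folders (an updater, for instance) can be whitelisted with `Add-SaferPathRule -Path '%AppData%\SomeVendor\updater.exe' -Level $UnrestrictedLevel`, which is the same idea as the exception facility mentioned in the post; to undo a rule, delete the key shown by `Get-SaferPathRules`. The policy applies to processes started after it is reloaded, so reboot to be sure it is in force, and test the programs you rely on before leaving it in place.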
Nigel
Rank 5
Posts: 300
Joined: Tue 26 Jun 2007 11:35

Post by Nigel »

Does this virus circumvent anti-virus software ?
blackduff
Rank 5
Posts: 850
Joined: Sat 30 Dec 2006 11:32

Post by blackduff »

I just got wrapped up in a similar scam to this. It's requesting a 100€ ransom to get my computer working again. It took several days and bags of luck to get this scum going back to Russia. Safe mode, bringing the files back to a safe version, and any other methods didn't work. Just friggin luck.

I use Norton's super duper and it didn't touch this trojan. I think that the version PBB mentioned is similar. So, start getting your backup programs up to date.

Blackduff
FACEBOOK THOUGHTS: Remember that old phrase: if you're not paying for it, you're not the customer; you're the product being sold.
pbb
Rank 2
Posts: 32
Joined: Thu 02 Feb 2006 15:30

Post by pbb »

@nigel
You need to read the articles. There is a suggestion that this exploit is not being detected by AV products, and it is also suggested that some AVs make recovery by paying the ransom impossible because they interfere with the exploit in some way.
Better to spend 50€ on a large USB key now, and use it, rather than run the risk!
Nigel
Rank 5
Posts: 300
Joined: Tue 26 Jun 2007 11:35

Post by Nigel »

PBB...will do
russell
Rank 5
Posts: 1038
Joined: Fri 21 May 2010 16:03

Post by russell »

The ways to avoid this happening as I see it are:

1. If you are running Windows make sure your virus software is updated daily. The major antivirus programs detect this attack.

2. Never click on a link in an email unless you are certain it comes from a reliable source.

3. Back up your data regularly. I have a backup program that does a backup automatically at each boot up.

4. For best security use a Unix-based operating system such as Mac (expensive) or Linux (free) instead of Windows.

Russell.
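Several posts above recommend backups as the real defence, and Russell's runs automatically at each boot. The point a practitioner would add is that a mirror-style backup run after infection will faithfully copy the encrypted files over the only good copies, so the backup needs versions and needs to be verified. The following added example (not code from anyone in this thread or from any backup product) copies a set of data folders to a new dated folder on an external drive with robocopy, verifies the copy by SHA-256 hash, and only then prunes old versions. The drive letter, the source folders and the retention count are assumptions to adjust; Get-FileHash needs PowerShell 4 or later.

```powershell
# Added example, not from the thread. Versioned, verified copy of data folders to an
# external drive. $Destination, $Sources and $Keep are assumptions for illustration.
$Destination = 'E:\Backups'                      # assumed drive letter of the external disk
$Sources     = @("$env:USERPROFILE\Documents",
                 "$env:USERPROFILE\Pictures")
$Keep        = 5                                 # dated copies to retain after a verified run

function Invoke-VersionedBackup {
    # Copy each source folder into a new timestamped folder; never overwrite an older copy.
    param([string]$Root, [string[]]$Folders)
    if (-not (Test-Path $Root)) { throw "Backup drive $Root is not connected" }
    $target = Join-Path $Root (Get-Date -Format 'yyyy-MM-dd_HHmm')
    foreach ($src in $Folders) {
        if (-not (Test-Path $src)) { continue }
        $dst = Join-Path $target (Split-Path $src -Leaf)
        # /E subfolders, /COPY:DAT data+attributes+timestamps, /R:1 /W:1 do not stall on
        # locked files, /XJ skip junctions, /NP /NFL /NDL keep the output quiet.
        & robocopy.exe $src $dst /E /COPY:DAT /R:1 /W:1 /XJ /NP /NFL /NDL | Out-Null
        if ($LASTEXITCODE -ge 8) { throw "robocopy failed for $src (exit code $LASTEXITCODE)" }
    }
    return $target
}

function Test-BackupIntegrity {
    # Re-hash every source file and compare with its copy; returns the number of mismatches.
    param([string]$Target, [string[]]$Folders)
    $bad = 0
    foreach ($src in $Folders) {
        if (-not (Test-Path $src)) { continue }
        $dst = Join-Path $Target (Split-Path $src -Leaf)
        foreach ($f in Get-ChildItem $src -File -Recurse) {
            $rel  = $f.FullName.Substring($src.Length).TrimStart('\')
            $copy = Join-Path $dst $rel
            if (-not (Test-Path $copy)) { Write-Warning "Missing: $rel"; $bad++; continue }
            $a = (Get-FileHash $f.FullName -Algorithm SHA256).Hash
            $b = (Get-FileHash $copy       -Algorithm SHA256).Hash
            if ($a -ne $b) { Write-Warning "Mismatch: $rel"; $bad++ }
        }
    }
    return $bad
}

function Remove-OldBackups {
    # Keep the newest $Retain dated folders (names sort chronologically), delete the rest.
    param([string]$Root, [int]$Retain)
    Get-ChildItem $Root -Directory | Sort-Object Name -Descending |
        Select-Object -Skip $Retain | Remove-Item -Recurse -Force
}

$copy     = Invoke-VersionedBackup -Root $Destination -Folders $Sources
$failures = Test-BackupIntegrity -Target $copy -Folders $Sources
if ($failures -eq 0) {
    Remove-OldBackups -Root $Destination -Retain $Keep
    Write-Host "Backup verified in $copy. Disconnect the drive now so it stays off-line."
} else {
    Write-Warning "$failures file(s) did not verify; no old copies were removed."
}
```

Because each run lands in its own dated folder, a copy made after files were encrypted sits beside the earlier good ones instead of replacing them, and the retention count gives you several days to notice. The drive should be unplugged between runs, as pbb says: a backup that is permanently connected is just another set of files for the malware to encrypt.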
martyn94
Rank 5
Posts: 2086
Joined: Sun 14 Apr 2013 14:37

Post by martyn94 »

Or buy a Mac. I am a long way from being a "fanboy": I got one because I was brassed off with Windows, my desktop was dead, and a friend had a Mac mini that seemed to work well. I imitated him and have never regretted it. You can buy second-hand for not very much (though much higher than an old PC if you ever want to resell) and their support for older kit is exemplary.