Exceptionally nasty ransom virus: Cryptolocker

beancounter
I posted this in the portable HD thread, but I think it deserves its own thread.

This virus encrypts all of your files and then tells you to pay $300USD to get the key to decrypt it.

Even if your anti-virus software removes it, your files remain encrypted, and unusable.

http://blog.malwarebytes.org/intelligence/2013/10/cryptolocker-ransomware-what-you-need-to-know/

There is a tool (free) to change the group policies in all Windows computers which is supposed to stop crypto locker. Other tools exist, but only do that in the Premium Windows editions.
Here’s the link: http://www.foolishit.com/vb6-projects/cryptoprevent/
It’s at the bottom of the page, and there are excellent explanations of the tool and how it works on the page…as well as testing the tool after installation. Before testing, bookmark the page (or use the link here) and then reboot.
 
Question, on the assumption that ransomware is illegal...

The $300 must be paid into a bank account and surely that should allow the authorities to easily identify the perpetrators?
 
[quote]Question, on the assumption that ransomware is illegal...

The $300 must be paid into a bank account and surely that should allow the authorities to easily identify the perpetrators?[/quote]

You can only pay by two methods. Bitcoin and some money transfer service (similar to Paypal, I guess) that I've never heard of. I suspect both methods allow a high level of anonymity. Also, if they are based outside the U.S., they are beyond the jurisdiction of the authorities.

Of course part of the problem is that white collar crime is usually a low priority for law enforcement.

Afterthought: I have a sneaking suspicion that a foreign gov't is behind this.
 
So do we want "cryptoprevent" or "cryptopreventinstaller" at the bottom of the page?
 
[quote="beancounter, post: 149659, member: 33"]
...
There is a tool (free) to change the group policies in all Windows computers which is supposed to stop crypto locker. Other tools exist, but only do that in the Premium Windows editions.
Here’s the link: http://www.foolishit.com/vb6-projects/cryptoprevent/
It’s at the bottom of the page, and there are excellent explanations of the tool and how it works on the page…as well as testing the tool after installation. Before testing, bookmark the page (or use the link here) and then reboot.[/quote]

Thank you for posting this information about cryptoprevent. But I'm a bit confused about how it works. Does it come on automatically when I boot up? Or do I have to start it manually every time, say, by creating a desktop icon and clicking on that when I start my computer?
 
I copied the information on cryptoprevent from a game developer website. I really don't know much about it.

[quote="beancounter, post: 149659, member: 33"]
...

Thank you for posting this information about cryptoprevent. But I'm a bit confused about how it works. Does it come on automatically when I boot up? Or do I have to start it manually every time, say, by creating a desktop icon and clicking on that when I start my computer?[/quote]
 
I found some information about CryptoPrevent posted in a Usenet forum:

CryptoPrevent is a tiny utility to lock down any Windows OS (XP, Vista, 7, 8, and 8.1) to prevent infection by the Cryptolocker malware or 'ransomware', which encrypts personal files and then offers decryption for a paid ransom.

CryptoPrevent artificially implants group policy objects into the registry in order to block certain executables in certain locations from running. The number of rules created by CryptoPrevent is somewhere between 150 and 200+ rules depending on the OS and options selected, not including whitelisting! Note that because the group policy objects are artificially created, they will not display in the Group Policy Editor on a Professional version of Windows, but rest assured they are still there! Executables now protected against (starting with v2.6) are *.exe *.com *.scr and *.pif, and these executables are blocked in the paths below where * is a wildcard:

http://www.foolishit.com/vb6-projects/cryptoprevent/

It seems like the program runs, does its thing (implanting policy objects into the registry), and then does not need to be "on" anymore to provide protection. Except for one thing. It needs to be "on" for you to request the updates, and apply them. (This assumes you are using the free version. You can pay for a version which updates automatically.)

ETA: If you do check for updates, it seems it has an update at least daily. So it seems prudent to turn it on and check/download update/apply update every time you access the internet.
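
The mechanism the quoted description refers to (policy objects "implanted" into the registry so that *.exe/*.com/*.scr/*.pif cannot run from certain paths) is Windows Software Restriction Policies (SRP), which the OS reads from the registry whether or not they were created through the Group Policy Editor. The script below is an added example, not CryptoPrevent's code and not taken from the linked page: it writes a handful of SRP "Disallowed" path rules for the user-writable locations that CryptoLocker-era droppers launched from, then lists every path rule found in the registry so you can confirm the protection is in place without the tool running. The registry layout under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers is the standard SRP layout; the specific block patterns and the "Description" text are this example's own choices. It must be run from an elevated PowerShell, and rules take effect after `gpupdate /force` or the next logon.

```powershell
# Added example (not CryptoPrevent's code): write Software Restriction Policy
# path rules directly into the registry to block executables launched from
# user-writable locations, then enumerate what is in place.
# Assumption: the standard SRP registry layout under CodeIdentifiers, where
# subkey "0" is the Disallowed level and "262144" (0x40000) is Unrestricted.
#Requires -RunAsAdministrator

$SaferRoot    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0        # SRP security level: Disallowed
$Unrestricted = 262144   # SRP security level: Unrestricted (kept as the default level)

# Example block list (constructed for this example). Caveat: some legitimate
# software installs and runs from %AppData%/%LocalAppData%, so whitelist those
# with an Unrestricted rule (see Add-SaferPathRule -Level) before deploying widely.
$BlockPatterns = @(
    '%AppData%\*.exe',
    '%AppData%\*\*.exe',
    '%LocalAppData%\*.exe',
    '%LocalAppData%\*\*.exe',
    '%Temp%\Rar*\*.exe',    # WinRAR extracts here when a .exe inside an archive is opened
    '%Temp%\7z*\*.exe',     # 7-Zip
    '%Temp%\wz*\*.exe',     # WinZip
    '%Temp%\*.zip\*.exe'    # Windows built-in zip handler
)

function Initialize-SaferPolicy {
    # Create the root with SRP enabled and DefaultLevel = Unrestricted, so only the
    # explicit Disallowed path rules below block anything.
    if (-not (Test-Path $SaferRoot)) { New-Item -Path $SaferRoot -Force | Out-Null }
    New-ItemProperty -Path $SaferRoot -Name DefaultLevel       -Value $Unrestricted -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $SaferRoot -Name TransparentEnabled -Value 1             -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $SaferRoot -Name PolicyScope        -Value 0             -PropertyType DWord -Force | Out-Null
    # File types SRP treats as executable; mirrors the set in the quoted description.
    New-ItemProperty -Path $SaferRoot -Name ExecutableTypes -Value @('EXE','COM','SCR','PIF') -PropertyType MultiString -Force | Out-Null
}

function Add-SaferPathRule {
    param(
        [Parameter(Mandatory)][string]$Pattern,
        [int]$Level = $Disallowed          # pass $Unrestricted to whitelist a path
    )
    $pathsKey = Join-Path $SaferRoot "$Level\Paths"
    if (-not (Test-Path $pathsKey)) { New-Item -Path $pathsKey -Force | Out-Null }

    # Idempotent: if a rule with the same ItemData already exists, return its GUID.
    $existing = Get-ChildItem $pathsKey -ErrorAction SilentlyContinue |
        Where-Object { (Get-ItemProperty $_.PSPath).ItemData -eq $Pattern } |
        Select-Object -First 1
    if ($existing) { return $existing.PSChildName }

    $guid    = '{' + [guid]::NewGuid().ToString() + '}'
    $ruleKey = Join-Path $pathsKey $guid
    New-Item -Path $ruleKey -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name ItemData     -Value $Pattern -PropertyType ExpandString -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name SaferFlags   -Value 0        -PropertyType DWord        -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name Description  -Value 'Example rule: block executables in user-writable path' -PropertyType String -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name LastModified -Value ([DateTime]::UtcNow.ToFileTimeUtc()) -PropertyType QWord -Force | Out-Null
    return $guid
}

function Get-SaferPathRule {
    # Walk every security-level subkey (0, 131072, 262144) and report its path rules.
    # This is the registry view, so it shows rules regardless of how they were created.
    foreach ($levelKey in Get-ChildItem $SaferRoot -ErrorAction SilentlyContinue) {
        if ($levelKey.PSChildName -notmatch '^\d+$') { continue }
        $pathsKey = Join-Path $levelKey.PSPath 'Paths'
        if (-not (Test-Path $pathsKey)) { continue }
        foreach ($rule in Get-ChildItem $pathsKey) {
            $p = Get-ItemProperty $rule.PSPath
            [pscustomobject]@{
                Level       = [int]$levelKey.PSChildName   # 0 = Disallowed, 262144 = Unrestricted
                Rule        = $rule.PSChildName
                Path        = $p.ItemData
                Description = $p.Description
            }
        }
    }
}

Initialize-SaferPolicy
foreach ($pattern in $BlockPatterns) { Add-SaferPathRule -Pattern $pattern | Out-Null }
Get-SaferPathRule | Sort-Object Level, Path | Format-Table -AutoSize
```

To test a rule without waiting for a real infection, copy any harmless .exe into %AppData% after running `gpupdate /force` and try to launch it; SRP should refuse with "This program is blocked by group policy". To undo everything, delete the CodeIdentifiers key (`Remove-Item $SaferRoot -Recurse`) and run `gpupdate /force` again. Note that this blocks only what the path rules name; unlike the tool, it will not update itself as new launch locations appear.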
 
I feel truly sorry for Windows users sometimes. Is there really no better, less cumbersome way to protect yourselves? Are you sure there isn't a security update to the OS itself that protects against these sorts of threats?