
Got hit with a Crypto-locker/ransomware variant


jeremyf


Hi there,
 
On Monday, our business was hit with "something". I expect the manner of infection was via IE (latest version, fully patched) on a Windows 7 x64 workstation (also fully updated and patched). The user was looking at "recipes" and I believe it was through an undocumented exploit of IE (a drive-by download), since she knew enough to call me over once UAC started prompting her for changes (to which she always hit NO), and she wasn't trying to download anything, just viewing the web site.
 
Before I knew what I was dealing with, I installed Malwarebytes free version on the PC (fighting the UAC prompt, hitting NO every 5 seconds or so)...but then before it had even run for 5 minutes I noticed "DECRYPTION_INSTRUCTIONS.txt" being created in the Documents folder of the PC, and Eset Endpoint started flagging "DECRYPTION_INSTRUCTIONS.html" files being created alongside the .txt versions in every folder the malware was actively encrypting (and yes, it was quite successful at fully encrypting that workstation) as "Filecoder.CR Trojan".
 
At that point I disabled the ethernet card on that system.
 
The warnings from RAS later emailed to me, as a result of Eset Endpoint flagging them just before I disabled the ethernet card, looked like:

02/06/2014 8:40:58 AM - Module Real-time file system protection - Threat Alert triggered on computer PRIME-SBS2011E: D:\Last.Report\DECRYPT_INSTRUCTION.TXT contains Win32/Filecoder.CR trojan.
02/06/2014 8:40:58 AM - Module Real-time file system protection - Threat Alert triggered on computer PRIME-SBS2011E: D:\Last.Report\DECRYPT_INSTRUCTION.HTML contains Win32/Filecoder.CR trojan.
02/06/2014 8:44:09 AM - Module Real-time file system protection - Threat Alert triggered on computer PRIME-SBS2011E: D:\Last.Report\DECRYPT_INSTRUCTION.TXT contains Win32/Filecoder.CR trojan.
02/06/2014 8:44:09 AM - Module Real-time file system protection - Threat Alert triggered on computer PRIME-SBS2011E: D:\Last.Report\DECRYPT_INSTRUCTION.HTML contains Win32/Filecoder.CR trojan.
02/06/2014 8:44:23 AM - Module Real-time file system protection - Threat Alert triggered on computer PRIME-SBS2011E: D:\ProgramData\TSD\WinTreeData\DECRYPT_INSTRUCTION.TXT contains Win32/Filecoder.CR trojan.
02/06/2014 8:44:24 AM - Module Real-time file system protection - Threat Alert triggered on computer PRIME-SBS2011E: D:\ProgramData\TSD\WinTreeData\DECRYPT_INSTRUCTION.HTML contains Win32/Filecoder.CR trojan.
02/06/2014 8:45:02 AM - Module Real-time file system protection - Threat Alert triggered on computer PRIME-SBS2011E: D:\ServerFolders\Company\Drivers & Software\DECRYPT_INSTRUCTION.TXT contains Win32/Filecoder.CR trojan.
02/06/2014 8:45:03 AM - Module Real-time file system protection - Threat Alert triggered on computer PRIME-SBS2011E: D:\ServerFolders\Company\Drivers & Software\DECRYPT_INSTRUCTION.HTML contains Win32/Filecoder.CR trojan.
02/06/2014 8:45:06 AM - Module Real-time file system protection - Threat Alert triggered on computer PRIME-SBS2011E: D:\Export\ORDER.IMPORT\DECRYPT_INSTRUCTION.TXT contains Win32/Filecoder.CR trojan.
02/06/2014 8:45:06 AM - Module Real-time file system protection - Threat Alert triggered on computer PRIME-SBS2011E: D:\Export\ORDER.IMPORT\DECRYPT_INSTRUCTION.HTML contains Win32/Filecoder.CR trojan.
02/06/2014 8:49:20 AM - Module Real-time file system protection - Threat Alert triggered on computer PRIME-SBS2011E: D:\Export\PRICING\DECRYPT_INSTRUCTION.TXT contains Win32/Filecoder.CR trojan.
02/06/2014 8:49:20 AM - Module Real-time file system protection - Threat Alert triggered on computer PRIME-SBS2011E: D:\Export\PRICING\DECRYPT_INSTRUCTION.HTML contains Win32/Filecoder.CR trojan.
02/06/2014 8:50:02 AM - Module Real-time file system protection - Threat Alert triggered on computer PRIME-SBS2011E: D:\Export\spooler\dp\DECRYPT_INSTRUCTION.TXT contains Win32/Filecoder.CR trojan.
02/06/2014 8:50:03 AM - Module Real-time file system protection - Threat Alert triggered on computer PRIME-SBS2011E: D:\Export\spooler\dp\DECRYPT_INSTRUCTION.HTML contains Win32/Filecoder.CR trojan.
02/06/2014 8:50:04 AM - Module Real-time file system protection - Threat Alert triggered on computer PRIME-SBS2011E: D:\Export\spooler\DECRYPT_INSTRUCTION.TXT contains Win32/Filecoder.CR trojan.
02/06/2014 8:50:04 AM - Module Real-time file system protection - Threat Alert triggered on computer PRIME-SBS2011E: D:\Export\spooler\DECRYPT_INSTRUCTION.HTML contains Win32/Filecoder.CR trojan.
02/06/2014 8:50:11 AM - Module Real-time file system protection - Threat Alert triggered on computer PRIME-SBS2011E: D:\Export\DECRYPT_INSTRUCTION.TXT contains Win32/Filecoder.CR trojan.
02/06/2014 8:50:12 AM - Module Real-time file system protection - Threat Alert triggered on computer PRIME-SBS2011E: D:\Export\DECRYPT_INSTRUCTION.HTML contains Win32/Filecoder.CR trojan.
02/06/2014 8:52:55 AM - Module Real-time file system protection - Threat Alert triggered on computer PRIME-SBS2011E: D:\ServerFolders\Company\Common Files\DECRYPT_INSTRUCTION.TXT contains Win32/Filecoder.CR trojan.
02/06/2014 8:52:56 AM - Module Real-time file system protection - Threat Alert triggered on computer PRIME-SBS2011E: D:\ServerFolders\Company\Common Files\DECRYPT_INSTRUCTION.HTML contains Win32/Filecoder.CR trojan.

 

Obviously, it had started to work on Shared Network folders before I disconnected it. It was quite successful in the "export" and "last.report" directories, not so much in the "Common files", "Drivers and software" and "Programdata" directories. For this I am thankful.

 

Action I have taken:

 

- completely wiped (formatted and re-installed), and then restored from previous backups the entire affected workstation (it never came back on the network until this was complete)

- completely wiped and deleted those shared network folders on the Server that were affected, and restored from previous backup (disclaimer: if the "DECRYPTION_INSTRUCTIONS" files had been written to the directory, I randomly tested files within it. Like I say above, for the two folders where I could verify everything was encrypted, I deleted and restored. For those folders where I could find NO EVIDENCE of encryption having taken place, I simply deleted the "DECRYPTION_INSTRUCTIONS" files. I sincerely believe I caught the malware in time for those folders.)

 

My question to the knowledgeable folks here is: what else do you recommend?

 

Without providing source files (sorry, I wiped the affected machine too quickly), I suppose I am not helping the cause by providing the malware for future immediate detection by Eset. I can tell you that it created a folder directly on the affected machine's C: drive called "ebc0c52" in which a file resided called "ebc0c52.exe". This file was also present in a number of Windows system folders, and set to run at startup through the registry. That is as much investigation as I did before I wiped the system.

 

Does it make sense that Eset seemed to not detect the actual malware, but only the files it generated?

 

I would appreciate any input any of you have on this. Thanks.


Hello,

Unsure whether ESET was detecting or preventing, and I would wait for an official response.

Going forward I would create some policies, whether local or global, that will prevent crypto's basic functionality.

Another prevention method is to encrypt your drives yourself, so any future encryption attempts will fail.

ESET offers this protection here: hxxp://www.eset.com/int/business/technology-alliance/deslock/


Addendum:

 

To my dismay, now that I am reviewing the Threat log on the RAC, I see at least 4 other systems that detected the same "Win32/Filecoder.CR trojan" as .TMP files in the associated workstations users' 'Appdata/local/temp' directories.

 

As far as I can tell from this log, Eset Endpoint DID detect these as threats and deleted them.

The timestamps on these detections and deletions coincide to just before I originally disconnected the offending infected workstation.

 

So somehow it was attempting to propagate through the internal LAN network as well. I was not aware of this behaviour from these types of ransomware infections...anybody else?

 

My fear now is I can only hope that Eset did in fact eliminate this threat as it was attempting to propagate (it sure looks like it did!).

I am also puzzled by why Eset did NOT detect it on the offending, fully infected original workstation. (Although it did begin throwing detection notifications on the DECRYPTION_INSTRUCTION files).

I have slightly different versions of the Endpoint client on these machines, ranging from 5.0.2126 - 5.0.2225. But the version on the offending machine, and one of the ones that detected and reported deleted in the Appdata directory was the same version, .2126.

 

Again, any advice or commentary is welcome.


Most variants of cryptolocker launch from the appdata folder. :)

If you have File Security on your servers hosting the network drive, it will protect against the network propagation; however, if it tries to spread through network protocols, you will need Endpoint Security on your clients.

I have witnessed and assisted with crypto attacks that jump to network drives in the past, this has been its design for a while. :)


I have Endpoint on all domain connected workstations, including the one that was infected.

I have File Security for MS Servers on the single server we have, which hosts the shared network folders.

 

I am currently nuking a couple of virtual Win XP, and a single Win 7 machine (all within Virtualbox) - which are hosted on the server as well. These systems are not part of the domain, but serve other purposes. They did NOT have Endpoint on them, which I will rectify after I restore older images of those machines pre-infection.

 

I expected the thing to begin actively encrypting shared network folders...what I did not expect was for it to seemingly propagate through some unknown means to other workstations. These systems do not have shared network folders...and yet there were no less than 4 Eset detections and deletions according to RAC logs on other, otherwise unaffected workstations in their respective local User/Appdata folders...I found this strange...by what means does it propagate in that way?


Hello jeremyf,

 

To start with, I want to let you know that I have never seen the Cryptolocker infection itself move past the originating system. What happens is the encryption will encrypt anything the system is connected to using an encryption service. This service is usually the Windows encryption service or another that is already installed on the system. Araksi is correct that this infection has moved through emails that work to get the end user to click on an attachment. The infection is in that attachment. I personally have not seen it move any other way. This does not exclude the idea that things may have changed, as that is business as usual for the people who write and propagate these infections.

 

This situation is either a new variant or something else is going on along with the cryptolocker infection. I think at this point it might be a good idea if you could give us a call at 1-619-630-2400. We are available Monday through Friday 5am to 7pm PST. Please have your ESET Username or email address associated with the ESET account ready when you call.

 

WilliamT
ESET Business Support Engineer


That was my opinion as well, after having read up on it a bit. Which is why I was quite happy once I DC'ed the affected system that everything seemed to stop in terms of files being generated on the network folders (and actual active harmful encryption taking place), etc.

One other aspect, however, was that I had one off-site software developer connected to another workstation via RDP during the same period of time as the infection took place. I was actually on the phone with him about very strange behaviour: repeatedly getting "lagged out" of his connection. Not disconnecting, mind you, just so much lag his remote system became unresponsive from his perspective. A user disconnect on his part, and reconnect, would solve it momentarily, but it would quickly do it over and over. That all stopped when I went to deal with the infection and finally DC'ed the affected workstation, although he was only able to inform me of that quite a bit later in the day. Again, to be clear, neither his laptop at home nor the local system here he was remoting to was affected in any way I can tell from this infection, except for that strange behaviour that was too much of a coincidence to be ignored. I have read some stuff about some malware taking advantage of open RDP ports in a local LAN, and I wonder if that was some method of propagation...though to be honest it seems a bit far-fetched.

I'm trying not to get too excited, but for you to even suggest my calling you is amazing on your part! Even though I am fairly confident that I have stopped this thing dead in its tracks (and therefore not in a panic or anything), a brief look by a professional such as yourself would be more than welcome!

I will take you up on giving you folks a call first thing tomorrow. :)

I also now realize I spelled "Crypto" wrong in the title of my OP...would a moderator please correct that for proper search functionality?


There are definitely means of spreading through RDP; however, I don't think crypto does that. However, if you use a 3rd party program that transfers files, it may use that if you have FT turned on at the time.

 

hxxp://www.darkreading.com/attacks-and-breaches/new-malware-puts-nasty-spin-on-remote-control/d/d-id/1103465?

hxxp://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Worm:Win32/Morto.A


Hi Jeremyf,

 

We had the same issue a month ago. It first started with a user, then before I realized what was happening, it had spread to our main file server. There were only 5 out of 1000 machines affected, but like I mentioned before, one of those was our file server. The worst possible machine to be hit.

Our problem is that everyone makes use of mapped drives on our network, I'm assuming that's how it spreads. Where it originated from? I don't know. It didn't affect all our files on the server, but all the files that were encrypted, were encrypted at the exact time and date. Every directory had the HOW_TO_DECRYPT.txt and HOW_TO_DECRYPT.html files in, but not every applicable file was encrypted. All of them were encrypted on a Saturday, I only responded the Monday. So why did it stop? Why didn't it spread to all the other machines on the network, and why did it only encrypt some files, instead of all? These are the questions that bothered me most. 

 

I blocked all external websites on my firewall, and users could only access sites that are on the allow list. I'm too damn afraid to take this restriction away, despite the whole company rioting with torches and pitch forks in front of the IT department, cause I took their internet away... Smh. 

Most of our files I could recover from our backups, but we lost some very, very important files right before an audit. Management insisted I pay the ransom to decrypt those files, but I don't negotiate with terrorists. Besides, I do not want to draw more attention on the deep web.

 

So far we haven't had any new problems. I don't know if it's because no one can get to dodgy sites, or because I loaded eset on all the machines. I just hope it will become a priority to track and prosecute these cyber criminals before it becomes a major trend. 

 

Kind Regards


That's quite a hairy story you have there! And it sounds quite similar to what we experienced, but you are much bigger...and I am sorry to hear you had actual data loss as a result...

Yes, I really hope law enforcement gets serious with this type of thing (as much as it can), but I fear it will have little effect.

 

This will likely become the de facto standard for the most dangerous "virus" scripts/programs out there, since what else do you want as a malware writer, other than A) destruction and maybe a little B) profit?

I predict this might stimulate changes at the OS level in time as a response...we will see!

 

I am thankful that Eset really seemed to stop it as it tried to spread to other systems...it really seems to have only let it go on the one system (and shared network folders as a result), and I think because it is an as-of-yet unidentified strain.


Hi All,

 

Yes, this infection is known to use standard RDP ports, but not usually to propagate the infection. There will be a series of links at the bottom of this post that will give you more information on this and other aspects of this infection. This is used for access to the network later. They have identified the leader of the group responsible for this and he is now on the FBI Most Wanted list. This is VERY good news and you can read more about this here on our blog site. I am sorry to hear about the riots, Persona1986. I will PM you some more information that may help quell the frenzy. I have provided some information below that will help you to understand the infection and even prevent some of this from happening.

 

 

Does ESET protect me from Filecoder (CryptoLocker) malware?
hxxp://kb.eset.com/zap/SOLN3433

Filecoder: Holding your data to ransom
hxxp://www.welivesecurity.com/2013/09/23/filecoder-holding-your-data-to-ransom/

Cryptolocker 2.0 – new version, or copycat?
hxxp://www.welivesecurity.com/2013/12/19/cryptolocker-2-0-new-version-or-copycat/

Don’t pay up! How to avoid ransomware threats – and how to fight back
hxxp://www.welivesecurity.com/2013/10/25/dont-pay-up-how-to-avoid-ransomware-threats-and-how-to-fight-back/

11 things you can do to protect against ransomware, including Cryptolocker
hxxp://www.welivesecurity.com/2013/12/12/11-things-you-can-do-to-protect-against-ransomware-including-cryptolocker/

Remote Desktop (RDP) Hacking 101: I can see your desktop from here!
hxxp://www.welivesecurity.com/2013/09/16/remote-desktop-rdp-hacking-101-i-can-see-your-desktop-from-here/

ESET is dedicated to the protection of all of our users, and interested in any new virus samples. You can use the instructions from the Knowledgebase article below to submit these samples to our virus lab.
------------------------------------------------------------------------------
How do I submit a virus, website or potential false positive sample to ESET's lab?
hxxp://kb.eset.com/zap/SOLN141
------------------------------------------------------------------------------

For Administrators:
To learn more about how you can protect your computers from infection and increase your security, click or copy/paste any of the following ESET Knowledgebase articles into your web browser:
------------------------------------------------------------------------------
What can I do to minimize the risk of an infection on the network?
hxxp://kb.eset.com/zap/SOLN247

Cyber security road map for businesses
hxxp://www.welivesecurity.com/2013/05/14/cyber-security-road-map-for-businesses/
------------------------------------------------------------------------------

For Users:
To learn more about how you can protect your computers from infection and increase your security, click or copy/paste any of the following ESET Knowledgebase articles into your web browser:
------------------------------------------------------------------------------
What can I do to minimize the risk of a malware attack?
hxxp://kb.eset.com/zap/SOLN130

Bulletproof Inbox: Tips for staying safe (and sane) on email
hxxp://www.welivesecurity.com/2013/08/02/bulletproof-inbox-tips-for-staying-safe-and-sane-on-email/

Live fast, die old: Pro browsing tips to enjoy the Web at full speed (and safely too)
hxxp://www.welivesecurity.com/2013/09/19/live-fast-die-old-pro-browsing-tips-to-enjoy-the-web-at-full-speed-and-safely-too/
------------------------------------------------------------------------------

 

 

WilliamT

ESET Business Support Engineer



I am just going to mention here as well, here is the log of the initial infection.

Again, although these threats were discovered/caught, infection was still successful on this machine.

Date Received    2014-06-02 08:44:37
Date Occurred    2014-06-02 08:40:50
Level    Warning
Scanner    HTTP filter
Object    file
Name    hxxp://gerring-serilg.su/net-phocaguestbook/jquery
Threat    a variant of Win32/Injector.BEYR trojan
Action    connection terminated - quarantined
User    [domain]\Pauline
Information    Threat was detected upon access to web by the application: C:\Users\Pauline\AppData\Local\Temp\KB480233852.exe.

And immediately afterwards:

Date Received    2014-06-02 08:44:37
Date Occurred    2014-06-02 08:40:51
Level    Warning
Scanner    Real-time file system protection
Object    file
Name    C:\Users\Pauline\AppData\Local\Temp\480239983.bat
Threat    BAT/Small.NAN trojan
Action    cleaned by deleting - quarantined
User    
Information    Event occurred during an attempt to access the file by the application: C:\Users\Pauline\AppData\Local\Temp\KB480231699.exe.

It was within a few minutes of the above that "DECRYPTION_INSTRUCTIONS" files began to be written on network shares...the local machine was taken over at this point...


Date Received    2014-06-02 08:52:31
Date Occurred    2014-06-02 08:44:09
Level    Warning
Scanner    Real-time file system protection
Object    file
Name    D:\Last.Report\DECRYPT_INSTRUCTION.HTML
Threat    Win32/Filecoder.CR trojan
Action    deleted
User    [domain]\Pauline
Information    Event occurred on a newly created file.


 

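The two ESET log formats quoted in this thread (the one-line RAS alerts earlier in the thread and the key/value threat records just above) are easy to turn into a restore list and a timeline for exactly the triage described here. The script below is an added example, not something from the original posts or from ESET; the sample lines are constructed from the formats shown, and the WS-07 host, the a1b2c3.tmp name and the example.invalid URL are placeholders.

```python
import re
from datetime import datetime

# Constructed RAS alert lines in the one-line format quoted in the thread.
# Dates are day/month/year (02/06/2014 = 2 June 2014). WS-07 and a1b2c3.tmp are
# placeholders for the AppData\Local\Temp detections seen on other workstations.
SAMPLE_ALERTS = """\
02/06/2014 8:40:58 AM - Module Real-time file system protection - Threat Alert triggered on computer PRIME-SBS2011E: D:\\Last.Report\\DECRYPT_INSTRUCTION.TXT contains Win32/Filecoder.CR trojan.
02/06/2014 8:40:58 AM - Module Real-time file system protection - Threat Alert triggered on computer PRIME-SBS2011E: D:\\Last.Report\\DECRYPT_INSTRUCTION.HTML contains Win32/Filecoder.CR trojan.
02/06/2014 8:45:06 AM - Module Real-time file system protection - Threat Alert triggered on computer PRIME-SBS2011E: D:\\Export\\ORDER.IMPORT\\DECRYPT_INSTRUCTION.TXT contains Win32/Filecoder.CR trojan.
02/06/2014 8:50:04 AM - Module Real-time file system protection - Threat Alert triggered on computer PRIME-SBS2011E: D:\\Export\\spooler\\DECRYPT_INSTRUCTION.TXT contains Win32/Filecoder.CR trojan.
02/06/2014 8:51:30 AM - Module Real-time file system protection - Threat Alert triggered on computer WS-07: C:\\Users\\bob\\AppData\\Local\\Temp\\a1b2c3.tmp contains Win32/Filecoder.CR trojan.
"""

# Constructed key/value records in the detailed format quoted above (placeholder URL).
DETAIL_SAMPLE = """\
Date Received    2014-06-02 08:44:37
Date Occurred    2014-06-02 08:40:50
Scanner    HTTP filter
Name    hxxp://example.invalid/jquery
Threat    a variant of Win32/Injector.BEYR trojan
Action    connection terminated - quarantined

Date Received    2014-06-02 08:52:31
Date Occurred    2014-06-02 08:44:09
Scanner    Real-time file system protection
Name    D:\\Last.Report\\DECRYPT_INSTRUCTION.HTML
Threat    Win32/Filecoder.CR trojan
Action    deleted
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) - Module (?P<module>.+?) - "
    r"Threat Alert triggered on computer (?P<host>[^:\s]+): (?P<path>.+) contains (?P<threat>.+)\.$"
)
# Ransom-note names mentioned in the thread; a note in a directory means the
# malware was working there, so every file in that directory is suspect.
RANSOM_NOTE_RE = re.compile(
    r"^(DECRYPT_INSTRUCTION|DECRYPTION_INSTRUCTIONS|HOW_TO_DECRYPT)\.(TXT|HTML)$", re.I)
# A payload in a user's temp directory: that host itself was targeted, not just a share.
TEMP_DROP_RE = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.(tmp|exe|bat)$", re.I)

def parse_alerts(text):
    """Turn RAS alert lines into dicts with a parsed timestamp and a classification."""
    events = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m:
            continue  # not an alert line (headers, blank lines, mail wrapping)
        e = m.groupdict()
        e["when"] = datetime.strptime(e["ts"], "%d/%m/%Y %I:%M:%S %p")
        e["directory"], _, e["filename"] = e["path"].rpartition("\\")
        e["kind"] = "other"
        if RANSOM_NOTE_RE.match(e["filename"]):
            e["kind"] = "ransom-note"
        elif TEMP_DROP_RE.search(e["path"]):
            e["kind"] = "temp-drop"
        events.append(e)
    return events

def restore_candidates(events):
    """(host, directory) -> note count and first/last note time: the restore list."""
    by_dir = {}
    for e in events:
        if e["kind"] != "ransom-note":
            continue
        entry = by_dir.setdefault((e["host"], e["directory"]),
                                  {"notes": 0, "first": e["when"], "last": e["when"]})
        entry["notes"] += 1
        entry["first"] = min(entry["first"], e["when"])
        entry["last"] = max(entry["last"], e["when"])
    return by_dir

def hosts_with_temp_drops(events):
    """Hosts where the payload landed locally; these need checking, not only the shares."""
    return sorted({e["host"] for e in events if e["kind"] == "temp-drop"})

def parse_detail_records(text):
    """Split blank-line-separated records; keys and values are separated by 2+ spaces."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            parts = re.split(r"\s{2,}", line.rstrip(), maxsplit=1)
            rec[parts[0]] = parts[1] if len(parts) > 1 else ""
        records.append(rec)
    return records

def reporting_lag_seconds(records):
    """Seconds between the event on the endpoint and its arrival at RAS.
    Build timelines from Date Occurred, not Date Received: the lag is minutes."""
    fmt = "%Y-%m-%d %H:%M:%S"
    return [int((datetime.strptime(r["Date Received"], fmt)
                 - datetime.strptime(r["Date Occurred"], fmt)).total_seconds())
            for r in records]
```

Run it over the real RAS mail or an exported threat log in place of the constructed samples; the restore list is the set of directories a ransom note landed in, which is the same test the OP applied by hand.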

Hi jeremyf,

 

It sounds like it's worth checking your Eset settings to make sure you're making the best use of the various protections it offers. Check that your config is set to use Advanced Heuristics and detect potentially unwanted and unsafe software. Make sure it's being sent to the clients correctly too - I have found that some of the options are not picked up from the config XML files. It's worth going through every page and setting to check the options are set up how you want them to be. If your computers are high spec enough, run Advanced Heuristics on every option.

 

Look at installing Microsoft's Enhanced Mitigation Toolkit. This adds another layer around Internet Explorer, Office, Adobe Acrobat etc. and, if you enable it, any other program. I've been installing this on all client computers by default now with very few problems. This will significantly help when protecting against drive-by exploits - one of its main functions.

 

Evaluate your network shares to make sure that users can only access what they need to. It's easy to put in a temporary fix to a permissions problem to allow users to access everything but not get round to re-securing shares. Check that the workstations have as little access to each other as they need. Also make sure your backups are made in a way that malware on a trusted client or the server cannot wipe them all out. Assume your server gets a virus like cryptolocker, and do what you can to mitigate what it can do.

 

Also check that the programs your users have installed are set up securely - Adobe Reader, in particular, has a lot of options to lock down JavaScript, launching external programs, accessing the Internet etc. If you use Java, switch off the browser plugin or lock it down to specific sites. We all know how bad Flash is at updating itself - so set a schedule to manually check it.

  • 2 weeks later...

Got the same virus on a computer here today, ESET put up all kinds of warnings but now I'm restoring network share data from shadow copies as a pile of folders got hit before I was able to pull the cord on the system that was infected. Concerning was that a scan I ran didn't find anything on the computer despite the fact that the virus was currently active.

The link sent in the e-mail is here:

[LINK REDACTED]

If that'll help anybody at ESET out.

-Chris


OVERKILL,

Please do not post links to viruses on the forum. If you have a sample or a link to a sample you can send them to samples@eset.com. If you click here you will get a more detailed set of instructions for submitting samples.

Thank you

  • 1 year later...

Very interesting, thank you for sharing.
 
I would like to add there is also a Cryptolocker Prevention Kit (just Google it) since 2013. Apparently the kit still works.
  • Administrators

We've recently added protection against the widespread Filecoder.DG at the network level to ESET Smart Security. With LiveGrid, Advanced Memory Scanner and Exploit Blocker (being parts of HIPS), it's another protection layer that should keep our users away from Filecoder trojans that encrypt files.


Hello Marcos. Earlier in this post Arkasi posted "Another prevention method is to encrypt your drives yourself, so any future encryption attempts will be failed.

ESET offers this protection here: hxxp://www.eset.com/...liance/deslock/" I went over this with a malware specialist and he says this statement is not true and that even with DESLOCK, Cryptolocker can still encrypt your data. Can you confirm or deny this?

  • Administrators

 

Yes, it can provided that the malware was run in the account of a user authorized to access the encrypted data.


 

 

Thanks Marcos. 
