Wow...that's nasty looking stuff!
Sorry!!!
Mike Copeland
Mike Copeland wrote:
Here's the most recent info in WindowsSecrets newsletter (Jan 2015) regarding Crypto-whatever...
=============================================
Protect yourself from the latest CryptoWhatever
Hardly a day goes by that I don't hear a story about someone hit by the latest version of CryptoLocker. On systems that have sensitive data — which is almost every Windows PC I own — I always ensure that I have a recent, full backup. For small-business systems, you can use products from Microsoft or third-party backup tools such as Acronis Backup (more info http://email.windowssecrets.com/wf/click?upn=0-2BxQdQJ2-2FB3xnRtun7-2Fsh6zWERXG4dwCosQmkIZWB-2FkwlFqov-2Fkyr6gx0LvViu7-2F9Fy03clLmsJ1ONwsDqplOA-3D-3D_9pIz290frcShQfOR9al69pMkWRklZ83tNex6g1BlAANUEsq3qt-2BRzlv1tScqCUOUDMP0kLMzqLMr2xbj1QpFHCOARa26ixlQExUYgSG5cGu2xlUc12Coe9FVdflbK3fxqxwdX3ub-2FSMWUESz-2Bwm2CYWamo9ktzw0iVZ-2BId3LLWrqjapq-2FeN-2FKcOjALUIQw4ad9YNET06RXHnM9tNC4nlNLLn5NzEUIZj5YMV3mXG7tCcVtjRFVSoNglK6JL-2FRGFr7prXNXenV4qFRpJPhAdYWkblP8N2K5-2FIrJXH9WlhbB7seCC4Bf2Ojk-2Bbbk6ALH7cK-2BFo4GdgwFoCVMNJPqGXjrYlNSd9m3X8OfqJzcuhW4Cfj92k2gG9v1mqhaI-2BKoVBtP0gjROJQypceoFf6VbEeg-3D-3D).
If you're familiar with the now-defunct MS Home Server 2011, its code lives on in two forms. First, Windows Storage Server 2012 R2 Essentials (site http://email.windowssecrets.com/wf/click?upn=Q8kkqfkHDbD-2Bfamhtak93RaUwjSaLln5Aq9lKnmysGp78LXrjBJwGHIwaQZNxs7Wpr5f5VDnEuDzDiWy-2FnO3Dv4RsGZKmwai4J7zDuqlT3XQ8a7UewA0WaKQHGUfogh4woAKBuNQakXIF-2B9geLApy0l1U-2F7f9TTy1Xm7jtUiAW3TqYt9-2FC9FJHFiNKU4f0plUCDmNswpRbTYSfCcdlCVAFdRWSIO577I4-2BtbqNLlDpxnqBYGRR92nM1eAqDMvE0rVoBjh7Iat4kedIaDGP6CHX-2FuuXsiVfO-2FzB6yiUyP9NE-3D_9pIz290frcShQfOR9al69pMkWRklZ83tNex6g1BlAANUEsq3qt-2BRzlv1tScqCUOUDMP0kLMzqLMr2xbj1QpFHCOARa26ixlQExUYgSG5cGu2xlUc12Coe9FVdflbK3fxqxwdX3ub-2FSMWUESz-2Bwm2CYWamo9ktzw0iVZ-2BId3LLWrqjapq-2FeN-2FKcOjALUIQw4ad9YNET06RXHnM9tNC4nlNGVL4P-2FWgrNKTS4UzDqo-2Bm2w5Unj8arwoI8K4dLwxpAbggrQaoNDTFssdkzo3Ot3hjGuNKD9nMugtdXw7KgsJa2Wq03q2rv83kCxyU0z79D5-2FVzTG7Zc0hilD5A8p6bKEHybc6xik45435MzMzV7xT-2B0YS8mYX-2Bk2ltGFmtq9X2kCvLMZHB273fH6W0H6k8wxA-3D-3D) provides the old, reliable Home Server client backup that I still rely on for several of my computers. Second, for larger networks, you can install the Essentials component included in standard Windows Server 2012 R2 (site http://email.windowssecrets.com/wf/click?upn=0-2BxQdQJ2-2FB3xnRtun7-2Fshy9E-2FMZ3MYbZaFFYQXDFykUEaYIP7mfrJbfQ9w0Yhb5Sft7MxSadWrBp9jziqw-2FtnA2-2FBsIoyd1HVeiFgAo7p-2B62Vej9nsw7X2MXIUq0MJFb_9pIz290frcShQfOR9al69pMkWRklZ83tNex6g1BlAANUEsq3qt-2BRzlv1tScqCUOUDMP0kLMzqLMr2xbj1QpFHCOARa26ixlQExUYgSG5cGu2xlUc12Coe9FVdflbK3fxqxwdX3ub-2FSMWUESz-2Bwm2CYWamo9ktzw0iVZ-2BId3LLWrqjapq-2FeN-2FKcOjALUIQw4ad9YNET06RXHnM9tNC4nlNH7usCpfoU30jtprF-2FWiurlt1VJDeR331-2BU5-2B-2FVBbWNr-2BzzMzGZT5cPnLaMF15VhdIkz5sypwN5b0Yhgn7ZwX9-2BVJg3DPkI9Z9x8hJk6ZUU5HkoV229cQHfyf3LkGb9JnZZ-2BlJUMhkv66GDhNWfiyfQDaROPzV1Q0GggYyslebEx-2F-2F3AQ4Z0rTKuOwKy5mTQCA-3D-3D).
Keep in mind that the bad guys are getting smarter and are disabling Windows' shadow file copies. A full backup will mean you never have to pay a ransom for your data.
Make sure you have extra protection on machines that are more critical and thus at higher risk. The CryptoPrevent toolkit (site http://email.windowssecrets.com/wf/click?upn=TfemUwVZKdEYClrpCA-2FMOCaRiBZ4KmEepygKYpD7-2BOaLAHcLZNupbnfUAUlYLtjvUB82K2qxEIWVgoun1Yv3gw-3D-3D_9pIz290frcShQfOR9al69pMkWRklZ83tNex6g1BlAANUEsq3qt-2BRzlv1tScqCUOUDMP0kLMzqLMr2xbj1QpFHCOARa26ixlQExUYgSG5cGu2xlUc12Coe9FVdflbK3fxqxwdX3ub-2FSMWUESz-2Bwm2CYWamo9ktzw0iVZ-2BId3LLWrqjapq-2FeN-2FKcOjALUIQw4ad9YNET06RXHnM9tNC4nlNF0XLre9ZSriPk2VTY7o4l9myI19-2BXQYnjb5B-2Fv5F61eQsaw-2BZ-2F8DEFOCtGlgoLYg9Bmu2Ry24faAXqvDX0yYKDPxMQ-2FF6wnc9K5KrAM-2FMt-2FiFr5Aq0sFoyCAKpa-2Bzkw0HJYpMWx5sHPeptuzDmgIfdzcqjJjpBalkbtcA70Nly-2FlESBaTbjyPqXpu7zzEkeOQ-3D-3D) blocks certain locations on your PC that the attackers use to install their encryption software. (For a funny story about how the site got its name, read the site's "About" post http://email.windowssecrets.com/wf/click?upn=TfemUwVZKdEYClrpCA-2FMOCaRiBZ4KmEepygKYpD7-2BOYIDt79V8u32uqQ-2BXMoApzp_9pIz290frcShQfOR9al69pMkWRklZ83tNex6g1BlAANUEsq3qt-2BRzlv1tScqCUOUDMP0kLMzqLMr2xbj1QpFHCOARa26ixlQExUYgSG5cGu2xlUc12Coe9FVdflbK3fxqxwdX3ub-2FSMWUESz-2Bwm2CYWamo9ktzw0iVZ-2BId3LLWrqjapq-2FeN-2FKcOjALUIQw4ad9YNET06RXHnM9tNC4nlNL-2BqGqCxjb5zHPYTmp7ZAXnbuj59D-2BnzS-2BPxI300Nyr8LOC07N8WxWUXXXk6MtPmh-2BFeO5PWLR9TjVyMY-2FYMqsqwWUXQ-2BAAwHhJe0-2BShNidFvxi6v5yCt-2F58Or7yHrn9aVH9dujMUj-2BneWE-2FKODCo8-2B26afXSVbe7ttlUcwzxOwllBuhzz-2FgZxCapEpHTwzFIQ-3D-3D.)
For networked systems, consult the information on the Third Tier website http://email.windowssecrets.com/wf/click?upn=0-2BxQdQJ2-2FB3xnRtun7-2Fsh-2FVIHwN3lNORj4-2FP3kz3dpANifdbDw7dWE49oF6WvChzWI-2BtnfN4uAugi9gNAb0b-2F1uDXpPrRtg87xfFsHWBKGM-3D_9pIz290frcShQfOR9al69pMkWRklZ83tNex6g1BlAANUEsq3qt-2BRzlv1tScqCUOUDMP0kLMzqLMr2xbj1QpFHCOARa26ixlQExUYgSG5cGu2xlUc12Coe9FVdflbK3fxqxwdX3ub-2FSMWUESz-2Bwm2CYWamo9ktzw0iVZ-2BId3LLWrqjapq-2FeN-2FKcOjALUIQw4ad9YNET06RXHnM9tNC4nlNOaiP5tV8q10Nbo45L1-2Br7MsO7CUsMWZS97e6I-2FAqYTTIyaUU821pp2YWXsMsca3-2F1ocfwqDhNt4QhrLOxG3ZA4kv-2FQhzUzS25K-2FXk-2Fv-2FrE7tdAeh3-2Bzrei-2BRzOW2HbOyurnPcH1HMnF-2FDPxnios1R31k2njdM7M-2F7Dp3DMPBw-2BpawuuaYkrrTN1lhsyrl5O2A-3D-3D about group-policy settings. (I assisted with that document.)
====================================================
Mike Copeland
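The newsletter's point about blocking "certain locations" is really an execution-location policy: ransomware droppers tend to start from user-writable folders rather than Program Files or System32. As an added illustration (not the newsletter's text, and not CryptoPrevent's or Third Tier's actual rule set), here is a small Python checker that applies that idea to process-creation log lines. The log format, the sample events and the directory list are all constructed for this example; a real deployment would feed it Sysmon or EDR process events and tune the directory list to its own environment.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample process-creation events (not from the page). The
# "user=... image=... parent=..." layout is an assumption for this example.
SAMPLE_EVENTS = [
    "user=alice image=C:\\Users\\alice\\AppData\\Roaming\\svchost.exe parent=C:\\Program Files\\Mail\\mail.exe",
    "user=alice image=C:\\Program Files\\Mozilla Firefox\\firefox.exe parent=C:\\Windows\\explorer.exe",
    "user=bob image=C:\\Users\\bob\\AppData\\Local\\Temp\\7zO1234\\invoice.pdf.exe parent=C:\\Program Files\\7-Zip\\7zFM.exe",
    "user=bob image=C:\\Users\\bob\\Downloads\\setup.exe parent=C:\\Windows\\explorer.exe",
    "user=SYSTEM image=C:\\Windows\\System32\\svchost.exe parent=C:\\Windows\\System32\\services.exe",
]

EVENT_RE = re.compile(r"user=(?P<user>\S+) image=(?P<image>.+?) parent=(?P<parent>.+)$")

# User-writable directories from which ordinary software should not be
# launching. This list is an assumption for the example, in the spirit of a
# software-restriction "block execution here" policy, not any product's rules.
BLOCKED_DIR_PATTERNS = [
    re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\roaming\\", re.I),
    re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I),
    re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\", re.I),
    re.compile(r"^[a-z]:\\users\\[^\\]+\\downloads\\", re.I),
    re.compile(r"^[a-z]:\\windows\\temp\\", re.I),
]

EXEC_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".cpl", ".bat", ".cmd", ".js", ".vbs")
DOC_EXTENSIONS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg")
# Names that legitimately live under C:\Windows; the same name elsewhere is suspicious.
SYSTEM_BINARY_NAMES = {"svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe"}


def parse_event(line):
    """Return the event fields as a dict, or None if the line does not parse."""
    m = EVENT_RE.match(line.strip())
    return m.groupdict() if m else None


def matches_blocked_dir(image):
    """True if the image path sits under one of the user-writable directories."""
    return any(p.match(image) for p in BLOCKED_DIR_PATTERNS)


def looks_like_double_extension(image):
    """True for names such as invoice.pdf.exe: a document suffix hiding an executable suffix."""
    suffixes = [s.lower() for s in PureWindowsPath(image).suffixes]
    return len(suffixes) >= 2 and suffixes[-1] in EXEC_EXTENSIONS and suffixes[-2] in DOC_EXTENSIONS


def is_masquerading_system_name(image):
    """True if a well-known system binary name runs from outside the Windows directory."""
    in_windows_dir = re.match(r"^[a-z]:\\windows\\", image, re.I) is not None
    return PureWindowsPath(image).name.lower() in SYSTEM_BINARY_NAMES and not in_windows_dir


def evaluate_event(event):
    """Return the list of policy reasons this event trips (empty if it is clean)."""
    image = event["image"]
    reasons = []
    if matches_blocked_dir(image):
        reasons.append("executable launched from user-writable location")
    if looks_like_double_extension(image):
        reasons.append("document-looking name with executable extension")
    if is_masquerading_system_name(image):
        reasons.append("system binary name outside the Windows directory")
    return reasons


def scan(lines):
    """Parse each log line and collect (user, image, reasons) for events that trip a rule."""
    findings = []
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue  # malformed line: skip rather than crash the scan
        reasons = evaluate_event(event)
        if reasons:
            findings.append((event["user"], event["image"], reasons))
    return findings


if __name__ == "__main__":
    for user, image, reasons in scan(SAMPLE_EVENTS):
        print(f"{user}: {image}")
        for reason in reasons:
            print("   -", reason)
```

Run as-is it reports three of the five constructed events: the renamed svchost.exe in a Roaming profile, the invoice.pdf.exe extracted into Temp, and the installer run from Downloads; the browser and the real System32 svchost.exe pass. The same caveat Mike raises applies here: a location list only covers the install paths seen so far, so it belongs alongside backups and group-policy restrictions rather than in place of them.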
Ted Roche wrote:
On Thu, Feb 11, 2016 at 10:42 AM, Mike Copeland mike@ggisoft.com wrote:
The one 'problem' with this, or any other kind of prevention tool is that attack vectors change, so CryptoPrevent from last year might not work against the new approach used by this year's CryptoLocker. But, the installation method used by the original c-Locker trojan was pretty big and the c-Prevent author's explanation certainly justifies the cost to block that path, in my opinion.
I might be getting jaded (ha!) but software reviews seem to be more advertorial than editorial these days...so unless a software company is ready to buy some click-through ads...
True. All reviews ought to be considered with a grain of salt. I saw the professional "reviewers" move in and take over Amazon a decade ago, and it's clear that some of the "review" sites are not journalistic efforts as much as advertising sites.
There aren't a lot of "general" computing sites left, but I follow a few security sites (like isc.sans.edu) that tend to be pretty good at reporting the current problems and prevention, if any.
And now, of course, my Google-fu kicks on, and I find a couple good write-ups:
http://krebsonsecurity.com/tag/cryptoprevent/
https://askleo.com/why-havent-you-mentioned-cryptoprevent/
[excessive quoting removed by server]