Mike:
I think you meant CryptoPrevent, not "-Blocker" which is easily confused with "-Locker" the malware.
This looks like a promising tool. Have you been able to install it without running into program conflicts?
I'm poking around trying to find some 3rd party reviews of it, especially reliable security sites, but haven't had a lot of luck.
On Thu, Feb 11, 2016 at 12:00 AM, Mike Copeland mike@ggisoft.com wrote:
Peter,
I've been using CryptoBlocker, which is supposed to block the methods used by the Cryptolocker trojan. You can read about the methodology here... https://www.foolishit.com/cryptoprevent-malware-prevention/
It looks good to me and I've been installing it on all of the systems I manage for a couple of years now.
I did have 1 client who experienced an attack/infection, paid the ransom and got his files back. I think it was $600 US. That's the first encounter I've had with it and I came across CryptoBlocker -after- that occurrence.
From what I could tell, the infection came from a zip-file attachment sent to my client, supposedly by a business contact. As it turned out, the website that the email originated from had been compromised and actually was the source.
Since then, I send out a "do not open any email attachment" warning to my clients about every 6 months. So far, knock on wood...
I hope this helps.
Mike Copeland
Peter Cushing wrote:
Hi,
We got hit with a Cryptolocker/bitlocker attack last week. Fortunately we have good backups, so we were able to restore, although 3 GB of data took some time to do. What I want to do is go over what happened and see what approaches other people have for these threats.
First thing we noticed was on Friday morning when somebody pointed out that their files had been mashed. Here are a few examples of what the files got changed to:
/data/admin/misc files/FACTORY INFORMATION/fnwih0ocf.hoo7
/data/admin/misc files/FACTORY INFORMATION/g99q1kfz5.p9k0
/data/admin/misc files/FACTORY INFORMATION/og0u9pb.0gd
/data/admin/misc files/FACTORY INFORMATION/tb4qz.775x0
/data/admin/misc files/FACTORY INFORMATION/znxis7hgu.k7h
/data/admin/misc files/fi19fgq2r.69t
/data/admin/misc files/fjs6r76n.8gup
/data/admin/misc files/h2c0ew6pr.1gpd
/data/admin/misc files/h8jgb.c4v9
/data/admin/misc files/Halls Fashion/535p0e.ugc5a
/data/admin/misc files/Halls Fashion/halorr3vet.s9
/data/admin/misc files/Halls Fashion/nbhqgk5.a8ihp
/data/admin/misc files/hs93hlb9.9p
/data/admin/misc files/hxplu62l.mc9
/data/admin/misc files/i4jden.y7kx7
/data/admin/misc files/jaiytu55s.w2
/data/admin/misc files/kmp49j76.4b
Looking at the logs, we soon found which machine it was, although that person had gone home on the Thursday and was not due back until the Tuesday. We restored the data, and when the user got back we booted the machine up (not connected to the network!) and have since scanned it using AVG, SUPERAntiSpyware, Avira, Spybot Search & Destroy, Kaspersky and Malwarebytes, and still found nothing. We don't know if the virus was just memory-resident or how it worked, but obviously we want to find out. We scanned all his emails and found nothing (his files are stored in IMAP folders). Nothing obvious in the internet logs. We checked all running processes, startup programs, network setup, etc. We'll probably just wipe the machine and start again, but it would be nice to know what happened.
Lately we have been getting more and more phishing emails from random users (pretending to be, say, DHL or some other company) with, say, an attachment invoicexxx.doc, or perhaps .docx, .xls, etc. (where xxx is a random number), which will turn out to be infected but not at the time the email was received, i.e. the virus is too new to be detected. We have run lots of these through our own virus scanner (AVG) and through https://www.virustotal.com/ and they have come up with nothing until hours later (which could be too late). Some show infected a couple of hours later and some maybe the next day. This latest development is very difficult to defend against if you cannot scan the file and confirm it is infected. Our mail server has AV software which scans files but didn't pick these up, and even if users are really conscientious and scan before opening, it does not show up as infected. We have now started implementing a whitelist of people who can send in invoicexxx.doc files. For anyone not on the list, the attachment is removed and a message is put in to inform the user.
We are now reviewing procedures to defend against a machine with admin rights being infected.
What is important is to be able to detect ASAP when files are starting to get renamed. I have just developed a standalone app that will scan network drives and look at file names. I got a list of known extensions off the internet and put them in a table. The app compares the file extension with the list and emails you anything different. If these files are safe, you can load them into an exclusion table. If you run this regularly, it should pick up these names very quickly.
What other security approaches are you using?
TIA
[excessive quoting removed by server]
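The mail-server rule Peter describes (a whitelist of senders allowed to send invoicexxx.doc files; anyone else has the attachment removed and a notice put in the message), as an added example written for this page, not Peter's own code. The allowlist, the attachment-name pattern INVOICE_RE and the sample message built by build_sample() are all constructed assumptions; real deployments would plug filter_message() into whatever content filter the mail server exposes.

```python
"""Strip invoicexxx.doc-style attachments from senders who are not on an
allowlist and leave a notice in the message (the rule Peter describes).
Added example, not Peter's code; the allowlist, the filename pattern and
the sample message are constructed here."""
import re
from email import message_from_bytes, policy
from email.message import EmailMessage, MIMEPart
from email.utils import parseaddr

# Hypothetical pattern approximating "invoicexxx.doc / .docx / .xls".
INVOICE_RE = re.compile(r"^invoice\d+\.(doc|docx|xls|xlsx)$", re.IGNORECASE)

# Constructed allowlist: senders permitted to send invoice attachments.
ALLOWLIST = {"jane@example.org"}


def sender_allowed(msg, allowlist):
    """True if the From: address (not the display name) is on the allowlist."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.lower() in {a.lower() for a in allowlist}


def _strip_invoice_parts(part, removed):
    """Recursively drop sub-parts whose filename matches INVOICE_RE."""
    if not part.is_multipart():
        return part
    kept = []
    for sub in part.get_payload():
        name = sub.get_filename()
        if name and INVOICE_RE.match(name):
            removed.append(name)
            continue
        kept.append(_strip_invoice_parts(sub, removed))
    part.set_payload(kept)
    return part


def filter_message(raw, allowlist=ALLOWLIST):
    """Parse raw RFC 5322 bytes; return (filtered EmailMessage, removed names)."""
    msg = message_from_bytes(raw, policy=policy.default)
    removed = []
    if sender_allowed(msg, allowlist) or not msg.is_multipart():
        return msg, removed
    _strip_invoice_parts(msg, removed)
    if removed:
        # Tell the recipient what was taken out and why.
        notice = MIMEPart()
        notice.set_content(
            "The mail filter removed attachment(s) because the sender is not\n"
            "on the invoice allowlist:\n" + "\n".join(removed) + "\n"
        )
        msg.attach(notice)
    return msg, removed


def attachment_names(msg):
    """Filenames of all parts that carry one, in message order."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def body_texts(msg):
    """Decoded text/plain bodies, including any filter notice."""
    return [p.get_content() for p in msg.walk()
            if p.get_content_type() == "text/plain"]


def build_sample(sender):
    """Constructed test message: a body, an invoice .doc and a harmless PDF."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "accounts@example.com"
    msg["Subject"] = "Invoice 1234"
    msg.set_content("Please find our invoice attached.")
    msg.add_attachment(b"\xd0\xcf\x11\xe0 not a real document",
                       maintype="application", subtype="msword",
                       filename="invoice1234.doc")
    msg.add_attachment(b"%PDF-1.4 not a real pdf",
                       maintype="application", subtype="pdf",
                       filename="quote.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for sender in ("Jane <jane@example.org>", "Stranger <stranger@example.net>"):
        filtered, removed = filter_message(build_sample(sender))
        print(sender, "->", attachment_names(filtered), "removed:", removed)
```

The match is on the envelope-independent From: header, which is trivially forged; the whitelist only helps because the phishing runs Peter describes come from random addresses, and it should be paired with SPF/DKIM checks before trusting a listed sender.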
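Peter's extension check (walk the network drives, compare every file's extension against a table of known extensions, report anything different, and keep an exclusion table for files that turn out to be safe), as an added example written for this page and not Peter's app. KNOWN_EXTENSIONS is a small constructed sample rather than the full list he downloaded, the tree built by build_sample_tree() is constructed to mimic the renamed files in his post, and the per-directory roll-up in hits_by_directory() goes a little beyond his description: a burst of unknown extensions inside one folder is what an encryptor walking a share looks like.

```python
"""Scan a share for files whose extension is not on a known-good list, with
an exclusion table for files already reviewed (the check Peter describes).
Added example, not Peter's app; KNOWN_EXTENSIONS is a constructed sample
and build_sample_tree() creates constructed test data."""
import tempfile
from collections import Counter
from pathlib import Path

# Constructed sample of a known-extensions table; a real one is far longer.
KNOWN_EXTENSIONS = {
    "doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "txt", "csv",
    "jpg", "jpeg", "png", "gif", "zip", "msg", "eml", "dwg", "ini", "log",
}


def extension_of(path):
    """Lower-cased extension without the dot; '' when the name has none."""
    return path.suffix.lower().lstrip(".")


def scan_tree(root, known=KNOWN_EXTENSIONS, exclusions=frozenset()):
    """Return sorted relative paths (POSIX form) of files whose extension is
    not in `known` and whose relative path is not in the exclusion table.
    A file with no extension at all is reported too."""
    root = Path(root)
    hits = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if rel in exclusions:
            continue
        if extension_of(path) not in known:
            hits.append(rel)
    return sorted(hits)


def hits_by_directory(hits):
    """Count hits per parent directory ('.' for the share root)."""
    return Counter(str(Path(h).parent) for h in hits)


def build_sample_tree():
    """Constructed tree mixing ordinary documents with names like the ones
    Peter posted; returns the temporary root."""
    root = Path(tempfile.mkdtemp(prefix="share-"))
    files = [
        "FACTORY INFORMATION/fnwih0ocf.hoo7",
        "FACTORY INFORMATION/report.docx",
        "Halls Fashion/535p0e.ugc5a",
        "Halls Fashion/catalogue.pdf",
        "budget.xlsx",
        "README",
    ]
    for name in files:
        target = root / name
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(b"constructed sample content")
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    # "README" has been reviewed once and loaded into the exclusion table.
    hits = scan_tree(root, exclusions={"README"})
    for h in hits:
        print("UNKNOWN EXTENSION:", h)
    print(hits_by_directory(hits))
```

Run it from cron or Task Scheduler against each share and mail the hit list (smtplib, or whatever the app already uses); the exclusion table should be keyed on the relative path, as here, so that approving one odd-looking file does not silence every file with the same made-up extension.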
Eyup. Prevent it is. :/
I've not had any conflicts that I'm aware of, during installation of c-Prevent, or of any program installed after c-Prevent. I have it installed on at least 400 machines.
The one 'problem' with this, or any other kind of prevention tool is that attack vectors change, so CryptoPrevent from last year might not work against the new approach used by this year's CryptoLocker. But, the installation method used by the original c-Locker trojan was pretty big and the c-Prevent author's explanation certainly justifies the cost to block that path, in my opinion.
I might be getting jaded (ha!) but software reviews seem to be more advertorial than editorial these days...so unless a software company is ready to buy some click-through ads...
Mike Copeland
On Thu, Feb 11, 2016 at 10:42 AM, Mike Copeland mike@ggisoft.com wrote:
The one 'problem' with this, or any other kind of prevention tool is that attack vectors change, so CryptoPrevent from last year might not work against the new approach used by this year's CryptoLocker. But, the installation method used by the original c-Locker trojan was pretty big and the c-Prevent author's explanation certainly justifies the cost to block that path, in my opinion.
I might be getting jaded (ha!) but software reviews seem to be more advertorial than editorial these days...so unless a software company is ready to buy some click-through ads...
True. All reviews ought to be considered with a grain of salt. I saw the professional "reviewers" move in and take over Amazon a decade ago, and it's clear that some of the "review" sites are not journalistic efforts as much as advertising sites.
There aren't a lot of "general" computing sites left, but I follow a few security sites (like isc.sans.edu) that tend to be pretty good at reporting the current problems and prevention, if any.
And now, of course, my Google-fu kicks on, and I find a couple good write-ups:
http://krebsonsecurity.com/tag/cryptoprevent/
https://askleo.com/why-havent-you-mentioned-cryptoprevent/
Ah Google-san! We would sit at your feet, but...
I'm pretty sure I read about C-Prevent in the Windows Secrets newsletter http://windowssecrets.com
It was either started by Fred Langa, or he was heavily involved in it from the early stages. Fred's a pretty good guy and self-professed "Tech Writer from the Dark Ages."
Mike
On Thu, Feb 11, 2016 at 11:45 AM, Mike Copeland mike@ggisoft.com wrote:
Ah Google-san! We would sit at your feet, but...
Yeah, there's no room, with the dogs.
I'm pretty sure I read about C-Prevent in the Windows Secrets newsletter http://windowssecrets.com
It was either started by Fred Langa, or he was heavily involved in it from the early stages. Fred's a pretty good guy and self-professed "Tech Writer from the Dark Ages."
I think Fred's "LangaList" merged with Windows Secrets. IIRC, Brian Livingston was also involved earlier, but no longer:
Here's the most recent info in WindowsSecrets newsletter (Jan 2015) regarding Crypto-whatever...
=============================================
Protect yourself from the latest CryptoWhatever
Hardly a day goes by that I don't hear a story about someone hit by the latest version of CryptoLocker. On systems that have sensitive data — which is almost every Windows PC I own — I always ensure that I have a recent, full backup. For small-business systems, you can use products from Microsoft or third-party backup tools such as Acronis Backup (more info http://email.windowssecrets.com/wf/click?upn=0-2BxQdQJ2-2FB3xnRtun7-2Fsh6zWERXG4dwCosQmkIZWB-2FkwlFqov-2Fkyr6gx0LvViu7-2F9Fy03clLmsJ1ONwsDqplOA-3D-3D_9pIz290frcShQfOR9al69pMkWRklZ83tNex6g1BlAANUEsq3qt-2BRzlv1tScqCUOUDMP0kLMzqLMr2xbj1QpFHCOARa26ixlQExUYgSG5cGu2xlUc12Coe9FVdflbK3fxqxwdX3ub-2FSMWUESz-2Bwm2CYWamo9ktzw0iVZ-2BId3LLWrqjapq-2FeN-2FKcOjALUIQw4ad9YNET06RXHnM9tNC4nlNLLn5NzEUIZj5YMV3mXG7tCcVtjRFVSoNglK6JL-2FRGFr7prXNXenV4qFRpJPhAdYWkblP8N2K5-2FIrJXH9WlhbB7seCC4Bf2Ojk-2Bbbk6ALH7cK-2BFo4GdgwFoCVMNJPqGXjrYlNSd9m3X8OfqJzcuhW4Cfj92k2gG9v1mqhaI-2BKoVBtP0gjROJQypceoFf6VbEeg-3D-3D).
If you're familiar with the now-defunct MS Home Server 2011, its code lives on in two forms. First, Windows Storage Server 2012 R2 Essentials (site http://email.windowssecrets.com/wf/click?upn=Q8kkqfkHDbD-2Bfamhtak93RaUwjSaLln5Aq9lKnmysGp78LXrjBJwGHIwaQZNxs7Wpr5f5VDnEuDzDiWy-2FnO3Dv4RsGZKmwai4J7zDuqlT3XQ8a7UewA0WaKQHGUfogh4woAKBuNQakXIF-2B9geLApy0l1U-2F7f9TTy1Xm7jtUiAW3TqYt9-2FC9FJHFiNKU4f0plUCDmNswpRbTYSfCcdlCVAFdRWSIO577I4-2BtbqNLlDpxnqBYGRR92nM1eAqDMvE0rVoBjh7Iat4kedIaDGP6CHX-2FuuXsiVfO-2FzB6yiUyP9NE-3D_9pIz290frcShQfOR9al69pMkWRklZ83tNex6g1BlAANUEsq3qt-2BRzlv1tScqCUOUDMP0kLMzqLMr2xbj1QpFHCOARa26ixlQExUYgSG5cGu2xlUc12Coe9FVdflbK3fxqxwdX3ub-2FSMWUESz-2Bwm2CYWamo9ktzw0iVZ-2BId3LLWrqjapq-2FeN-2FKcOjALUIQw4ad9YNET06RXHnM9tNC4nlNGVL4P-2FWgrNKTS4UzDqo-2Bm2w5Unj8arwoI8K4dLwxpAbggrQaoNDTFssdkzo3Ot3hjGuNKD9nMugtdXw7KgsJa2Wq03q2rv83kCxyU0z79D5-2FVzTG7Zc0hilD5A8p6bKEHybc6xik45435MzMzV7xT-2B0YS8mYX-2Bk2ltGFmtq9X2kCvLMZHB273fH6W0H6k8wxA-3D-3D) provides the old, reliable Home Server client backup that I still rely on for several of my computers. Second, for larger networks, you can install the Essentials component included in standard Windows Server 2012 R2 (site http://email.windowssecrets.com/wf/click?upn=0-2BxQdQJ2-2FB3xnRtun7-2Fshy9E-2FMZ3MYbZaFFYQXDFykUEaYIP7mfrJbfQ9w0Yhb5Sft7MxSadWrBp9jziqw-2FtnA2-2FBsIoyd1HVeiFgAo7p-2B62Vej9nsw7X2MXIUq0MJFb_9pIz290frcShQfOR9al69pMkWRklZ83tNex6g1BlAANUEsq3qt-2BRzlv1tScqCUOUDMP0kLMzqLMr2xbj1QpFHCOARa26ixlQExUYgSG5cGu2xlUc12Coe9FVdflbK3fxqxwdX3ub-2FSMWUESz-2Bwm2CYWamo9ktzw0iVZ-2BId3LLWrqjapq-2FeN-2FKcOjALUIQw4ad9YNET06RXHnM9tNC4nlNH7usCpfoU30jtprF-2FWiurlt1VJDeR331-2BU5-2B-2FVBbWNr-2BzzMzGZT5cPnLaMF15VhdIkz5sypwN5b0Yhgn7ZwX9-2BVJg3DPkI9Z9x8hJk6ZUU5HkoV229cQHfyf3LkGb9JnZZ-2BlJUMhkv66GDhNWfiyfQDaROPzV1Q0GggYyslebEx-2F-2F3AQ4Z0rTKuOwKy5mTQCA-3D-3D).
Keep in mind that the bad guys are getting smarter and are disabling Windows' shadow file copies. A full backup will mean you never have to pay a ransom for your data.
Make sure you have extra protection on machines that are more critical and thus at higher risk. The CryptoPrevent toolkit (site http://email.windowssecrets.com/wf/click?upn=TfemUwVZKdEYClrpCA-2FMOCaRiBZ4KmEepygKYpD7-2BOaLAHcLZNupbnfUAUlYLtjvUB82K2qxEIWVgoun1Yv3gw-3D-3D_9pIz290frcShQfOR9al69pMkWRklZ83tNex6g1BlAANUEsq3qt-2BRzlv1tScqCUOUDMP0kLMzqLMr2xbj1QpFHCOARa26ixlQExUYgSG5cGu2xlUc12Coe9FVdflbK3fxqxwdX3ub-2FSMWUESz-2Bwm2CYWamo9ktzw0iVZ-2BId3LLWrqjapq-2FeN-2FKcOjALUIQw4ad9YNET06RXHnM9tNC4nlNF0XLre9ZSriPk2VTY7o4l9myI19-2BXQYnjb5B-2Fv5F61eQsaw-2BZ-2F8DEFOCtGlgoLYg9Bmu2Ry24faAXqvDX0yYKDPxMQ-2FF6wnc9K5KrAM-2FMt-2FiFr5Aq0sFoyCAKpa-2Bzkw0HJYpMWx5sHPeptuzDmgIfdzcqjJjpBalkbtcA70Nly-2FlESBaTbjyPqXpu7zzEkeOQ-3D-3D) blocks certain locations on your PC that the attackers use to install their encryption software. (For a funny story about how the site got its name, read the site's "About" post http://email.windowssecrets.com/wf/click?upn=TfemUwVZKdEYClrpCA-2FMOCaRiBZ4KmEepygKYpD7-2BOYIDt79V8u32uqQ-2BXMoApzp_9pIz290frcShQfOR9al69pMkWRklZ83tNex6g1BlAANUEsq3qt-2BRzlv1tScqCUOUDMP0kLMzqLMr2xbj1QpFHCOARa26ixlQExUYgSG5cGu2xlUc12Coe9FVdflbK3fxqxwdX3ub-2FSMWUESz-2Bwm2CYWamo9ktzw0iVZ-2BId3LLWrqjapq-2FeN-2FKcOjALUIQw4ad9YNET06RXHnM9tNC4nlNL-2BqGqCxjb5zHPYTmp7ZAXnbuj59D-2BnzS-2BPxI300Nyr8LOC07N8WxWUXXXk6MtPmh-2BFeO5PWLR9TjVyMY-2FYMqsqwWUXQ-2BAAwHhJe0-2BShNidFvxi6v5yCt-2F58Or7yHrn9aVH9dujMUj-2BneWE-2FKODCo8-2B26afXSVbe7ttlUcwzxOwllBuhzz-2FgZxCapEpHTwzFIQ-3D-3D.)
For networked systems, consult the information on the Third Tier website http://email.windowssecrets.com/wf/click?upn=0-2BxQdQJ2-2FB3xnRtun7-2Fsh-2FVIHwN3lNORj4-2FP3kz3dpANifdbDw7dWE49oF6WvChzWI-2BtnfN4uAugi9gNAb0b-2F1uDXpPrRtg87xfFsHWBKGM-3D_9pIz290frcShQfOR9al69pMkWRklZ83tNex6g1BlAANUEsq3qt-2BRzlv1tScqCUOUDMP0kLMzqLMr2xbj1QpFHCOARa26ixlQExUYgSG5cGu2xlUc12Coe9FVdflbK3fxqxwdX3ub-2FSMWUESz-2Bwm2CYWamo9ktzw0iVZ-2BId3LLWrqjapq-2FeN-2FKcOjALUIQw4ad9YNET06RXHnM9tNC4nlNOaiP5tV8q10Nbo45L1-2Br7MsO7CUsMWZS97e6I-2FAqYTTIyaUU821pp2YWXsMsca3-2F1ocfwqDhNt4QhrLOxG3ZA4kv-2FQhzUzS25K-2FXk-2Fv-2FrE7tdAeh3-2Bzrei-2BRzOW2HbOyurnPcH1HMnF-2FDPxnios1R31k2njdM7M-2F7Dp3DMPBw-2BpawuuaYkrrTN1lhsyrl5O2A-3D-3D about group-policy settings. (I assisted with that document.)
====================================================
Mike Copeland
Wow...that's nasty looking stuff!
Sorry!!!
Mike Copeland