Kaseya Community

CryptoLocker

  • Edit: please ignore the previous thread titled "CryptoBlocker".  It was late, I finger-checked the title, and then couldn't figure out how to correct my mistake.

    CryptoLocker is a rather nasty piece of malware that encrypts your data using a 2048-bit key stored on a random, remote server.  Once your data has been encrypted you're then prompted to pay a $100 ransom.  Once the ransom has been paid the software decrypts your files.  Details can be found at http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information.  The only thing I'd add to that article is that the infection vector appears to be more than simply email.  

    KAV does not proactively detect and block CryptoLocker.  It does, rather unhelpfully, detect it once you've been infected and the damage has been done.

    Right now the only way to prevent the software from running appears to be blocking all *.exe activity from within AppData.  The only ways to restore your data are to (1) pay the ransom or (2) restore the data from backups (incl. Shadow Volume Copies).

  • Malwarebytes Pro does - according to their site - proactively protect users from this piece of ransomware, since it actively monitors the user's system and prevents the installation from occurring. Since KMA can't be installed at the same time as the Kaseya agent, our organization has still implemented the group policy changes necessary to prevent the ransomware from executing in the appdata folder.
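One way to verify that the AppData execution block described in the two posts above is actually in force on a given machine, as an added example that is not code from this thread, from Kaseya or from Malwarebytes: it assumes Software Restriction Policy rules deployed by Group Policy into the standard machine-policy registry location, and the four path patterns it looks for are a constructed expectation you should align with your own policy.

```powershell
# Added audit script (not from the thread): list the "Disallowed" SRP path
# rules on this machine and report which AppData *.exe patterns are missing.
# Assumption: rules live under the standard machine SRP registry location
# written by Group Policy; the expected-rule list below is constructed here.
$saferRoot       = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$disallowedPaths = Join-Path $saferRoot '0\Paths'   # security level 0 = Disallowed

# Patterns we expect to find (constructed for this check; adjust to local policy).
$expected = @(
    '%AppData%\*.exe',
    '%AppData%\*\*.exe',
    '%LocalAppData%\*.exe',
    '%LocalAppData%\*\*.exe'
)

function Get-SrpDisallowedPathRules {
    # Each rule is a GUID-named subkey whose ItemData value holds the path pattern.
    if (-not (Test-Path $disallowedPaths)) { return @() }
    Get-ChildItem -Path $disallowedPaths | ForEach-Object {
        (Get-ItemProperty -Path $_.PSPath).ItemData
    } | Where-Object { $_ }
}

function Test-AppDataExeBlocked {
    $present = @(Get-SrpDisallowedPathRules)
    # Case-insensitive comparison: SRP path rules are not case sensitive.
    $missing = @($expected | Where-Object {
        $rule = $_
        -not ($present | Where-Object { $_ -ieq $rule })
    })
    [pscustomobject]@{
        RulesFound = $present
        Missing    = $missing
        Covered    = ($missing.Count -eq 0)
    }
}

$result = Test-AppDataExeBlocked
if ($result.Covered) {
    Write-Output 'SRP: AppData *.exe Disallowed rules are in place.'
} else {
    Write-Output 'SRP: missing Disallowed path rules:'
    $result.Missing | ForEach-Object { Write-Output "  $_" }
}
```

Run it in an elevated PowerShell session after `gpupdate /force`; an empty RulesFound list usually means the policy never reached the machine rather than that it was applied without rules.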

  • We had a client affected with this while running Vipre Business (highly recommended btw). According to our research, there was NO AV that actively protected against this. It affected ONE machine and then jumped over to network shares. They ended up shelling out the money for it, which worked for them. Crazy stuff.

  • Someone posted this on the Kaseya site:

    I found the following information regarding Kaspersky & CryptoLocker.

    www.securelist.com/.../Cryptolocker_Wants_Your_Money

    From the article:

    The Kaspersky host intrusion prevention system is capable of blocking even unknown versions of this Trojan from infecting the systems.

    The most widespread variants of the Cryptolocker malware are detected by Kaspersky products with the following verdicts:

    Trojan-Ransom.Win32.Blocker.cfkz, Trojan-Ransom.Win32.Blocker.cmkv, Trojan-Ransom.Win32.Blocker.cggx, Trojan-Ransom.Win32.Blocker.cfow, Trojan-Ransom.Win32.Blocker.cjzj,

    Trojan-Ransom.Win32.Blocker.cgmz, Trojan-Ransom.Win32.Blocker.cguo, Trojan-Ransom.Win32.Blocker.cfwh, Trojan-Ransom.Win32.Blocker.cllo, Trojan-Ransom.Win32.Blocker.coew.

    - Max

    What my organization would like to know is if the version of Kaspersky that comes with Kaseya is the one highlighted in this article. Can it detect the ransomware?

  • Yes and no.  While Kaspersky is updating their AV/AM definitions every day, so are the malware authors.  I've seen KAV block CryptoLocker on Monday, let a new variant through on Tuesday, and block the new variant on Wednesday.  The same holds true for the other "Fake AV" malware programs out there.

  • My experience is that the free version online works against crypto, but KAM doesn't. I think the engine may be different...