Computer can be made immune against ransomware by adding registry key

vbimport

#1

We’ve just posted the following news: Computer can be made immune against ransomware by adding registry key[newsimage]http://www.myce.com/wp-content/images_posts/2016/03/lock-24269_1280-95x75.png[/newsimage]

A registry key is sufficient to be protected against an infection with the Locky ransomware, security researcher Sylvain Sarméjeanne reports. The Locky ransomware has been in the news a lot recently because it was spreading rapidly.

Read the full article here: [http://www.myce.com/news/computer-can-made-immune-ransomware-adding-registry-key-78964/](http://www.myce.com/news/computer-can-made-immune-ransomware-adding-registry-key-78964/)


#2

Yep, and if you are already infected, you can get your files back by using ShadowExplorer to restore shadow copies of your files:
http://shadowexplorer.com/

As for the actual removal, Malwarebytes should be able to remove it, but I do not think it decrypts the encrypted files. However, if the Volume Shadow Copy service is running, you can get most back by restoring snapshots of your files…


#3

At this stage, I’m surprised there isn’t a product that looks out for a tell-tale sign that a ransomware attack is in progress.

For example, if an attempt is made to overwrite a .docx, .jpg, .mp3, etc., these writes are diverted to a cache, similar to how Windows SteadyState worked. To the user, it appears as if the files are overwritten as normal. A similar process could be done for file deletions, where the deleted files are discreetly kept, especially if the files being deleted have just been read while a similar rate of disk write activity is taking place.

If a certain threshold of such files are overwritten/deleted in a short space of time (e.g. 100+ mp4, doc(x), mp3, etc. files), then pause disk access activity for the affected process and display a question something like “Have you just deleted or made changes to files such as (list of last 5 files edited)?”.

If the user answers ‘No’, the process responsible for modifying the files is terminated, the contents of the cache are discarded and the product displays a warning about a suspected ransomware attack and advice on what to do.

If nothing suspicious is happening, such as fewer than the threshold of files being overwritten within a day, then the contents of the cache are committed, i.e. the original files are overwritten, like a commit with Windows SteadyState.

Generally the only time a false alarm would trigger would be if the user tries using a shredder-type app to intentionally destroy a few hundred files, in which case they would just click ‘Yes’. Some file types could have higher thresholds, such as 1000 for .jpg, to allow for batch resizing of JPEGs where the original images are overwritten without triggering a false alarm.

Of course there would be niggles to work out also, such as how such a product would cope with low disk space and potential performance issues.


#4

[QUOTE=Seán;2770821]At this stage, I’m surprised there isn’t a product that looks out for a tell-tale sign that a ransomware attack is in progress.

For example, if an attempt is made to overwrite a .docx, .jpg, .mp3, etc., these writes are diverted to a cache, similar to how Windows SteadyState worked. To the user, it appears as if the files are overwritten as normal. A similar process could be done for file deletions, where the deleted files are discreetly kept, especially if the files being deleted have just been read while a similar rate of disk write activity is taking place.

If a certain threshold of such files are overwritten/deleted in a short space of time (e.g. 100+ mp4, doc(x), mp3, etc. files), then pause disk access activity for the affected process and display a question something like “Have you just deleted or made changes to files such as (list of last 5 files edited)?”.

If the user answers ‘No’, the process responsible for modifying the files is terminated, the contents of the cache are discarded and the product displays a warning about a suspected ransomware attack and advice on what to do.

If nothing suspicious is happening, such as fewer than the threshold of files being overwritten within a day, then the contents of the cache are committed, i.e. the original files are overwritten, like a commit with Windows SteadyState.

Generally the only time a false alarm would trigger would be if the user tries using a shredder-type app to intentionally destroy a few hundred files, in which case they would just click ‘Yes’. Some file types could have higher thresholds, such as 1000 for .jpg, to allow for batch resizing of JPEGs where the original images are overwritten without triggering a false alarm.

Of course there would be niggles to work out also, such as how such a product would cope with low disk space and potential performance issues.[/QUOTE]

Great points. It is actually a part of the now-gone ‘Evidence Eliminator’ program, default 200 files in x seconds (don’t recall).
Then you have a live product like Resplendence Undeluxe which will let you recover anything, and you will actively have to delete protected files once more in the Undeluxe interface. Trouble is, a file delete has to occur for it to work.

Anyway, that is hardly the question here as such functionality should really be a part of the OS and not 3rd-party in the first place. :clap:


#5

I’ve got a better idea: just disconnect it from the internet. No more ransomware, it’s pretty easy. If you go to black sites then get ready for ransomware. It’s so simple, yet simple minds seem to go back for more and more and can’t seem to figure out “how did I get it in the first place”. In this day and age of click sexy fantasy instant gratification*** those that get it can’t figure it out yet claim to have half a brain… :confused:


#6

I routinely use a sandboxed browser session so I haven’t had any problems with malware in years.

Best of both worlds IMO. :slight_smile:

[B]Wombler[/B]


#7

[QUOTE=Wombler;2770842]I routinely use a sandboxed browser session so I haven’t had any problems with malware in years.

Best of both worlds IMO. :slight_smile: [/QUOTE]

It is a question of trying to be as safe as possible without disconnecting. A sandboxed web browser running in the context of ‘[I]ANONYMOUS LOGON[/I]’ and you should be relatively safe. Personally, I have a number of virtual machines which are used for different purposes. This virtual machine is used almost exclusively at this site, YouTube/Discogs (to snap links for the “the last album you listened to” thread) and for following external links from this site.
It may seem a tad overkill having a complete virtual machine just for a few websites, but it has its advantages, as there is no Office, Java or other installations to attack… and should it be infected, I simply un7zip the initial backup and start it again without the virus (probably takes 5 minutes all in all).

coolcolors, apart from telling people to disconnect :bigsmile:, has a point though, in that what many in reality need to do is reconsider their surfing habits and stop visiting high-risk websites. Sadly, I also think he is correct in his observation that it is the less knowledgeable computer users who get infected over and over.


#8

[QUOTE=Wombler;2770842]I routinely use a sandboxed browser session so I haven’t had any problems with malware in years.

Best of both worlds IMO. :)[/QUOTE]

This is also my present workaround, as well as using noscript, ad blockers, etc …

Back in the day, the easiest way around this problem was using another operating system such as Linux or one of the open source BSDs. Though this doesn’t seem to be effective anymore (i.e. Linux is also a medium/huge sized target these days).

Eventually I moved on to windoze after y2k, for the reason that the other people/family using my computer had no idea how to shut down Linux/BSD properly. So every time I turned on the computer, it would take 10-15 minutes to go through and fix up the filesystem due to the “improper shutdown”. It got extremely annoying after a while of having to do this. (I didn’t have much $$$ at the time to buy another computer for these other people/family I was living with at the time.)

Under windoze, I completely neutered Internet Explorer so that it was only minimally functional for mundane operating system purposes, and used Netscape/Mozilla/Firefox with java turned off by default. I only turned on java when it was necessary. (Back in the day, java wasn’t necessary for reading most web sites if one was only reading text).

All kinds of other anti-malware/virus programs came and went over the years.

At this point, I’m considering moving back to one of the BSDs (either FreeBSD or OpenBSD) for netsurfing purposes only, and keeping all my windoze machines strictly offline. Presently I don’t use any Windows-only software which requires a mandatory internet connection. I don’t live with anyone else presently, so there are no “improper shutdown” problems.