steven36 Posted March 29, 2016

Users can now “vaccinate” their computers to prevent getting infected by a series of ransomware families, including CTB-Locker, Locky and TeslaCrypt. Last week, French cybersecurity company Lexsi detailed some of the operations that users could perform on their computers to prevent possible Locky infections. They call these operations a “vaccine,” as they are meant to render the computer immune to this type of ransomware, though the company says the methods won't work against some newer variants.

According to the security company, users can improve their computer’s defenses by making a series of minor changes to their systems. These include the creation of a specific mutex or registry key, or the changing of a simple system parameter, as long as the modification does not create an inconvenience to the user.

Lexsi’s Sylvain Sarméjeanne notes in a blog post that Locky avoids infecting computers that have Russian as the system language, and that modifying the language would prevent infection. However, that change would certainly not be feasible for non-Russian users. What users could do instead is create the HKCU\Software\Locky registry key, which is the first thing that the ransomware tries to create on the compromised machine. The malware terminates if the creation process fails, and having the registry key already present on the computer ensures that the malicious application is not executed.

Sarméjeanne explained that Locky also checks the key for the id (computer identifier), pubkey (public key fetched from the server), paytext (text to be displayed to the user, in the system language) and completed values. The latter indicates the end of the encryption process and, if it is set to 1 and if the id value contains the correct identifier, it terminates execution.
It was also discovered that Locky uses the pubkey during the encryption process and that this process fails if the pubkey value contains an invalid value. Moreover, if the pubkey exists, the ransomware uses it without prior verification, meaning that users could force the malware to use a public RSA key under their control, for which they have the corresponding private key.

While these operations might keep computers safe from Locky, they do require some advanced knowledge when performed, meaning that beginners might not be able to apply the vaccine manually. However, an automated tool to help users add the extra protection layer to their machine was released by security researchers at Bitdefender, and is now available as a free download.

The above operations specifically target the Locky ransomware, while Bitdefender’s new vaccine tool is currently capable of efficiently preventing the CTB-Locker, Locky and TeslaCrypt ransomware families from infecting a compromised system, the company says. The tool builds on the success of the previous vaccine for CryptoWall, which was retired last week, as it was no longer efficient in offering protection, because of the latest updates in the targeted ransomware.

Bitdefender told SecurityWeek that the new vaccine is picking up steam at the moment, and that they are waiting to see how the targeted malware evolves to learn whether it requires any modification. “The new tool is an outgrowth of the Cryptowall vaccine program, in a way. We had been looking at ways to prevent this ransomware from encrypting files even on computers that were not protected by Bitdefender antivirus and we realized we could extend the idea,” Chief Security Strategist Catalin Cosoi explained in a blog post. Bitdefender wouldn’t share details on how their tool works, and for good reason: they don’t want the bad guys to learn what they need to change in their malware to circumvent protection.
Last November, Bitdefender security researchers released a decryption tool for the Linux.Encoder.1 ransomware after discovering a flaw that allowed them to recover the files held for ransom for free.

Source
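An added example (not code from the article, Lexsi or Bitdefender): a PowerShell script that applies the manual Locky vaccine described above by pre-creating HKCU\Software\Locky, then audits the key. The value names id, pubkey, paytext and completed come from the post; the VaccineMarker value name and the Install-/Test- function names are my own assumptions for bookkeeping.

```powershell
# Added example, not Lexsi's or Bitdefender's own code.
# Vaccine idea from the post: Locky's first action is to create
# HKCU\Software\Locky and it terminates if that creation fails, so the
# key is created ahead of time. The post also says newer variants may
# ignore this, so treat it as one extra layer, not a replacement for AV.

$LockyKey      = 'HKCU:\Software\Locky'
# Value names the post says the malware writes into the key.
$MalwareValues = @('id', 'pubkey', 'paytext', 'completed')
# Assumed bookkeeping value so an audit can tell our key from one the
# malware created itself.
$MarkerName    = 'VaccineMarker'

function Install-LockyVaccine {
    if (-not (Test-Path -Path $LockyKey)) {
        New-Item -Path $LockyKey -Force | Out-Null
        Write-Host "Created $LockyKey"
    } else {
        Write-Host "$LockyKey already present"
    }
    New-ItemProperty -Path $LockyKey -Name $MarkerName `
        -Value (Get-Date -Format 'o') -PropertyType String -Force | Out-Null
}

function Test-LockyVaccine {
    # Returns an object describing the key state. Any of the four malware
    # values being present means something other than this script wrote
    # to the key, which is worth treating as a possible infection indicator
    # and checking with a full scan rather than ignoring.
    if (-not (Test-Path -Path $LockyKey)) {
        return [pscustomobject]@{
            Present = $false; Vaccinated = $false; SuspiciousValues = @()
        }
    }
    $props = Get-ItemProperty -Path $LockyKey
    $names = $props.PSObject.Properties.Name
    $found = @($MalwareValues | Where-Object { $names -contains $_ })
    [pscustomobject]@{
        Present          = $true
        # Key exists but lacks our marker: it was not created by this script.
        Vaccinated       = ($names -contains $MarkerName)
        SuspiciousValues = $found
    }
}

Install-LockyVaccine
Test-LockyVaccine | Format-List
```

Run it once per user account (the key lives under HKCU), and rerun Test-LockyVaccine periodically; a non-empty SuspiciousValues list or a key without the marker is the condition to investigate.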
Holmes Posted March 29, 2016

This is not a vaccine; a vaccine is a cure. This is useless, as the developers of the ransomware are most likely aware of this and are going to develop a new variant that fixes this and makes this one invalid. There is a decryption tool for TeslaCrypt; this so-called vaccine is not required. When I first read this I thought they had figured out how to decrypt the encrypted files. Nice waste of time reading this.
steven36 Posted March 29, 2016 Author

1 hour ago, Holmes said:
This is not a vaccine; a vaccine is a cure. This is useless, as the developers of the ransomware are most likely aware of this and are going to develop a new variant that fixes this and makes this one invalid. There is a decryption tool for TeslaCrypt; this so-called vaccine is not required. When I first read this I thought they had figured out how to decrypt the encrypted files. Nice waste of time reading this.

What does this have to do with anything? If you take a vaccine for polio it's not going to cure Ebola, and new diseases will always appear. And no, a vaccine is not really a cure. It controls a certain virus till it dies, and sometimes they never really die; like polio, the vaccine came out in 1961 and it's still very much alive today. http://www.collective-evolution.com/2012/02/18/the-polio-vaccine-myth-the-vaccine-stopped-polio/

If you take a vaccine for CTB-Locker, Locky and TeslaCrypt it's not going to prevent Petya ransomware. Why would you want to wait till you've caught TeslaCrypt and then decrypt it when you can prevent it? There's still a chance you'd just catch it again.
Holmes Posted March 29, 2016

A vaccine is in fact a cure for that particular infection. There is no panacea or universal cure; I never said there was. What I said made perfect sense, read it again. And why are you comparing real-life infections and diseases with computer infections? What does that have to do with anything? They're not the same shit. This so-called vaccine stops particular ransomwares, not all. If you want actual prevention, use CryptoPrevent or stop items from downloading anything to the AppData folder; that's prevention.
steven36 Posted March 29, 2016 Author

14 minutes ago, Holmes said:
A vaccine is in fact a cure for that particular infection. There is no panacea or universal cure; I never said there was. What I said made perfect sense, read it again. And why are you comparing real-world infections with computer infections? What does that have to do with anything? They're not the same shit. This so-called vaccine stops particular ransomwares, not all. If you want actual prevention, use CryptoPrevent or stop items from downloading anything to the AppData folder; that's prevention.

Using an anti-virus has never been a real cure. Many of the viruses that came out years ago died, but many antivirus programs I tried could not prevent them; they could only detect them. It was not till I used Kaspersky in like 2007 that I stopped having to reformat when I caught a virus, because it could prevent the virus from infecting my machine. Prevention is 100 times better than removal. So no, you don't make any sense. After you're infected it's too late; even if you get your files back you would need to reformat after you moved them off onto another drive.
Holmes Posted March 29, 2016

I make perfect sense, you just don't want to listen. Use CryptoPrevent or block the AppData folder and you've prevented ransomware. I'm not speaking Greek.
steven36 Posted March 29, 2016 Author

2 minutes ago, Holmes said:
I make perfect sense, you just don't want to listen. Use CryptoPrevent or block the AppData folder and you've prevented ransomware. I'm not speaking Greek.

Quote:
A little bit about how CryptoPrevent works. CryptoPrevent works by blocking the execution of programs from certain locations; locations that are not normally used by legitimate software. Apparently, people have found out that these are locations that are used specifically by CryptoLocker. As such, for now what CryptoPrevent represents is a way to prevent CryptoLocker from running on your machine and encrypting all your files. My opinion is that it’s actually the wrong solution to the problem.

The right solution. The issue is that you should not be trying to avoid just one specific kind of malware. Cryptolocker is malware with particularly bad effects, but it’s malware nonetheless. We should be doing what we can to avoid all malware, not just CryptoLocker. The problem is of course, that the next malware that comes along could be as bad or worse and not do it the same way that CryptoPrevent is preventing. My concern is that running CryptoPrevent will just give people a false sense of security. It prevents one very specific class of malware, and that’s it. In fact, if CryptoPrevent were to actually make a difference on your machine it’s because you already allowed CryptoLocker to be downloaded on to your machine! That is what needs to be prevented, because the things that prevent you from downloading Cryptolocker are the kinds of things that prevent all malware. The right way to deal with CryptoLocker is to treat it just like any other malware. Remember, only you can prevent malware.

Don’t open email attachments that you aren’t absolutely certain are safe, and as I understand it CryptoLocker currently propagates most commonly via email attachments. In general, remember to use the internet safely and with a healthy degree of skepticism. My article, “Internet Safety: 8 Tips to Keep Your Computer Safe on the Internet” covers the basics of how to keep your machine safe not just from CryptoLocker but from all malware. If you’re interested, you can find a discussion of CryptoLocker, how it works, why it works, and how CryptoPrevent works, in excruciating detail at bleepingcomputer.com. I want to provide that as interesting information, but it’s not the approach I want most people to follow. What I truly care about is that people learn to stay away from malware in general. Those techniques will work not just for CryptoLocker, but for all the other malware that’s out there as well.
https://askleo.com/why-havent-you-mentioned-cryptoprevent/

This is no cure for all ransomware; it's for CryptoLocker.

40 minutes ago, Holmes said:
stop items from downloading anything to the AppData folder; that's prevention.

This is not a cure either; some ransomware, like Petya ransomware, stores itself in many places: %AppData%, %LocalAppData%, %ProgramData%, %WinDir%, %Temp%.
Holmes Posted March 29, 2016

CryptoPrevent doesn't say TeslaPrevent or CTBPrevent; it prevents all ransomware, unfortunately creating an inconvenience for the user, and there is Malwarebytes Anti-Ransomware for those that do not wish to use CryptoPrevent. The problem with this article is it is misleading and it's not a vaccine. Like I said, the developer is aware of this and they're going to create a new variant, if they haven't done it and distributed it already. You can use the free version of CryptoPrevent, which gives some prevention; for the best prevention you have to buy the premium version, where you can create customized prevention rules allowing you to specify many locations and file types and whatnot: https://www.foolishit.com/cryptoprevent-malware-prevention/ It started out as CryptoLocker prevention and has developed into additional ransomwares, and each week they add additional ransomware.
steven36 Posted March 29, 2016 Author

Just now, Holmes said:
CryptoPrevent doesn't say TeslaPrevent or CTBPrevent; it prevents all ransomware, unfortunately creating an inconvenience for the user, and there is Malwarebytes Anti-Ransomware for those that do not wish to use CryptoPrevent.

Quote:
CryptoPrevent does not target specific ransomware variants but rather protects against certain behaviors exhibited by many types of ransomware.

Meaning that if a ransomware was made to get around it, it would.
Holmes Posted March 29, 2016

That is a possibility, and when a ransomware gets made to work around it, the CryptoPrevent developers are going to update their software to reflect those changes.
steven36 Posted March 29, 2016 Author

2 hours ago, Holmes said:
There is a decryption tool for TeslaCrypt; this so-called vaccine is not required.

Quote:
There is no way of decrypting TeslaCrypt 4.0 or TeslaCrypt 3.0 .xxx, .ttt, .micro, .mp3 variants unless you pay the ransom since they use a different protection/key exchange algorithm, a different method of key storage and the key for them cannot be recovered. The .xxx, .ttt, micro and .mp3 variants do not have a SharedSecret*PrivateKey so they are not supported by the current version of TeslaViewer. The tool can decrypt TeslaCrypt 3.0 files only if you have the private key acquired from the malware developer after paying the ransom. If infected with any of these extensions, backup all your encrypted files and wait for a possible solution.
http://www.bleepingcomputer.com/forums/t/605185/teslacrypt-3040-xxx-ttt-micro-mp3-support-topic/?p=3967397

TeslaCrypt is very dangerous stuff; it uses 256-bit AES, no way to get your files back if infected.
Holmes Posted March 30, 2016

Not what I read. I'll find the link and post it, and here it is: http://blogs.cisco.com/security/talos/teslacrypt As I promised.
steven36 Posted March 30, 2016 Author

1 hour ago, Holmes said:
Not what I read. I'll find the link and post it, and here it is: http://blogs.cisco.com/security/talos/teslacrypt As I promised.

Your post is outdated. TeslaDecoder is it, and it doesn't work on .xxx, .ttt, .micro, .mp3 variants. Only TeslaCrypt 2.0 can be decrypted; with TeslaCrypt 3.0/4.0 the malware writers have fixed this vulnerability in the new releases, and it cannot be decrypted. TeslaCrypt 3.0 files can be decrypted only if you have the private key acquired from the malware developer; it no longer has a SharedSecret*PrivateKey. If you get infected with TeslaCrypt 3.0/4.0 all you can do is back up your encrypted files and wait till, and if, they ever get a decryption method, or pay the ransom.
Holmes Posted March 30, 2016

It does work on the variant it was coded to work on; I figured they would release a new variant of TeslaCrypt. This is an immunization, a prevention, and there are better immunizations out there like the ones I posted. The decryption tool I posted was created by the Cisco Talos team, called TeslaDecrypter. The original TeslaCrypt the tool worked on mentioned the files were encrypted by RSA 2048-bit asymmetric encryption when in fact it used symmetric AES and the decryption keys were on the victims' hard drives. I knew they were going to release a new variant of TeslaCrypt; it was a matter of time. I recommend users not use the immunization provided in this article, as it works for three ransomwares and not a broad range of many different ones like CryptoPrevent and additional immunization programs do. There are tools created by users on BleepingComputer; one is the one you posted, TeslaDecoder, and one by BloodDolly: http://www.bleepingcomputer.com/news/security/teslacrypt-decrypted-flaw-in-teslacrypt-allows-victims-to-recover-their-files/ I think the tool is TeslaCrack and it was developed by Googulator.
steven36 Posted March 30, 2016 Author

11 hours ago, Holmes said:
It does work on the variant it was coded to work on.

Yes, and that's just TeslaCrypt 2.0, an outdated version of the malware. The malware authors updated it so that it doesn't work with the latest versions of TeslaCrypt. Once malware has been cracked by security researchers it becomes useless to the malware authors and they update it or they stop using it. They don't send ransomware out for fun; they send it out to get paid.
Holmes Posted March 30, 2016

I know this, and I hope users that do get infected with the old TeslaCrypt find the decryption tools that are available for it.
steven36 Posted March 30, 2016 Author

14 minutes ago, Holmes said:
I know this, and I hope users that do get infected with the old TeslaCrypt find the decryption tools that are available for it.

There are support topics for all known ransomware at bleepingcomputer.com. You can find support and tools for the old version here: http://www.bleepingcomputer.com/forums/t/601379/teslacrypt-vvv-ccc-etc-files-decryption-support-requests/

If they ever get tools to remove the latest versions of TeslaCrypt it will be posted at bleepingcomputer.com; for now the latest versions of TeslaCrypt can only be prevented. Here's a guide, "The best defensive strategy", post #223: http://www.bleepingcomputer.com/forums/t/595215/cryptowall-40-help-your-files-ransomware-support-topic/page-15#entry3873236

Bitdefender's new ransomware security tool is only meant to be an extra layer of security in combination with other anti-malware products.
Holmes Posted March 30, 2016

The best prevention is using programs like Malwarebytes Anti-Ransomware and Malwarebytes Anti-Exploit Premium, as most ransomware is delivered by exploits and drive-by downloads. One of the most used kits is Angler, and from what I read recently malware developers are doubling up on the malware: visiting a site I read about, you get the Bedep trojan and ransomware both at the same time.
steven36 Posted March 30, 2016 Author

4 minutes ago, Holmes said:
The best prevention is using programs like Malwarebytes Anti-Ransomware and Malwarebytes Anti-Exploit Premium, as most ransomware is delivered by exploits and drive-by downloads. One of the most used kits is Angler, and from what I read recently malware developers are doubling up on the malware: visiting a site I read about, you get the Bedep trojan and ransomware both at the same time.

If I had ever had ransomware I would be more worried about it, but since I'm careful I've not even had a malware infection at all since like 2008, and that was easily removed. I'll stick to using NOD32, which has anti-exploit and HIPS, and MAM realtime, adblocker and script blockers, and I'll add this BD tool the next time I feel like getting on Windows. All the others I read about, like Malwarebytes Anti-Ransomware and CryptoPrevent, have side effects and/or false positives; I don't like that.
Holmes Posted March 30, 2016

I have used CryptoPrevent and didn't experience false positives with it; it's just tight security. You can use what you want. I'm just suggesting, if someone wants good security against ransomware without making their security too tight, to use Malwarebytes Anti-Exploit and CryptoPrevent. The problem is true CryptoPrevent security and Malwarebytes Anti-Exploit security isn't free (unless you use medicine).