Reefa
Posted May 11, 2016

Researchers are fighting back against ransomware, and have released plenty of “decryptor” tools for unlocking victims’ files. A program launched last year to combat TeslaCrypt; researchers published instructions for getting rid of the pernicious Jigsaw ransomware, and, most recently, cybersecurity company Kaspersky announced its own tool for victims of the CryptXXX ransomware. But the authors of CryptXXX counter-attacked, and released a new version of their ransomware that makes Kaspersky's efforts totally moot.

“The latest version of CryptXXX, which appeared in the wild today, renders that tool ineffective, returning the focus on CryptXXX to detection and prevention,” researchers from cybersecurity company Proofpoint wrote in a blog post published earlier this week.

CryptXXX works in much the same way as other pieces of ransomware. After a potential victim visits a malicious webpage, their browser is redirected to an exploit kit, such as Angler. From here, the kit delivers CryptXXX to the target machine, and locks down personal documents and other files stored on it.

“There are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW!” reads the message that appears on CryptXXX victims' machines, according to a screenshot published by Proofpoint.

In its latest iteration, CryptXXX locks the screen and makes the infected computer unusable. This move, Proofpoint hypothesised, was a “quick and dirty” way to make it impossible for victims to use the Kaspersky decrypt tool. Instead, the CryptXXX authors have found another way to bypass that, Proofpoint writes, although it's not totally clear what that method is. (Proofpoint published a screenshot of an error message from the Kaspersky tool.)

Another tweak from CryptXXX is that ransom messages are now unique to each victim, and are based on a personal ID generated for each machine.

“The files that alert the victim that they are infected were previously “de_crypt_readme” with bmp, txt, and html extensions. These files are no longer used; instead the filenames are the unique “Personal ID” from the infected machines,” Proofpoint continued.

Some ransomware authors have made amateur mistakes, which in turn allowed for the creation of decryptor tools. With CryptXXX, however, researchers might have more of a battle on their hands.

source
SPECTRUM
Posted May 12, 2016

Fighting back against ransomware is really easy: just create a monitoring app to detect when a process is trying to encrypt a file and alert the user about which process is trying to do that, with a window showing detailed info about the app that is trying to do that, and then let the user decide what to do, with buttons for allow and deny.
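The behaviour SPECTRUM describes, a monitor that decides whether a process is encrypting files, as an added Python example that is not part of any post in this thread and not any real product: it flags a write when low-entropy content is replaced by near-random content, and only raises an alert once one process has done that to several files, which is the usual way to keep a single archiver run or document save from tripping it. The process names, paths, thresholds (HIGH_ENTROPY, ENTROPY_JUMP, min_files) and file contents are all constructed for the example; a real monitor would feed it file-system events from a driver or API hook, which this example does not include.

```python
import hashlib
import math
import os
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: roughly 4-5 for text, close to 8 for ciphertext or compressed data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


@dataclass
class WriteEvent:
    """One file write as a hypothetical file-system monitor would report it (constructed for the example)."""
    process: str      # image name of the process that wrote the file
    old_path: str     # path before the write
    new_path: str     # path after the write; differs when the file was renamed
    before: bytes     # content before the write
    after: bytes      # content after the write


HIGH_ENTROPY = 7.0    # assumed threshold: ciphertext sits close to 8.0 bits/byte
ENTROPY_JUMP = 2.0    # assumed threshold: plaintext -> ciphertext adds several bits/byte


def extension_changed(ev: WriteEvent) -> bool:
    """True when the write also renamed the file to a different extension (e.g. .txt -> .txt.crypt)."""
    return os.path.splitext(ev.old_path)[1].lower() != os.path.splitext(ev.new_path)[1].lower()


def looks_like_encryption(ev: WriteEvent) -> bool:
    """A single write is suspicious when low-entropy content is replaced by near-random content."""
    h_before, h_after = shannon_entropy(ev.before), shannon_entropy(ev.after)
    return h_after >= HIGH_ENTROPY and (h_after - h_before) >= ENTROPY_JUMP


def scan_events(events: List[WriteEvent], min_files: int = 3) -> Dict[str, int]:
    """Count suspicious writes per process and return only the processes that reached min_files.
    A lone hit is not an alert: an archiver or an image export produces the same entropy jump once."""
    hits: Dict[str, int] = defaultdict(int)
    for ev in events:
        if looks_like_encryption(ev):
            hits[ev.process] += 1
    return {proc: n for proc, n in hits.items() if n >= min_files}


# Constructed sample content. PLAINTEXT is ordinary text; CIPHERTEXT and COMPRESSED are
# deterministic pseudo-random bytes standing in for encrypted data and for zip-compressed data.
PLAINTEXT = b"Quarterly report: revenue up 4 percent, costs flat, headcount unchanged.\n" * 60
CIPHERTEXT = b"".join(hashlib.sha256(b"enc" + i.to_bytes(2, "big")).digest() for i in range(128))
COMPRESSED = b"".join(hashlib.sha256(b"zip" + i.to_bytes(2, "big")).digest() for i in range(128))


def sample_events() -> List[WriteEvent]:
    """Constructed event stream: one process rewriting five documents, plus two benign writers."""
    events = []
    for i in range(5):   # hypothetical ransomware: plaintext -> ciphertext, new extension appended
        events.append(WriteEvent("ransom_sample.exe", f"C:/Users/a/Docs/r{i}.txt",
                                 f"C:/Users/a/Docs/r{i}.txt.crypt", PLAINTEXT, CIPHERTEXT))
    # word processor re-saving a .docx: high entropy before and after, so no jump
    events.append(WriteEvent("winword.exe", "C:/Users/a/Docs/plan.docx",
                             "C:/Users/a/Docs/plan.docx", COMPRESSED, COMPRESSED))
    # archiver replacing one text file with an archive: a genuine single entropy jump
    events.append(WriteEvent("7z.exe", "C:/Users/a/Docs/notes.txt",
                             "C:/Users/a/Docs/notes.7z", PLAINTEXT, COMPRESSED))
    return events


if __name__ == "__main__":
    evs = sample_events()
    for ev in evs:
        print(f"{ev.process:20} {ev.new_path:32} suspicious={looks_like_encryption(ev)} "
              f"renamed={extension_changed(ev)}")
    print("alerts:", scan_events(evs))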
steven36
Posted May 12, 2016

44 minutes ago, SPECTRUM said:
Fighting back against ransomware is really easy: just create a monitoring app to detect when a process is trying to encrypt a file and alert the user about which process is trying to do that, with a window showing detailed info about the app that is trying to do that, and then let the user decide what to do, with buttons for allow and deny.

Been testing WinAntiRansom; it really makes no sense at all, mostly false positives. If an app has a false positive and one day succumbs to ransomware, you're just screwed. Here is some good advice:

Quote
Malware is a fast-evolving beast and there is no single solution which will protect you. But you can reduce the risk in various ways.

First you need to know how the malware gets delivered: A major delivery vector for malware is mail, i.e. either as an attachment in the mail or mail which includes a link to some site you should visit. While many of the mails look suspicious, others are really hard to detect because they seem to provide expected or unexpected invoices or delivery notices from Amazon, Ebay, Paypal, DHL etc. or even have the name of a friend as the alleged sender. Typical attachments are various kinds of office documents, PDF or ZIP files containing JavaScript or Windows binaries. Sometimes the real type of the file is hidden, i.e. document.pdf.exe might look like a PDF from its name and symbol but is actually a program.

The other major delivery vector is the web. This will be illegal sites where you can watch movies, but more and more malware gets delivered through ads and through formerly trusted but now hacked sites.

Once the malware is on your system it needs to be run to start the malicious part. This can be done with exploits or with social tricks: The major attack targets are the Flash, Silverlight and Java plugins, Acrobat Reader, Office and also the Windows system including Internet Explorer. Thus remove any of these which you don't need (Java, Silverlight, Flash) and keep everything else always updated. There are lots of exploits out there which use problems in unpatched versions of Office, thus if you have some out-of-date Office software which is no longer supported you had better remove it.

Other attacks need your help, i.e. they lure you to enable macros in Office, to update your Flash plugin with the alleged newest version which the attacker helpfully provides for you, to install some plugin or download program you need to access specific content etc. Or it tries to scare you with some dialog which claims to have found malware on your system and offers you software to remove this malware. Don't fall for these tricks.

So how can you protect against these threats? Educate yourself and know what can go wrong. Then don't do anything which might be dangerous. Don't open unexpected attachments or links, don't install some software from the internet unless you are completely sure that it is definitely the one you need.

Keep the system clean: Remove any software you don't need or which does not have any more updates. Always get the latest updates for the other software. Protect yourself with technologies like adblocking and antivirus. Use a browser which includes good protection technologies by itself - Chrome/Chromium is probably currently the best here. While none of these provide full coverage they reduce the attack surface (even if some claim that antivirus is dead).

Always have current backups in case anything goes wrong. These backups should be offline so that they don't get affected. And you should have backups from multiple days in case you realize an infection too late and the backup itself is infected.

There can be much more hardening done, like only running whitelisted applications, disabling JavaScript in browsers, using virtual machines, using a more secure operating system ... . But after a while these protections get too much in the way of normal work. Thus you have to find some balance between security and comfort and the risk you are willing to take.

http://security.stackexchange.com/questions/121258/the-best-way-to-prevent-ransomware-and-virus/121265#121265
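The disguised-attachment cases the quoted answer lists (document.pdf.exe, and ZIP files carrying JavaScript or Windows binaries), as an added Python example that is not from the quoted answer or from anyone in this thread: it checks an attachment's name for a document extension sitting in front of an executable one, compares what the name claims against the first bytes of the content, and lists archive members with executable extensions. The extension sets, the magic-byte table, the function names and the sample attachments are all constructed for the example and are not a complete catalogue of either formats or dangerous extensions.

```python
import io
import zipfile
from typing import Dict, List, Optional

# Leading bytes of a few common formats (constructed table for the example; not exhaustive)
MAGIC = {
    b"%PDF": "pdf",
    b"MZ": "exe",                # Windows PE executable
    b"PK\x03\x04": "zip",        # also .docx/.xlsx/.jar, which are zip containers
    b"\xd0\xcf\x11\xe0": "ole",  # legacy .doc/.xls
}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs", "wsf", "hta", "ps1"}


def sniff_type(head: bytes) -> Optional[str]:
    """Identify the content by its leading bytes, ignoring whatever the file name claims."""
    for magic, kind in MAGIC.items():
        if head.startswith(magic):
            return kind
    return None


def inspect_attachment(name: str, data: bytes) -> List[str]:
    """Return the reasons an attachment deserves a second look; an empty list means none found."""
    findings: List[str] = []
    exts = name.lower().split(".")[1:]          # "document.pdf.exe" -> ["pdf", "exe"]
    final = exts[-1] if exts else ""
    # a document extension hidden in front of an executable one (document.pdf.exe)
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS and final in EXECUTABLE_EXTS:
        findings.append(f"double extension: looks like .{exts[-2]} but is .{final}")
    if final in EXECUTABLE_EXTS:
        findings.append(f"executable type .{final}")
    # the name says document, the bytes say program
    kind = sniff_type(data[:8])
    if final in DOCUMENT_EXTS and kind == "exe":
        findings.append("content is a Windows executable although the name claims a document")
    # a ZIP (or a docx/xlsx container) carrying scripts or binaries
    if kind == "zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    member_ext = member.lower().rsplit(".", 1)[-1]
                    if member_ext in EXECUTABLE_EXTS:
                        findings.append(f"archive member is executable: {member}")
        except zipfile.BadZipFile:
            findings.append("starts like a ZIP but cannot be parsed")
    return findings


def make_zip(members: Dict[str, str]) -> bytes:
    """Build a small ZIP in memory (used only to construct sample attachments)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member_name, content in members.items():
            zf.writestr(member_name, content)
    return buf.getvalue()


def sample_attachments() -> Dict[str, bytes]:
    """Constructed attachments: two benign, three of the disguises the quoted answer describes."""
    return {
        "report.pdf": b"%PDF-1.4\n%constructed sample, not a real document\n",
        "plan.docx": make_zip({"word/document.xml": "<w:document/>"}),
        "document.pdf.exe": b"MZ\x90\x00" + b"\x00" * 60,     # PE header bytes, nothing more
        "invoice.pdf": b"MZ\x90\x00" + b"\x00" * 60,          # renamed executable
        "delivery_notice.zip": make_zip({"DHL_notice.js": "// constructed script stand-in"}),
    }


if __name__ == "__main__":
    for att_name, att_data in sample_attachments().items():
        print(att_name, "->", inspect_attachment(att_name, att_data) or "nothing flagged")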
Archived
This topic is now archived and is closed to further replies.