CryptoPrevent 2.2.1

Status
Not open for further replies.

MrXidus

Super Moderator (Leave of absence)
Thread author
Apr 17, 2011
2,503
CryptoPrevent

Website: http://www.foolishit.com/vb6-projects/cryptoprevent/


CryptoPrevent is a tiny utility to lock down any Windows OS to prevent infection by the Cryptolocker malware or ‘ransomware’, which encrypts personal files and then offers decryption for a paid ransom.

Prevention Methodology

CryptoPrevent artificially implants group policy objects into the registry in order to block certain executables in certain locations from running. Note that because the group policy objects are artificially created, they will not display in the Group Policy Editor on a Professional version of Windows — but rest assured they are still there!

Executables are blocked in these paths where * is a wildcard:

  • %appdata% and any first-level subdirectories in %appdata% (e.g. %appdata%\directory1, %appdata%\directory2, etc.)
  • %localappdata% (on Vista+) and any first-level subdirectories in there.
  • %temp%\rar* directories
  • %temp%\7z* directories
  • %temp%\wz* directories
  • %temp%\*.zip directories

The first two locations are used by the malware as launch points. The final four locations are temporary extract locations for executables when run from directly inside of a compressed archive (e.g. if you open download.zip in Windows Explorer, WinRAR, WinZip, or 7zip and execute an .EXE from directly inside the download, it is actually extracted to a temporary location and run from there – so this guards against that as well).

CryptoPrevent In Action



Download CryptoPrevent 2.2.1

CryptoPrevent is completely FREE for personal and commercial usage.

Download the portable version below:

CryptoPrevent.zip (310KB)

Alternately, you can download a setup installer with full uninstall support below.

CryptoPreventSetup.exe (653KB)
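Because the implanted rules do not show up in the Group Policy Editor, the only place to verify what is actually in force is the registry. The following audit script is an added example, not CryptoPrevent's or the vendor's own code: it reads the Software Restriction Policy (SRP) path rules from the standard Safer key and checks them against the locations listed above. It assumes the standard SRP registry layout (CodeIdentifiers\<level>\Paths\{GUID}) and an assumed encoding of the post's list as path rules (`<dir>\*.exe` for the directory itself, `<dir>\*\*.exe` for its first-level subdirectories); how CryptoPrevent itself spells its rules is not stated on this page, so the "expected" list is only a guess to compare against.

```powershell
# Added example, not CryptoPrevent's own code: list the SRP path rules stored under
# the Safer key (where such tools implant their rules) and check whether the
# locations listed in the post are covered. Read-only; run from an elevated
# PowerShell so the HKLM policy keys are readable.

$saferRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# SRP stores rules under one subkey per security level, named by the level's number.
$levelNames = @{ '0' = 'Disallowed'; '4096' = 'Basic User'; '262144' = 'Unrestricted' }

# Assumed encoding of the post's list as SRP path rules (see lead-in).
$expectedRules = @(
    '%appdata%\*.exe',      '%appdata%\*\*.exe',
    '%localappdata%\*.exe', '%localappdata%\*\*.exe',
    '%temp%\rar*\*.exe',    '%temp%\7z*\*.exe',
    '%temp%\wz*\*.exe',     '%temp%\*.zip\*.exe'
)

function Get-SrpGlobalSetting {
    # DefaultLevel 262144 means "allow unless a rule says otherwise", the mode a
    # blocklist like this relies on. PolicyScope 1 exempts local administrators.
    if (-not (Test-Path $saferRoot)) { return $null }
    $p = Get-ItemProperty -Path $saferRoot
    [pscustomobject]@{
        DefaultLevel       = $levelNames["$($p.DefaultLevel)"]
        PolicyScope        = $p.PolicyScope
        TransparentEnabled = $p.TransparentEnabled   # 1 = executables only, 2 = DLLs too
        ExecutableTypes    = ($p.ExecutableTypes -join ' ')
    }
}

function Get-SrpPathRule {
    if (-not (Test-Path $saferRoot)) { return }
    foreach ($level in Get-ChildItem -Path $saferRoot) {
        $pathsKey = "$saferRoot\$($level.PSChildName)\Paths"
        if (-not (Test-Path $pathsKey)) { continue }
        foreach ($rule in Get-ChildItem -Path $pathsKey) {
            # Get-ItemProperty would expand %appdata%; read the raw REG_EXPAND_SZ so the
            # stored pattern can be compared with the documented list as written.
            $raw = [string]$rule.GetValue('ItemData', '', 'DoNotExpandEnvironmentNames')
            [pscustomobject]@{
                Level       = $levelNames[$level.PSChildName]
                RuleGuid    = $rule.PSChildName
                Pattern     = $raw
                Expanded    = [Environment]::ExpandEnvironmentVariables($raw)
                Description = [string]$rule.GetValue('Description')
            }
        }
    }
}

function Test-ExpectedSrpRule {
    # One row per documented location: is there a Disallowed rule with exactly that pattern?
    $disallowed = @(Get-SrpPathRule |
        Where-Object Level -eq 'Disallowed' |
        ForEach-Object { $_.Pattern.ToLowerInvariant() })
    foreach ($expected in $expectedRules) {
        [pscustomobject]@{
            Pattern = $expected
            Present = ($disallowed -contains $expected.ToLowerInvariant())
        }
    }
}

Get-SrpGlobalSetting | Format-List
Get-SrpPathRule | Sort-Object Level, Pattern | Format-Table -AutoSize
Test-ExpectedSrpRule | Format-Table -AutoSize
```

The raw (unexpanded) pattern is read with `RegistryKey.GetValue(..., DoNotExpandEnvironmentNames)` on purpose: the expanded form differs per user, so only the raw form tells you whether a rule is the generic `%appdata%` rule or one pinned to a single account. A `Present = False` row for every pattern after a reboot means the policy was never written (or was written under a different encoding), which is the first thing to check before blaming the tool for a block it did not cause.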

aztony

Level 9
Verified
Oct 15, 2013
501
Really appreciate you posting this. Just today, I read about this new type of ransom malware and was wondering what else I could do, besides backups, to protect myself. TY.
 

MrXidus

Super Moderator (Leave of absence)
Thread author
Apr 17, 2011
2,503
aztony said:
Really appreciate you posting this. Just today, I read about this new type of ransom malware and was wondering what else I could do, besides backups, to protect myself. TY.

You're welcome.

Moose said:
Will this work on Windows 8.1 Pro?

I tested CryptoPrevent with Windows 8.1 Pro 64-bit in a virtual machine (VMWare Workstation) and it successfully prevented the CryptoLocker malware sample (Ran As Administrator) from infecting the system.

I've uploaded a short 16-second screen recording of the test to demonstrate.

[Screen recording of the test: View (990KB .wmv)]

Enjoy.
 

MrXidus

Super Moderator (Leave of absence)
Thread author
Apr 17, 2011
2,503
rebel4life said:
Which one, the portable or the exe? And is this good to have on your laptop?

I would just go with the installer version and this software would suit any desktop PC and laptop that has Windows XP to Windows 8.1 installed to protect against CryptoLocker malware.
 

rebel4life

Level 9
Verified
Sep 30, 2012
667
I had issues with this. I installed it and it blocked the Best Buy and Future Shop websites, and I uninstalled it and had no problems with the websites, so what's up with it?
 

MrXidus

Super Moderator (Leave of absence)
Thread author
Apr 17, 2011
2,503
rebel4life said:
I had issues with this. I installed it and it blocked the Best Buy and Future Shop websites, and I uninstalled it and had no problems with the websites, so what's up with it?

Very odd. I don't see how CryptoPrevent is the cause. Define blocked? Did the websites load for you at all, or did you get some message telling you the websites are blocked? Do you use any web filters or other URL filtering security software?

Tested here and I'm able to access those websites fine with CryptoPrevent installed and activated.
 

aztony

Level 9
Verified
Oct 15, 2013
501
MrXidus said:
Very odd. I don't see how CryptoPrevent is the cause. Define blocked?
Tested here and I'm able to access those websites fine with CryptoPrevent installed and activated.

+1 No issues since installing and activating. Accessed both sites cited without issue. What I did notice when I installed CryptoPrevent yesterday was that after the required reboot to activate it, my antivirus was really slow to activate once it loaded, and it took me several attempts to log in to my password manager on both systems.
 

rebel4life

Level 9
Verified
Sep 30, 2012
667
Maybe there is an issue with Windows 8.1 with this software. And to answer MrXidus: after 3 minutes waiting for the sites to load I stopped and uninstalled CryptoPrevent, then both sites were working fine. I don't need it; I've installed Online Armor Premium 7.0 along with Webroot AV.
 

aztony

Level 9
Verified
Oct 15, 2013
501
Well, I want to pass on this tid-bit to those with this app. Last night I downloaded and tried to install Sandboxie. The installer would start but failed to open, but no errors nor error messages showed on screen. In Event Viewer 'Applications', I saw an error which said that sandboxie.exe was restricted by administrator because of a policy rule. I am admin of my system(s) and I made no such rule. I set about trying to determine if my AV, or firewall, had gone behind my back with some admin chores of their own. I found nothing upon diligently checking each. Disabling each one was no help; the installer wouldn't run. Then I tried to update my Firefox browser to v25. No go there either. So after much time trying several things, using the process of elimination to trace down the problem, I discovered CryptoPrevent was behind this. When 'block' is initiated from its UI, CryptoPrevent institutes policies that override the administrator's rights. It's odd, because after installing CryptoPrevent on Friday, I was able to install a couple more utilities over the following 2 days without issue. And after it blocked Sandboxie it allowed the installation of Recuva, which I updated to see if the problem was specific to Sandboxie. Anyway, it looks like anytime I need to install a program I'll just need to temporarily unblock CryptoPrevent.
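The "restricted by administrator because of a policy rule" error above is the Software Restriction Policy block event, and it names the rule GUID that fired. The script below is an added example (not CryptoPrevent's code) of the triage a practitioner would do before disabling the whole tool: pull those events from the Application log and map each GUID back to the stored rule so you can see which pattern blocked the installer. It assumes the event source is `SoftwareRestrictionPolicies`, that IDs 865 (blocked by default level) and 866 (blocked by a path rule) are the block events, and that the message text has the shape "Access to <path> has been restricted by your Administrator by location with policy rule {GUID} placed on path <pattern>"; the regexes are written for that assumed shape.

```powershell
# Added example, not CryptoPrevent's code: find SRP block events and resolve each
# one to the rule stored in the registry. Read-only; run elevated.

$saferRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

function Get-SrpBlockEvent {
    param([int]$Hours = 24)
    $filter = @{
        LogName      = 'Application'
        ProviderName = 'SoftwareRestrictionPolicies'   # assumed source name (as shown in Event Viewer)
        Id           = 865, 866                        # 865 = default level, 866 = path rule
        StartTime    = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $blocked = $null; $guid = $null; $pattern = $null
        # Parse the assumed message shape; each -match overwrites $Matches, so copy out at once.
        if ($_.Message -match 'Access to (.+?) has been restricted') { $blocked = $Matches[1] }
        if ($_.Message -match '(\{[0-9A-Fa-f-]{36}\})')              { $guid    = $Matches[1] }
        if ($_.Message -match 'placed on path (.+?)\.?\s*$')          { $pattern = $Matches[1] }
        [pscustomobject]@{
            Time     = $_.TimeCreated
            EventId  = $_.Id
            Blocked  = $blocked
            RuleGuid = $guid
            Pattern  = $pattern
        }
    }
}

function Resolve-SrpRule {
    # Look the GUID up under every security level's Paths key and return the stored rule.
    param([Parameter(Mandatory)][string]$RuleGuid)
    foreach ($level in Get-ChildItem -Path $saferRoot -ErrorAction SilentlyContinue) {
        $key = "$saferRoot\$($level.PSChildName)\Paths\$RuleGuid"
        if (Test-Path $key) {
            $k = Get-Item -Path $key
            return [pscustomobject]@{
                LevelKey    = $level.PSChildName    # 0 = Disallowed, 262144 = Unrestricted
                Pattern     = [string]$k.GetValue('ItemData', '', 'DoNotExpandEnvironmentNames')
                Description = [string]$k.GetValue('Description')
            }
        }
    }
}

Get-SrpBlockEvent -Hours 72 | ForEach-Object {
    $rule = if ($_.RuleGuid) { Resolve-SrpRule -RuleGuid $_.RuleGuid } else { $null }
    [pscustomobject]@{
        Time    = $_.Time
        Blocked = $_.Blocked
        Rule    = if ($rule) { "$($rule.Pattern) ($($rule.Description))" } else { 'default level / unknown' }
    }
} | Format-Table -AutoSize -Wrap
```

The usual finding for a failed installer is exactly the case described above: the setup program stages itself under `%temp%` or `%appdata%`, so a generic `%appdata%\*\*.exe` rule catches it even though the administrator never wrote a rule naming that installer. Knowing which pattern fired is what lets you decide between a temporary unblock and a narrower exception.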
 

Prorootect

Level 69
Verified
Nov 5, 2011
5,855
Finding Cryptolocker Encrypted Files using the NTFS Master File Table : on securitybraindump.blogspot.jp : http://securitybraindump.blogspot.jp/2013/11/finding-cryptolocker-encrypted-files.html

QUOTE:
' I wanted to also comment on using software restriction policies in Windows to block executables from running from locations such as C:\Users\%userprofile%\AppData\Local\Temp. With no local admin rights, users only have the ability to write to three locations on modern versions of Windows (by default). These are:
C:\$Recycle.Bin
C:\ProgramData
C:\Users\%Userprofile%
The attackers know this and 99% of infections I see in my environment are using these locations efficiently (including this one).
Unfortunately, a lot of legitimate software also uses these locations. So using suggestions such as Software Restriction Policies to stop the execution from these locations in a large enterprise environment may or may not be realistic. I suspect adding rules to check if the executable is legitimately signed would reduce false positives. I am, however, seeing malicious code signed on occasion. In conclusion, there is no silver bullet here but I personally plan to explore these defenses more and will update what I find as I do.
Lastly, some online posts on this malware have mentioned the use of the HKEY_CURRENT_USER\Software\CryptoLocker location in the Windows registry as a way to determine what files have been encrypted. I just wanted to mention that I did carve the ntuser.dat file from the compromised system and noted that this location did exist in the registry. It, however, did not contain any entries on what files were encrypted.'

----------------

Edit:
11 things you can do to protect against ransomware, including Cryptolocker : on welivesecurity.com ESET blog: http://www.welivesecurity.com/2013/...ct-against-ransomware-including-cryptolocker/

----------------

Another solution: Cryptolocker Prevention Kit (updated) : on community.spiceworks.com : http://community.spiceworks.com/topic/396103-cryptolocker-prevention-kit-updated
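The quoted post's point is that the three user-writable locations are shared by malware and legitimate software alike, and that a signature check might separate the two. Before writing any rule, it helps to know what actually lives there. The inventory below is an added example (not from the quoted blog, CryptoPrevent, or this thread): it walks the locations named in the quote, plus `%LOCALAPPDATA%` since the tool above also covers it, and reports each executable's Authenticode status and publisher. It assumes PowerShell 5 or later for `Get-ChildItem -Depth`.

```powershell
# Added example: inventory executables in the user-writable locations named in the
# quoted post and report whether each carries a valid Authenticode signature.
# A valid signature does not prove the file is benign (the quote notes malicious
# code is sometimes signed), but unsigned executables in %APPDATA% or %ProgramData%
# are the ones you would not want in an SRP exception list.

$locations = @(
    $env:APPDATA,
    $env:LOCALAPPDATA,
    $env:ProgramData,
    (Join-Path $env:SystemDrive '$Recycle.Bin')
) | Where-Object { $_ -and (Test-Path $_) }

function Get-WritableLocationExecutable {
    param([string[]]$Paths = $locations, [int]$Depth = 2)
    foreach ($root in $Paths) {
        # -Force includes hidden/system entries such as $Recycle.Bin's per-SID folders.
        Get-ChildItem -Path $root -Filter *.exe -File -Recurse -Depth $Depth -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                [pscustomobject]@{
                    Path      = $_.FullName
                    Status    = $sig.Status          # Valid, NotSigned, HashMismatch, ...
                    Publisher = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                    Modified  = $_.LastWriteTime
                }
            }
    }
}

# Unsigned and tampered files first; those are the rows to look at.
Get-WritableLocationExecutable |
    Sort-Object @{ Expression = { $_.Status -eq 'Valid' } }, Modified -Descending |
    Format-Table Status, Modified, Publisher, Path -AutoSize -Wrap
```

Run as the affected user rather than elevated, because `%APPDATA%` and `%LOCALAPPDATA%` resolve per account. The `HashMismatch` status is the one worth reacting to immediately: it means a file that was signed has been modified since, which neither "legitimate software uses these paths" nor "it is signed" explains away.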
 
