Status
Not open for further replies.

Syafiq

Level 11
Verified
Recently, my friend told me that his gaming laptop was infected with a .cosacos ransomware. All of his files were encrypted. Unfortunately, I can't find anything about it on the web except this: https://sensorstechforum.com/cosacos-virus-files-ransomware-how-to-remove-it/. Since he didn't know how to restore his files, he wiped out all of his storage drive and reinstalled Windows. I think the criminals left this ransom note on my friend's laptop.
 


Jack

Level 85
Verified
Staff member
Hello @Syafiq,
The computer is infected with ransomware from the STOP/DJVU family. Here's an article about this ransomware, different extensions but from the same family: Djvu Ransomware.
There's a very small chance to recover the files if they were encrypted using an offline key (How do I know if I was infected with an offline key?) with Michael Gillespie’s STOPDecrypter decryption tool. Unfortunately, in most cases, the files cannot be recovered.
 

Burrito

Level 18
Verified
But he should use protection programs against future ransom attacks
- CyberSight RansomStopper is free for personal use
- Acronis Ransomware Protection is free for personal use
Video can help you retrieve your files.

Correlate raises a good point.

Prevention is the key.

On every machine, I have more than one ransomware defense. Probably most people here at MT have this too. RansomStopper and other free products can be used with AVs -- most of which now have an anti-ransom component.

And even if multiple mitigations fail, recovery is the next base to cover.

In review...

1. Prevention: More than one method to block. The perpetual MBAR Beta is worth a look as a secondary product.
2. Recovery: If #1 fails...... A method to recover. There are multiple threads about this.


And that's it. Ransomware is no longer an ominous threat.

And you live happily ever after.
 
436880927

On every machine, I have more than one ransomware defense. Probably most people here at MT have this too. RansomStopper and other free products can be used with AVs -- most of which now have an anti-ransom component.

You do not need multiple anti-ransomware solutions - one is more than enough. The best defense against ransomware is ensuring that all of your data is regularly backed up, because all anti-ransomware solutions will inevitably fail if you put it up against enough ransomware samples.

Playing with multiple solutions for ransomware protection is asking for unexpected performance and security issues. It is very easy for overlapping conflicts, regardless of whether you are or aren't aware of them. It is typical security software forum & immature behavior.

This is basic stuff I would expect such an important expert you usually try and make yourself look like to know.
 

Burrito

Level 18
Verified
That is a retarded thing to do.

You do not need multiple anti-ransomware solutions - one is more than enough. The best defense against ransomware is ensuring that all of your data is regularly backed up, because all anti-ransomware solutions will inevitably fail if you put it up against enough ransomware samples.

Playing with multiple solutions for ransomware protection is asking for unexpected performance and security issues. It is very easy for overlapping conflicts, regardless of whether you are or aren't aware of them. It is typical security software forum & immature behavior.

This is basic stuff I would expect such an important expert you usually try and make yourself look like to know.

Some solutions are designed specifically to work alongside others. MBAR in particular is designed this way. Cylance is designed this way.

While your concern with conflicts is valid, your post, uh, in your own words.... is retarded.
 
436880927

Some solutions are designed specifically to work alongside others. MBAR in particular is designed this way. Cylance is designed this way.
Some solutions are designed to specifically work alongside others, so feel free to list examples and explain to me on a technical level how they work and why they would not conflict. You're online and active right now, clearly, so it should be simple for you to do if you know what you're talking about.


your post, uh, in your own words.... is retarded
Playing cat and mouse with many different anti-ransomware solutions is immature behavior and you know it.
 

Wraith

Level 13
Verified
Malware Tester
A dedicated anti ransomware module can be an extra companion depending on what AV you use. Nowadays most AVs have built-in antiransomware protection, so you don't need to add one. It is important to note that those anti ransomwares that do not have a backup or rollback feature will have a negative point. Generally an anti ransomware module will not kick in unless it detects that something is encrypting files in an unusual manner. By the time it reacts, at least some of your important files may be encrypted and lost forever. IMO the best practice for protecting against ransomwares is a properly updated backup kept in an OFFLINE location.
 
436880927

@devjit2018 Some good points.

For the record, overlapping doesn't always refer to conflicts. It can merely refer to inefficiency and redundancy... most of the anti-ransomware solutions are using bait files or monitoring file system behavior from a file system mini-filter. So most of the time, all you are doing is just wasting system resources, even if you're using many different solutions to cover the same thing which aren't causing real conflict. It would be like employing ten people to do a five people job where everyone is doing the same thing, even when they can do their jobs without conflict with one another.

Some of them might watch for file extension changes, dropping of ransomware notes, monitoring the use of vssadmin, etc. I've even seen cryptography libraries being hooked before in user-mode.

I would go for your last practice rather than the rollback idea. The rollback features are just another example of cat and mouse - will it work or will it fail?

If you have good backups of your data, there is low chance of failure. You can have several backups on the cloud - be sure to encrypt them appropriately - and offline. If for whatever reason one backup goes south, the others should be fine.

If your data is backed up and your prevention layers fail, you won't even have to consider the idea of paying a ransom or hoping that the data can be recovered by someone with a decrypter. Even worse if the ransomware was never designed to support recovery and thus by paying a ransom, you get nothing.

The rollback features have to store the original data somewhere. Even with compression, if you support rollback for a lot of data, it is going to consume disk space. It's inevitable. I personally would just advise backups.
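
Added example, not part of the thread and not any vendor's code: a minimal sketch of the behavioural heuristics the post above lists (bait files, extension changes, ransom-note drops, vssadmin use), run over constructed file-system events. The event format, bait path, note-name hints and thresholds are all assumptions made for illustration.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

BAIT = {r"C:\Users\a\Docs\!aaa_canary.docx"}       # hypothetical decoy file
NOTE_WORDS = ("readme", "decrypt", "recover")       # assumed note-name hints
RENAME_LIMIT, NOTE_DIRS = 3, 2                      # assumed thresholds

# Constructed events (pid, kind, args); not captured from a real incident.
EVENTS = [
    (4120, "exec",   ("vssadmin.exe delete shadows /all /quiet",)),
    (4120, "rename", (r"C:\Users\a\Docs\!aaa_canary.docx", r"C:\Users\a\Docs\!aaa_canary.docx.cosacos")),
    (4120, "rename", (r"C:\Users\a\Docs\tax.xlsx", r"C:\Users\a\Docs\tax.xlsx.cosacos")),
    (4120, "rename", (r"C:\Users\a\Pics\cat.jpg", r"C:\Users\a\Pics\cat.jpg.cosacos")),
    (4120, "create", (r"C:\Users\a\Docs\README_DECRYPT.txt",)),
    (4120, "create", (r"C:\Users\a\Pics\README_DECRYPT.txt",)),
    (880,  "rename", (r"C:\Users\a\Docs\draft.txt", r"C:\Users\a\Docs\final.txt")),
    (880,  "exec",   ("vssadmin.exe list shadows",)),
    (880,  "create", (r"C:\Users\a\Docs\readme.md",)),
]

def triage(events):
    """Return {pid: sorted indicator names} for the heuristics named in the post."""
    hits = defaultdict(set)
    ext_count = defaultdict(int)      # (pid, new suffix) -> renames seen
    note_dirs = defaultdict(set)      # (pid, note name) -> directories seen
    for pid, kind, args in events:
        if kind == "exec":
            cmd = args[0].lower()
            if "vssadmin" in cmd and "delete" in cmd:
                hits[pid].add("shadow_copy_delete")
        elif kind == "rename":
            old, new = map(PureWindowsPath, args)
            if str(old) in BAIT:      # any change to a decoy is suspicious
                hits[pid].add("bait_file_touched")
            if new.suffix.lower() != old.suffix.lower():
                ext_count[pid, new.suffix.lower()] += 1
                if ext_count[pid, new.suffix.lower()] >= RENAME_LIMIT:
                    hits[pid].add("mass_extension_change")
        elif kind == "create":
            p = PureWindowsPath(args[0])
            if any(w in p.name.lower() for w in NOTE_WORDS):
                note_dirs[pid, p.name.lower()].add(str(p.parent).lower())
                if len(note_dirs[pid, p.name.lower()]) >= NOTE_DIRS:
                    hits[pid].add("ransom_note_drop")
    return {pid: sorted(v) for pid, v in hits.items()}

if __name__ == "__main__":
    print(triage(EVENTS))
```

The rename counter only fires on the third file, which illustrates the point made earlier in the thread: behavioural detection reacts after some files are already gone, so it does not replace backups.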
 

Raiden

Level 13
Verified
Content Creator
For the record, overlapping doesn't always refer to conflicts. It can merely refer to inefficiency and redundancy... most of the anti-ransomware solutions are using bait files or monitoring file system behavior from a file system mini-filter. So most of the time, all you are doing is just wasting system resources, even if you're using many different solutions to cover the same thing which aren't causing real conflict. It would be like employing ten people to do a five people job where everyone is doing the same thing, even when they can do their jobs without conflict with one another.
Agree,

A lot of it really has to do with the typical security forum paranoia that is often present, generally speaking. More and more layers isn't going to necessarily make you more secure, many times it can either make it worse, or potentially make your system unusable. I would argue that ransomware has been, still kinda is, very rampant that most security vendors have developed ways to deal with it, but they will never be 100% every time. The same goes for any other 3rd party applications that offer "ransomware protection." Many times rather than adding more and more protections, if someone does want more protection against ransomware, doing things like disabling scripting, disable/uninstall PowerShell, etc... will be far more effective IMO, as you are taking away the mechanisms that ransomware uses. You can do this manually, or use a program such as OSA, Syshardener, H_C which will do it for you and will probably be more effective, but even then may not be 100% either.

If your data is backed up and your prevention layers fail, you won't even have to consider the idea of paying a ransom or hoping that the data can be recovered by someone with a decrypter. Even worse if the ransomware was never designed to support recovery and thus by paying a ransom, you get nothing.
+1

I always preach that when it comes to ransomware (or just malware in general), having proper backups is the only sure 100% guaranteed way to protect against these things. Having multiple backups will protect you in the event something happens to the other backups like you said. I don't see the need to fear and get stressed about ransomware if you have proper offline backups. This is security 101, while playing with security programs is fun and all, we cannot forget the basics. They often do more to keep you safe compared to having a ton of security programs.
 