Sandboxie Terminated Ruskie Ransomware

Gnosis

Level 5
Thread author
Apr 26, 2011
2,779
I was randomly surfing with BING and a pop-up appeared. I normally use ALT F4 in that situation, but I clicked the 'x' instead. Next thing I see is pseudo FBI warnings and a message saying my PC is locked, and it will cost 300 dollars to get it back. I immediately clicked "terminate all programs". The sandboxed browser was closed and I was home-free.

I am glad that I did not have a run-of-the-mill security suite, because the odds of deflecting the ransomware would have been much worse.
 

Ink

Administrator
Verified
Staff Member
Well-known
Jan 8, 2011
22,361
RE: Sandboxie Stopped Ruskie Ransomware

Either Windows XP is seriously vulnerable by the click of the mouse, or it was just an image file warning. Thanks for the story.
 

Gnosis

Level 5
Thread author
Apr 26, 2011
2,779
I have preferred virtualization the last couple of years because malware is getting so nasty and plentiful. Besides that, being a bit late in receiving a signature can be devastating. As long as I get Sandboxie's new versions as they arrive, I know I am ALWAYS 99+% protected during random surfing over unfamiliar sites, which I do quite often. An aging OS also warrants virtualization. IMHO

Suites are nice too though, esp. when novices feel the urge to download malicious files that appear safe to them.
 

blues

Level 1
Apr 30, 2011
88
"I immediately clicked "disable forced programs" followed by "terminate all programs". The sandboxed browser was closed and I was home-free."


Why did you click "disable forced programs"?

Unless I am missing something, doing so allows "forced" programs to run outside of the sandbox which would put your "real" system at risk.

Terminating all programs would be the way to go, especially if the sandboxes are set to delete upon closing.

What am I missing here?
 

Gnosis

Level 5
Thread author
Apr 26, 2011
2,779
I agree, old wise one, the great wiseman Gnosis

Thank you for the kind words!

Why did you click "disable forced programs"?

Good question. LOL It is a reckless habit. ;) I have Sandboxie set to not disable anyway. The default is 10 seconds, but I have it set to 0 seconds. I am going to edit my original #1 post in this thread so as to not get those new to Sandboxie in potential trouble or confuse them.
I have not designated any "forced programs" anyway. When I open my browser I don't click a Firefox icon, I click a Sandboxie icon that then causes Firefox to run sandboxed. In essence, I don't have Sandboxie set to force itself upon any given browser, folder or file that I may click to open at any given time, thus I have NO forced programs via the definition given by the Sandboxie authors: You may designate some program names for automatic, or "forced", sandboxing. This means that if that program starts unsandboxed, then Sandboxie will automatically force that program to run in the sandbox. The most common use for the Forced Programs setting is to set the Web browser to automatically run sandboxed without right-clicking and selecting "run sandboxed", or by clicking the Sandboxie icon, which then gives you a sandboxed browser without Sandboxie having to "force" anything.


'You may designate some program names for automatic, or forced, sandboxing. This means that if that PROGRAM STARTS UNSANDBOXED, then Sandboxie will automatically force that program to run in the sandbox. The most common use for the Forced Programs setting is to set the Web browser to automatically run sandboxed. Use this settings page to select the programs that will be forced to run in the sandbox. Use the Add By Name button to enter the program name, or the Add By File button to select the program file through folder navigation.'
http://www.sandboxie.com/index.php?ProgramStartSettings#program

So in light of your question, which is a very important one for other users with default settings, NO ONE should "disable forced programs" in a scenario such as this thread if they have manually entered programs into the open field in "sandbox settings" > "program start" > "forced folders/programs" for forcing programs, which I personally never have done, nor need to do.
My BB did not flip out, so Sandboxie obviously contained it to where nothing could be corrupted.
One thing about ransomware: YOU ABSOLUTELY KNOW WHEN YOU ARE INFECTED WITH IT, which means it is too late.

Sandboxie rocks, what did you click?

Right clicked the Sandboxie taskbar icon and selected "terminate all programs". I could have simply closed my sandboxed browser and the same result would have followed since I have Sandboxie set to delete contents of the sandbox upon closing the sandboxed browser.
As far as what I clicked to get the ransomware FBI page in my face; it was a black pop-up window, but I don't recall what it said. Usually I do ALT F4 to knock stuff like that off to avoid clicking the "x" in the corner of the pop-up window, which will sometimes initiate malware activity.
 

blues

Level 1
Apr 30, 2011
88
I generally only disable "forced programs" when I install an update or add-on to a program supervised by Sandboxie. Once the install is completed, I once again allow forced programs.

This has worked well for me over the years with no issues to report during that period.

It bears repeating that anyone who runs into malware / ransomware with a browser under the supervision of Sandboxie should merely select the option to "terminate all programs" if they cannot otherwise close the browser normally. (Having the browser's sandbox auto-delete upon closing goes a long way to enhancing security as well.)
 

MrXidus

Super Moderator (Leave of absence)
Apr 17, 2011
2,503
So what you are saying is you were just web surfing with Bing and you suddenly got infected with ransomware out of nowhere and Sandboxie saved your behind?

Zero day drive by downloads affect you even with EMET and your beloved ThreatFire? (If you still use that?)

I haven't come across such a thing since I was on Windows XP.
 

rebel4life

Level 9
Verified
Sep 30, 2012
667
a little humor here guys

so a wise man (a.k.a Gnosis) says to be smart use sandboxie so it will protect you from nasty stuff off the web

PLEASE USE SAFE SEX ONLINE, USE SANDBOXIE, it will save your ass for ya lmao
 

Gnosis

Level 5
Thread author
Apr 26, 2011
2,779
So what you are saying is you were just web surfing with Bing and you suddenly got infected with ransomware out of no where and Sandboxie saved your behind?

Actually, I clicked on some BS pop-up window to get it out of my way, and that is what triggered the whole thing. I should have ALT F4'ed it, but I get complacent while using Sandboxie. LOL
 

Gnosis

Level 5
Thread author
Apr 26, 2011
2,779
I would also like to add that the forcing programs and folders feature of Sandboxie is only available in the registered version.
As it is, I am good with the free version, but the forcing folders and programs feature is a great aspect of added security for many paid Sandboxie users.
 

Ramblin

Level 3
May 14, 2011
1,014
Gnosis said:
Actually, I clicked on some BS pop-up window to get it out of my way, and that is what triggered the whole thing. I should have ALT F4'ed it, but I get complacent while using Sandboxie. LOL

Nice story Gnosis. To get rid of all popups, start using NoScript and Adblock Plus in Firefox. You would never have seen that popup or been exposed to this malware if you had been using those addons.

Bo
 

Littlebits

Retired Staff
May 3, 2011
3,893
Surely the popup was not from Bing, it was an infected site that you visited.
As long as you did not download a file from that site, you should have been safe anyway.

Maybe you need to get better browser add-ons which would have blocked this in the first place.

Sandboxie does an excellent job blocking malware don't get me wrong but this sounds like something that could have been blocked without the use of Sandboxie.

Thanks. :D
 

Prorootect

Level 69
Verified
Nov 5, 2011
5,855
'..I clicked the 'x' instead.'
- jajajaj, your fault here!

'I immediately clicked "terminate all programs". The sandboxed browser was closed and I was home-free.'
- it was sufficient to kill the browser process (processes) only, I think ..

'One thing about ransomware: YOU ABSOLUTELY KNOW WHEN YOU ARE INFECTED WITH IT, which means it is too late.'
Hmm, not too late, if you see the first malware page and act quickly .. but in your case, there was a second page, then it was work for Sandboxie ..

'Right clicked the Sandboxie taskbar icon and selected "terminate all programs".'
- good, but you get this same result by killing the browser process (processes) only, in: Process Hacker, ProcNetMonitor, PCHunter, PowerTool etc etc .. With ProcNetMonitor it's a no-brainer, because one click on the big 'Kill Process' button kills the one browser process which is already highlighted above all other processes. After that, the next process becomes highlighted, so ..

'I could have simply closed my sandboxed browser and the same result would have followed ..'
- sure.

'Usually I do ALT F4 to knock stuff like that off to avoid clicking the "x" in the corner of the pop-up window, which will sometimes initiate malware activity.'
- This ransomware is serious malware; clicking on 'x' or elsewhere on the malware page initiates the malware, it's well known ..
 

Gnosis

Level 5
Thread author
Apr 26, 2011
2,779
I have Sandboxie set to where all contents of the sandbox are deleted upon closing my browser, so that is all I cared about. That and "drop admin. rights".
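The three knobs this thread keeps coming back to, forced programs/folders (Gnosis's long post quoting the Sandboxie docs, and blues's reply about disabling them during updates), auto-delete on close, and "drop admin rights" (the post just above), are all plain keys in Sandboxie.ini, the file behind the Sandboxie Control dialogs. The fragment below is an added example written for this page; it is not from any post in the thread and not Sandboxie's own documentation. The box name WebBox, the browser executables and the Downloads path are hypothetical choices for illustration. ForceDisableSeconds is, to my recollection, the GlobalSettings key behind the 10-second "Disable Forced Programs" timer Gnosis mentions; check it against the Sandboxie.ini reference for your version.

```ini
; Added example: a Sandboxie.ini fragment expressing the settings discussed
; in this thread. Key names are the documented Sandboxie.ini settings;
; the box name "WebBox" and the paths below are hypothetical.

[GlobalSettings]
; How long the "Disable Forced Programs" toggle stays active, in seconds.
; Default is 10. Setting it to 0 removes the window in which a forced
; browser could start *outside* the box (the mis-click blues asked about).
; Assumed key name; verify for your Sandboxie version.
ForceDisableSeconds=0

[WebBox]
Enabled=y

; --- weak posture (Sandboxie's defaults, shown here for contrast) ---
; Box contents survive between sessions, so a payload dropped by a
; malicious page is still there next time you open the browser, and
; sandboxed programs keep the launching user's admin token.
;AutoDelete=n
;DropAdminRights=n

; --- hardened posture matching the thread ---
; Any unsandboxed start of these browsers is redirected into WebBox,
; so it no longer matters whether you clicked the Sandboxie icon or the
; plain Firefox icon (hypothetical browser list).
ForceProcess=firefox.exe
ForceProcess=iexplore.exe
; Anything launched from the user's Downloads folder runs sandboxed too,
; which covers the "novice downloads a file that looks safe" case
; (hypothetical path).
ForceFolder=C:\Users\alice\Downloads
; Wipe the box as soon as its last program exits: the ransomware lock
; page dies with the browser, and nothing it wrote survives.
AutoDelete=y
; Run sandboxed programs with a restricted (non-admin) token even when
; the user is an administrator.
DropAdminRights=y
```

Gnosis's right-click "terminate all programs" is the same action as running `Start.exe /terminate_all` from the Sandboxie install directory (`Start.exe /box:WebBox /terminate` for a single box). With AutoDelete=y the box is deleted the moment its last process exits, which is why simply closing the sandboxed browser gave the same result. Note blues's caveat: if you do toggle "Disable Forced Programs" to install a browser update, anything you launch during that window runs on the real system, so re-enable it before browsing again.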
 
