Crypto Trojans and protection - if it bleeds you can decrypt it ...

Hello security friends.

Please no troll comments like 'use Linux/Mac OS' it's not the answer to everything.

​

In the past/now we get a massive attack especially from crypto trojans. If you not know what ransomware is you minimum need to read this.

Here I want to show and inform others how to protect against this (Windows) in a way which should be understandable for everyone. Since ransomeware not want to touch OS related files which would require admin privileges it's pretty dangerous because it runs-out-of-the-box without any UAC prompt. Another dangerous is that the payload changes which means you're AV is pretty useless since an good AV needs around 24-48 hours to update the signatures and then it already was changed so that this is already outdated to the same time you get new signatures.


What you can do?
* Work with ACL (Access Control List) [example given in screenshots to restrict normal executables for a folder]
* Do Offline or cloud based backups
* Show hidden files and extensions to ensure an picture (.jpn/.png/...) is really a picture and not an .exe with an .png overlay icon to fool you.
* Disable files running from AppData/LocalAppData folders and restrict them via secpol.msc (requires Windows Pro/Enterprise).
* Disable RDP (Remote Desktop Protocol)
* Patch and upgrade your software.
* Disconnect from WiFi or unplug from the network immediately
* Filter .exe/.js in your Mail program, most programs have options to do so. Like Thunderbird to disable html/JavaScript view and limit attachment size or disable it.
* Work with VeraCrypt/Bitlocker/.. and ensure after you work is done that you lock the drive so that it not accidentally can be encrypted with Locky and other malware.
* Ensure you use latest Office or alternatives like LibreOffice
* Since I'm not a fan of AV's or such 'solutions' (like Malwarebytes anti-ransomeware) I not recommenced it, due above mentioned reason + it mostly ends up with false positives + it confuses beginners.
* Disable Windows Script Host so that it can not execute the scripts in background.
* I better suggest to work with an VM/Sandbox or and HIPS based firewall like Comodo Firewall to ensure you get minimum an notification or an environment you can work with. Doesn't matter which products you prefer, they working mostly the same by isolating and notifying about xyz threads. Of course for beginners this is difficult because you not know what to allow and what not, so I suggest to start with Sandboxie to in general protect Browser + Mail program.


What if you already infected?
* DO NOT DELETE YOUR DATA! OR PAY FOR IT TO UNLOCK! Don't do it!
* It's depending with which variant you infected, some variants are 'harmless' because Kaspersky and other revealed the keys. E.g. If you got infected with ransomware like Locky, you have a high change to get your data back, they keys are here.
* Kaspersky and others offers some utilities to remove or decrypt ransomware, they are all free avl. over here.
* In case you#re infected with latest TeslaCrypt you maybe never get you're files back because it's currently not possible to decrypt it. But no reasons to delete your files, just wait, maybe someday we get the keys.


[FONT=&amp]Paying the criminals may get your data back, but there have been plenty of cases where the decryption key never arrived or where it failed to properly decrypt the files. Plus, it encourages criminal behavior! Ransoming [/FONT]anything is not a legitimate business practice, and the malware authors are under no obligation to do as promised – they can take your money and provide nothing in return, because there is no backlash if the criminals fail to deliver.


Here is an example to restrict (via ACL) an folder so that you not even or malware can kill your programs and disallow other applications to interference.













[video=youtube_share;nsacrHzUYrY]https://youtu.be/nsacrHzUYrY[/video]
[video=youtube_share;equvK65PakY]https://youtu.be/equvK65PakY[/video]
[video=youtube_share;3YXYnAiSYrY]https://youtu.be/3YXYnAiSYrY[/video]
[video=youtube_share;PyOMKC-h2Ug]https://youtu.be/PyOMKC-h2Ug[/video]


For Petya crypto-trojan:

Code:

bootrec /RebuildBcd
bootrec /fixMbr
bootrec /fixboot

^^ is good enough. As long the second 'wave' not worked, which means entire pc will be encrypted (mostly after a BSOD). If you see after a restart an 'repairing file system C:' dialog, please shutdown the PC immediately! Because at this point your hdd get's encrypted by this malware. Boot into to repairing mode, open notepad via cmd which allows you to browse trought the pc. 'Open file dialog'.


Fake processes via PS:

Code:

# Simulate fake processes of analysis sandbox/VM that some malware will try to evade# This just spawn ping.exe with different names (wireshark.exe, vboxtray.exe, ...)
# It's just a PoC and it's ugly as f*ck but hey, if it works...
# https://gist.github.com/x0rz/e8b36fee33b87aa7e4e5dfd4c0cfc1a6


# Usage: .\fake_sandbox.ps1 -action {start,stop}


param([Parameter(Mandatory=$true)][string]$action)


$fakeProcesses = @("wireshark.exe", "vmacthlp.exe", "VBoxService.exe",
    "VBoxTray.exe", "procmon.exe", "ollydbg.exe", "vmware-tray.exe",
    "idag.exe", "ImmunityDebugger.exe", "idaq.exe", "idaq64.exe", "idaw.exe", "idaw64.exe")


if ($action -ceq "start") {
    # We will store our renamed binaries into a temp folder
    $tmpdir = [System.Guid]::NewGuid().ToString()
    $binloc = Join-path $env:temp $tmpdir


    # Creating temp folder
    New-Item -Type Directory -Path $binloc
    $oldpwd = $pwd
    Set-Location $binloc


    foreach ($proc in $fakeProcesses) {
        # Copy ping.exe and rename binary to fake one
        Copy-Item c:\windows\system32\ping.exe "$binloc\$proc"


        # Start infinite ping process (localhost) - that's kind of ugly
        Start-Process ".\$proc" -WindowStyle Hidden -ArgumentList "-t -4 127.0.0.1"
        write-host "[+] Process $proc spawned"
    }


    Set-Location $oldpwd
}
elseif ($action -ceq "stop") {
    foreach ($proc in $fakeProcesses) {
        Stop-Process -processname "$proc".Split(".")[0]
        write-host "[+] Killed $proc"
    }
}
else {
    write-host "Bad usage: need '-action start' or '-action stop' parameter"
}

Cheers
CK


Research:
* http://www.ghacks.net/2016/03/30/anti-ransomware-overview/
* https://blog.kaspersky.com/cryptolocker-is-bad-news/3122/
* https://support.kaspersky.com/viruses/common/10646
* http://www.howtogeek.com/174343/ran...-is-so-dangerous-and-how-to-protect-yourself/
* www.foolis**t.com/vb6-projects/cryptoprevent/
* https://blog.malwarebytes.org/intelligence/2013/10/cryptolocker-ransomware-what-you-need-to-know/
* http://www.bleepingcomputer.com/new...al-files-and-unmapped-network-shares/#cid1473
* https://www.youtube.com/watch?v=G2sUQFME0bE&feature=youtu.be
* https://thehackernews.com/2016/03/macro-malware-protection.html
* http://0xec.blogspot.de/2016/04/reversing-petya-ransomware-with.html


Decrypters (downloads .exe files to unlocked the specific Ransomeware):
* helpme@freespeechmail.org
* TorLocker
* TeslaCrypt
* CoinVault
* CryptoLocker
* uTorrent decryption keys
* Petya Sector Extractor
* JigsawDecryptor
* Ransomware Removal Kit
* decrypt_autolocky.exe
* Emsisoft Decrypter tools (includes a bunch of decryptors)
* RannohDecryptor (CryptXXX)


Iso (get's regular updates):
* Kaspersky Rescure disk (comes with bunch of tools)


Preventation tools only:
* Trend Micro Anti-Ransomware Tool
* BitDefender Anti-Ransomeware
* Malwarebytes Anti-Ransomeware
* HitManPro Alert
* CryptoPrevent
* AppGuard
* WinAntiRansome


Ransomeware online service (Allows you to upload ransom notes or encrypted file samples to identify the ransomware used to attack you):
* https://id-ransomware.malwarehunterteam.com/index.php


Network based ransomeware attacks (no protection yet, except restricting access):
* Crypto-ransomware has turned every network intrusion into a potential payday

 

Last point of the FAQ 'What types of Remote Desktop connections should I allow?".

Sr, this is not true, this isn't malware which want to change system related files, which means you not need extra privileges. So you not see any UAC or other prompts, I do agree that working with folder restrictions or limited user accounts lowers the surface attack but in this case it is useless. There are also new variants which want to change MBR, then it crashes you're PC to force you to restart and then you see an ASCII picture which introduce you how to pay. This mostly only works in older Systems and then you (in this cases) would require other privileges. The 'normal' Javascript / batch based ransomware I know not need special rights, that's why they are so dangerous together with the fact that the payload changes often. An Firewall will not prevent from been infected in this case, but it would block (if general script hosting is blocked) the payload and then you have a higher change to detect it. As mentioned some firewalls (even free ones) are coming with Sandbox/HIPS based systems (like Comodo) if you set to paranoid, then you need to allow everything manually and if I say everything I really mean everything which changes e.g. registry, scripting related things and more. For beginners I think this is an good option to start with. It requires some work and reading to understand but even you clicked on something dangerous you're mostly secure to go since you get an prompt.

 

I added several decrpytors, most of them are so easy to use that you can download and just execute it if you're infected (just try to boot into Windows live cd or safe mode - if that is locked, just try to boot into console (cmd mode I call that) ... open notepad with it (just type notepad into console) and then you're in ~~> since you can use 'open file' dialog to navigate like within explorer and then you can execute everything normally).

The Petya ransomeware is a bit special, that's why I added the entire article because it's not so easy especially for beginners, so please take your time and read.

In meantime I re-tested all tools, they are all bull*it, I not can say this in other words, because they costs money (most of them) and it's not worth, even the free ones not detect most stuff (or not my tested examples). HitManPro also had several negative side-effects if you use the strongest settings because e.g. some applications needs fronts otherwise they just stop working (if you block external fonts with it). I still think EMET (Microsoft free solution) should be preferred or simply work with ACL and then you're good to go. There is a lot of hype about these tools and it's not worth they promises you a lot but simply click not on everything is a lot of better as possible troubles like you get with such tools.

I not want yet to start a discussion about which tool or not, it's up to you but please keep in mind that Windows itself offers several protection layers and mostly you just can work with them and get the same results. This is also not time consuming because that needs to be only done once. - I will update it as soon I have more time, may a Youtube video is a little bit better - I will think about such thing.

 

I added Emsisoft decryptor tools, it's more a collection/pack which includes the following:

• Decrypter for AutoLocky
• Decrypter for Nemucod
• Decrypter for DMALocker2
• Decrypter for HydraCrypt
• Decrypter for DMALocker
• Decrypter for CrypBoss
• Decrypter for Gomasom
• Decrypter for LeChiffre
• Decrypter for KeyBTC
• Decrypter for Radamant
• Decrypter for CryptInfinite
• Decrypter for PClock
• Decrypter for CryptoDefense
• Decrypter for Harasom

Does't really matter which one you choose e.g. for locky, there exist several solutions which working all the same.

The problem still remains that there (for beginners) are not really an easy solution, I already contacted several AV's and ask them to add maybe an information link or directly something to their solutions to show 'mortals' how to e.g. deal with Windows own mechanism, but I doubt that will be added because otherwise they could not advertise their own products.