What is Deep Freeze and how does it protect against ransomware attacks?

[AliGh]

i woke up this morning i took a look at my computer and i saw a program was open
locker v3.5 ... it said that it had locked my files and it won't let me use them until i pay them with bitcoin
and i took a look it has encrypted all my jpg files
http://s1.upload7.ir/uploads/thumbs/pnh9gd7DRQ8YAAzwMwuETAWCyzPN23Sgf3go6dRN any one has any idea how to take back my files ?
how did this program came to my computer ? i was just downloading some bbc documentries with bittorent

 

[Evo]

You used bittorrent and are surprised? You know it's used to illegally download videos, like those BBC documentaries. And you're surprised you got infected?

 

[AliGh]

You used bittorrent and are surprised? You know it's used to illegally download videos, like those BBC documentaries. And you're surprised you got infected?

im in Iran that's not illegal here ... and i can not purchase them ... there is no other way but to download

 

[Evo]

im in Iran that's not illegal here ... and i can not purchase them ... there is no other way but to download

Bittorrent allows illegal downloads, if the BBC allowed downloads where you are, you would be able to download them directly from the BBC site. Your country may not prosecute illegal downloads, some countries allow their citizens to download illegally without repercussions,that does not make it legal.

For example http://www.zdnet.com/article/downloading-pirate-material-finally-becomes-illegal-in-the-netherlands/

 

[B0b-A]

If the files have actually been encrypted then realistically the encryption cannot be broken.
[ even the police can't crack it ].

Paying the ransom does not guarantee they will provide decryption,
even if the criminals do enable decryption, they could exploit you again in the future if you don't find & remove the malware.
http://www.microsoft.com/security/portal/mmpc/shared/ransomware.aspx

You should have multiple back-ups of all your irreplaceable photos on external-drives and "in the cloud".

[ It's not a question of "if" a data-storage-medium will fail but "when".
Having multiple copies on different media should ensure you always have a copy ].

 

[StevieTNZ]

I feel that if you don't pay, your files will remain encrypted. However even if you do pay there is, as has been mentioned, no certainty they will be unlocked.

You should have security software on your computer that would have stopped such software from infecting your computer. Dodgy torrent files will most likely infect your computer.

 

[AliGh]

I feel that if you don't pay, your files will remain encrypted. However even if you do pay there is, as has been mentioned, no certainty they will be unlocked.

You should have security software on your computer that would have stopped such software from infecting your computer. Dodgy torrent files will most likely infect your computer.

what security software do you recommend ? i have microsoft security essentials now

 

[StevieTNZ]

what security software do you recommend ? i have microsoft security essentials now

I personally use GData Total Protection, but there are many on the market. Look up some reviews and make a judgement call what suits your needs/costs etc.

 

[B0b-A]

what security software do you recommend ? i have microsoft security essentials now

The [crypto]malware can be delivered via a drive-by-download when browsing webpages which include features which use JavaScript or Adobe Flash. The NoScript browser-addon , [free] , can block that sort of thing , [ it reduces the attack surface ]. Such blocking software is a useful addition to anti-virus , but not a substitute for it.

 

[AliGh]

The [crypto]malware can be delivered via a drive-by-download when browsing webpages which include features which use JavaScript or Adobe Flash. The NoScript browser-addon , [free] , can block that sort of thing , [ it reduces the attack surface ]. Such blocking software is a useful addition to anti-virus , but not a substitute for it.

is it really that easy to attack someones computer ?

http://s1.upload7.ir/uploads/thumbs/rAmUXeWPtrR99B2BM3y9Ygrdj3zpHJ62bhNYnzDG

i have these addons should i remove or deactivate them ?

 

[Borek]

Bittorrent allows illegal downloads, if the BBC allowed downloads where you are, you would be able to download them directly from the BBC site.

Yes, bittorrent is quite often used for illegal distribution, but don't link the technology with the piracy. FTP and HTTP protocols can be used for illegal downloads as well. Sigh, there would be no illegal downloads without this internet thing, so perhaps that's where the problem lies? And it is not unheard of that bittorent is used as a way of legal distribution of files. At some point in time Dawkins Christmas lectures on evolution (registered by BBC) were distributed this way (from his foundation site if memory doesn't fail me, so I assume it was perfectly legit).

 

[thankz]

that happened to me once, some ransom ware tried to encrypt my hard drive, windows is the problem when it locks you out of task manager and your forced to reboot only to find some of your files encrypted, it didn't find my external drives(I always have backups) and a rollback fixed the problem, weird thou it went after my music files.

 

[B0b-A]

is it really that easy to attack someones computer ?
http://s1.upload7.ir/uploads/thumbs/rAmUXeWPtrR99B2BM3y9Ygrdj3zpHJ62bhNYnzDG
i have these addons should i remove or deactivate them ?

In that screen-grab, Java , (which is not the same a JavaScript), is disabled by default : you have to give your permission for it to run, so is not a vulnerability if you only allow it to run on sites you trust. However your Flash addon is "always activate", so Flash is a vulnerability.
If you use NoScript you can whitelist sites which are permitted to use Java/JavaScript/Flash ,
all other webpages are blocked from using them by default.

If you are concerned about a webpage try ...
http://www.google.com/safebrowsing/diagnostic?site=physicsforums.com
replace "physicsforums.com" with the site in question.
similarly https://www.mywot.com/en/scorecard/physicsforums.com

 

[Edward Haigh]

Ransomware is not brilliant! Do you have any recovery points or snapshots you can revert back too? Hopefully you made backups of your files in which case reformat your HDD back to factory settings and go from there.

 

[enorbet]

Certainly the best solution is a recent snapshot of your system but if you were doing that it is unlikely you would be posting here so I'm going to offer a possible solution. You can try booting in Safe Mode as it is possible the "encryption" is not really encryption but just some scam that confuses the system as to how to deal with those files with that extension - in this case jpg. A change of attributes can easily cause this. It's difficult to estimate the odds that this is so but it only takes a few minutes to rule this out.

If Safe Mode fails to allow viewing of your jpegs then the next step is to boot from an external source, preferably with some tools handy. I recommend getting the latest version of Hirens Boot CD (last I looked it was 15.2). You download an iso image file and burn image (not copy) to disk and the results is a bootable media, whether USB, CD or DVD.

Upon booting one is greeted by a boot menu. That menu includes a very nice Linux system but also a Windows system based on the perfectly legal PE. Once you get to desktop navigate to your jpegs and see if they function properly. If not right click on one and check "Properties" for attributes and permissions. Obviously they should have at least "Read Only" permissions for any User.

Hirens comes with a few free versions of various AV and Malware scanners and due to the ability to connect to the internet (and the safety from being now an unwritable media) with no persistence, it can download the most recent updates and run them in RAM temporarily. Then you can scan your Windows system from this external, guaranteed clean environment. You will find many other useful tools on the disk including backup and disk cloning..

One caveat! This bootable Hirens media contains extremely powerful tools and you can create havoc if you don't research or already understand how these tools work. As always the only real damage can be to software but it appears as if you have little to lose unless you really imagine these crooks will actually hand over the keys and let you go on your merry way. IMHO under no circumstances should you even respond to these criminals.

FWIW torrents are not intrinsically illegal. Many people and companies use this method to mitigate the impact on bandwidth to any single server. That said one should be careful to verify legality of the specific torrent otherwise one opens the door to ruinous, unsavory elements.

 

[B0b-A]

... I recommend getting the latest version of Hirens Boot CD ... Upon booting one is greeted by a boot menu. That menu includes a very nice Linux system but also a Windows system based on the perfectly legal PE.

The Windows "PE" on Hiren's CD isn't legal ... http://www.bleepingcomputer.com/forums/t/464504/hirens-not-allowed/#entry2800130

 

[rootone]

One point worth mentioning is never to download media files, even if you're quite sure they are legal, if the provider has 'packaged' them as an .exe file.
There is no good reason for a provider to do such 'packaging' other than it's the easiest way to install malwares.

 

[JorisL]

[...]
That said one should be careful to verify legality of the specific torrent otherwise one opens the door to ruinous, unsavory elements.

One million times this, usually infection can be tracked to some "mistake" the user made.
I truly believe a huge part of *ware is "social engineering" (this doesn't do true social engineering justice) were you gain the targets trust.
What can be used for this online?
Things like "I earned $ xxxx using this program last month" are an example probably works well.
Then there's the warez environment and more dangerous, cracks and key generators for illegal software.

Fortunately security programs are quite good nowadays, some even offering to run unknown programs in a sandbox.
On my windowsboxes I use(d) comodo antivirus. At first it will require you to allow quite some programs to run.
However in the 3 years I used it I never had a successful infection (successful for the creator of the malicious code)
And if I can trust http://en.wikipedia.org/wiki/Comodo_Internet_Security#Reviews the recent versions are really quite good.

 

[enorbet]

The Windows "PE" on Hiren's CD isn't legal ... http://www.bleepingcomputer.com/forums/t/464504/hirens-not-allowed/#entry2800130

If you will notice that thread is nearly 3 years old. It is my understanding that while Hirens used to be "greyware" it has not been for awhile at the very least since version 15.2. I suppose this may vary some from one country to the next but in the US it appears to be legal now and is available from common, reputable sites.

If it worries you, build a similar bootable media with BartsPE which has always been legal. That legality was tested and it was found that the Preinstall Environment not only does not qualify for the protections of the full system (it is quite limited and not really useful as a full time system) but also it is expected that it is not likely to be running the full and fully licensed system at the very same time as the PE. In OPs case since he is attempting to fix his fully licensed copy he is well within both the letter and the spirit of the EULA.

 

[Superposed_Cat]

My friend has removed ransom ware from 2 pcs recently because there exists software to remove it specifically. just from googling that exe in your screenshot I got
http://sensorstechforum.com/remove-locker-virus-completely/

 

[ujellytek]

It's a new type of scam. Hackers are using it excessively now.

 

[Electrolyte]

The easiest way to guard your computer...

http://www.faronics.com/products/deep-freeze/standard/

Electro

 

[enorbet]

@Electrolyte - Have you used Deep Freeze? If so I'd like to understand how it is any different than taking a system snapshot with each boot. That it returns to such a state must be modifiable in some way or the system would never save changes. How is this done? What is the discriminating factor? I looked at the website and saw the diagram regarding the allocation table but (naturally) that doesn't explain who or what is the arbiter between what is saved and what is discarded. Can you mention something of your experiences and/or understanding?

 

[Electrolyte]

@enorbet Yes, I've used Deep Freeze before. To sum it up, any program that wishes to make changes to the registry/start up area of the system needs permission from the program administrator to do so. Simple changes to documents, pictures, etc, will be kept on the system even after a re boot. Unless the newer versions have changed, you also had the option to restore the system from a "restore point' like today's Microsoft operating systems. I'd like to think that Microsoft acquired their "restore point" feature because Deep Freeze had it in it's software. Most computer labs use this application, so a hands on demonstration could possibly be found at a local school or university nearby. I find the program well worth the investment.