Things seem to get worse, not better. Ransomware is now the most common form of malware.

Now ransomware will lock your OS, as well as hold your data for ransom, bricking your computer unless you pay.

"In the space of a year, ransomware appears to have evolved on from the simple but effective strategy of locking down the files of infected targets until they pay a ransom, to incorporating additional malicious elements, such as stealing personal or financial data from the victim's system...Now cybersecurity researchers warn that new ransomware features could make life even worse for victims. Rather than just encrypting key files, ransomware could soon infect a computer to such an extent that the only two options available to the user would be to pay, or to lose access to the entire system.

According to the Malwarebytes State of Malware Report 2017, we're likely to see more variants of this type of ransomware, which is designed to modify the infected computer's Master Boot Record, the part of the system which controls the ability to boot into the operating system.

Once modified in this way using malicious code, the system will boot into a lock screen set up by the malware, demanding payment not only to decrypt files but also to restore access to the main operating system. The inability to do anything with the system aside from viewing the ransomware note will only give victims two options: pay up, or have their system wiped completely. It's likely to make ransomware an even more appealing avenue of attack for cybercriminals." - ZDNet

This is noteworthy, as well:

"The attacks against Western targets might not surprise. They are the countries with the most access to technology, and there's also the potential that these states are being targeted for political reasons. The researchers point out that many cybercriminal syndicates work out of Eastern Europe.

"A country that seems to be missing from this list is Russia. This isn't because Russian citizens have a firm grasp on computer security. Rather, it's an indicator that Russian ransomware developers might shy away from targeting their own," the report says." - ibid

I recommend reading the linked article.

I do not recommend paying these criminals because nothing assures you that they won't leave the malware on your computer for subsequent activation. Certainly, never pay by credit card, if you decide to pay despite this warning. After all, are these the people to trust with such info? In the end, it might just be cheaper to buy a new computer.

I also recommend taking the steps necessary to foil or recover from ransomware attacks outlined in my prior articles.

Source:

http://www.zdnet.com/article/ransomware-is-about-to-get-a-lot-worse-by-holding-your-operating-system-hostage/#ftag=CAD-04-10aag0g&bhid=22934121128163694730898056497463

Reply #1

Had one virus trash my computer a few years ago and it couldn't be repaired. Had to buy another. So I've been there and try and watch where I go and what emails I open but that's getting harder to do.

Reply #2

Sadly, such malware can be surreptitiously inserted in elements of very legitimate websites or in the advertising feeds that accompany them and you have no defense unless you have anti-ransomware & anti-exploit software deployed.  I'm using Cybereason RansomFree, MalwareBytes Premium which incorporates both functions and Bitdefender which also has anti-ransomware & anti-exploit modules.

Not sure that's enough.

Reply #3

Quoting Daiwa, reply 2

Not sure that's enough.

With all the variants, the lag in signature updating is impossible to narrow... damned criminals.

Reply #4

Once again....

The absolute very best way to protect your system, yes that means OS (and yes protecting it from yourself) is now and always has been to never ever run any process with privileges it doesn't NEED.

Specifically any application and/or process that may ever come into contact with the internet (ie. browser, email, hell...pretty much any app these days). So....in that vein, USE your system from a heavily restricted account, and only ever break out the admin account when 'modification' of system properties is ABSOLUTELY necessary.

Reply #5

Listen to the_Monk.  Apply his principles.  Live long and prosper.  :thumbsup:

Reply #6

Boot sector viruses.... everything old is new again :p

Reply #7

what the_Monk said and make an external back-up of OS and files. :thumbsup:

ransomware... this world is crazy :S

I actually thought this world would become less and less crazy, but in the last decade craziness skyrocketed...

Reply #8

Quoting the_Monk, reply 4

never ever run any process with privileges it doesn't NEED.

If it were only that simple...how about apps which elevate privileges on installation...paradoxically, antivirals and anti-malware apps. They themselves become the holes in your system.

Reply #9

Quoting DrJBHL, reply 8

Quoting the_Monk, reply 4

never ever run any process with privileges it doesn't NEED.

If it were only that simple...how about apps which elevate privileges on installation...paradoxically, antivirals and anti-malware apps. They themselves become the holes in your system.

Absolutely.  Which is why one should seriously consider the 'need' for any/all apps, as well as additional security software.

Of course that doesn't change the fact that most payloads of malware that can start the delivery/installation process by simply 'touching' infected code via a web resource will in fact not be able to perform their nefarious tasks if you just simply don't 'browse the resource' with elevated privileges in hand.  That alone is a huge step towards keeping your system safe.

Reply #10

What a sad, sad world we live in!  The amount of people trying to do unto others what they wouldn't want done to them is horrendous... and given this latest turn of events, things just seem to be getting worse.  If only these things could be traced back to the source so that appropriate action could be taken.

As for this newer ransomware infecting the MBR, I recall reading something a few years ago about undoing MBR attacks in the BIOS.  Whether that's possible with this new wave of ransomware or not, I don't know, but it's worth looking into.

Also, with the increase in malware and cyber attacks in recent times, the_Monk's advice is spot on.  Surfing the net and checking emails from a non-privileged account is the best protection one can employ.  If you haven't done it as yet, go to Settings > User Accounts and create a new non-privileged account.

Reply #11

Quoting starkers, reply 10

I recall reading something a few years ago about undoing MBR attacks in the BIOS.  Whether that's possible with this new wave of ransomware or not, I don't know, but it's worth looking into.

If only, Mark. The MBR is encrypted, just like data files...which in most cases can't be de-encrypted.

Reply #12

You can also run your browser (and other apps as well) in a sandbox.

Reply #13

Quoting DrJBHL, reply 11

Quoting starkers, reply 10

I recall reading something a few years ago about undoing MBR attacks in the BIOS. Whether that's possible with this new wave of ransomware or not, I don't know, but it's worth looking into.

If only, Mark. The MBR is encrypted, just like data files...which in most cases can't be de-encrypted.

You can actually boot off the windows install disc and replace (not decrypt) the MBR without reinstalling windows. The command for it is different than it used to be the last time I had to do that but it should still be there even in 10.

Of course, that doesn't help unless the OS files themselves are still usable. Not sure if this encrypts those as well or not.

Reply #14

fixboot /mbr  [I think it was]

Reply #15

Quoting kryo, reply 13

You can actually boot off the windows install disc and replace (not decrypt) the MBR without reinstalling windows. The command for it is different than it used to be the last time I had to do that but it should still be there even in 10.

Thanks for the reminder.  It was a while ago so I wasn't 100% sure what the process was, having never had to do it, but that's pretty much what I read back then.  As for still being there in Win 10, I imagine it would be.  It's one thing for MS to remove things like WMP, but this is an important system tool and is likely still there.

I sort of recall [from the same article I think] that a similar thing could be done from the motherboard disc, though again I'm not 100% because my memory isn't what it used to be.

Quoting Jafo, reply 14

fixboot /mbr  [I think it was]

No, not fix /mbr... because it is encrypted.  The command needs to be rebuild /mbr or something like that... new /mbr perhaps.

Okay, just looked it up for Win 10..... c:\boot>bootrec /rebuildbcd

According to this article, that's how it's done in Win 10.  The article also covers the methods for XP; Vista; Win 7; Win 8/8.1

Hope this helps everyone... should it ever be needed.

Reply #16

This won't solve the encrypted file issue but what if you boot to a flash drive and install a new boot record?  At least if you have a backup of your files you can reimage the PC after that.  Or why not simply reimage from the flash drive and a backup disk?

Reply #17

Quoting gevansmd, reply 16

This won't solve the encrypted file issue but what if you boot to a flash drive and install a new boot record?  At least if you have a backup of your files you can reimage the PC after that.  Or why not simply reimage from the flash drive and a backup disk?

Best horse-has-bolted solution is True Image [or equivalent] and a daily incremental backup of your OS.

When you're 'hit' just restore image back to day prior...;)

Otherwise just listen to the_Monk for best advice for avoidance...;)

Reply #18

Quoting Jafo, reply 17

Otherwise just listen to the_Monk for best advice for avoidance.

Yes, I created a non-privileged account to surf the net and check emails.  It wasn't as straightforward in Win 10 as previous Windows editions, but I got there.  There are new and different steps to add another account in Win 10 and you need to record an email address for it.  I didn't want to be bothered with all that so just created a local account instead.
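
The restricted-account setup that the_Monk recommends in reply 4, starkers walks through in reply 10 and reply 18 describes doing in Win 10 can also be done from PowerShell. The script below is an added example, not code from anyone in this thread; the account name `Daily` is an assumption, and it uses the Microsoft.PowerShell.LocalAccounts cmdlets that ship with Windows 10.

```powershell
# Added example (not from any poster in this thread): create a standard, non-admin
# local account for everyday browsing and email, then verify it is NOT a member of
# the local Administrators group. Run once from an elevated PowerShell window.
$DailyUser = 'Daily'   # assumed account name; pick your own

# Prompt for the password instead of hard-coding it in a script.
$Password = Read-Host -AsSecureString "Password for $DailyUser"

if (-not (Get-LocalUser -Name $DailyUser -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $DailyUser -Password $Password `
        -FullName 'Daily use (standard user)' `
        -Description 'Restricted account for browsing and email' | Out-Null
    # A freshly created local user belongs to no group; 'Users' is the
    # standard (non-administrative) group that lets it log on normally.
    Add-LocalGroupMember -Group 'Users' -Member $DailyUser
}

# Check: the daily account must not appear in Administrators.
# Names come back as COMPUTER\user, so keep only the user part.
$Admins = Get-LocalGroupMember -Group 'Administrators' |
          ForEach-Object { $_.Name.Split('\')[-1] }
if ($Admins -contains $DailyUser) {
    Write-Warning "$DailyUser is in Administrators; remove it before using it daily."
} else {
    Write-Host "$DailyUser is a standard user: browse and read email from it."
}

# Also report who you are running as right now and whether the session is
# elevated, so you can tell when you are browsing 'with elevated privileges
# in hand', which is exactly what the_Monk warns against.
$Identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$Principal = [Security.Principal.WindowsPrincipal]$Identity
$Elevated  = $Principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
"Current account: $($Identity.Name); elevated: $Elevated"
```

Log off and sign in as the new standard account for day-to-day use; the original administrator account stays available for the occasions when a system change genuinely needs it.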

Reply #20

Quoting HellPrice, reply 19

I think that only full system backup (OFFLINE) is the best passive protection against ransomware that can save your data/time/money/health.

How many revisions do you keep?  Because if it's less than a week you may want to reconsider.  Here's why.

If I'm a ransomware creator, I know that people are employing tactics to prevent infection by me including everything listed in this thread.  I simply create the 'infection' in stages.  The first program circumvents your security by piggy-backing on the elevated credentials too many people still USE their systems with.  I immediately use those elevated privileges to effectively modify system properties allowing my infection to reside in your system undetected.  Then I wait......maybe a week.......maybe two.  Why?  Because I know by then your backups will have overwritten themselves with new ones including my 'modified version' of your OS.  Then, maybe a week later I progress to stage two, and actually deploy the parts of the malware that will cause damage (ie. encrypt files etc.).  Sure you can go back to an OFFLINE backup.  So what?  I still possess the 'keys to your kingdom' and can re-infect at will.

I am not saying that backups are useless.  Backups are VERY useful.  Just don't over-think what they provide to the end user.  Backups provide a certain level of 'peace of mind'.  Privilege reduction/restriction is the only way to afford real protection especially from ourselves.  ;)

Reply #21

If you get infected with one of these, does it affect separate drives used for files? For example my SSD has windows and my games on it. I have a HDD internal for most pictures and porn. Then i have another external HDD that has the bulk of my pictures, movies and such. 

My solution for viruses has always been to simply drop in my windows disc and reinstall. Will that work in this case and would the virus destroy the other HDD drives or would you still have them and the data on them?

Reply #22

In my experience I have seen it corrupt/encrypt data on any/all connected devices (ie. drives connected via USB as well as including networked resources).

Reply #23

It really depends on the virus. The worst I've probably seen bypassed the surge protector, and fried the computer. 

Reply #24

By now, I was looking forward to flying cars...

Regression is so prevalent I wonder if publishing "Recipes for Bar-B-Q squirrel" wouldn't be more practical...

Reply #25

Here's my 'routine'.

I have the usual - Cybereason Ransomfree, Malwarebytes Pro, Kaspersky.

In addition, I prepare for the worst.

I have Acronis doing daily backups. I also have another set of daily backups going to an Acronis Securezone, which, I'm assured, can only be accessed by Acronis.

I have my programs on an SSD, documents on another drive and several backup drives. I also have another backup drive which is always disconnected.

Once a month I connect the backup drive to copy my files across. The only really 'mobile' files I have are my camera RAW files. Should I have to wipe the drives in between backups, the RAW files are still on the camera (it can store 1100 files).

So, worst case scenario, I get hit and all my drives and data are locked. I can format all the drives and start again. I can load the latest image from the secure zone so my C:/ is back up and running (I could even do a clean install if need be). I can then connect the offline backup drive and copy back my documents.

A bit excessive, but better safe than sorry.