Ransomware Protection Available

Thursday, March 31, 2016 @ 10:03 AM gHale


There is now a way to protect computers from ransomware like CTB-Locker, Locky and TeslaCrypt.

In one case, French cyber security company Lexsi described changes users can make to their computers to prevent Locky infections. These changes can render a computer immune to this particular ransomware. While the techniques work against certain ransomware families, the company said they may not be as effective against newer variants.


Users can improve their computer’s defenses by making a series of minor changes to their systems, Lexsi researchers said.

The changes include creating a specific mutex or registry key, or altering a simple system parameter, provided the modification does not inconvenience the user.

Locky avoids infecting computers that have Russian as the system language, so changing the language would prevent infection, Lexsi’s Sylvain Sarméjeanne said in a blog post. That change, however, is hardly practical for non-Russian users.

What users could do instead is pre-create the HKCU\Software\Locky registry key, which is the first thing the ransomware tries to create on a compromised machine. The malware terminates if the creation call fails. One caveat a practitioner should keep in mind: the Windows RegCreateKeyEx call simply opens a key that already exists, so merely having the key present is not enough; the pre-created key must carry an access control list that denies the user access for the creation call to fail and the malicious application to stop.

Sarméjeanne said Locky also reads four values under that key: id (the computer identifier), pubkey (the public key fetched from the server), paytext (the ransom text displayed to the user, in the system language) and completed. The last marks the end of the encryption process: if completed is set to 1 and id holds the identifier Locky expects for the machine, the malware terminates.

Locky also uses pubkey during encryption, and the encryption process fails if that value is invalid. Moreover, if pubkey already exists the ransomware uses it without verification, so users could force the malware to encrypt with an RSA public key under their control, for which they hold the corresponding private key.
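The three registry-based vaccines described above (pre-created key, completed/id values, controlled pubkey) can be applied together with a script such as the following. This is an added example written for this page; it is neither Lexsi's procedure nor Bitdefender's tool. The registry value types (REG_SZ for id, REG_BINARY for pubkey holding a CryptoAPI PUBLICKEYBLOB, REG_DWORD for completed), the 16-character hexadecimal id format, and the function names are assumptions not stated in the article. The ACL step rests on the Windows API fact that RegCreateKeyEx opens an existing key rather than failing, so only a deny entry makes Locky's creation call fail.

```powershell
# Added example for this page, not Lexsi's procedure or Bitdefender's tool.
# Assumptions (not stated in the article): REG_SZ id of 16 uppercase hex characters,
# REG_BINARY pubkey holding a CryptoAPI PUBLICKEYBLOB, REG_DWORD completed.
# Run as the user whose profile should be vaccinated (the key lives under HKCU).
$ErrorActionPreference = 'Stop'

function Install-LockyVaccine {
    param(
        [string]$KeyPath        = 'HKCU:\Software\Locky',
        [string]$PrivateKeyFile = (Join-Path $env:USERPROFILE 'locky-vaccine-private.blob'),
        [switch]$LockKey        # also deny the current user access to the key
    )

    # 1. Pre-create the key Locky tries to create first.
    if (-not (Test-Path -Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }

    # 2. RSA key pair we control: the public half goes into 'pubkey', the private half
    #    is written to a file to keep offline, so files could be decrypted if encryption
    #    ever ran with this key.
    $rsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider 2048
    [IO.File]::WriteAllBytes($PrivateKeyFile, $rsa.ExportCspBlob($true))   # PRIVATEKEYBLOB
    $publicBlob = $rsa.ExportCspBlob($false)                                # PUBLICKEYBLOB

    # 3. 'completed' = 1 together with a matching 'id' makes Locky believe it already ran.
    $id = -join (1..16 | ForEach-Object { '0123456789ABCDEF'[(Get-Random -Maximum 16)] })
    New-ItemProperty -Path $KeyPath -Name 'id'        -PropertyType String -Value $id         -Force | Out-Null
    New-ItemProperty -Path $KeyPath -Name 'pubkey'    -PropertyType Binary -Value $publicBlob -Force | Out-Null
    New-ItemProperty -Path $KeyPath -Name 'completed' -PropertyType DWord  -Value 1           -Force | Out-Null

    # 4. Optional: make the key unopenable. RegCreateKeyEx on an existing key merely opens it,
    #    so only a deny ACE makes Locky's creation call fail. Once locked, the values above are
    #    unreachable too; the key owner keeps WRITE_DAC implicitly and can undo this with Set-Acl.
    if ($LockKey) {
        $acl = Get-Acl -Path $KeyPath
        $acl.SetAccessRuleProtection($true, $false)          # stop inheriting parent rules
        foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }
        $me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
        $deny = New-Object System.Security.AccessControl.RegistryAccessRule(
                    $me, 'FullControl', 'ContainerInherit', 'None', 'Deny')
        $acl.AddAccessRule($deny)
        Set-Acl -Path $KeyPath -AclObject $acl
    }

    [pscustomobject]@{ Key = $KeyPath; Id = $id; PrivateKeyFile = $PrivateKeyFile; Locked = [bool]$LockKey }
}

# Checks the vaccine the same way Locky would meet it: by opening the key.
function Test-LockyVaccine {
    param([string]$SubKey = 'Software\Locky')
    try {
        $key = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey($SubKey)
    } catch {
        $ex = $_.Exception
        if ($ex -is [System.Security.SecurityException] -or
            $ex.InnerException -is [System.Security.SecurityException]) {
            return $true      # access denied: the key is locked, the stronger state
        }
        throw
    }
    if ($null -eq $key) { return $false }   # key absent: not vaccinated
    try {
        $completed = ($key.GetValue('completed') -eq 1)
        $idOk      = ("$($key.GetValue('id'))" -match '^[0-9A-F]{16}$')
        $pubOk     = (@($key.GetValue('pubkey')).Count -gt 0)
        return ($completed -and $idOk -and $pubOk)
    } finally {
        $key.Close()
    }
}

Install-LockyVaccine -LockKey | Format-List
Test-LockyVaccine
```

Without -LockKey the key stays readable and the values do the work; with -LockKey the deny entry makes the key unopenable, which is what makes the creation call fail but also means the values are never consulted. The private key file must be moved off the machine, since any ransomware that did run with the controlled pubkey would otherwise find its decryption key next to the encrypted files.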

While these operations can keep computers safe from Locky, they require some advanced knowledge to perform, so beginners might not be able to apply the vaccine manually. However, an automated tool that adds this extra protection layer has been released by security researchers at Bitdefender and is now available as a free download.

The operations above specifically target the Locky ransomware, while Bitdefender’s new vaccine tool is currently capable of preventing the CTB-Locker, Locky and TeslaCrypt ransomware families from infecting a system, the company said.