Ransome Ware Question

Posted on 2016-09-14
Medium Priority
Last Modified: 2016-10-01
I have a client with AVG Cloudcare installed with the Crypto Prevent Installed by FoolishIT.com

This client Still got Infected and all files Encrypted...

What Tools are being used out there for the removal of Ransome Ware???

What Software should I use or combo of tools to make sure my clients do not get infected....

Question by:Joseph Salazar
LVL 12

Assisted Solution

by:Gary Dewrell
Gary Dewrell earned 332 total points
ID: 41798644
Number 1 is to make sure you are doing backups!
The simple fact is that most ransomware infections are caused by users clicking on something they should not. It is a training issue.

I am not aware of any product that can prevent ransomeware 100% of the time.

Some other preventative measures.

Don't run users as local administrators
Don't allow applications to run from the temp directories
Don't give users access to network shares they do not need.

I have even gone to the extreme step of blocking all zip attachments into my network.

Again the #1 most important step is reliable backups.
LVL 19

Expert Comment

by:*** Hopeleonie ***
ID: 41798646
There is no best tool. The only thing you need is a valid backup. That is the secret :-)
LVL 97

Expert Comment

by:Lee W, MVP
ID: 41798667
When someone comes up with a solution - FoolishIT or AVG Cloud Care or ANYONE ELSE, it may work great for everything it knows about - but crypto writers get the solution, figure out how to beat it, and release a new one that the old solutions won't stop.  The ONLY 100% way to be safe is with proper backups.
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

LVL 88

Assisted Solution

rindi earned 332 total points
ID: 41798688
Use application whitelisting. That way users can only run software that has been allowed in your environment. Anything else is blocked. Also disable macros in m$ Office (or don't use m$ Office) etc., as a large number of ransomware come as macros.
LVL 57

Assisted Solution

McKnife earned 332 total points
ID: 41798692
You need to understand that foolish IT uses blacklisting. Blacklisting is no appropriate measure. Use applocker whitelisting, no chance for malware. Backups need to be done, anyway, any day.
If you need advice on whitelisting, start by reading tutorials like https://technet.microsoft.com/en-us/library/ee791890(v=ws.11).aspx
Please note that Applocker is an enterprise edition feature but the pro editions can use software restriction policies which are almost the same.
LVL 65

Expert Comment

ID: 41798976
Try running hitman.pro alert to see if other exploit can be detected as probably these are the carrier to ransomware delivered to your machine. Do not run in admin account  as default daily usage as this indirectly give those pesky Ransomware and exploits an easier exploitation attempts. Cryptoprevent should be fine but I suspect the threat has gain privileges via exploited authorised appl and negate the protection. Check the USB drive too.

Consider augmenting existing AV with Malwarebytes Anti-ransomware or Winpatrol Winantiransom. There is also decoy (such as TrapX CryptoTrap) that can be setup to allow time to alert user while the decoys divert the Ransomware doings.
LVL 30

Accepted Solution

Thomas Zucker-Scharff earned 1004 total points
ID: 41799012
Cylance insists they have a 100% stop rate. SentinelOne offers a 1million dollar guarantee.  Backups are still the best protection.
LVL 65

Expert Comment

ID: 41799188
You can also take a snapshot on the advice (https://www.nomoreransom.org/prevention-advice.html) on the nomoreransom website by the consortium of security companies, there is no difference from the expert sharing here and clearly backup is the utmost critical item as part of the preventive action plan - plan for worst case scenario - even paying ransom does not warrant data can be recovered or the malware recurrence will not happen.

there is a list of decryptors (https://decrypter.emsisoft.com/) that you may check out if the variant experience is identified - you an use IDransom (https://id-ransomware.malwarehunterteam.com/) for identification.

Author Comment

by:Joseph Salazar
ID: 41819947
Thanks everyone
LVL 65

Expert Comment

ID: 41825057
Looks like my answers has not been helpful. Thanks.

Featured Post

Upgrade your Question Security!

Add Premium security features to your question to ensure its privacy or anonymity. Learn more about your ability to control Question Security today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

You cannot be 100% sure that you can protect your organization against crypto ransomware but you can lower down the risk and impact of the infection.
Curious about the latest ransomware attack? Check out our timeline of events surrounding the spread of this new virus along with tips on how to mitigate the damage.
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
Suggested Courses

839 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question