Technology in terms you understand. Sign up for the Confident Computing newsletter for weekly solutions to make your life easier. Click here and get The Ask Leo! Guide to Staying Safe on the Internet — FREE Edition as my thank you for subscribing!

Let’s Talk About Ransomware32

Become a Patron of Ask Leo! and go ad-free!

Transcript

Show Transcript

A note on CryptoPrevent and Ransomware32

Whenever I talk about ransomware, I often get comments about CryptoPrevent, a tool designed to prevent malware like ransomware from being able to run, and thus from infecting your machine.

With my expectation that Ransomware32 will make ransomware a tad more common, I was prepared to recommend (or at least mention) CryptoPrevent as an additional layer of security. The technique it supposedly uses seems sound. In fact, it’s so sound, I’m somewhat surprised that other tools, including Windows’ own anti-malware tools, haven’t adopted it or some variation.

In looking at the latest version of the tool and website, I was disappointed at how information about the tool was presented, and in some ways, how little information there was to be had. I don’t recall it being this way in the past, but it appears that while there is a free version, more effort has gone into promoting paid versions than to providing information and support for the average user.

So, I’ll leave it at this, which is pretty much what I’ve been saying all along: use CryptoPrevent if you like, but please don’t let it lull you into a false sense of security. In particular, don’t let your use of this tool keep you from backing up, keeping your other tools up-to-date, and using your own common sense when it comes to malware.

Do this

Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.

I'll see you there!

87 comments on “Let’s Talk About Ransomware32”

  1. I will only open email attachments from specific people & even then we have code words in place to confirm that it is safe to open.

    Reply
    • The big problem: Your most trusted & competent friend might be infected and it may send itself to everyone in his address book. Unless your own anti-malware protects you, you will be infected too.

      Reply
      • “The big problem.” – There is no problem. Ken’s saying that he’ll only open attachments if a) they’re from a known source and b) they contain pre-agreed code words (“I’m a giant mutant hairy-assed hippo!”). It’s a good strategy, albeit not one that would work for everybody.

        Reply
          • Indeed – which is why I said it wasn’t a strategy that would work for everybody. But for somebody who’ll only ever exchange emails/attachments with a small circle of family/friends, it ain’t a bad idea at all.

  2. Thank you Leo for another insightful opportunity. An opportunity to learn that is. Pretty simple instructions but then again so is backing up. One good item with Win 10 is that it gives you an option to back up multiple times a day. Now to train myself to scan any inclosure before I open it! Thanks again.

    Reply
    • Yeah, had I fully recommended CryptoPrevent this is one of the issues I would have had to have explained. In the end it’s interesting for the folks that want to give it a try, but not interesting enough for me to completely endorse it. Issues like this (Dashlane, etc.) don’t help. Thanks.

      Reply
  3. Thanks, as always Leo. It feels so good that staying safe from malware really is pretty easy to do, once we learn what needs to be done and how to do it, and get in the right habits of remembering to do them–which might be a pretty good definition of ‘common sense.’

    Reply
  4. You mention Daily Backup, which is very good, to help avoid consequences of a Ransomware invasion.
    Using Macrium Reflect, which Backup is preferred for this security:
    * Full backup daily?
    * Full backup weekly, then Sequential backup Daily
    * Full backup 2 or 4 weekly, plus Sequential daily?
    Thank you for caring, and sharing your expertise.
    p.s. Love our surprise, the final ‘amazing and wonder daily’ scene, what a view, wow!

    Reply
    • Not sure what you mean by “sequential”. In general I recommend (and perform myself) monthly full and daily incrementals. Naturally that can be adjusted as needs dictate.

      Reply
      • Leo, why does Macrium make the cost of their anti-virus program secret? You have to get all the way to Checkout before you find out how much it costs.

        Reply
        • I didn’t even realize Macrium had an anti-virus program. (But as to the tactic – I have no idea. Other than the generic excuse: “marketing”.)

          Reply
  5. Hi Leo, you talk about ‘common’ sense – I prefer to call it ‘good’ sense because, unfortunately, it ain’t that common!

    Reply
  6. How do you make a backup disk or USB drive that contains all files not just data files.
    The disk should have a menu that has the options of restoring your system before the ransomeware.
    Could you list the instructions in a list format to follow?…..

    and.. once you have been hit by the ransomware, how do you get access to the windows or android tablet system so that you can actually access the backup you made and restore your windows or android system again?

    Is there a test disk out there that can be read at boot up, with the ransomware fix on it?…

    Appreciate your help….
    Thank you for all your helpful articles.

    Pat Corrao
    {email address remmoved]

    Reply
    • That would be by making a system image backup of your computer.
      https://askleo.com/how_do_i_backup_my_computer/

      Ransomware generally allows your system to boot normally, because if you couldn’t run Windows, you wouldn’t be able to pay them. But if you do get locked out, backup programs allow you to create a bootable CD or USB thumb drive which boots a standalone version of the backup program which you can use to restore from your external backup.

      Reply
    • Pat asks, “How do you make a backup … that contains all files not just data files?” That’s called an image backup, and it’s the backup type that Leo recommends.
      “How do you get access … so that you can actually access the backup?” That’s called a emergency or rescue CD or flash drive. One boots off that disk or drive to restore the system if it’s not bootable or is otherwise damaged.
      Every backup program I know of, including the free ones from Windows, Macrium, and Easeus, all have the ability to do image backups and create a rescue disk/drive for emergency restores. Of course, one has to remember to create the rescue disk *before* it’s needed.
      Finally, it really doesn’t matter which one you use as long as you use some method of backup. Something is way, way, better than nothing.

      Reply
    • You asked “How do you make a backup disk or USB drive that contains all files not just data files.”
      I think such a backup is known as an image.
      Check out Macrium Reflect.
      (Refer to Leo’s advice / books about how to use it)

      Reply
  7. I have had one laptop to fix with ransomware – it was brand new and they downloaded their photos to it but did not install antivirus or anti malware – they deleted all photos from the camera and in this first day of use got the ransomware. All I could do was a factory reset on the laptop and then installed the necessary anti’s. Fortunately I was able to recover all their photos from the camera card and explained all about having more than one copy. Great video as usual.

    Reply
  8. I have an internal data drive I use only for backups. Is that at risk of ransomware if the computer gets infected?
    I have been thinking of an external drive for some time now that I would disconnect after each backup.
    Thanks

    Reply
      • External USB 3 drives are as fast as your internal drive. You can get a couple of Terabytes for under $100. Also, look for one with an on/off switch on the back. That makes it very easy to turn it on for your back up and off when done. Ease of use is the most important thing for timely back ups.

        Reply
    • Debra [and anyone else reading this], please do not rely on any internal drives as your ‘backup’ in this increasingly malware infested world. As Mark says, internal drives are vulnerable since malware will typically search for [and encrypt] all the files it can find on any internal [and attached external] drives. You’re only really safe if you backup to an external device [USB drive or USB ‘stick’] that you disconnect except when you’re ‘backing up’.

      Reply
      • And … it is much more likely that a hardware failure could take out not only the working drive, but the “backup” drive at the same time. I’ve had a failed power supply blow out all attached HDs (4 of them at the time) in one swift blow.

        Reply
    • It depends on the ransomware, but the absolute answer is that “yes, any drive connected to your system is at risk”. MOST ransomware encrypts only data files on C:, but variants are appearing that are encrypting data files found on other drives as well – even network connected drives.

      Reply
  9. My laptop became infected with ransom-ware last summer, while I was visiting my daughter in the Pacific northwest. At the time, I was only connected to the internet, not reading my email _or_ web surfing. So, not opening attachments from unknown (or even known) sources won’t protect you. Sorry.

    Reply
      • So would I. I don’t know if it was dormant in the system for some time, or was something that attacked the laptop because it was connected.

        Also, I wasn’t questioning _you_. I was reading the replies and saw one from someone who indicated they didn’t open attachments so they could avoid these. So, I commented that you could get one just by being connected. This happened on July 3rd (or 4th), of 2015.

        To Ray’s comment:
        I do know the laptop had been “goofy” for several months, and had been thru 2 IT folks who tried to fix it. The last one said there was something in there that they couldn’t ID, even with MalwareBytes or one other program. All jpg, pdf, doc, and one or 2 other file types were infected. All the photos were viewable the day before, as I had shown a slide show to my daughter and son-in-law. I still think it was an attack on a connected machine, not an email attachment. I believe all of these were backed up elsewhere.

        Reply
        • ” I still think it was an attack on a connected machine.” – That’s not how Crypto viruses work. In fact, “viruses” is really a misnomer: Cryptos do not replicate or jump between PCs, even if those PCs are on the same network. The only thing a Crypto will do is encrypt files on the PC on which it’s installed and, possibly, files on any directly-attached or network-attached storage devices. The ONLY way to get a Crypto are 1) via an infected email attachment (very common) or 2) via drive-by download (much less common).

          Reply
    • “At the time, I was only connected to the internet, not reading my email _or_ web surfing.” – But that’s probably not the time your PC became infected. Some Crypto viruses work on a fuse/delayed start basis and their encryption processes do not begin until a certain time/date. Additionally, Crypto viruses do not alert you to their presence until all your data has been encrypted which, depending on how much data you have and how long your PC spends on, could take days or even weeks.

      It’s almost a sure-thing that you picked up the virus from an email attachment. As far as I know, Crypto viruses do not spread in any other way. Not at the moment, anyway.

      Reply
  10. Leo,

    Thank you for the (once again) level-headed discussion of an important topic, and your continuing emphasis on common sense is very gratifying as it acknowledges that technology alone cannot manage all possible risks – personal judgment and intelligent thinking are just as important.

    Would appreciate your thoughts about ransomware possible being executed through documents that are transmitted via file-sharing providers like Dropbox and SendBigFiles, which give you links to download files rather than sending emails with attachments. Is using these providers safer because the files are not attachments to emails?

    Thanks again.

    Reply
    • There’s really no difference in how you download a file. Malware is malware regardless of how you invite it in to your computer. Email may even be slightly safer as email service providers like GMail won’t send emails which contain executable files (this is not surefire as there are many executables which which might get through).
      One extra layer of protection is to set your File/Windows Explorer to view file extensions. Make sure ‘Hide extensions for know file types’ is turned off. This will allow you to see if an attachment or a downloaded file is actually a program and should never be opened on unless you know for sure you were expecting to get that program. This article explains how to change this Windows default setting.
      https://askleo.com/one_change_you_should_make_to_windows_explorer_right_now_to_stay_safer/

      Here is a list of file extensions for executable files (it’s not comprehensive, so I’d recommend only opening files with extensions you are sure of: documents, picture, videos etc)
      http://pcsupport.about.com/od/tipstricks/a/execfileext.htm

      Reply
    • No, they could be used for virus transmission. Basically any means of getting a file onto your machine could be used. (But you would have to run or open the file – its mere presence isn’t enough.)

      Reply
  11. You mentioned that ransomware “…sometimes encrypts…files on connected (i.e. external) drives”.
    So if your backup image has been written to a connected (external) drive, then your backup image is safe from ransomware only if you disconnect the connected (external) drive after the connected drive contains your backup.
    I’ve been using Macrium Reflect to write an image file each evening, saving it to a 1 TB external drive.
    Macrium is set to limit the number of images to 14, so each evening the oldest image is deleted.
    Then each evening I copy the latest image file to a second 1 TB external drive.
    The 1st external drive remains connected to my laptop, but I disconnect the second drive.

    Reply
    • Ron; the point to consider as part of your ‘data protection’ is that if YOU [that is, your Windows system] can see the drives, because they’re connected and they have a drive letter, then so can any malware, whether it’s the specific ransomware Leo mentions above or any other malware. Thus, ANY drive, internal, external or network connected, is at risk …

      You can only BE SURE that it’s not affected is by making sure it’s disconnected!

      Reply
  12. Sandboxing is another layer of defense. I run my browser in a Sandboxie sandbox, and read my mail in the browser. Theoretically, even if I did open a malware attachment, the malware would only encrypt my files within the sandbox. Delete the sandbox, and poof, malware gone and files not encrypted.

    Would not recommend this as the only layer of defense, of course. Still use EaseUS ToDo, Crashplan, Avast, and Malwarebytes as other layers of security/backup. Oh, and common sense. :)

    Reply
  13. Leo,

    Do you know anything or can you comment on Malwarebytes Anti-Exploit Free. It is described as “Blocks unknown and common exploit kits, including Blackhole, Sakura, Phoenix, and Incognito”. Since you mentioned that Ransomeware32 was made using an exploit kit I wondered if Anti-Exploit would be of any benefit.

    Great job on this topic as usual.

    Reply
    • “Since you mentioned that Ransomeware32 was made using an exploit kit I wondered if Anti-Exploit would be of any benefit.” Malwarebytes Anti-Malware may detect/block it; Malwarebytes Anti-Exploit likely would not. Crypto viruses (currently) spread via email attachments/user action, not by exploiting vulnerabilities/exploits. That could,, of course, change – and more than likely will.

      It’s important to remember that Crypto viruses are changing all the time, with new variants constantly being released – and the security companies are constantly playing catch-up. Security programs may catch a Crypto virus, or it may not. There’s not way to tell. Consequently, security software should be viewed very much as a second-line of defense. The first – and best – line of defense is the user.

      Reply
      • Agreed, but this user has the usual human frailties (perhaps more owing to advanced age) and needs as much automated help as he can find.

        Reply
        • That’s a great point. Not every PC needs the same level of security and not every person is equally at risk. For example, if you have sensitive business data on a laptop, encryption is a must. If you use a desktop primarily for gaming and Facebook, then encryption would probably overkill. And the less experienced you are, the more likely it is that you’ll do something silly.

          Security is really a balancing act, and having too much can be as bad as having too little. Encryption is a good example of this. If you don’t know what you’re doing, it’s very easy to permanently lose access to encrypted data (in fact, even if you do know what you’re doing, it’s pretty easy to lose access). Consequently, it’s not something that should be used unless there’s a clear need.

          The simple fact is that any software you install has the potential to causes problems, and this is especially true when it comes to security software. It can impact performance, conflict with other apps or cause weird problems that can sometimes be very difficult to diagnose.

          As I said, it’s a balancing act. You want enough security, but not too much. And how much is too much will not be the same for everybody.

          Reply
          • “And the less experienced you are, the more likely it is that you’ll do something silly. ” Really??? I’m a pretty experienced techie, and I’ve screwed up in ways that a noob couldn’t dream of ;-) .

          • @Mark – Yup, we’ve all had oh-no moments. But the fact remains that the less you know, the more likely you are to make a mistake. The outcomes of some of my home DIY projects are excellent examples of that :P

  14. Thank you, Leo. I hadn’t heard about Ransomware32. And I’ve been BusyBusyBusy and have only been backing up about every 10 days. I’m going to do better!

    btw, I’m also interested in H Davis’ question about Malwarebytes Anti-Exploit. I’m using the Premium version. I feel safer with it running, but I hope it’s giving me more than just a feeling of safety :)

    Reply
    • “I feel safer with it running, but I hope it’s giving me more than just a feeling of safety.” – Malwarebytes is a good company, so I’m sure that Anti-Exploit does exactly what it says on the tin. The only issue I have with the product is that it doesn’t seem to have been subject of any non-sponsored third-party testing and, consequently, it isn’t clear how good it actually is at blocking the real-world exploits. Will your PC be significantly more secure with it installed than without? I really have no idea. That said, it’s probably not worth using Anti-Exploit if you’re already running a security program that offers exploit protection, such as certain products from Kaspersky, ESET and Bitdefender. In fact, in this situation, it’d probably be best not to use Anti-Exploit.

      My personal opinion, FWIW, is that if you and other users of the PC exercise common-sense – in other words, exercise extreme caution with email, avoid crappy freeware/freeware sites and avoid the darker side of the internet – then the protection provided by Windows Defender is good enough that you don’t need to use/buy other security solutions. Plenty of people will, of course, hold a different opinion.

      It’s worth noting that security programs are always something of a trade-off. They may improve the security of your PC, but they may also cause stability issues or other problems. For example, the latest update to Anti_exploit fixed conflicts with Microsoft Office, some popular banking software plugins and other security products.

      Reply
  15. Excellent heads up, Leo.

    My external (USB 3.0) HDD is hard to reach and thus physically disconnect and reconnect after and before every (nightly) scheduled Macrium Reflect image backup. If I use “Safely Remove Hardware” in Windows 7 to unmount it, will that adequately protect it from ransomware? And, if so, is there a way to remount it without having to physically unplug and replug its USB connector. Even better would be a batch file or app that would automate that mount/unmount process just prior to and after each backup.

    Reply
  16. Thank you Leo for this most informative video about ransomware32.

    Here is what I do to protect myself from ransomware or from the almost inevitable hard drive failure

    1-My main drive (C: ) is a Samsung 850 Evo 250GB. It contains my OS and all installed programs. Nothing else.

    2- A full backup image of my main drive is done AUTOMATICALLY weekly on every Saturday with Macrium Reflect v.6. I do not have to think about doing anything. The backup is pre-programmed in Macrium Reflect and gets carried out automatically in the middle of the night while I am sound asleep. The resulting image goes into a folder named “My Images” on a second drive (F:) inside my PC. Drive F: also contains my data files (photos, documents, music etc…). Anything I want to save is stored on drive F:. Drive F: capacity is 1TB. I keep about 6 full images of my drive C:.

    3- Drive F: is then synchronized to another drive (G:), that is also inside my PC. It is synchronized with the software Goodsync. Drive G: capacity is also 1TB. At this point, G: contains all my personal files and all weekly images of my Drive C:. This synchronization is done daily to make sure file additions or deletions are picked up in the backup operation.

    4-Given that ransomware can encrypt all drives connected to my PC, I need to have everything on a drive THAT IS NOT connected to my PC. For this purpose , I use an external drive (W:). Goodsync synchronizes daily drive G: to this external drive THAT GETS DIOSCONNECTED from my PC after the synch job is carried out.

    If ransomware strikes or if a drive in my PC dies, I have my back covered.

    All this seems very time consuming at first glance but it is not. It only requires a few minutes of my time every day because Goodsync only copies new files and deletes files previously deleted from drive G:. It is a synchronization software.

    Well worth a few minutes a day in order to sleep well at night.

    Reply
    • Best practice is to adopt the frequently recommended 3-2-1 backup strategy: 3 copies of your data on 2 different devices/medium with 1 copy being offsite. That offsite copy can help protect your data against things like fires, floods, theft, power surges that occur at a times when all your devices happen to be connected, etc., etc. If all copies of data are held onsite, you’re vulnerable.

      http://www.hanselman.com/blog/TheComputerBackupRuleOfThree.aspx

      Reply
  17. I wonder if a backup system that uses and external disk is safe from Ransomware. I have Acronis True Image 2015 – paid version, and do a full backup once a month and an incremental daily. Can Ransomware get to that backup? It is, in reality, just another disk in my system.

    Reply
    • Maybe, maybe not. There’s at least one variant that attempts to delete backup files in order to prevent restoration. The best advice is to supplement your local backup with online/cloud backup.

      Reply
    • Yes and no. Here’s the deal: newer forms of ransomware are, indeed, encrypting files on all drives, including backup drives. BUT, they’re not encrypting ALL files. Ransomware focuses on common data files like “.doc”, “.jpg”, “.xls” and so on. To the best of my knowledge they are not (yet) encrypting backup image files.

      Reply
      • That’s a pretty big yet. I remember when ransomware was not YET encrypting external drives. As a preemptive measure, I’d prepare for the worst.

        Reply
        • I totally agree. Targeting image backup files would seem to be a very logical progress and I’m surprised it hasn’t already happened.

          Reply
  18. “backing up, keeping your other tools up-to-date, and using your own common sense when it comes to malware.” that’s about your BEST defense against these bloody things. they’re actually very easy to avoid (and/or deal with) if you do this.

    Reply
  19. One final though very thin layer of defense against malware is to re-enable the hated user account control (UAC) option that dates to the Windows Vista days. It at least gives one a second or two to stop and look at the name of the program and to reconsider opening it before automatically hitting the ENTER key. As one of the articles in the January PCMATIC newsletter reminds us, the human factor is the weakest link of all in PC security.

    Reply
  20. Having read the comments about the risk of infection downloading from a file shearing sites (the answer it which I thought was pretty obvious) how about streaming from these sites, as the data is just being read from a temp file and not stored is there any risk of infection from streaming, is it possible to to hide an .exe within video streaming data.

    Reply
  21. This afternoon I went to my Windows 7 computer and typed in a web address and up popped a blue screen and a message that my computer was infected with malware. There was also an official sounding verbal message telling me I needed to call a particular phone number. I shut down the computer. The computer needed to update before shutting down. Is this an example of ransomware?

    Reply
    • No, this was a phishing scam. If you’d phoned the number, they’d have charged you to remove the supposed malware. It’s really no different to the “Your computer is infected” telephone scams. Chances are you mistyped the address of the site you wanted to visit (“AksLeo.com” instead of “AskLeo,com”, for example) and ended up at the rogue/scam site. Anybody and everybody visiting the site would have seen that message. It doesn’t mean your computer is or was infected.

      But what do you mean when you say, “The computer needed to update before shutting down.” Was it simply a standard Windows Update?

      Reply
  22. If you have some kind of secondary device for booting, USB, DVD, etc., have you tested it? Many are religious about backups, but don’t really know if they work. My Dell laptop will NOT boot to a secondary device until first changing some settings inside windows. The old days of using F8 to change boot sequence are gone. Suggest testing your backup boot device.

    Reply
    • Great advice. It’s best to understand how to restore a backup before you need to do it – especially as, come that time, you may have lost access to the only device that enables you to search the web!

      Reply

Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.