Users can now “vaccinate” their computers to prevent getting infected by a series of ransomware families, including CTB-Locker, Locky and TeslaCrypt.
Last week, French Cybersecurity company Lexsi detailed some of the operations that users could perform on their computers to prevent possible Locky infections. They call these operations a “vaccine,” as they are meant to render the computer immune to this type of ransomware, though the company says the methods won't work against some newer variants.
According to the security company, users can improve their computer’s defenses by making a series of minor changes to their systems. These include the creation of a specific mutex or registry key, or the changing of a simple system parameter, as long as the modification does not create an inconvenience to the user.
Lexsi’s Sylvain Sarméjeanne notes in a blog post that Locky avoids infecting computers that have Russian as the system language, and that modifying the language would prevent infection. However, that change would certainly not be feasible for non-Russian users.
However, what users could do is to create the HKCU\Software\Locky registry key, which is the first thing that the ransomware tries to create on the compromised machine. The malware terminates if the creation process fails, and having the registry key already present on the computer ensures that the malicious application is not executed.
Sarméjeanne explained that Locky also checks the key for the id (computer identifier), pubkey (public key fetched from the server), paytext (text to be displayed to the user, in the system language) and completed values. The latter indicates the end of the encryption process and, if it is set to 1 and if the id value contains the correct identifier, it terminates execution.
It was also discovered that Locky uses the pubkey during the encryption process and that this process fails if the pubkey value contains an invalid value. Moreover, if the pubkey exists, the ransomware uses it without prior verification, meaning that users could force the malware to use a public RSA under their control, for which they have the corresponding private key.
While these operations might keep computers safe from Locky, they do require some advanced knowledge when performed, meaning that beginners might not be able to apply the vaccine manually. However, an automated tool to help users add the extra protection layer to their machine was released by security researchers at Bitdefender, and is now available as a free download.
The above operations are specifically targeting the Locky ransomware, while Bitdefender’s new vaccine tool is currently capable of efficiently preventing the CTB-Locker, Locky and TeslaCrypt ransomware families from infecting a compromised system, the company says.
The tool builds on the success of the previous vaccine for CryptoWall, which was retired last week, as it was no longer efficient in offering protection, because of the latest updates in the targeted ransomware. Bitdefender told SecurityWeek that the new vaccine is picking up steam at the moment, and that they are waiting to see how the targeted malware evolves to learn whether it requires any modification.
“The new tool is an outgrowth of the Cryptowall vaccine program, in a way. We had been looking at ways to prevent this ransomware from encrypting files even on computers that were not protected by Bitdefender antivirus and we realized we could extend the idea,” Chief Security Strategist Catalin Cosoi explained in a blog post.
Bitdefender wouldn’t share details on how their tool works, and for good reason: they don’t want the bad guys to learn what they need to change in their malware to circumvent protection.
Using a recent and up to date version a reputable antivirus product will help protect against most common ransomware attacks. However, with more variants emerging, keeping a backup of your files in a locaiton that is not connected to your system can help you recover in the event one of these nasty variants locks your files.