Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

“Vaccine” Available for CTB-Locker, Locky, TeslaCrypt

Users can now “vaccinate” their computers to prevent getting infected by a series of ransomware families, including CTB-Locker, Locky and TeslaCrypt.

Users can now “vaccinate” their computers to prevent getting infected by a series of ransomware families, including CTB-Locker, Locky and TeslaCrypt.

Last week, French Cybersecurity company Lexsi detailed some of the operations that users could perform on their computers to prevent possible Locky infections. They call these operations a “vaccine,” as they are meant to render the computer immune to this type of ransomware, though the company says the methods won’t work against some newer variants.

According to the security company, users can improve their computer’s defenses by making a series of minor changes to their systems. These include the creation of a specific mutex or registry key, or the changing of a simple system parameter, as long as the modification does not create an inconvenience to the user.

Lexsi’s Sylvain Sarméjeanne notes in a blog post that Locky avoids infecting computers that have Russian as the system language, and that modifying the language would prevent infection. However, that change would certainly not be feasible for non-Russian users.

However, what users could do is to create the HKCUSoftwareLocky registry key, which is the first thing that the ransomware tries to create on the compromised machine. The malware terminates if the creation process fails, and having the registry key already present on the computer ensures that the malicious application is not executed.

Sarméjeanne explained that Locky also checks the key for the id (computer identifier), pubkey (public key fetched from the server), paytext (text to be displayed to the user, in the system language) and completed values. The latter indicates the end of the encryption process and, if it is set to 1 and if the id value contains the correct identifier, it terminates execution.

It was also discovered that Locky uses the pubkey during the encryption process and that this process fails if the pubkey value contains an invalid value. Moreover, if the pubkey exists, the ransomware uses it without prior verification, meaning that users could force the malware to use a public RSA under their control, for which they have the corresponding private key.

While these operations might keep computers safe from Locky, they do require some advanced knowledge when performed, meaning that beginners might not be able to apply the vaccine manually. However, an automated tool to help users add the extra protection layer to their machine was released by security researchers at Bitdefender, and is now available as a free download.

Advertisement. Scroll to continue reading.

The above operations are specifically targeting the Locky ransomware, while Bitdefender’s new vaccine tool is currently capable of efficiently preventing the CTB-Locker, Locky and TeslaCrypt ransomware families from infecting a compromised system, the company says.

The tool builds on the success of the previous vaccine for CryptoWall, which was retired last week, as it was no longer efficient in offering protection, because of the latest updates in the targeted ransomware. Bitdefender told SecurityWeek that the new vaccine is picking up steam at the moment, and that they are waiting to see how the targeted malware evolves to learn whether it requires any modification.

“The new tool is an outgrowth of the Cryptowall vaccine program, in a way. We had been looking at ways to prevent this ransomware from encrypting files even on computers that were not protected by Bitdefender antivirus and we realized we could extend the idea,” Chief Security Strategist Catalin Cosoi explained in a blog post.

Bitdefender wouldn’t share details on how their tool works, and for good reason: they don’t want the bad guys to learn what they need to change in their malware to circumvent protection.

Last November, Bitdefender security researchers released a decryption tool for the Linux.Encoder1< /a> ransomware after discovering a flaw that allowed them to recover the files held for ransom for free.

Using a recent and up to date version a reputable antivirus product will help protect against most common ransomware attacks. However, with more variants emerging, keeping a backup of your files in a locaiton that is not connected to your system can help you recover in the event one of these nasty variants locks your files. 

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cybercrime

As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.

Cybercrime

Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.

Cybercrime

Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Cybercrime

Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.