Cryptolocker Ransomware threat

RonC
Posts: 245
Joined: Thu Jul 27, 2006 2:07 pm
Location: Funchal, Madeira

Post by RonC » Sun Oct 27, 2013 12:38 pm

I see there's only one post on this term, and that's hidden away in Anything Else -- a discussion between perhaps three forum members, who mutually decide they really don't know what to do about it.

:?: Because Cryptolocker Ransomware has recently become a very hot topic, has anyone actually tested this against Sandboxie? Is there any special configuration advice to make certain Sandboxie users have maximum protection?

P.S.: General knowledge is that the user has to 'run' an executable to install it, but one report said a 'cracked' web site may infect a user who simply clicks on a link.
RonC
Windows 7 Pro SP1 (32-bit)

Peter2150
Posts: 879
Joined: Tue Mar 27, 2007 9:46 pm
Location: Washington DC

Post by Peter2150 » Sun Oct 27, 2013 3:53 pm

As long as it executes in the sandbox you should be fine. I have tested other variations of this kind of malware in the past and what happens is it runs, but writes the encrypted files in the sandbox. They are deleted when you delete the sandbox.

Pete

RonC
Posts: 245
Joined: Thu Jul 27, 2006 2:07 pm
Location: Funchal, Madeira

Post by RonC » Sun Oct 27, 2013 6:20 pm

Peter2150 wrote:... it runs, but writes the encrypted files in the sandbox. They are deleted when you delete the sandbox.
Pete
Thanks, Pete!

Were you doing a test with just a few data files, perhaps in a virtual machine, to see where the encrypted files were written? Or, was it on a system with many, many data files, large enough to fill the sandbox and more?

If yes, do you recall what happens, at that point? Does the malware halt until more space is created?
RonC
Windows 7 Pro SP1 (32-bit)

Peter2150
Posts: 879
Joined: Tue Mar 27, 2007 9:46 pm
Location: Washington DC

Post by Peter2150 » Sun Oct 27, 2013 7:56 pm

RonC wrote:
Peter2150 wrote:... it runs, but writes the encrypted files in the sandbox. They are deleted when you delete the sandbox.
Pete
Thanks, Pete!

Were you doing a test with just a few data files, perhaps in a virtual machine, to see where the encrypted files were written? Or, was it on a system with many, many data files, large enough to fill the sandbox and more?

If yes, do you recall what happens, at that point? Does the malware halt until more space is created?
There is a limit on the size of the file copied, but I don't believe there is a limit on how much data is in the sandbox.

RonC
Posts: 245
Joined: Thu Jul 27, 2006 2:07 pm
Location: Funchal, Madeira

Post by RonC » Mon Oct 28, 2013 10:42 am

OK, thanks!

I think - the conclusion is, in summary, Cryptolocker will do no more than fill the sandbox with encrypted files, to be discarded when the box is emptied, leaving the originals intact.

:D Then, Sandboxie provides total protection against Cryptolocker

-- until we hear from Tzuk, to say otherwise. Or to say, the Configuration File needs special settings to make sure.
RonC
Windows 7 Pro SP1 (32-bit)

tzuk
Sandboxie Founder
Posts: 16076
Joined: Tue Jun 22, 2004 12:57 pm

Post by tzuk » Mon Oct 28, 2013 2:11 pm

I don't have first hand experience with ransomware but reports I've heard so far are in line with what Pete said, encrypted copies of files are placed in the sandbox, but original copies outside the sandbox are untouched. That is of course with default settings, as files to which there is direct/full access may indeed be modified outside the sandbox.
tzuk

Peter2150
Posts: 879
Joined: Tue Mar 27, 2007 9:46 pm
Location: Washington DC

Post by Peter2150 » Mon Oct 28, 2013 2:57 pm

One other point. I keep all important documents in My Documents and all my sandboxes block access to that area.

The other obvious thing is all the important documents are backed up in several different ways.

Pete

Blues
Posts: 214
Joined: Sun May 10, 2009 7:37 pm
Location: Blue Ridge Mtns

Post by Blues » Mon Oct 28, 2013 3:03 pm

Peter2150 wrote:One other point. I keep all important documents in My Documents and all my sandboxes block access to that area.

The other obvious thing is all the important documents are backed up in several different ways.

Pete
+1, Pete. And in the one sandbox where I do allow access to such documents, for word processing etc., I do not allow internet access by any program, nor is any other program allowed to start/run.
(And of course I keep updated images of my hard drive just in case.)
Blues

Real-Time: Sandboxie (Lifetime), Online Armor Premium, Webroot SecureAnywhere AV

On Demand: Shadow Defender, MBAM Pro, HitmanPro, Drive Snapshot / Macrium Reflect

bs1
Posts: 565
Joined: Fri May 16, 2008 12:32 pm

Post by bs1 » Mon Oct 28, 2013 4:01 pm

I used to block access to My Documents. But anymore my preference is to use Write-Only Access. For my purposes, it accomplishes the same thing in terms of keeping spying eyes away from personal information, but doesn't interfere with my testing of sandboxed software like Block Access occasionally did.

ad18888
Posts: 68
Joined: Sat Jan 19, 2013 1:37 pm

Post by ad18888 » Mon Oct 28, 2013 5:43 pm

I think the trick is to not allow programs access outside Sandboxie.

bs1
Posts: 565
Joined: Fri May 16, 2008 12:32 pm

Post by bs1 » Mon Oct 28, 2013 10:23 pm

ad18888 wrote:I think the trick is to not allow programs access outside Sandboxie.
No, the trick is layered protection. Restricted access + write only (or blocked) access + Dropped Rights as appropriate.

PepC4U2
Posts: 139
Joined: Wed Sep 18, 2013 3:06 am

Post by PepC4U2 » Wed Nov 06, 2013 11:39 pm

A mention of Sandboxie and cryptolocker. (59:20 mark in video)

http://twit.tv/show/security-now/429

Good news!
Sandboxie

SuffolkPunch
Posts: 27
Joined: Mon Dec 01, 2008 5:24 am
Location: UK

Post by SuffolkPunch » Sat Nov 16, 2013 11:55 am

tzuk wrote:I don't have first hand experience with ransomware but reports I've heard so far are in line with what Pete said, encrypted copies of files are placed in the sandbox, but original copies outside the sandbox are untouched. That is of course with default settings, as files to which there is direct/full access may indeed be modified outside the sandbox.
So, if office-outlook has been given direct access to a mail folder outside the sandbox it's running in, and I click on a link in an email that then launches cryptolocker in the sandbox, does cryptolocker also have direct access to the mail folder outside the sandbox?

Guest10
Posts: 5124
Joined: Sun Apr 27, 2008 5:24 pm
Location: Ohio, USA

Post by Guest10 » Sat Nov 16, 2013 2:41 pm

SuffolkPunch wrote:
tzuk wrote:...encrypted copies of files are placed in the sandbox, but original copies outside the sandbox are untouched. That is of course with default settings, as files to which there is direct/full access may indeed be modified outside the sandbox.
So, if office-outlook has been given direct access to a mail folder outside the sandbox it's running in, and I click on a link in an email that then launches cryptolocker in the sandbox, does cryptolocker also have direct access to the mail folder outside the sandbox?
The direct access template for Outlook specifies that only outlook.exe has direct access to the folder outside of the sandbox.
So unless you set up your own Direct Access setting to the folder, and you did not specify that the direct access applies only to "outlook.exe", then no other .exe program using that sandbox can use the Direct Access setting.
Examples:
OpenFilePath=(Outlook's mail folder)
All programs have direct access since no program name was specified in the setting.

OpenFilePath=outlook.exe,(Outlook's mail folder)
Only outlook.exe has direct access to the folder.
This is the way the Sandboxie template for Outlook is written. No other .exe program has Direct Access to the folder.
Paul
Win 10 Home 64-bit (w/admin rights) - Zone Alarm Pro Firewall, MalwareBytes Premium A/V, Cyberfox, Thunderbird
Sandboxie user since March 2007
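As an added illustration (not taken from this thread or from the Sandboxie project's own templates), a Sandboxie.ini fragment that combines the layers discussed above: Guest10's program-limited OpenFilePath, Pete's blocked access and bs1's Write-Only Access to documents, bs1's Dropped Rights, and Blues' no-internet rule. The sandbox name, the document paths and the server share are constructed placeholders, and the internet-blocking line assumes the classic \Device\Afd* syntax of Sandboxie 3.x/4.x.

```ini
; Constructed example sandbox; names and paths are placeholders, not a real configuration.
[MailBox]
Enabled=y

; Layer 1: no program inside this sandbox runs with administrator rights.
DropAdminRights=y

; Layer 2: Write-Only Access to the main document folder. Sandboxed programs
; cannot read the real folder; anything they write (including an encrypted
; copy) lands inside the sandbox and is discarded with it.
WriteFilePath=C:\Users\Alice\Documents

; Layer 3: Blocked access to an archive folder that nothing sandboxed needs.
; Neither reads nor writes reach it.
ClosedFilePath=C:\Users\Alice\Archive

; Layer 4: direct access only for the named program. Because "outlook.exe,"
; precedes the path, a malicious .exe launched from a mail link in the same
; sandbox does NOT inherit this exception (compare the unqualified form
; "OpenFilePath=\\SERVERNAME\outlook", which would apply to every program).
OpenFilePath=outlook.exe,\\SERVERNAME\outlook

; Layer 5 (assumed syntax): deny the sandbox's programs any network access
; except outlook.exe, by closing the Winsock device to all other programs.
ClosedFilePath=!outlook.exe,\Device\Afd*

; Empty the sandbox automatically when the last program in it exits, so any
; encrypted copies written there do not linger.
AutoDelete=y
```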

SuffolkPunch
Posts: 27
Joined: Mon Dec 01, 2008 5:24 am
Location: UK

Post by SuffolkPunch » Sun Nov 17, 2013 3:08 am

Guest10 wrote:The direct access template for Outlook specifies that only outlook.exe has direct access to the folder outside of the sandbox.
So unless you set up your own Direct Access setting to the folder, and you did not specify that the direct access applies only to "outlook.exe", then no other .exe program using that sandbox can use the Direct Access setting.
Examples:
OpenFilePath=(Outlook's mail folder)
All programs have direct access since no program name was specified in the setting.

OpenFilePath=outlook.exe,(Outlook's mail folder)
Only outlook.exe has direct access to the folder.
This is the way the Sandboxie template for Outlook is written. No other .exe program has Direct Access to the folder.
Thanks - I have granted direct access to the mail folder outside the sandbox (\\SERVERNAME\outlook) just to outlook.exe. So, I should be protected against cryptolocker.

Incidentally, where does Sandboxie record that OpenFilePath=outlook.exe,\\SERVERNAME\outlook? I can't find it in the C:\Program Files\Sandboxie\template.ini.
(Update: have just found that 'Configure/Edit Configuration' gives access to Sandboxie.ini and it's in there.)
