Cryptolocker ransomware
I just heard of a new type of ransomware called Cryptolocker and I doubt it could leak through SBIE, but I wonder if it's even possible for it to break through the sandbox? On that note, if I understand correctly, a system restore can undo its encryption of your personal files, although I'm not 100% sure about this.
Re: Cryptolocker ransomware
Baldape wrote:
> I just heard of a new type of ransomware called Cryptolocker and I doubt it could leak through SBIE, but I wonder if it's even possible for it to break through the sandbox? On that note, if I understand correctly, a system restore can undo its encryption of your personal files, although I'm not 100% sure about this.

A while back I tested this type of ransomware. If it runs in the Sandbox what will happen is all the files will be encrypted, but the encrypted files will be in the sandbox, and the real ones will be fine. Empty the sandbox and the encrypted ones are gone.
Pete
Baldape wrote:
> But it still begs the question is it possible for a system restore to undo the effects of the malware?

I probably shouldn't say anything, since I'm not really familiar with these ransomware programs, but...
Assuming that you are referring to the System Restore that comes with Windows, then I would say no - it will not help in that situation.
System Restore makes backup copies of files that are deleted, not files that are changed.
Plus, it doesn't even back up all files - just a subset of the files. It depends a lot on the file extension and the folder where the files are located.
For example, folders like 'Temp' or 'Tmp' don't usually contain anything useful, and are always excluded by System Restore. There are also exclusions made on a file extension basis, where files with some extensions are not backed up by SR.
I don't know about Windows versions that are later than XP, but on XP there's a file "C:\WINDOWS\system32\Restore\filelist.xml" that tells System Restore what to include in its backup, and what to exclude.
A hard drive backup program will enable you to recover from ransomware - if you make backups to a different drive.
I use a 1 TB external USB drive for my backups.
Paul
Win 10 Home 64-bit (w/admin rights) - Zone Alarm Pro Firewall, MalwareBytes Premium A/V, Cyberfox, Thunderbird
Sandboxie user since March 2007
Guest10 wrote:
> Baldape wrote:
> > But it still begs the question is it possible for a system restore to undo the effects of the malware?
>
> I probably shouldn't say anything, since I'm not really familiar with these ransomware programs, but...
> Assuming that you are referring to the System Restore that comes with Windows, then I would say no - it will not help in that situation.
> System Restore makes backup copies of files that are deleted, not files that are changed.
> Plus, it doesn't even back up all files - just a subset of the files. It depends a lot on the file extension and the folder where the files are located.
> For example, folders like 'Temp' or 'Tmp' don't usually contain anything useful, and are always excluded by System Restore. There are also exclusions made on a file extension basis, where files with some extensions are not backed up by SR.
> I don't know about Windows versions that are later than XP, but on XP there's a file "C:\WINDOWS\system32\Restore\filelist.xml" that tells System Restore what to include in its backup, and what to exclude.

Yeah I kinda had thought so, oh well what about third party options like AOMEI?
Guest10 wrote:
> A hard drive backup program will enable you to recover from ransomware - if you make backups to a different drive.
> I use a 1 TB external USB drive for my backups.

By the way, this nasty piece of ransomware is able to spread to any drives you have attached to your system at the time of the infection.
Peter2150 wrote:
> Baldape wrote:
> > By the way this nasty piece of ransomware is able to spread to any drives you have attached to your system at the time of the infection.
>
> Not if you block access to those drives via Sandboxie
> Pete

Wow even if you download and recover a file infected with this ransomware SBIE could block from accessing the external drive?
Baldape wrote:
> Peter2150 wrote:
> > Baldape wrote:
> > > By the way this nasty piece of ransomware is able to spread to any drives you have attached to your system at the time of the infection.
> >
> > Not if you block access to those drives via Sandboxie
> > Pete
>
> Wow even if you download and recover a file infected with this ransomware SBIE could block from accessing the external drive?

No, I didn't say that. If the infected file runs sandboxed, SBIE can block it from accessing other drives and/or folders. But if you recover it, which I assume means to take it out of the sandbox, then SBIE is out of the issue, UNLESS you run that program sandboxed, by right clicking it.
Pete
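A Sandboxie.ini fragment for the restriction Pete describes, added here as an illustration and not taken from any poster's configuration. The box name DefaultBox and the drive letters E: and F: are assumptions.

```ini
[DefaultBox]
Enabled=y
# Constructed example: E: is assumed to be the external backup drive.
# ClosedFilePath denies sandboxed programs all access (read and write)
# to paths under the given prefix.
ClosedFilePath=E:\
# A second attached drive, also assumed, blocked the same way.
ClosedFilePath=F:\
```

The setting applies only to programs running inside that sandbox; a file recovered out of the box and started normally is not restricted by it.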
I guess it depends on when you get the infection, and how old your last hard drive backup is.
I try to make weekly backups, so hopefully I would only lose the previous week's changes if I had to restore my hard drive. There are backups from previous weeks too, but restoring one of them is not something that I would prefer to do.
Losing one week's work is bad enough, so I also keep a handwritten log of important updates or uninstalls; paper printouts of product keys and serial numbers; and burn copies of some items to DVD-R.
Paul
Peter2150 wrote:
> Baldape wrote:
> > Peter2150 wrote:
> > > Not if you block access to those drives via Sandboxie
> > > Pete
> >
> > Wow even if you download and recover a file infected with this ransomware SBIE could block from accessing the external drive?
>
> No, I didn't say that. If the infected file runs sandboxed, SBIE can block it from accessing other drives and/or folders. But if you recover it, which I assume means to take it out of the sandbox, then SBIE is out of the issue, UNLESS you run that program sandboxed, by right clicking it.
> Pete

Sorry I misunderstood, it sounded kinda odd. After all SBIE is not a Firewall, but speaking of which I suppose a HIPS program could restrict access to external drives.
And this begs the question, what's the most typical way this type of malware downloads/installs itself? I mean if it's a DBD then we're all 'pretty much' in the clear.