HitmanPro.Alert CryptoGuard prevents files from being taken hostage

Yesterday we released a new build of HitmanPro.Alert (free tool) which includes a universal solution against crypto ransomware like CryptoLocker, Dorifel (aka XDocCrypt) and others.
 
This new feature, called CryptoGuard, monitors the file system for suspicious file operations (CryptoGuard is a driver, installed by HitmanPro.Alert). When suspicious behavior is detected, the malicious code is blocked (write, delete, rename is revoked) and an Alert is presented to the user. So even while ransomware is active, it can't harm your files.
 

 
CryptoGuard works silently in the background at the file system level, keeping track of processes modifying your personal files. CryptoGuard works autonomously, so no user interaction is required.
 
Compared to CryptoPrevent
We've received several questions regarding how CryptoGuard compares to CryptoPrevent. In short, they are totally different. In fact, they can be used to complement each other.
 
CryptoPrevent is a tool that writes 200+ group policy object rules into the registry in order to prevent executables in specific locations from running. Typical locations set by CryptoPrevent are %appdata% and %localappdata%.
 
But malware is not restricted to the above locations. Malware runs as an exploit in your web browser, it can inject itself into running processes (e.g. explorer.exe, svchost.exe, etc.). Malware can copy itself to the desktop or startup folder on your start menu. And so on ...
 
This is where CryptoGuard differs from CryptoPrevent.
 
CryptoGuard doesn't look at where the ransomware is running, it looks at what it is doing to the file system.
 
More information
We've put up a page with more information on our new CryptoGuard feature in HitmanPro.Alert.
Note that HitmanPro.Alert is a separate tool. It is different from the HitmanPro anti-malware application.
http://www.hitmanpro.com/cryptoguard
 
Demonstration video

Lastly, a video says more than a thousand words:

Wondered when someone would get round to detecting this type of behavior. How much write overhead does the driver introduce?

^^^ Ditto...

Up until now I've only heard of infection on a PC that is already part of a botnet, or from a compromised email.  Am I right that in this video the payload is delivered from a web page?

let me know how "user" friendly it is. 

Up until now I've only heard of infection on a PC that is already part of a botnet, or from a compromised email.  Am I right that in this video the payload is delivered from a web page?

 

Well you can get infected by Zbot on pages with exploit kits for Java and/or Flash player and Zbot can download and install CryptoLocker.

Up until now I've only heard of infection on a PC that is already part of a botnet, or from a compromised email.  Am I right that in this video the payload is delivered from a web page?

Certainly appears that way... and it would seem to back up Ratbuddy's claims.  IIRC, he also visited a TV show download website when he got infected....

 

 

 

let me know how "user" friendly it is.

Seems to be running fine so far on my desktop and laptop....(FF).  Got a weird "1053 error" on my laptop, but after reboot all seems to be fine.  Am also running CryptoPrevent 4.0 (autoupdates) on both computers.

Edited by Joe_BubbA, 06 November 2013 - 09:22 AM.

Wondered when someone would get round to detecting this type of behavior.

Actually Emsisoft Anti-Malware has been detecting this behavior for a while now.

Please let me [ us ] know more about "your" program.
.
As it stands now ...... when I click your posted link it attempts to take me to another website.
.
So until I can find the time to research your info,

 

I will watch your progress from here.

.

@ erikloman

I have moved this topic to a more appropriate area.

Also please read this: Announcement: Product Topics and how to create them

 

Up until now I've only heard of infection on a PC that is already part of a botnet, or from a compromised email.  Am I right that in this video the payload is delivered from a web page?

Certainly appears that way... and it would seem to back up Ratbuddy's claims.  IIRC, he also visited a TV show download website when he got infected....

 

 

 

 

Nope, I didn't get infected. My mom's computer did, and I'm not sure where it came from. Well, I'm sure it came from her having Java 1.6 patch 11 or so installed, but I don't know what site infected the computer. She helpfully decided to clear the browser history and temporary files two days before the Cryptolocker message came up. She didn't have any email attachments, and she uses Gmail anyway, which I think blocks executable files.

Erik can you tell me more about Hitman.Alert and how CryptoGuard is part of it? Are they the same thing or is CryptoGuard a program under the Hitman.Alert umbrella?

Erik can you tell me more about Hitman.Alert and how CryptoGuard is part of it? Are they the same thing or is CryptoGuard a program under the Hitman.Alert umbrella?

 

HitmanPro.Alert is our free tool (1.8MB) that alerts the user when banking malware has compromised their web browser.

 

We've added CryptoGuard as a feature to this tool/platform since Alert already provides an alerting mechanism to the end user. Technically, CryptoGuard is a filter driver that is installed by HitmanPro.Alert. For reference, Process Monitor (Sysinternals) also uses a filter driver to monitor file system events.

 

Past months we received an increasing number of reports of computers being infected with crypto ransomware while there was no real solution other than keeping your AVs up-to-date. We all know how good they work against zero-day attacks: it varies a lot.

 

We decided to take a different approach (blocking the right binaries is really hard) and came up with CryptoGuard. Instead of looking at the binary, look at what it is doing.

 

So yes, CryptoGuard is a feature under the HitmanPro.Alert umbrella.

Edited by erikloman, 06 November 2013 - 05:22 PM.

OK thanks. So if they install this software they not only gain the benefit of the cryptoguard but of the banking malware alerts?

OK thanks. So if they install this software they not only gain the benefit of the cryptoguard but of the banking malware alerts?

 

Yes. Alert will warn immediately when it sees that critical web browser APIs (like cryptography and network APIs) have been compromised by banking malware like Zeus, SpyEye, Sinowal (aka Mebroot and Torpig), Citadel, Cridex, Carberp, Shylock, Tinba, etc.

 

In addition Alert vaccinates the computer by setting a few markers that some malware families look for when infecting a computer. With these markers the computer looks like a research computer and some malware families won't deploy. See also this article: https://community.rapid7.com/community/infosec/blog/2013/05/13/vaccinating-systems-against-vm-aware-malware

 

See this Alert settings dialog for a brief overview:

 

Edited by erikloman, 06 November 2013 - 06:11 PM.