Bitdefender distributes ‘vaccine’ to combat growing ransomware threat

Porthos

https://labs.bitdefender.com/2016/03/combination-crypto-ransomware-vaccine-released/

The Bitdefender Antiransomware vaccine defends against the CTB-Locker, Locky and TeslaCrypt versions of crypto ransomware, by making your system appear as if it has already been infected by malware in the past.

Various strains of ransomware, such as versions of Locky and TeslaCrypt, often use a system where it will detect if a computer has been infected by the ransomware in the past and had its files encrypted. Bitdefender’s new software claims that it can fake these checks so if your computer ever encounters ransomware, the virus will skip it.

“The new tool is an outgrowth of the Cryptowall vaccine program, in a way,” said Bitdefender chief security strategist, Catalin Cosoi. “We had been looking at ways to prevent this ransomware from encrypting files even on computers that were not protected by Bitdefender antivirus and we realized we could extend the idea.”
 
I've been using this for over a year, at least it looks exactly the same, and it hasn't affected any programs as of yet. Bitdefender has this built into their regular av now also.
 
Yeah - the question is how long before they just don't have the infection check anymore?
Hard to say, but there are a couple things in favor of keeping it: most people won't have this ("I don't have to be faster than the wolf - I just have to be faster than you.") and if they don't check then their rate of cleanup drops. People will pay more for a 90+% decryption than for a 50/50 rate.
 
I think it's a good approach but no doubt just a temporary defence that will become ineffective as ransomware evolves.

The pedant in me finds the use of the word 'vaccine' annoying though. A vaccine provides acquired immunity, suggesting that this software 'teaches' the computer to recognise the infection, whereas in fact it fools the infection, making it appear that the computer is already infected. Sounds more like how a contraceptive pill works than a vaccine.

I would imagine a better approach would simply be to detect any attempts to encrypt files and stop them, with the option to prompt the user for authorisation if necessary.
 