On Wed, 16 Sep 2015, Robert Feldman wrote:
There is a ransomware variant that encrypts the files but silently decrypts them when they are accessed. It does this for six months before deactivating the on-demand decryption and displaying the ransom message, the theory being that by that time all of the backups will be of the encrypted files, and thus will be useless for restoring good versions.

Thereby rendering generations of backups ineffective. When you restore, you still cannot get back any of the file modifications (work) done in the last 6 months. Thus, the only acceptable solution would be early detection.

Neither AVG (resident), nor McAfee (manually run weekly) detected my infection of Cryptowall. What WILL detect it?

As to how one can become infected, see http://www.theregister.co.uk/2015/08/27/malvertising_feature/?page=1. Major sites, such as The New York Times, Reuters, Yahoo!, and Bloomberg, have been serving malware -- including ransomware -- through hijacked advertisements. No need to click on anything, the ad serves up the malware.

But, those still require a gullibility error on the part of the user, don't they? Do the ads actually load and run the ransomware, or just present the fraudulent upgrade offer to bring it in?

