Endpoint Protection


Cryptodefense ? Can SEP detect and stop it?

  • 1.  Cryptodefense ? Can SEP detect and stop it?

    Posted Mar 20, 2014 03:19 PM

    Running SEP 12.1.4

    Am I safe? Can SEP detect and clean this? I did a search but didn't find anything. I imagine Symantec probably references this virus with another name.

    Any recommendations on how we should combat this virus?



  • 2.  RE: Cryptodefense ? Can SEP detect and stop it?

    Posted Mar 20, 2014 03:23 PM

    CryptoLocker is detected by Symantec,

    https://www-secure.symantec.com/connect/forums/cryptolocker-are-we-safe

    Have you checked in virustotal? Did that encrypt any of your files?




  • 3.  RE: Cryptodefense ? Can SEP detect and stop it?

    Posted Mar 20, 2014 03:37 PM

    I don't know if this is CryptoLocker or a new variant.

    I've seen that link you shared and was wondering if it is the same issue.


    The virus I have is definitely calling itself "cryptodefense".

    SEP doesn't seem to have found anything yet.


    http://www.bleepingcomputer.com/virus-removal/cryptodefense-ransomware-information



  • 4.  RE: Cryptodefense ? Can SEP detect and stop it?

    Posted Mar 20, 2014 03:40 PM

    Yeah, I saw that :) They both do the same thing: encrypt and ask for money. If you have a sample, please submit it to Symantec:

    https://submit.symantec.com/websubmit/retail.cgi

    Tried Malwarebytes?



  • 5.  RE: Cryptodefense ? Can SEP detect and stop it?

    Posted Mar 20, 2014 08:58 PM

    SEP has multiple signatures for the AV component as well as multiple signatures for the IPS component, so it can catch many variants. Ensure both are up to date.

    If this is a new variant, then you will need to submit it for analysis.



  • 6.  RE: Cryptodefense ? Can SEP detect and stop it?

    Posted Mar 20, 2014 11:48 PM

    See some good articles:

    Killing Conficker: How to Eradicate W32.Downadup for Good

    https://www-secure.symantec.com/connect/articles/killing-conficker-how-eradicate-w32downadup-good

    The Day After: Necessary Steps after a Virus Outbreak

    https://www-secure.symantec.com/connect/articles/day-after-necessary-steps-after-virus-outbreak



  • 7.  RE: Cryptodefense ? Can SEP detect and stop it?

    Posted Mar 21, 2014 06:37 AM

    Hi M-NYC,

    It's impossible to confirm without knowing what exact MD5 that article is about.  From the description, though, it sounds like that article is talking about what Symantec calls Trojan.Nymaim.B.

    Trojan.Nymaim.B
    http://www.symantec.com/security_response/writeup.jsp?docid=2014-012318-0146-99

    AV and IPS protection (System Infected: Trojan.Ransomlock.AJ) will stop known variants of this threat.

    Definitely ensure you have IPS protection in place ("Two Reasons why IPS is a "Must Have" for your Network,") and a regular backup schedule.

    Hope this helps!



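Post 2 suggests checking the sample on VirusTotal and post 7 notes that a detection can only be confirmed against the exact MD5 of the file. The script below is an added example (not code from the thread or from Symantec) that produces the hashes a responder needs for that lookup or for a vendor submission: it hashes a file in chunks so a large dropper does not have to be read into memory at once, and it returns all three digests because vendors and VirusTotal key their reports on different ones. The sample bytes and the VirusTotal report URL format are assumptions for illustration, not material from the page.

```python
"""Hash a suspected ransomware sample for a VirusTotal lookup or vendor submission.

Added example for this thread; not Symantec's or the poster's code.
"""
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB reads, so a large sample is never held whole in memory

# Constructed stand-in for a quarantined sample (an MZ header followed by filler).
# This is NOT real malware; it only exists so the example runs offline.
SAMPLE = b"MZ" + b"\x00" * 62 + b"constructed placeholder, not a real sample"


def hash_bytes(data: bytes) -> dict:
    """Digests of an in-memory blob; handy when the sample came from a quarantine export."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def hash_file(path: str) -> dict:
    """Digests of a file on disk, computed in one pass with chunked reads."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for h in (md5, sha1, sha256):
                h.update(chunk)
    return {
        "md5": md5.hexdigest(),
        "sha1": sha1.hexdigest(),
        "sha256": sha256.hexdigest(),
        "size": os.path.getsize(path),
    }


def virustotal_url(sha256: str) -> str:
    """Assumed layout of VirusTotal's web report URL for a file (illustrative)."""
    return f"https://www.virustotal.com/gui/file/{sha256}"


def demo() -> dict:
    """Write the constructed sample to a temp file, hash it, and clean up."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(SAMPLE)
        path = tmp.name
    try:
        result = hash_file(path)
    finally:
        os.unlink(path)
    # The streaming and in-memory paths must agree on every digest.
    assert result["md5"] == hash_bytes(SAMPLE)["md5"]
    assert result["sha256"] == hash_bytes(SAMPLE)["sha256"]
    result["vt_url"] = virustotal_url(result["sha256"])
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it against a real quarantined file by replacing `SAMPLE`/`demo()` with `hash_file("/path/to/sample")`. Quote the SHA-256 rather than only the MD5 when you ask a vendor whether a file is covered: MD5 is what this thread's replies refer to, but it is collision-prone, and most reputation services key on SHA-256.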

  • 8.  RE: Cryptodefense ? Can SEP detect and stop it?

    Posted Mar 24, 2014 06:55 AM

    Hi M-NYC,

    Just wondering if your query has been answered?  This thread is still marked "needs solution."

    All the best,

    Mick



  • 9.  RE: Cryptodefense ? Can SEP detect and stop it?

    Posted Mar 31, 2014 11:23 AM

    This official blog post by Symantec Security Response may be of interest:

    CryptoDefense, the CryptoLocker Imitator, Makes Over $34,000 in One Month

    https://www-secure.symantec.com/connect/blogs/cryptodefense-cryptolocker-imitator-makes-over-34000-one-month

    Protection
    Although not related, such were the similarities seen between CryptoDefense and CryptoLocker that Symantec initially detected this threat as Trojan.Cryptolocker, along with numerous other detections. Symantec detects CryptoDefense under the following detection names:

    Antivirus detections

    Heuristic detections

    Reputation detections

    Intrusion prevention signatures



  • 10.  RE: Cryptodefense ? Can SEP detect and stop it?

    Posted Mar 31, 2014 11:37 AM

    @ Mick2009, team Symantec, excellent analysis here. Concur on the fact that you must definitely ensure you have IPS protection in place ("Two Reasons why IPS is a "Must Have" for your Network,") Much appreciated!!!!!



  • 11.  RE: Cryptodefense ? Can SEP detect and stop it?

    Posted Apr 22, 2014 09:52 PM

    Hi All,

    To prevent CryptoLocker, my point of view is that in order for Symantec to detect CryptoLocker, we might need help from Symantec to do forensics on the infected host, because it is beyond our knowledge. Also, the variants and infection vectors are very different; for some of them there is still no idea of the infection vector.

    Thanks