Combination Crypto-Ransomware Vaccine Released

Bitdefender anti-malware researchers have released a new vaccine tool which can protect against known and possible future versions of the CTB-Locker, Locky and TeslaCrypt crypto ransomware families by exploiting flaws in their spreading methods.

“The new tool is an outgrowth of the Cryptowall vaccine program, in a way,” Chief Security Strategist Catalin Cosoi explained. “We had been looking at ways to prevent this ransomware from encrypting files even on computers that were not protected by Bitdefender antivirus and we realized we could extend the idea.”

The new tool is available for download on the Bitdefender website.

A study conducted by Bitdefender in November 2015 on 3,009 Internet users from the US, France, Germany, Denmark, the UK and Romania offers a victim’s perspective on data loss through crypto-ransomware:

  • 50% of users can’t accurately identify ransomware as a type of threat that prevents or limits access to computer data.
  • Half of victims are willing to pay up to $500 to recover encrypted data.
  • Personal documents rank first among user priorities.
  • UK consumers would pay most to retrieve files.
  • US users are the main target for ransomware.

116 Responses to Combination Crypto-Ransomware Vaccine Released


  1. Trin says:

    thz a lot

  2. Don Strand says:

    Thank you, from a very worried old man!

  3. mike says:

    I have Locky ransomware. Thanks for your job.

  4. Klaes Visser says:

    Many thanks for the help against ransomware

  5. Karl Hansen says:

    Should create a Restore Point before installation.
    [****] removes all the temp files as well as the actual Programme / Application. Have to still try it on our BitDefender protected Machines.
    Regards

  6. Borrel says:

    Hello

    Incompatible with [****] Internet 2016
    it takes it for Trojan.Win32.Generic

    best regards

  7. Hamza ALTAN says:

    I am already using Bitdefender Total Security. Should I use the Bitdefender ransomware tool? Thank you.

  8. nnks a lot! says:

    Ok thanks a lot !

  9. ys kikm says:

    One week ago my PC was attacked by Locky ransomware.

  10. Krittaporn Ualapun says:

    check

  11. stan p says:

    thank you thank you, you guys are amazing

  12. 이정재 says:

    thanks for bitdefender!!

  13. Pedro says:

    Thanks

  14. Venancio says:

    Hello,
    As a Bitdefender customer, how can I take advantage of this free tool?
    Regards,

  15. Calin says:

    Thank you

  16. David says:

    Hello,
    In our company we have Bitdefender Gravity Zone. Should this tool be added to the client workstations, or is it already built into the software?

  17. David says:

    Doesn't Gravity Zone protect against ransomware?

  18. John Cabanding says:

    Is there a possible method to decrypt the files?

    Thanks

  19. Juan Carlos says:

    I already have Bitdefender Total Security 2016. Do I still need this?

    Thank you,

  20. Francisco says:

    Could this tool recover files encrypted by Locky?
    Thank you!

  21. Vincent says:

    Hey, thanks for your Soft! It’s really nice! GJ.
    Quick question: What about how it works!? Process, CPU, etc etc!?

  22. Mihir Joshi says:

    Will it work with existing AM/AV? Existing AM/AV is not BitDefender

  23. monic says:

    Many thanks

  24. June says:

    Thanks and it is great !

  25. zenfei says:

    Can I use this program in a company?

  26. Cedric says:

    Hello, I try to remotely install this to several computers. I have added the /VERYSILENT to the exe, but I would like also to add these options as default during the install:
    Run when Windows starts to ON
    Minimize on startup to ON
    Minimize to tray to ON

    How can I add this to the setup install?
    Thanks a lot for your help on this.

  27. Michel says:

    I am using Bit Defender Internet Security 2016, do I need to add this new tool (Crypto Ransomware vaccine) to it?

  28. Johan says:

    What does this tool exactly scan?

    All internet traffic, services, processes, etc?

  29. Pascal says:

    Could be nice, but how does that work? Would it be possible to have a technical resume about it? How will this deal with other protection/monitoring programs? Legacy programs? It’s appealing but if it’s for having hundreds of users complaining all day because that makes legacy apps broken…

    • Razvan Stoica says:

      It should not break anything, as it doesn’t interact with other apps, unlike an antivirus. It’s still recommendable to test it before use and in any case if you are thinking about securing “hundreds of users” you’re better off using something like Gravity Zone.

  30. Michael says:

    Vaccine tool? What does that mean, if it was a vaccine I would just need to run the software once and I would be inoculated, this however does not seem to be the case? Is it a behaviour monitoring tool, does it install a service or do I need to have the GUI running all the time – it is a little unclear if the load with Windows is only the GUI or the entire “protection package”. Are any license terms available? Anyhow, thanks for a valiant effort.

    • Razvan Stoica says:

      It’s a vaccine, but it can (and probably will) be updated against new strains, hence the need to run at startup. It does not monitor behavior, it just uses some tricks to prevent those specific families of ransomware from infecting your system.
      The software is provided AS-IS, without any implied or explicit guarantees. Redistribution is permitted.

  31. Dan Dumiro says:

    Hi,
    Congratulations, my countrymen, for all the software you made.
    Please, enlarge/enhance the number/range of anti-ransomware types against which you offer protection.

    ALL THE BEST!

    Dan

  32. Michael says:

    I use [***] Endpoint Security 10 Maintenance 2.
    Can I use it with BD AntiRansomware?

  33. duck says:

    Like it!

  34. MICHAUD.M says:

    Hello. Certainly very good, but in (French), because not everyone speaks English.
    THANK YOU for reading. MM

    • Razvan Stoica says:

      I regret to inform you that this is not possible for us, because the cost of localizing this software is far greater than the profit it brings us 😉

  35. chouka038 says:

    With Win 8.1 64b, trying to execute BDAntiRansomwareSetup.exe 4.46mo I have the msg:
    “Cette application ne peut pas s’exécuter sur votre PC”
    What’s wrong?
    Trying 3 downloads…

  36. chouka038 says:

    more..
    admin mode:
    Windows ne trouve pas ‘D:\_PERSO\Downloads\BDAntiRansomwareSetup1.exe’.
    Vérifiez que vous avez entré le nom correct, puis réessayez.
    ?????

  37. DC says:

    Many thanks for this. One question, after install we see the last log entry is “Could not add Locky protection”, is this possibly a rights issue?

  38. Steven says:

    What command-line options will force “Minimize to tray” on startup and close button?

  39. Mike says:

    Thanks Bitdefender for the tool!

    Unfortunately it doesn’t work with my AV because it has also a ransomware protect integrated so they don’t like each other 🙂

    Best regards

  40. Gerald says:

    Are there any command line commands to enable a silent installation? We are an MSP and would love to enable this program to remote install. We are deeply integrated with BD as is. 🙂

    • Razvan Stoica says:

      Please use /SILENT or /VERYSILENT as command line options. This works from any domain admin account.

  41. Ahmad Shahizan says:

    […] detected BD antiransomware as Trojan

  42. G says:

    Is this true?

    Doesn’t work for the scenario where an Administrator installs it for users who are not administrators. The installer creates a Scheduled Task which launches the program upon logon of any user, but the task requires elevation, so it fails to run when a non-administrative user logs on.

  43. gruntled1 says:

    Great to have another weapon in the armoury against ransomware.

    Would I be correct in assuming that the 4 registry entries thrown up as suspect in an AdwCleaner scan on my Windows 7 PC this morning containing the characters “protector_dll.Protector” are generated by the vaccine and can be ignored?

  44. epa says:

    log
    Could not add Locky protection.
    CoInitializeSecurity failed: 80010119
    Could not add app to run key!
    Could not force security logs check thread to terminate.
    Could not save application settings

    ANY SUGGESTIONS

  45. format says:

    www.facebook.com/stopcryptovirus

  46. Crash says:

    Is it allowed for commercial use? I mean company use, I couldn’t find any licence agreement.

  47. Cedric says:

    Hello, I try to remotely install this to several computers. I have added the /VERYSILENT to the exe, but I would like also to add these options as default during the install:
    Run when Windows starts to ON
    Minimize on startup to ON
    Minimize to tray to ON

    How can I add this to the setup install?
    Thanks a lot for your help on this.
    Can I change this providing an inf file?
    If yes, what is the format of that file?

    Thanks
    Cedric

  48. Fx Leroy says:

    Hello
    Thanks for the nice program
    Will you include a Payta protection to it?

  49. david says:

    My AV flagged this as W32.OutBrowse.kdex

  50. raif says:

    Hello, can you please tell me, does this software create some Locky reg file in regedit?

    Br.
    R.

  51. Des Quinn says:

    registry entries in current user should allow settings to be set silently e.g. [HKEY_CURRENT_USER\Software\Bitdefender\BitdefenderAntiCryptoWall]

    App runs and uses current user but still to check if it will pick up on the settings if they are in equivalent local machine location. Alternatively GPO / default user could be used.

  52. mirek says:

    Hi, could I use it for my business, 17 computers?

    Thanks

  53. eckil says:

    Hello, Bitdefender Anti-Ransomware will not run automatically. It doesn’t show in Autostart.
    Everything in the program is ON.

  54. KWeilbacher says:

    How do you test that it’s working? Will it automatically update itself? Is there a log file of its actions?

  55. Mike M. says:

    Your tool failed against Tesla V3, ugly. What’s wrong?

    https://www.youtube.com/watch?v=EBi0HfLb5Yk
    (3:57)

  56. subhash says:

    MS Word files infected by LOCKY virus, wish to recover

  57. Ransomware Blog says:

    Dear Staff,

    as you can see in the comments of my blog [http://www.ransomware.it/bitdefender-antiransomware] some users are experiencing issues with scheduled tasks and the need of elevation at launch. Furthermore, it seems that the scheduled task requires elevation, so it fails to run when a non-administrative user logs on and even if standard users do elevate they are not protected. Any suggestions/workarounds?

  58. Mick says:

    You can complement this with […] Anti-Ransomware !

  59. PPG says:

    thank you

  60. Hamid says:

    Can you make a tool to recover encrypted files?
    My encrypted files have names such as:
    “Mis.ini.ID16F13FEF.Vegclass@aol.com.xtbl”
    Please help

  61. Febe says:

    Hi there, we are using BD Gravity Zone in our company.

    In a previous comment you stated that this tool will not be included in BD Gravity Zone.

    Do you recommend installing this tool in addition to BD Gravity Zone?

    Thank you in advance

  62. David says:

    I’ve read the article
    http://www.pcworld.com/article/3049179/security/free-bitdefender-tool-prevents-locky-other-ransomware-infections-for-now.html
    but still want to know how it actually works.
    “The new Bitdefender tool takes advantage of these ransomware checks by making it appear as if computers are already infected with current variants of Locky, TeslaCrypt or CTB-Locker. This prevents those programs from infecting them again.”

    What does it “vaccinate”? What part of Windows tells ransomware it is already infected by it?

  63. Martin Smid says:

    Hello,

    I know you have mentioned redistribution is permitted. However, is there a written license statement somewhere confirming that the BitDefender vaccine is free for use even in business environment?

    By the way, great job!

    Thank you,

    Martin

    • Razvan Stoica says:

      Thanks for the kind words! Alas, there is no such statement, beyond the release and about two dozen articles in the media, complete with quotes from Bitdefender representatives. You can download and use it in good faith, from our website or any number of freeware sites.
      Please remember, however, that this is experimental stuff and the lack of licensing also means a lack of guarantees of any kind.
      We might discontinue it tomorrow, or cease updating it and never tell anyone, or… you get the drift.

  64. frank says:

    I’m using Bitdefender Antivirus Plus 2015. Is this vaccine incorporated or do I need to install it separately?

  65. Amar says:

    Link in that page is broken. https://labs.bitdefender.com/2014/12/bitdefender-offers-free-cryptowall-vaccine/

    Via:
    http://www.geekdashboard.com/ransomware-removal-tools/

  66. Stoyan says:

    How can I remove the policies applied by BitDefender Anti-Ransomware after its uninstallation?

  67. Francisco says:

    Question about this tool. Will it remove, for instance, the locky malware if still running in the infected computer? Suppose that the idea is to clean the malware from the computer without performing a format to the disk drive.

    • Razvan Stoica says:

      This tool does not remove anything, it just prevents infections with some common ransomware.

  68. Mark says:

    Hi – does BitDefender Antivirus already offer similar protection or does this vaccine tool complement the antivirus product? Cheers!

    • Razvan Stoica says:

      The antivirus offers protection in various other ways. You could call this complementary, and you’d be almost exactly right.

  69. Franko says:

    Looking to test this out; any idea where I could find some infected files? (Sounds crazy I know!)

  70. Robert says:

    Do you think that it would be possible to change the installer to look for the registry key in HKLM and copy it to HKCU if it finds it? Creating the key just in HKCU makes it impossible for us to silently deploy it alongside the BitDefender AV product we already have on our network.

  71. Carola says:

    Why is it creating HKCU\SOFTWARE\LOCKY\?

  72. Michael Przewrocki says:

    How can it be uninstalled/removed? Where can we see it?

  73. Michael Przewrocki says:

    OK, I see it in Revo Uninstaller. Was unsure since on a different Win7 PC (mine is WinXP) I could see a Bitdefender popup (don’t know exact name anymore) which couldn’t be removed but is now gone after a clean. Will check Revo Uninstaller. Don’t know if other person installed Bitdefender software. MS Security Essentials in there as default.

  74. Nebojsa says:

    Many greetings from Nebojsa Stevanovic from Kragujevac, Serbia

  75. ecsa says:

    how do I get immunization on? Don't see where to do this.

  76. Marc says:

    Does this program also protect against "CryptoLocker" and "CryptoWall"? As far as I read it in the Wikipedia, these are other ransomware families than just CTB-Locker, Locky and TeslaCrypt. I'm kinda confused now…

    I also found a program called "Bitdefender Anti-CryptoLocker 1.0.7.5" Do I need to install this also, or is this program outdated?

    • Razvan Stoica says:

      Anti-Cryptolocker is deprecated. The Vaccine does what it says on the tin, and only that.

  77. Paul says:

    Thank you very much.

  78. Paul says:

    MSP here deploying this via powershell using /verysilent switch and everything installs fine. The only thing is it is not set to start automatically with Windows and to minimize to Systray. Are there any other switches during install to make sure BDAntiRansomware is started with Windows?

  79. Bert Love says:

    Thanks Guys just downloaded very grateful

  80. AH says:

    Why is it creating: HKCU\SOFTWARE\LOCKY\
    and HKCU\SOFTWARE\Qi…. (stuff)

  81. Mike says:

    Why does it create these two registry entries:
    1. HKEY_CURRENT_USER\SOFTWARE\LOCKY
    2. HKEY_CURRENT_USER\…(not sure of exact path)…\Qi…

  82. Liviu says:

    I updated Bitdefender Anti-Cryptowall with the last version and Chrome crashes with "He's dead Jim!. Either Chrome ran out of memory or the process" …
    I tried to uninstall, restart, then install Chrome but Chrome stops, even settings do not work…
    I uninstalled the Bitdefender Anti-Cryptowall last update and everything is OK.

    WinXp SP3, Pentium dual-core 2.6Ghz, 4G RAM, Chrome 49

    Liviu

  83. Armian says:

    The program created some registry entries like: …\Software\Locky
    Why does it create that entry?
    Usually Locky itself creates the …\Software\Locky
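
The marker key reported in the comments above (HKCU\SOFTWARE\LOCKY) lives in each user's own hive, so its presence has to be checked per user. The following read-only PowerShell audit is an added example, not Bitdefender's code and not part of any comment; the key name and the install path are taken from comments on this page and are assumptions, as is the function name `Get-LockyMarkerReport`.

```powershell
# Added example: read-only audit of the per-user "Software\Locky" marker key.
# Assumptions (from comments on this page, not confirmed by Bitdefender):
#   - the vaccine creates HKCU\Software\Locky
#   - the tool installs under <Program Files>\Bitdefender\Tools\BDAntiRansomware
$MarkerSubKey = 'Software\Locky'
$InstallDirs  = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } |
    ForEach-Object { Join-Path $_ 'Bitdefender\Tools\BDAntiRansomware' }

function Get-LockyMarkerReport {
    # True if the vaccine's install directory exists in either Program Files tree.
    $toolInstalled = [bool]($InstallDirs | Where-Object { Test-Path -LiteralPath $_ })

    # HKEY_USERS only contains hives that are currently loaded, i.e. users who
    # are logged on. Other profiles are not covered by this check.
    Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
        ForEach-Object {
            $sid     = $_.PSChildName
            $present = Test-Path -LiteralPath "Registry::HKEY_USERS\$sid\$MarkerSubKey"

            # Resolve the SID to DOMAIN\user; fall back to the SID if that fails.
            try {
                $account = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                    [System.Security.Principal.NTAccount]).Value
            } catch {
                $account = $sid
            }

            $assessment =
                if ($present -and $toolInstalled) { 'marker present, tool installed: consistent with the vaccine' }
                elseif ($present)                 { 'marker present, tool not found: investigate' }
                elseif ($toolInstalled)           { 'tool installed, no marker for this user' }
                else                              { 'no marker, no tool' }

            [pscustomobject]@{
                Account       = $account
                Sid           = $sid
                MarkerKey     = $present
                ToolInstalled = $toolInstalled
                Assessment    = $assessment
            }
        }
}

Get-LockyMarkerReport | Format-Table -AutoSize
```

A "consistent with the vaccine" row is a triage hint only; it does not rule out an actual infection on the same machine.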

  84. cliv says:

    I noticed that Bitdefender Anti-Cryptowall block first time extension from chrome (adblock, ietab …) then Chrome crash…

  85. Steve says:

    Hello,
    We plan to deploy this tools at a large scale.
    Would it be possible to have all the possible install parameters? Would be greatly appreciated 🙂
    Kind regards,

  86. cliv says:

    Sorry AntiCryptowall work OK but AntiRansomware block load of all extension in Chrome….

  87. Claudio says:

    A client received the .locky by email and ran it.
    The file is "Document 2.docm" and it locks everything: xlsx, docx, pdf, rar, zip, exe, etc. I have this file if you want it. How do I decrypt the files?

  88. Daniel says:

    Good day,
    Versions 1,0,11,47 and 1,0,21,1 block the opening of the following: zip archives, WinSCP, Remote Desktop Connection, Adobe Reader. Most of the time, without errors. It is resolved if opening is retried a 2nd time, for other programs a 3rd time. Once the application has opened, on retry it opens the first time.
    OS: XP SP3, 32 bits, with Bitdefender Free and NOD32 30-day trial. Previous versions did not show this behaviour.
    In the log C:\Program Files\Bitdefender\Tools\BDAntiRansomware\Logs\BDAntiRansomware\BDAntiRansomwareXXX.log I do not see any error marked at the corresponding time when the applications do not start.
    NOTE: WinSCP displays the start screen but without text content or buttons (transparent); archives give a "blink" of sound without a message.
    Event Viewer does not record any error.

  89. Rahul says:

    Victim of ransomware, personal files were encrypted into .micro extension, anti-malwarebytes helped in removing it... still no clue how to get back those encrypted files.

  90. Daniel says:

    To Rahul
    Try this:
    1) http://support.*.com/kb6051/?viewlocale=en_US
    2) http://www.bleepingcomputer.com/forums/t/605185/teslacrypt-3040-xxx-ttt-micro-mp3-support-topic/page-80#entry4002886
