Combination Crypto-Ransomware Vaccine Released

Bitdefender anti-malware researchers have released a new vaccine tool which can protect against known and possible future versions of the CTB-Locker, Locky and TeslaCrypt crypto ransomware families by exploiting flaws in their spreading methods.

“The new tool is an outgrowth of the Cryptowall vaccine program, in a way,” Chief Security Strategist Catalin Cosoi explained. “We had been looking at ways to prevent this ransomware from encrypting files even on computers that were not protected by Bitdefender antivirus, and we realized we could extend the idea.”

The new tool is available for download on the Bitdefender website.

A study conducted by Bitdefender in November 2015 on 3,009 Internet users from the US, France, Germany, Denmark, the UK and Romania offers a victim’s perspective on data loss through crypto-ransomware:

  • 50% of users can’t accurately identify ransomware as a type of threat that prevents or limits access to computer data.
  • Half of victims are willing to pay up to $500 to recover encrypted data.
  • Personal documents rank first among user priorities.
  • UK consumers would pay the most to retrieve files.
  • US users are the main target for ransomware.

About the author

Razvan STOICA

Razvan Stoica is a journalist turned teacher turned publicist and technology evangelist. When Bitdefender isn't paying him to bring complex subjects to wide audiences, he enjoys writing fiction, skiing and biking. Razvan Stoica started off writing for a science monthly and was the chief editor of a science fiction magazine for a short while before moving on to the University of Medicine in Bucharest where he lectured on the English language. Recruited by Bitdefender in 2004 to add zest to the company's online presence, he has fulfilled a bevy of roles within the company since. In his current position, he is primarily responsible for the communications and community-building efforts of the Bitdefender research and technology development arm.

133 Comments

  • Should create a Restore Point before installation.
    [****] removes all the temp files as well as the actual Programme / Application. Have to still try it on our BitDefender protected machines.
    Regards

  • I am already using Bitdefender Total Security. Should I use the Bitdefender ransomware tool? Thank you..

  • Hello,
    As a Bitdefender customer, how can I take advantage of this free tool?
    Regards,

  • Hello,
    We have Bitdefender Gravity Zone in our company. Do we need to add this tool to the client workstations, or is it already integrated into the software?

  • Hey, thanks for your software! It’s really nice! GJ.
    Quick question: what about how it works!? Process, CPU, etc. etc.!?

  • Hello, I am trying to remotely install this to several computers. I have added /VERYSILENT to the exe, but I would also like to add these options as default during the install:
    Run when Windows starts to ON
    Minimize on startup to ON
    Minimize to tray to ON

    How can I add this to the setup install?
    Thanks a lot for your help on this.

  • I am using Bitdefender Internet Security 2016; do I need to add this new tool (Crypto Ransomware vaccine) to it?

  • Could be nice, but how does that work? Would it be possible to have a technical summary of it? How will this deal with other protection/monitoring programs? Legacy programs? It’s appealing, but not if it means having hundreds of users complaining all day because it breaks a legacy app….

    • It should not break anything, as it doesn’t interact with other apps, unlike an antivirus. It’s still recommendable to test it before use and in any case if you are thinking about securing “hundreds of users” you’re better off using something like Gravity Zone.

  • Vaccine tool? What does that mean? If it were a vaccine I would just need to run the software once and I would be inoculated; this, however, does not seem to be the case. Is it a behaviour monitoring tool? Does it install a service, or do I need to have the GUI running all the time? It is a little unclear whether what loads with Windows is only the GUI or the entire “protection package”.. Are any license terms available? Anyhow, thanks for a valiant effort.

    • It’s a vaccine, but it can (and probably will) be updated against new strains, hence the need to run at startup. It does not monitor behavior, it just uses some tricks to prevent those specific families of ransomware from infecting your system.
      The software is provided AS-IS, without any implied or explicit guarantees. Redistribution is permitted.

  • Hi,
    Congratulations, my countrymen, for all the software you made.
    Please enlarge/enhance the number/range of ransomware types against which you offer protection.

    ALL THE BEST!

    Dan

  • Hello. Certainly very good, but in (French), because not everyone speaks English.
    THANK YOU for reading me. MM

    • I regret to inform you that this is not possible for us, because the cost of localizing this software is far greater than the profit it brings us 😉

  • With Win 8.1 64-bit, trying to execute BDAntiRansomwareSetup.exe (4.46 MB) I get the message:
    “Cette application ne peut pas s’exécuter sur votre PC”
    What’s wrong?
    Tried 3 downloads…

  • More..
    Admin mode:
    Windows ne trouve pas ‘D:\_PERSO\Downloads\BDAntiRansomwareSetup1.exe’.
    Vérifiez que vous avez entré le nom correct, puis réessayez.
    ?????

  • Many thanks for this. One question: after install we see the last log entry is “Could not add Locky protection”. Is that possibly a rights issue?

  • Thanks Bitdefender for the tool!

    Unfortunately it doesn’t work with my AV because it has also a ransomware protect integrated so they don’t like each other 🙂

    Best regards

  • Are there any command line commands to enable a silent installation? We are an MSP and would love to enable this program for remote install. We are deeply integrated with BD as is. 🙂

    • Please use /SILENT or /VERYSILENT as command line options. This works from any domain admin account.

  • Is this true?

    Doesn’t work for the scenario where an Administrator installs it for users who are not administrators. The installer creates a Scheduled Task which launches the program upon logon of any user, but the task requires elevation, so it fails to run when a non-administrative user logs on.

  • Great to have another weapon in the armoury against ransomware.

    Would I be correct in assuming that the 4 registry entries thrown up as suspect in an AdwCleaner scan on my Windows 7 PC this morning containing the characters “protector_dll.Protector” are generated by the vaccine and can be ignored?

  • log
    Could not add Locky protection.
    CoInitializeSecurity failed: 80010119
    Could not add app to run key!
    Could not force security logs check thread to terminate.
    Could not save application settings

    ANY SUGGESTIONS?

  • Hello, I am trying to remotely install this to several computers. I have added /VERYSILENT to the exe, but I would also like to add these options as default during the install:
    Run when Windows starts to ON
    Minimize on startup to ON
    Minimize to tray to ON

    How can I add this to the setup install?
    Thanks a lot for your help on this.
    Can I change this providing an inf file?
    If yes, what is the format of that file?

    Thanks
    Cedric

  • Registry entries in current user should allow settings to be set silently, e.g. [HKEY_CURRENT_USER\Software\Bitdefender\BitdefenderAntiCryptoWall]

    App runs and uses current user but still to check if it will pick up on the settings if they are in equivalent local machine location. Alternatively GPO / default user could be used.

  • Hello, Bitdefender Anti-Ransomware will not run automatically. It doesn’t show in Autostart.
    Everything in the program is ON.

  • How do you test that it’s working? Will it automatically update itself? Is there a log file of its actions?

  • Your tool failed against Tesla V3, ugly. What’s wrong?

    https://www.youtube.com/watch?v=EBi0HfLb5Yk
    (3:57)

  • Dear Staff,

    As you can see in the comments of my blog [http://www.ransomware.it/bitdefender-antiransomware], some users are experiencing issues with scheduled tasks and the need for elevation at launch. Furthermore, it seems that the scheduled task requires elevation, so it fails to run when a non-administrative user logs on, and even if standard users do elevate they are not protected. Any suggestions/workarounds?

  • Can you make a tool to recover encrypted files?
    My encrypted files have names like this:
    “Mis.ini.ID16F13FEF.Vegclass@aol.com.xtbl”
    Please Help

  • Hi there, we are using BD Gravity Zone in our company.

    In a previous comment you stated that this tool will not be included in BD Gravity Zone.

    Do you recommend installing this tool in addition to BD Gravity Zone?

    Thank you in advance

  • I’ve read the article
    http://www.pcworld.com/article/3049179/security/free-bitdefender-tool-prevents-locky-other-ransomware-infections-for-now.html
    but I still want to know how it actually does it:
    “The new Bitdefender tool takes advantage of these ransomware checks by making it appear as if computers are already infected with current variants of Locky, TeslaCrypt or CTB-Locker. This prevents those programs from infecting them again.”

    What does it “vaccinate”? What part of Windows tells the ransomware it is already infected by it?

  • Hello,

    I know you have mentioned redistribution is permitted. However, is there a written license statement somewhere confirming that the BitDefender vaccine is free for use even in business environment?

    By the way, great job!

    Thank you,

    Martin

    • Thanks for the kind words! Alas, there is no such statement, beyond the release and about two dozen articles in the media, complete with quotes from Bitdefender representatives. You can download and use it in good faith, from our website or any number of freeware sites.
      Please remember, however, that this is experimental stuff and the lack of licensing also means a lack of guarantees of any kind.
      We might discontinue it tomorrow, or cease updating it and never tell anyone, or… you get the drift.

  • I’m using Bitdefender Antivirus Plus 2015. Is this vaccine incorporated, or do I need to install it separately?

  • The link on that page is broken. https://labs.bitdefender.com/2014/12/bitdefender-offers-free-cryptowall-vaccine/

    Via:
    http://www.geekdashboard.com/ransomware-removal-tools/

  • How can I remove the policies applied by BitDefender Anti-Ransomware after its uninstallation?

  • Question about this tool. Will it remove, for instance, the Locky malware if it is still running on the infected computer? Suppose that the idea is to clean the malware from the computer without formatting the disk drive.

    • This tool does not remove anything, it just prevents infections with some common ransomware.

  • Hi – does BitDefender Antivirus already offer similar protection or does this vaccine tool complement the antivirus product? Cheers!

    • The antivirus offers protection in various other ways. You could call this complementary, and you’d be almost exactly right.

  • Do you think that it would be possible to change the installer to look for the registry key in HKLM and copy it to HKCU if it finds it? Creating the key just in HKCU makes it impossible for us to silently deploy it alongside the BitDefender AV product we already have on our network.

  • Ok, I see it in Revo Uninstaller. I was unsure since on a different Win7 PC (mine is WinXP) I could see a Bitdefender popup (don’t know the exact name anymore) which couldn’t be removed but is now gone after a clean. Will check Revo Uninstaller. Don’t know if the other person installed Bitdefender software. MS Security Essentials is in there as default.

  • Does this program also protect against "CryptoLocker" and "CryptoWall"? As far as I read it in the Wikipedia, these are other ransomware families than just CTB-Locker, Locky and TeslaCrypt. I'm kinda confused now…

    I also found a program called "Bitdefender Anti-CryptoLocker 1.0.7.5" Do I need to install this also, or is this program outdated?

  • MSP here deploying this via powershell using /verysilent switch and everything installs fine. The only thing is it is not set to start automatically with Windows and to minimize to Systray. Are there any other switches during install to make sure BDAntiRansomware is started with Windows?

  • Why does it create these two registry entries:
    1. HKEY_CURRENT_USER\SOFTWARE\LOCKY
    2. HKEY_CURRENT_USER\…(not sure of exact path)…\Qi…

  • I updated Bitdefender Anti-Cryptowall to the last version and Chrome crashes with "He's dead Jim!. Either Chrome ran out of memory or the process" …
    I tried to uninstall, restart, then install Chrome, but Chrome stops; even settings do not work…
    I uninstalled the last Bitdefender Anti-Cryptowall update and everything is OK.

    WinXp SP3, Pentium dual-core 2.6Ghz, 4G RAM, Chrome 49

    Liviu

  • The program created some registry entries like: …\Software\Locky
    Why does it create that entry?
    Usually Locky itself creates …\Software\Locky
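    As an added example (not Bitdefender's own code), the following PowerShell triage check pulls together details readers posted in this thread: the vaccine's settings key HKEY_CURRENT_USER\Software\Bitdefender\BitdefenderAntiCryptoWall, the HKEY_CURRENT_USER\SOFTWARE\LOCKY entry that mimics the marker Locky itself creates, and the log directory C:\Program Files\Bitdefender\Tools\BDAntiRansomware\Logs\BDAntiRansomware. It reports whether a Locky marker on a host is attributable to the vaccine and surfaces "Could not add … protection" lines from the newest log; the function name, the verdict wording and the log filename pattern are my assumptions.

```powershell
# Added example, not Bitdefender's code. Key names and the log path come from
# comments in this thread; the function name and verdict texts are assumptions.
function Get-VaccineStatus {
    $settingsKey = 'HKCU:\Software\Bitdefender\BitdefenderAntiCryptoWall'  # vaccine settings key
    $lockyMarker = 'HKCU:\SOFTWARE\LOCKY'                                   # key Locky itself creates
    $logDir      = 'C:\Program Files\Bitdefender\Tools\BDAntiRansomware\Logs\BDAntiRansomware'

    $vaccineInstalled = Test-Path -Path $settingsKey
    $markerPresent    = Test-Path -Path $lockyMarker

    # Triage logic: the marker is expected when the vaccine is installed; a marker
    # with no vaccine settings key is worth treating as a possible real infection.
    if ($vaccineInstalled -and $markerPresent) {
        $verdict = 'Locky marker present and attributable to the vaccine (expected)'
    } elseif ($vaccineInstalled) {
        $verdict = 'vaccine installed but Locky marker missing: check the log for add-protection failures'
    } elseif ($markerPresent) {
        $verdict = 'Locky marker without vaccine settings key: investigate this host'
    } else {
        $verdict = 'no vaccine settings key and no Locky marker'
    }

    # Surface failure lines (e.g. "Could not add Locky protection") from the newest log file.
    # Assumption: log files carry a .log extension, as in the path a reader quoted above.
    $failures = @()
    if (Test-Path -Path $logDir) {
        $newest = Get-ChildItem -Path $logDir -Filter '*.log' -File |
                  Sort-Object -Property LastWriteTime -Descending |
                  Select-Object -First 1
        if ($newest) {
            $failures = @(Get-Content -Path $newest.FullName |
                          Select-String -Pattern 'Could not add .* protection|CoInitializeSecurity failed' |
                          ForEach-Object { $_.Line })
        }
    }

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        VaccineInstalled = $vaccineInstalled
        LockyMarker      = $markerPresent
        Verdict          = $verdict
        LogFailures      = $failures
    }
}

Get-VaccineStatus | Format-List
```

    Run it in the user's own logon session: both keys live under HKEY_CURRENT_USER, which is the same per-user placement behind the silent-deployment and non-admin scheduled-task problems reported in this thread, so a check run as SYSTEM or another account sees a different hive.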

  • I noticed that Bitdefender Anti-Cryptowall blocks, the first time, extensions from Chrome (AdBlock, IE Tab …), then Chrome crashes…

  • Hello,
    We plan to deploy this tool at a large scale.
    Would it be possible to have all the possible install parameters? It would be greatly appreciated 🙂
    Kind regards,

  • A customer received the .locky by email and ran it.
    The file is "Document 2.docm" and it locks every xlsx, docx, pdf, rar, zip, exe, etc. I have this file if you want it. How do I decrypt the files?

  • Hello,
    Versions 1,0,11,47 and 1,0,21,1 block the opening of the following: zip archives, WinSCP, Remote Desktop Connection, Adobe Reader. Most of the time without any error. It resolves if you retry opening a 2nd time, for other programs a 3rd time. Once the application has opened, on a retry it opens on the first attempt.
    OS: XP SP3, 32-bit, with Bitdefender Free and a NOD32 30-day trial. Previous versions did not show this behaviour.
    In the log C:\Program Files\Bitdefender\Tools\BDAntiRansomware\Logs\BDAntiRansomware\BDAntiRansomwareXXX.log I see no error marked at the time corresponding to when the applications fail to start.
    NOTE: WinSCP displays the startup screen but without text content on the buttons (transparent); archives give a sound "blink" with no message.
    Event Viewer records no error.

  • Victim of ransomware: personal files were encrypted with the .micro extension; Anti-Malwarebytes helped in removing it.. still no clue how to get back those encrypted files.

  • To Rahul
    Try this:
    1)http://support.*.com/kb6051/?viewlocale=en_US
    2)http://www.bleepingcomputer.com/forums/t/605185/teslacrypt-3040-xxx-ttt-micro-mp3-support-topic/page-80#entry4002886

  • What good does this do if you are already infected with the virus? I am not seeing it helping with the computer that was infected that I put it on. How do you get it removed???

  • If I have this running on a server, will it protect the shares if another computer gets infected and tries to search for connected shared drives?

  • We are your customer in Thailand. Your local engineer recommended my team to install this tool but it has conflict with Sage 300 ERP. Do you have the resolution for this case? Thank you.

  • Does Bitdefender Antivirus Plus 2016 guard against ransomware, e.g. Locky and Zepto and their variants? Or do I have to purchase a different security package?

  • Just had a Skype reinstall request, but apparently Anti-Ransomware was blocking it,
    telling me "The Windows Installer service could not be accessed"

  • How do I get back my encrypted files which have been encrypted by the Cerber ransomware without succumbing to its demands? Kindly advise.

  • Is it real? My 1 TB hard disk was encrypted with the .cerber3 type of encryption. If it will help, please tell me yes or no.

    • The Crypto-ransomware vaccine is a proactive protection mechanism. If used when your computer is in a clean state, it would render potential ransomware impossible to execute. However, if you have already fallen victim to ransomware, the tool won't be able to decrypt the files for you.