Ransonware Test Results

[itman 1,659]

Ref.: https://avlab.pl/sites/default/files/68files/ENG_2016_ransomware.pdf

 

For testing, we used 28 malicious software files of crypto ransomware. Among others there were: Cerber, CryptXXX, DetoxCrypto, Hitler Ransomware, HolyCrypt, Locky, Numecod, Petya, Jigsaw, Vipasana, Stampado and many others. The study included the total amount of 28 samples collected in a collaboration with independent researchers.

 

Test Results

 

Smart Security ver. 9 - 25/28

Smart Security ver. 10 beta - 27/28

 

Summary

 

Upgrade to ver. 10 ASAP. Perhaps Eset could have them retest w/final of ver. 10?

 

[itman 1,659]

Also noteworthy is the vast majority of ransomware is delivered via e-mail; primarily in attachments. The overwhelming ransomware delivered this way is Locky as noted below. Would be illuminating to see a test of Eset's Internet/Smart Security client e-mail protection against Locky. 

 

 

According to the 2016 Verizon DBIR, email is the #1 delivery channel for malware. And what percentage of that malware delivered over email is ransomware? According to Proofpoint, over 96 percent.

 

 

Ref: https://blog.barkly.com/ransomware-attacks-bypassing-antivirus#0

Edited November 11, 2016 by itman

[itman 1,659]

In regards to Locky ransomware, they are variants of it that begin their infection process using .bat scripts. Would like to know if Eset's ver. 10 script protection includes monitoring of cmd.exe which can run hidden and conhost.exe

[Marcos 5,074]

I don't recall seeing Locky started by batch files. It's mainly js or vbs files that are spread by spammed email and when run, they download Locky's binary and execute it.

[itman 1,659]

FYI.

 

After some additional deobfuscation on the VBA macro I combined the 3 parts to reveal full script and the actions performed.

 

1.     VBA macro creates file %temp%\arra.bat

 

2.     Writes decodes and writes value of textbox1 and textbox2 to arra.bat

 

3.     Executes %temp%\arra.bat

 

3.1.  Arra.bat in turn creates %tmp%\dasdee.vbs

3.2.  Echo’s the script contents to the dasdee.vbs script

3.3.  Executes dasdee.vbs using cscript

 

3.3.1.      dasdee.vbs performs a GET request to the http address passed in parameter %0% and saves the response to the location in parameter %1%

 

 

 

3.4.   The bat file then executes the file save by the vbs script, deletes the vbs scripts and deletes itself.

 

Ref.: https://www.sternsecurity.com/blog/locky-ransomware-analysis

Edited November 13, 2016 by itman

[itman 1,659]

Noteworthy is that Microsoft has "beefed up" macro protection in Office 2016 and recently 2013. So cmd.exe protection is not that critical in those versions. However, there are still enterprises and individuals using pre-2013 Pro. or non-Pro. versions of Office.

[itman 1,659]

A-V Comparative did a recent commissioned test comparative for PC Matic. They used 1000 ransomware samples. Eset Smart Security ver. 9 scored 100% detection rate!

 

hxxp://www.av-comparatives.org/wp-content/uploads/2016/11/avc_sp_pcpitstop_2016_en.pdf

[Marcos 5,074]

The latest TorrentLocker

 

        Baidu                      Win32.Trojan.WisdomEyes.16070401.9500.9928
        ESET-NOD32                 a variant of Win32/Injector.DIOL
        CrowdStrike                malicious_confidence_89% (D)
3/56 ON 2016-12-09 09:41:16

[itman 1,659]

Here's one for Eset to research: https://malwaretips.com/threads/self-made-ransomware-vs-antivirus-products.66903/

Basically a 0-day that remained so for quite a while. Introduced into the wild on 12/12. Nine days later, only 12 vendors on VirusTotal had a signature for it and Eset was not one of them. As noted in the testor's comments on Malwaretips, Eset Smart Security failed to detect it.

[itman 1,659]

Latest AV Lab report where Eset gets 100% in ransomware protection; also 100% in financial malware protection:

https://www.mrg-effitas.com/wp-content/uploads/2017/02/MRG-Effitas-360-Assessment-Q4-2016.pdf