Orascu Vlad (posted March 26, 2018):
Hello. Can anyone tell me how ESET is treating the Zenis ransomware threat? Thank you.

Marcos, Administrator (posted March 26, 2018):
If you are a registered user then yes, we will likely be able to decrypt files.

Orascu Vlad, thread author (posted March 26, 2018):
Yes, I have a license for about 600 computers.

Marcos, Administrator (posted March 26, 2018):
Please email samples[at]eset.com and provide:
- logs collected by ELC
- a handful of examples of encrypted documents

Orascu Vlad, thread author (posted March 26, 2018):
Hello, I do not have this problem yet. I was just trying to be proactive and see if I can do something to prevent it, such as maybe installing an update to the product or something. Sorry if I did not explain myself clearly enough.

Marcos, Administrator (posted March 26, 2018):
You can provide me with ELC logs for a review of your ESET configuration and I will tell you if there's anything you could do to improve protection. Also let me know if you use legitimate scripts (vbs, js, hta, ps) or if it's ok to block script execution with HIPS.

itman (posted March 26, 2018):
Lock down RDP access.

Quote:
"As previously stated, we do not know how the Zenis Ransomware is currently being distributed. Based on the elusiveness of the ransomware samples and comments from infected people, it could be distributed via hacked Remote Desktop services."
https://www.bleepingcomputer.com/news/security/zenis-ransomware-encrypts-your-data-and-deletes-your-backups/

Also according to bleepingcomputer.com, decryption of files is not possible.
Edited March 26, 2018 by itman

Marcos, Administrator (posted March 26, 2018):
18 minutes ago, itman said:
"Also according to bleepingcomputer.com, decryption of files is not possible."

We've already decrypted files for several users.

bbahes (posted March 26, 2018):
30 minutes ago, Marcos said:
"We've already decrypted files for several users"

Decrypted as protected, or decrypted per customer request?

itman (posted March 26, 2018):
37 minutes ago, Marcos said:
"We've already decrypted files for several users"

I stand corrected. I read the bleepingcomputer.com thread on the ransomware and someone did develop a decryptor. Perhaps Eset is "Demonslay335"?

Marcos, Administrator (posted March 26, 2018):
I've heard from others that Demonslay335 is an admin.

Orascu Vlad, thread author (posted March 27, 2018):
15 hours ago, Marcos said:
"You can provide me with ELC logs for a review of your ESET configuration and I will tell you if there's anything you could do to improve protection. Also let me know if you use legitimate scripts (vbs, js, hta, ps) or if it's ok to block script execution with HIPS."

Hello Marcos. Please see attached logs and let me know if I have collected them correctly.
[Attachment: eea_logs.zip]

Marcos, Administrator (posted March 27, 2018):
5 minutes ago, Orascu Vlad said:
"Please see attached logs and let me know if I have collected them correctly."

ESET is basically configured with default settings, i.e. for maximum protection. I'd suggest removing all exclusions since each creates a potential security hole where otherwise recognized malware can run undetected in excluded folders. Use exclusions only as a last resort if certain issues cannot be resolved even with the assistance of customer care. If you don't plan to use scripts, you can create HIPS rules for cscript.exe, wscript.exe, mshta.exe, java.exe and powershell.exe that will block execution or ask when a script attempts to be executed.

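The two hardening points raised in this thread, locking down RDP (itman's post above) and HIPS rules for the Windows script interpreters (Marcos's post above), as an added read-only audit script. This is example code written for this page; it is not ESET's code, not a HIPS rule, and not something any participant in the thread posted. It assumes Windows PowerShell 5.1 or later on a Windows 10 / Server 2016-class host, an elevated prompt, and that the built-in firewall rule group carries its English display name 'Remote Desktop'; java.exe from Marcos's list is left out because its install path varies.

```powershell
# Added example (not ESET's code): audit the interpreters that would need HIPS
# rules and the current RDP exposure on this host. Read-only; changes nothing.

# 1. Script interpreters that ship with Windows and are named in the thread.
$scriptHosts = @('cscript.exe', 'wscript.exe', 'mshta.exe', 'powershell.exe')

$searchDirs = @(
    (Join-Path $env:SystemRoot 'System32'),
    (Join-Path $env:SystemRoot 'SysWOW64'),
    (Join-Path $env:SystemRoot 'System32\WindowsPowerShell\v1.0'),
    (Join-Path $env:SystemRoot 'SysWOW64\WindowsPowerShell\v1.0')
)

Write-Host "== Script interpreters present on disk (each path is a HIPS rule candidate) =="
foreach ($name in $scriptHosts) {
    foreach ($dir in $searchDirs) {
        $path = Join-Path $dir $name
        if (Test-Path -LiteralPath $path) {
            # A valid Microsoft signature is expected; anything else deserves a look.
            $sig = Get-AuthenticodeSignature -FilePath $path
            Write-Host ("{0,-62} signature: {1}" -f $path, $sig.Status)
        }
    }
}

# 2. Interpreter processes running right now, with parent and command line, so the
#    admin can see which legitimate scripts a block-or-ask rule would interrupt.
Write-Host "`n== Running script-host processes =="
Get-CimInstance -ClassName Win32_Process |
    Where-Object { $scriptHosts -contains $_.Name } |
    Select-Object ProcessId, ParentProcessId, Name, CommandLine |
    Format-Table -AutoSize -Wrap

# 3. RDP exposure. fDenyTSConnections = 1 means Remote Desktop is disabled;
#    UserAuthentication = 1 means Network Level Authentication is required.
$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

$rdpDisabled = (Get-ItemProperty -Path $tsKey  -Name fDenyTSConnections).fDenyTSConnections
$nlaRequired = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication).UserAuthentication

Write-Host "`n== Remote Desktop =="
Write-Host ("RDP enabled:  {0}" -f ($rdpDisabled -eq 0))
Write-Host ("NLA required: {0}" -f ($nlaRequired -eq 1))

# Inbound firewall rules of the built-in 'Remote Desktop' group (assumption: English
# display name; it is localized on other Windows languages). RemoteAddress 'Any' on
# an enabled rule means RDP is reachable from every network the profile applies to.
$rdpRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -ErrorAction SilentlyContinue
foreach ($rule in $rdpRules) {
    $addr = ($rule | Get-NetFirewallAddressFilter).RemoteAddress -join ', '
    Write-Host ("Rule '{0}': Enabled={1} Profile={2} RemoteAddress={3}" -f `
        $rule.DisplayName, $rule.Enabled, $rule.Profile, $addr)
}

# Accounts allowed to log on over RDP: every member is an account exposed to
# remote logon attempts, so this list should be as short as the job permits.
Write-Host "`n== Remote Desktop Users members =="
Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue |
    Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize
```

Run it on a representative endpoint before writing the HIPS rules: every interpreter path it lists is a candidate for a block-or-ask rule, the process listing shows which legitimate scripts such a rule would interrupt, and the RDP section shows whether Remote Desktop is enabled, whether NLA is required, which remote addresses the inbound rules admit and which accounts may log on. The HIPS rules themselves are still configured in the ESET product, which this script does not touch.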
Marios Kontos (posted March 27, 2018):
I have been affected with Zenis Ransomware. How can I proceed to decrypt my files?

itman (posted March 27, 2018):
3 hours ago, Marios Kontos said:
"I have been affected with Zenis Ransomware. How can I proceed to decrypt my files?"

Are you a registered Eset user? If not, I suggest you post your current situation in this bleepingcomputer.com thread:
https://www.bleepingcomputer.com/forums/t/673319/zenis-ransomware-help-support-topic-zenis-zenis-instructionshtml/page-2?hl=%2Bzenis#entry4471645
Edited March 27, 2018 by itman

itman (posted March 27, 2018):
22 hours ago, Marcos said:
"I've heard from others that Demonslay335 is an admin."

Appears to be Michael Gillespie.

Marios Kontos (posted March 27, 2018):
What do you mean by registered user? I am an endpoint corporate client.

itman (posted March 27, 2018):
34 minutes ago, Marios Kontos said:
"What do you mean register user, I am endpoint corporate client"

See the prior posting above by @Marcos pertaining to sample submission, ELC logs, and encrypted documents.

Marios Kontos (posted March 27, 2018):
Find attached infected files. What else do you need?
[Attachment: Marios.rar]

khairulaizat92 (posted March 27, 2018):
6 hours ago, Marios Kontos said:
"Find attached infected files. What else do you need? Marios.rar"

Hi, I'm just assisting them. Please also provide ELC (Eset Log Collector) logs; you can see how to use the Eset Log Collector in Marcos's signature. Another thing: which country are you from? Call me an old timer, but I do think having an Eset rep (distributor or related to ESET) visit the case site to assess the situation might in some way speed up the process.
