Jason L 0 Posted December 6, 2018 Share Posted December 6, 2018 My office has been attacked by a Dharma (.adobe suffix) ransomware variant but my users had ESET Endpoint Security (5.0.2228.1) running on their PCs (with updated signatures, etc.). How would a ransomware attack still be allowed to infect all their local files (not to mention the server drives) as I would have hoped some form of detection or intervention would to happen. I can forward the logs from one particular PC (using the ESET Log Collector app) to someone if they could provide insight. I have an upset client base here and they are questioning the choice of ESET as a viable product, so hopefully I can get them some reasonable answers. Please help. J. Link to comment Share on other sites More sharing options...
Administrators Marcos 5,143 Posted December 9, 2018 Administrators Share Posted December 9, 2018 Unfortunately, files encrypted by Filecoder.Crysis (aka Dharma) cannot be decrypted. It is very likely that an attacker performed a brute-force RDP attack, disabled or uninstalled AV and ran ransomware to encrypt files. I'd strongly recommend uninstalling Endpoint v5 and installing the latest v7 which also contains Ransomware shield, Network attack protection and also supports streamed updates for a quick response to new threats. Also it is crucial that you secure RDP, e.g. by using 2FA, using RDP only within your LAN and using VPN for remote access, using RDP lockout policies, restricting RDP access on a firewall only to specific IP addresses, etc. Please email the following stuff to samples[at]eset.com: - a couple of encrypted Office documents - payment instructions dropped by the ransomware - ESET Log Collector logs (upload the archive to a safe location, such as OneDrive, DropBox, etc. and provide a download link) - a link to this topic. It is important to understand that installing only an antivirus program without taking other security measures will not ensure safety. If an attacker remotes in with administrator rights, he or she can do virtually anything. However, even if that happens having password protection of settings as well as detection of potentially unsafe applications enabled should prevent him or her from successfully running malware which probably wasn't this case either. Link to comment Share on other sites More sharing options...
itman 1,707 Posted December 9, 2018 Share Posted December 9, 2018 This Eset knowledgebase article also has a few additional recommendations in regards to best practices against ransomware: https://support.eset.com/kb3433/?locale=en_US&viewlocale=en_US Link to comment Share on other sites More sharing options...
Recommended Posts