Ransomware SDEN


Hi everyone,

Today one of our customers reported a problem to us: he has 2 servers encrypted by a ransomware named SDEN, which changes files to a new .sden

They had ESET File Security installed but it did not stop the attack. I know it's not just antivirus when we talk about ransomware, but I want to help my client so that it does not happen again. How can you help me with this case? What kind of information do I send?

You can see some snapshots about it in the attachments: Sistema.jpg, Basefirmas_actualizada.jpg, Detección_pero_cifro.jpg, Programas instalados.jpg


It's a new Matrix ransomware variant: https://twitter.com/demonslay335/status/1110188987690504193

Matrix ransomware attacks have involved hacked RDP connections, as described in this article:

Quote

How to protect yourself from the Matrix Ransomware

In order to protect yourself from ransomware in general, it is important that you use good computing habits and security software. First and foremost, you should always have a reliable and tested backup of your data that can be restored in the case of an emergency, such as a ransomware attack.

As the Matrix Ransomware may be installed via hacked Remote Desktop services, it is very important to make sure it's locked down correctly. This includes making sure that no computers running remote desktop services are connected directly to the Internet. Instead, place computers running remote desktop behind VPNs so that they are only accessible to those who have VPN accounts on your network.

It is also important to set up proper account lockout policies so that it is difficult for accounts to be brute forced over Remote Desktop Services.

https://www.bleepingcomputer.com/news/security/new-matrix-ransomware-variants-installed-via-hacked-remote-desktop-services/

Edited by itman

4 hours ago, itman said:

It's a new Matrix ransomware variant: https://twitter.com/demonslay335/status/1110188987690504193

From ESET "WHITE PAPER":

Ransomware Shield
ESET Ransomware Shield is an additional layer protecting users from the threat also known as extortion malware. This technology monitors and evaluates all executed applications using behavioral and reputation-based heuristics. Whenever a behavior that resembles ransomware is identified or the potential malware tries to make unwanted modifications to existing files (i.e. to encrypt them), this feature notifies the user. Ransomware Shield is fine-tuned to offer the highest possible level of ransomware protection together with other ESET technologies including Cloud Malware Protection System, Network Attack Protection and DNA Detections.

Obviously, the "Ransomware Shield" doesn't work. The fact that it is a "new" variant is not an explanation. If it had been an "old" variant, it probably would have been detected even by MSE.


  • Administrators

Novice, please stop trolling and refrain from ranting. Stop blaming ESET without any proof that we failed to stop ransomware. Without forensic analysis it is impossible to make any conclusions! How do you know that the user had ESET password protected? What if it wasn't, and an attacker remoted in via RDP because the OP didn't have RDP secured, paused protection and then ran the ransomware? We don't know yet what happened, so we can't make any conclusions without proof either.

And if you expect 100% malware protection and consider missing a threat a big, big fail, then show us an antivirus with 100% detection that doesn't miss a single threat and we'll prove otherwise.


4 hours ago, Marcos said:

Stop blaming ESET

This is not the first time that ESET, described as fully capable of stopping ransomware, failed to do so.

See here:

 

... and your best explanation was "It's been seen on less than 10 machines in total"!!!!!

The OP clearly mentioned that "Other vendors have successfully blocked the encryption through their behavioral detection layer" and the detection ratio on VirusTotal was 35/63.

Common sense dictates that something is not quite right with ESET. And it is not ranting...


14 hours ago, Mauricio Osorio said:

They had ESET File Security installed but it did not stop the attack. I know it's not just antivirus when we talk about ransomware, but I want to help my client so that it does not happen again. How can you help me with this case? What kind of information do I send?

Since the attack methods of SamSam are similar to Matrix ransomware, here is a posting I made a while back in regard to additional RDP mitigations that should be deployed: https://forum.eset.com/topic/17808-samsam-ransomware-targeting-multiple-industries/

Also, here is a guide to adding additional HIPS rules to supplement Eset's anti-ransomware shield protection: https://support.eset.com/kb6119/?locale=en_US&viewlocale=en_US


15 hours ago, itman said:

It's a new Matrix ransomware variant: https://twitter.com/demonslay335/status/1110188987690504193

Matrix ransomware attacks have involved hacked RDP connections, as described in this article:

https://www.bleepingcomputer.com/news/security/new-matrix-ransomware-variants-installed-via-hacked-remote-desktop-services/

Thanks! This information is very useful.

  • Administrators

Files were encrypted by Filecoder.LockedFile. According to the logs, there were about 170,000 failed attempts to log in via RDP as "administrator" and the like in approx. one day, when the encryption occurred. Also, an older version of EFSW 6.5 without Ransomware Shield was installed.

The OP was informed and improvements in protection were suggested.


2 minutes ago, Marcos said:

Also, an older version of EFSW 6.5 without Ransomware Shield was installed.

That's somewhat what I expected. Thanks for the feedback.


6 hours ago, Marcos said:

According to the logs, there were about 170,000 failed attempts to log in via RDP as "administrator" and alike in approx. one day when the encryption occurred.

I will also add that this is a classic example of an RDP brute force attack. Simply implementing an account lockout policy after three failed logon attempts would prevent this.

Edited by itman
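Both the quoted BleepingComputer advice and itman's last post come down to the same control: an account lockout policy so that RDP password guessing stops after a few failures, plus a look at the Security log to see whether guessing is already going on. The PowerShell below is an added example written for this thread, not ESET's or any poster's code. It assumes a standalone Windows Server where local policy applies (on a domain member the same values are set in Group Policy instead), and the values 3 attempts / 30 minutes are chosen for the example. The second half counts failed logons (Event ID 4625) in the last day, which is how a figure like the 170,000 attempts in Marcos's post would be confirmed on the server itself.

```powershell
# Added example (not from the thread): lock out accounts after repeated bad
# passwords and summarise failed RDP/network logons from the Security log.
# Assumes local policy on a standalone server; thresholds are example values.

# 1. Account lockout: 3 failed attempts, 30-minute lockout, 30-minute window.
net accounts /lockoutthreshold:3 /lockoutduration:30 /lockoutwindow:30
net accounts   # show the effective policy so the change can be confirmed

# 2. Failed logons (Event ID 4625) in the last 24 hours. Logon type 10 is
#    RemoteInteractive (RDP); type 3 is Network, which RDP with NLA also
#    produces when the password is wrong, so both are counted.
$since  = (Get-Date).AddDays(-1)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                       -ErrorAction SilentlyContinue

$failed = foreach ($e in $events) {
    # Read the EventData fields by name rather than by position.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($d.LogonType -in '3', '10') {
        [pscustomobject]@{
            Time      = $e.TimeCreated
            Account   = $d.TargetUserName
            SourceIP  = $d.IpAddress
            LogonType = $d.LogonType
        }
    }
}

"Failed RDP/network logons since $since : $($failed.Count)"
"Top source addresses:"
$failed | Group-Object SourceIP | Sort-Object Count -Descending | Select-Object -First 10 Count, Name
"Top targeted accounts:"
$failed | Group-Object Account  | Sort-Object Count -Descending | Select-Object -First 10 Count, Name
```

A handful of failures per source per hour is normal; thousands against "administrator" from one address is the brute force pattern Marcos described. The lockout policy stops the guessing from succeeding, but as the quoted article says, the server should not expose RDP to the Internet at all; keep it behind a VPN or gateway so the log stays quiet in the first place.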

This topic is now closed to further replies.