Mauricio Osorio, Posted May 13, 2019

Hi everyone,

Today one of our customers reported a problem to us: he has 2 servers encrypted by a ransomware named SDEN; it renames files with a new .sden extension. They had ESET File Security installed, but it did not stop the attack. I know it's not just antivirus when we talk about ransomware, but I want to help my client so that it does not happen again. How can you help me with this case? What kind of information do I send? You can see in the attachment some snapshots about it.
itman, Posted May 13, 2019 (edited May 13, 2019 by itman)

It's a new Matrix ransomware variant: https://twitter.com/demonslay335/status/1110188987690504193

Matrix ransomware attacks involved hacked RDP connections, as described in this article:

Quote:
How to protect yourself from the Matrix Ransomware
In order to protect yourself from ransomware in general, it is important that you use good computing habits and security software. First and foremost, you should always have a reliable and tested backup of your data that can be restored in the case of an emergency, such as a ransomware attack. As the Matrix Ransomware may be installed via hacked Remote Desktop services, it is very important to make sure it's locked down correctly. This includes making sure that no computers running remote desktop services are connected directly to the Internet. Instead, place computers running remote desktop behind VPNs so that they are only accessible to those who have VPN accounts on your network. It is also important to set up proper account lockout policies so that it makes it difficult for accounts to be brute-forced over Remote Desktop Services.

https://www.bleepingcomputer.com/news/security/new-matrix-ransomware-variants-installed-via-hacked-remote-desktop-services/
novice, Posted May 14, 2019

4 hours ago, itman said:
It's a new Matrix ransomware variant: https://twitter.com/demonslay335/status/1110188987690504193

From the ESET "WHITE PAPER":

Ransomware Shield
ESET Ransomware Shield is an additional layer protecting users from the threat also known as extortion malware. This technology monitors and evaluates all executed applications using behavioral and reputation-based heuristics. Whenever a behavior that resembles ransomware is identified or the potential malware tries to make unwanted modifications to existing files (i.e. to encrypt them), this feature notifies the user. Ransomware Shield is fine-tuned to offer the highest possible level of ransomware protection together with other ESET technologies including Cloud Malware Protection System, Network Attack Protection and DNA Detections.

Obviously, the "Ransomware Shield" doesn't work. The fact that it is a "new" variant is not an explanation. If it had been an "old" variant, it probably would have been detected even by MSE.
Marcos (Administrators), Posted May 14, 2019

Novice, please stop trolling and refrain from ranting. Stop blaming ESET without any proof that we failed to stop ransomware. Without forensic analysis it is impossible to draw any conclusions! How do you know that the user had ESET password protected? What if it wasn't, and an attacker remoted in via RDP because the OP didn't have RDP secured, paused protection and then ran the ransomware? We don't know yet what happened, so we can't draw any conclusions without proof either. And if you expect 100% malware protection and consider missing a threat a big, big fail, then show us an antivirus with 100% detection that doesn't miss a single threat and we'll prove otherwise.
novice, Posted May 14, 2019

4 hours ago, Marcos said:
Stop blaming ESET

This is not the first time that ESET, described with full capabilities to stop a ransomware, failed to do it. See here: ... and your best explanation was "It's been seen on less than 10 machines in total"!!!!! The OP clearly mentioned that "Other vendors have successfully blocked the encryption through their behavioral detection layer" and the detection ratio on VirusTotal was 35/63. Common sense dictates that something is not quite right with ESET. And it is not ranting...
itman, Posted May 14, 2019

14 hours ago, Mauricio Osorio said:
They had ESET File Security installed, but it did not stop the attack. I know it's not just antivirus when we talk about ransomware, but I want to help my client so that it does not happen again. How can you help me with this case? What kind of information do I send?

Since the attack methods of SamSam are similar to Matrix ransomware, here is a posting I made a while back in regard to additional RDP mitigations that should be deployed: https://forum.eset.com/topic/17808-samsam-ransomware-targeting-multiple-industries/

Also, here is a guide to adding additional HIPS rules to supplement ESET's anti-ransomware shield protection: https://support.eset.com/kb6119/?locale=en_US&viewlocale=en_US
Mauricio Osorio (Author), Posted May 14, 2019

15 hours ago, itman said:
It's a new Matrix ransomware variant: https://twitter.com/demonslay335/status/1110188987690504193
Matrix ransomware attacks involved hacked RDP connections, as described in this article: https://www.bleepingcomputer.com/news/security/new-matrix-ransomware-variants-installed-via-hacked-remote-desktop-services/

Thanks!... this information is very useful.
Marcos (Administrators), Posted May 14, 2019

Files were encrypted by Filecoder.LockedFile. According to the logs, there were about 170,000 failed attempts to log in via RDP as "administrator" and the like in approx. one day when the encryption occurred. Also, an older version of EFSW 6.5 without Ransomware Shield was installed. The OP was informed and improvements in protection were suggested.
itman, Posted May 14, 2019

2 minutes ago, Marcos said:
Also an older version of EFSW 6.5 without Ransomware shield was installed.

That's somewhat what I expected. Thanks for the feedback.
Mauricio Osorio (Author), Posted May 14, 2019

Thanks all of you. Regards.
itman, Posted May 14, 2019 (edited May 14, 2019 by itman)

6 hours ago, Marcos said:
According to the logs, there were about 170,000 failed attempts to log in via RDP as "administrator" and alike in approx. one day when the encryption occurred.

Will also add that this is a classic example of an RDP brute force attack. Simply implementing an account lockout policy after three failed logon attempts would prevent this.
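The pattern Marcos describes (a flood of failed "administrator" RDP logons before the encryption) is visible in the Windows Security log long before the ransomware runs. As an added example, not code from ESET or any poster in this thread, here is a small Python detector over constructed rows in the shape of Security event 4625 (failed logon; LogonType 10 is RDP), which flags any source that reaches itman's suggested lockout threshold of three failures inside a sliding window; the field layout, sample IPs and account names are assumptions made up for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample rows, NOT real customer logs: fields of Windows Security
# event 4625 (an account failed to log on): TimeCreated, EventID, LogonType,
# TargetUserName, IpAddress. LogonType 10 (RemoteInteractive) is an RDP logon;
# type 3 is a network logon and is ignored by the detector below.
SAMPLE_EVENTS = """\
2019-05-12T02:00:00,4625,10,administrator,203.0.113.7
2019-05-12T02:00:01,4625,10,administrator,203.0.113.7
2019-05-12T02:00:02,4625,10,Administrator,203.0.113.7
2019-05-12T02:00:03,4625,10,admin,203.0.113.7
2019-05-12T02:00:04,4625,10,administrator,203.0.113.7
2019-05-12T02:00:05,4625,10,backup,203.0.113.7
2019-05-12T02:05:00,4625,10,jsmith,198.51.100.5
2019-05-12T02:06:00,4625,3,svc_sql,192.0.2.9
2019-05-12T02:06:01,4625,3,svc_sql,192.0.2.9
"""

def parse_events(text):
    """Parse the CSV-style rows above into dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        ts, event_id, logon_type, user, ip = line.split(",")
        events.append({"time": datetime.fromisoformat(ts), "event_id": int(event_id),
                       "logon_type": int(logon_type), "user": user, "ip": ip})
    return events

def detect_rdp_bruteforce(events, threshold=3, window=timedelta(minutes=10)):
    """Flag source IPs with >= threshold failed RDP logons inside any sliding window.
    Returns {ip: {"count": peak failures seen in one window, "users": sorted names}}."""
    recent = defaultdict(deque)   # ip -> timestamps of failed RDP logons still in window
    users = defaultdict(set)      # ip -> account names that source has tried
    alerts = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["event_id"] != 4625 or ev["logon_type"] != 10:
            continue              # only failed RDP (RemoteInteractive) logons count
        q = recent[ev["ip"]]
        q.append(ev["time"])
        users[ev["ip"]].add(ev["user"])
        while ev["time"] - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            peak = max(len(q), alerts.get(ev["ip"], {}).get("count", 0))
            alerts[ev["ip"]] = {"count": peak, "users": sorted(users[ev["ip"]])}
    return alerts
```

On the sample, only 203.0.113.7 is flagged (six failures across four account-name variants in a few seconds); the single typo from 198.51.100.5 and the non-RDP failures from 192.0.2.9 are not, which is the same distinction an account lockout threshold of three would make.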