SeriousHoax Posted September 20, 2019
It's a relatively new ransomware named GoRansom POC Ransomware. ESET doesn't have a signature for it yet. On execution it failed to detect the encryption made by the ransomware. On a side note: Kaspersky, which is very well known to protect against ransomware, failed to stop this ransomware as well. So it seems like a serious one. My reason for posting is not to blame ESET but to ask what's so special about this ransomware that other reputable AVs' ransomware protection modules are failing as well. Hopefully ESET will analyze it and protect users from similar ransomware in the future. A link to the ESET test: https://malwaretips.com/threads/goransom-poc-ransomware-20-09-2019.95105/post-835332 The sample has already been sent to ESET. I can share the sample here if you want. This is the SHA-256 file hash: 83b3dc0ce9250636c0a19335e7991e90646e46b2e0fc376c0d3fa1abf013104d
itman Posted September 20, 2019
SeriousHoax said: A link to the ESET test: https://malwaretips.com/threads/goransom-poc-ransomware-20-09-2019.95105/post-835332
You need a malwaretips.com logon to see the POC. I suggest you post it here so all can view.
itman Posted September 20, 2019
SeriousHoax said: This is the SHA-256 file hash: 83b3dc0ce9250636c0a19335e7991e90646e46b2e0fc376c0d3fa1abf013104d
Still no detection by Eset or Kaspersky. But Microsoft, i.e. Windows Defender, detects it. Also, BitDefender detects it.
SeriousHoax (Author) Posted September 20, 2019
itman said: You need a malwaretips.com logon to see the POC. I suggest you post it here so all can view.
Sorry about that. I forgot. Here are two screenshots.
SeriousHoax (Author) Posted September 20, 2019
itman said: Still no detection by Eset or Kaspersky. But Microsoft, i.e. Windows Defender, detects it. Also, BitDefender detects it.
Yes. WD doesn't have a signature locally, but it is detected by their cloud signature. ESET & Kaspersky don't have signatures and their ransomware protection modules fail to stop the threat as well. Bitdefender and AVG have signatures but their behavior blockers fail to block the encryption. The ransomware is probably doing something differently, which is why it is able to bypass every AV's behavior blocker/ransomware protection module. Bitdefender can block encryption of files made by this ransomware in the protected folders. Another example of why ESET should have it too.
itman Posted September 20, 2019
More details on this ransomware are here: https://translate.google.ru/translate?hl=ru&tab=wT&sl=ru&tl=en&u=https%3A%2F%2Fid-ransomware.blogspot.com%2F2019%2F09%2Fgoransom-poc-ransomware.html It is using XOR for its encryption activities. I suspect this is why it is "flying under the radar" of security solutions monitoring for specific crypto APIs.
itman Posted September 20, 2019
Of note is that none of the Next Gen solutions on VT are detecting this. This would be a clear indication that the behavior employed by this ransomware is new and their ML engines haven't been tuned to detect it.
SeriousHoax (Author) Posted September 20, 2019
itman said: More details on this ransomware are here: https://translate.google.ru/translate?hl=ru&tab=wT&sl=ru&tl=en&u=https%3A%2F%2Fid-ransomware.blogspot.com%2F2019%2F09%2Fgoransom-poc-ransomware.html It is using XOR for its encryption activities. I suspect this is why it is "flying under the radar" of security solutions monitoring for specific crypto APIs.
Interesting. I don't know what XOR is, but maybe Windows Defender's Advanced ransomware protection can block this? Any idea?
SeriousHoax (Author) Posted September 20, 2019
itman said: Of note is that none of the Next Gen solutions on VT are detecting this. This would be a clear indication that the behavior employed by this ransomware is new and their ML engines haven't been tuned to detect it.
You're right, I think. I'm not much of a fan of nextgen AVs anyway.
itman Posted September 20, 2019
SeriousHoax said: I don't know what XOR is, but maybe Windows Defender's Advanced ransomware protection can block this? Any idea?
This is far from the first ransomware employing XOR techniques. Here are a few other examples: https://www.rsa.com/en-us/blog/2017-05/how-ransomware-uses-tmp-files-and-the-temp-folder https://www.cybereason.com/blog/the-sodinokibi-ransomware-attack https://blog.malwarebytes.com/threat-analysis/2018/04/lockcrypt-ransomware/ So my guess is that how it was deployed is new, and this is why it wasn't detected by a number of solutions. This is a perfect example of why everyone needs to back up their user files and keep them off-line, or keep the online backup location locked down access-wise. It is also another strong case for the use of anti-ransomware solutions like AppCheck or Checkpoint's solution. These use "bait" files to detect file modification and therefore are not dependent upon detecting ransomware behavior methods.
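A minimal bait-file check of the kind itman describes, added here as an illustration; it is not code from AppCheck, Checkpoint or any other product named in the thread, and the decoy names and contents are constructed for the example. The point it shows is that the check fires on any change to a decoy, regardless of whether the writer used a crypto API, XOR, or anything else.

```python
import hashlib
import os
import tempfile

# Decoy content is constructed for this example; a real product plants
# its own files, usually with names that sort early in a directory listing.
BAIT_CONTENT = b"Quarterly figures placeholder (constructed decoy)\n"


def plant_baits(root, names=("~report.docx", "zz_invoices.xlsx")):
    """Write decoy files under root and return {path: sha256} as the baseline."""
    baseline = {}
    for name in names:
        path = os.path.join(root, name)
        with open(path, "wb") as fh:
            fh.write(BAIT_CONTENT)
        baseline[path] = hashlib.sha256(BAIT_CONTENT).hexdigest()
    return baseline


def check_baits(baseline):
    """Return the decoys whose content no longer matches the baseline.

    A missing file counts as tampered too (renamed or deleted). The check is
    content-based, so it does not depend on how the file was rewritten.
    """
    tampered = []
    for path, expected in baseline.items():
        try:
            with open(path, "rb") as fh:
                current = hashlib.sha256(fh.read()).hexdigest()
        except FileNotFoundError:
            tampered.append(path)
            continue
        if current != expected:
            tampered.append(path)
    return tampered


def demo():
    """Plant decoys, rewrite one in place, and return (before, after) results."""
    root = tempfile.mkdtemp()
    baseline = plant_baits(root)
    before = check_baits(baseline)            # nothing touched yet
    victim = next(iter(baseline))             # first decoy planted
    with open(victim, "rb") as fh:
        data = fh.read()
    with open(victim, "wb") as fh:            # in-place rewrite of the decoy only
        fh.write(bytes(b ^ 0x5A for b in data))
    after = check_baits(baseline)             # the rewritten decoy is reported
    return before, after
```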
itman Posted September 20, 2019
SeriousHoax said: maybe Windows Defender's Advanced ransomware protection can block this?
No need for the ASR mitigation. Assumed is that WD's cloud sandbox has Controlled Folders enabled. An unknown process performing repeated file modification activities against the same is enough to flag the unknown process. This is why MS had a sig. for it so quickly.
Marcos (Administrator) Posted September 20, 2019
It's a PoC with an encryptor and decryptor in one. The instructions for decryption say: Run the ransomware in the command line with one argument, decrypt. Example: GoRansom.exe decrypt. So detecting the sample would mean that users would not be able to decrypt their files if it was detected and blocked by ESET.
peteyt (Most Valued Member) Posted September 20, 2019
Marcos said: It's a PoC with an encryptor and decryptor in one. The instructions for decryption say: Run the ransomware in the command line with one argument, decrypt. Example: GoRansom.exe decrypt. So detecting the sample would mean that users would not be able to decrypt their files if it was detected and blocked by ESET.
Could it not block them before it was able to encrypt? Then you wouldn't need to decrypt.
itman Posted September 20, 2019
Marcos said: It's a PoC with an encryptor and decryptor in one. The instructions for decryption say: Run the ransomware in the command line with one argument, decrypt. Example: GoRansom.exe decrypt. So detecting the sample would mean that users would not be able to decrypt their files if it was detected and blocked by ESET.
Translating, it presently falls into the category of "educational" ransomware. There are others in this category. These types of ransomware are used for lab demonstration and forensic purposes. However, as the previously linked ID-Ransomware article notes, these types of ransomware are often used maliciously:
Quote: "According to the Intezer analysis, it can be connected with the leaked tools of the cyber group APT34 (aka Oilrig and HelixKitten), which could be used by other cybercriminals."
As such, there is absolutely no excuse for Eset not to be detecting this sample. At the very least, it should be detected as a PUA. Oh, I forgot. Eset, God forbid, might possibly be "dinged" for an FP detection on it.
itman Posted September 20, 2019
As far as "educational" ransomware being used maliciously goes, there is the infamous Hidden Tear incident, aptly documented by Trend Micro here: https://blog.trendmicro.com/trendlabs-security-intelligence/a-case-of-too-much-information-ransomware-code-shared-publicly-for-educational-purposes-used-maliciously-anyway/
itman Posted September 20, 2019
VT update - Kaspersky and even MalwareBytes detect it, but still not Eset.
Marcos (Administrator) Posted September 20, 2019
Not true, it takes VT some time to update. Plus VT doesn't take into account when a particular file was blacklisted in LiveGrid, which happened hours ago.

ECLS Command-line scanner, version 7.0.2097.0, (C) 1992-2018 ESET, spol. s r.o.
Module loader, version 1018.1 (20190709), build 1054
Module perseus, version 1554.1 (20190731), build 2050
Module scanner, version 20053 (20190920), build 42838
Module archiver, version 1291 (20190823), build 1305
Module advheur, version 1193 (20190626), build 1175
Module cleaner, version 1195 (20190610), build 1293
name="70e50d0eae76044b3c022cdb423bd47e525a8891", threat="Win32/Filecoder.NXW trojan"
itman Posted September 20, 2019
Marcos said: Plus VT doesn't take into account when a particular file was blacklisted in LiveGrid, which happened hours ago.
Since I have no way to dispute this, the statement is taken at face value. For testers, I advise you to test your sample hourly and maintain a log of test times until Eset blacklist detection. This evidence can then be used to dispute any Eset claims otherwise.
Marcos said: name="70e50d0eae76044b3c022cdb423bd47e525a8891", threat="Win32/Filecoder.NXW trojan"
Per the VirusRadar database, this was added to the 20053 sig. update I received at 3:37 PM EST. This is approx. 11 hours after @SeriousHoax made his initial posting in this thread and submitted the sample to Eset for analysis.
itman Posted September 21, 2019
For anyone interested, there is a video on this ransomware here: https://app.any.run/tasks/707d4e41-ff12-4179-85dc-1f41d6f85531/
URBAN0 Posted September 21, 2019
How relevant are these results? It failed the simulation big time. Is it because ESET doesn't support simulation, or is it having a hard time compared to a real one? Should I be worried 😉
Marcos (Administrator) Posted September 21, 2019
There is nothing to worry about. While we internally recognize Ransim, it's a simulator that doesn't do any harm, and whether an AV passes the test or not doesn't tell you anything about how well the AV protects against actual ransomware or other types of malware.
itman Posted September 21, 2019
URBAN0 said: Is it because ESET doesn't support simulation?
Yes. Refer to my previous thread on RanSim here: https://forum.eset.com/topic/10792-ransomware-simulators-a-detailed-analysis/
URBAN0 Posted September 21, 2019
My limited knowledge shows 😀 Thank you.
SeriousHoax (Author) Posted September 21, 2019
itman said: Per the VirusRadar database, this was added to the 20053 sig. update I received at 3:37 PM EST. This is approx. 11 hours after @SeriousHoax made his initial posting in this thread and submitted the sample to Eset for analysis.
One thing I noticed is that if a sample is submitted to ESET via email, they respond fast. A few days ago they replied with a verdict on the malware within 25 minutes, and another time within 13 minutes. Both times I sent them 3 samples. The response time may vary depending on the workload and time of day, but it is certainly a better procedure than sending via the product.
itman Posted September 21, 2019
SeriousHoax said: One thing I noticed is that if a sample is submitted to ESET via email, they respond fast.
I have seen quick responses via product submission. What gets their attention is the supporting verbiage provided, plus references to authoritative source detections such as VT. Better yet, a Hybrid-Analysis scan and a Dr. Web detailed analysis, if provided there.