Files encrypted by ransomware


For testing purposes I ran this ransomware in a VM and it encrypted everything in the Desktop and Library folders, including Documents, Pictures, etc., with the MZ173801 extension. No alert from any ESET module. The sample was automatically sent to ESET. The ransom note is attached below. Hopefully the necessary steps will be taken so that ESET's ransomware module can detect this kind of encryption in the future, and please stop caring too much about false positives if you can.

Virustotal: https://www.virustotal.com/gui/file/7a92a80e742dbcb0d30948dbf6c4d7a6236a5692c5864a1276cfc84d5c71e375/detection

This one looks like it is related to the ransomware as well. It does exactly the same thing as the one above: https://www.virustotal.com/gui/file/52d93471de20f886a059f5d6b5751afc1929e1aed28c5e39404445f462069479/detection

Read_ME_PLS.txt

Edited by SeriousHoax

Malwarebytes Anti-Ransomware is a stand-alone program, free for everybody.

It is integrated into the paid Malwarebytes product, but can be used as a standalone program.

See here:

https://blog.malwarebytes.com/malwarebytes-news/2016/01/introducing-the-malwarebytes-anti-ransomware-beta/

Edited by TomasP
changed font size to regular

27 minutes ago, Hpoonis said:

Whew! I think you need to make that louder.

I think it's because he copied and pasted from another link. Recently Malwarebytes has lost the reputation it built some time ago; I stopped trusting them. For security products I would go for three of these: ESET, Kaspersky, HitmanPro (as a second-opinion scanner).


2 minutes ago, BALTAGY said:

I think machine learning, Ransomware Shield and HIPS need to be improved.

I also tested another one, with no alert from ESET.

Was HIPS set to Automatic or Smart?


Just now, BALTAGY said:

Automatic

Wondering if Smart makes any difference.

Policy / Interactive should prompt you to allow or deny the actions, I think; I never tried.


Just now, Rami said:

Wondering if Smart makes any difference.

Policy / Interactive should prompt you to allow or deny the actions, I think; I never tried.

I did test Smart for some time; I never got any alert.


2 hours ago, Rami said:

Recently Malwarebytes has lost its reputation

It is true, but the ransomware shield from Malwarebytes was acquired from another company; it is not an "in house" product.

Moreover, it is a behavior shield, not signature based.

I tested several times with live ransomware (WannaCry one of them); each and every time I had 4 files encrypted and, after that, the ransomware was quarantined.

Edited by local

The vendors detecting this sample at VT are doing so generically. That is, either through initial heuristic or behavior methods at run time. I assume this is by monitoring user AppData directories for file encryption activities.

It is assumed this sample must be employing new encryption methods that have not been learned by Eset's advanced machine learning or deep behavioral inspection.

If you want 100% ransomware protection from Eset, create appropriate HIPS rules to lock down file modification activities in the user AppData directories and learn to live with the resultant access alerts from legit apps attempting access to those directories.

-EDIT- Maybe it's time to "revive" the thread on the need for Eset to provide Controlled Folders protection?

Edited by itman

16 minutes ago, itman said:

The vendors detecting this sample at VT are doing so generically. That is, either through initial heuristic or behavior methods at run time. I assume this is by monitoring user AppData directories for file encryption activities.

It is assumed this sample must be employing new encryption methods that have not been learned by Eset's advanced machine learning or deep behavioral inspection.

If you want 100% ransomware protection from Eset, create appropriate HIPS rules to lock down file modification activities in the user AppData directories and learn to live with the resultant access alerts from legit apps attempting access to those directories.

-EDIT- Maybe it's time to "revive" the thread on the need for Eset to provide Controlled Folders protection?

Personally I know there's no 100% protection, but machine learning and HIPS need to be improved and used more.

Also, folder control is another way to be more protected, I agree.

When I tested another ransomware, Bitdefender's machine learning detected it but ESET did not, and today I saw 3 other new ransomware samples that were not detected by ESET.


Also it might be time to review how ransomware is delivered.

It doesn't just "magically" arrive on your PC as a stand alone script or executable. The vast majority of ransomware is delivered via e-mail methods. If the dropper or delivery mechanism is detected, the ransomware is never executed.

Bottom line: stand-alone ransomware sample testing is susceptible to wrong assumptions about overall security product detection methods.


15 minutes ago, BALTAGY said:

Yes, but the common denominator is???

Microsoft detected all of them.

Edited by local

3 hours ago, BALTAGY said:

I did test Smart for some time; I never got any alert.

Smart mode isn't very smart but still an improvement over Automatic mode. I don't understand why Smart isn't the default mode yet.


3 minutes ago, SeriousHoax said:

Smart mode isn't very smart but still an improvement over Automatic mode. I don't understand why Smart isn't the default mode yet.

Did you test it? And had different results? (I'm just curious to know.)


10 minutes ago, local said:

Yes, but the common denominator is???

Microsoft detected all of them.

Microsoft is known for very high false positives.


2 minutes ago, Rami said:

Did you test it? And had different results? (I'm just curious to know.)

No I didn't have the time yet. Maybe ESET is already detecting it via LiveGrid. I'll try checking when I get back home.


1 hour ago, itman said:

If you want 100% ransomware protection from Eset, create appropriate HIPS rules to lock down file modification activities in the user AppData directories and learn to live with the resultant access alerts from legit apps attempting access to those directories.

You know this isn't suitable for day-to-day use, at least not the way ESET is at the moment. I create this kind of rule in Kaspersky, and in the case of Kaspersky, instead of only AppData, I select the whole C drive and other important folders on other drives. It's practical in Kaspersky thanks to Application Manager and reputation info from KSN: there you can make rules to allow trusted programs automatically and ask permission when something else tries to do any modification. ESET doesn't have anything similar to that, but it's very much possible to implement something like this in the product, as it already has LiveGrid.

Edited by SeriousHoax


It's now detected by ESET: Win32/Filecoder.NZG

In my opinion what needs to be improved is the machine learning and HIPS, but I am not an expert like those who program at ESET, for sure. Also, as SeriousHoax said, Application Manager and Reputation (rep is already there), to be combined with everything, so the AI could try to decide whether this app is trying to do malicious things or not.

But I could be mistaken, I don't know, but also as itman said, nothing is 100% safe.
