SeriousHoax

Files encrypted by ransomware


For testing purposes I ran this ransomware in a VM and it encrypted everything in the Desktop and Library folders, including Documents, Pictures, etc., with the MZ173801 extension. No alert from any ESET module. The sample was automatically sent to ESET. The ransom note is attached below. Hopefully the necessary steps will be taken so that ESET's ransomware module can detect this kind of encryption in the future, and please stop caring too much about false positives if you can.

Virustotal: https://www.virustotal.com/gui/file/7a92a80e742dbcb0d30948dbf6c4d7a6236a5692c5864a1276cfc84d5c71e375/detection

This one looks like it is related to the ransomware as well. It does exactly the same thing as the above: https://www.virustotal.com/gui/file/52d93471de20f886a059f5d6b5751afc1929e1aed28c5e39404445f462069479/detection

Read_ME_PLS.txt


Malwarebytes Anti-Ransomware is a stand-alone program, free for everybody.

It is integrated in the paid Malwarebytes product, but can be used as a standalone program.

see here:

https://blog.malwarebytes.com/malwarebytes-news/2016/01/introducing-the-malwarebytes-anti-ransomware-beta/


Ah silly me, I didn't notice it's the anti-ransomware you're talking about. I'll check that in my free time.

27 minutes ago, Hpoonis said:

Whew! I think you need to make that louder.

I think it's because he copied and pasted from another link. Recently Malwarebytes has lost the reputation it built some time ago; I stopped trusting them. For security products I would go for three of these: ESET, Kaspersky, HitmanPro (as a second-opinion scanner).

I think machine learning, Ransomware Shield and HIPS need to be improved.

I also tested another one, with no alert from ESET.
2 minutes ago, BALTAGY said:

I think machine learning, Ransomware Shield and HIPS need to be improved.

I also tested another one, with no alert from ESET.

Was HIPS set to Automatic or Smart?

Just now, Rami said:

Was HIPS set to Automatic or Smart?

Automatic

Just now, BALTAGY said:

Automatic

Wondering if Smart makes any difference.

Policy-based / Interactive should prompt you to allow or deny the actions, I think. I never tried.
Just now, Rami said:

Wondering if Smart makes any difference.

Policy-based / Interactive should prompt you to allow or deny the actions, I think. I never tried.

I tested Smart for some time; I never got any alert.
2 hours ago, Rami said:

recently Malwarebytes has lost its reputation

It is true, but the ransomware shield from Malwarebytes was acquired from another company; it is not an "in-house" product.

Moreover, it is a behavior shield, not signature-based.

I tested several times with live ransomware (WannaCry one of them); each and every time I had 4 files encrypted and, after that, the ransomware was quarantined.

I would rather use this link than the Softonic one:

https://www.bleepingcomputer.com/download/malwarebytes-anti-ransomware/


The vendors detecting this sample at VT are doing so generically, that is, through initial heuristic or behavior methods at run time. I assume this is done by monitoring user AppData directories for file encryption activities.

My assumption is that this sample must be employing new encryption methods that have not been learned by ESET's advanced machine learning or deep behavioral inspection.

If you want 100% ransomware protection from ESET, create appropriate HIPS rules to lock down file modification activities in the user AppData directories and learn to live with the resulting access alerts from legitimate apps attempting access to those directories.

-EDIT- Maybe it is time to "revive" the "need for ESET to provide Controlled Folders protection" thread?
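As an added illustration of the behavior-based approach described in the post above (monitoring user folders for encryption-like writes) and of the "a few files encrypted, then quarantined" behaviour reported earlier in the thread for Malwarebytes Anti-Ransomware, here is a toy detector in Python. It is not ESET's, Malwarebytes' or any other vendor's code: the thresholds, the folder paths, the SHA-256-counter toy cipher used only to fabricate ciphertext-like bytes, and the sample documents are all constructed for this demo. Only the `.MZ173801` extension and the `Read_ME_PLS.txt` note name come from the thread.

```python
"""Toy behavioural ransomware detector.

Compares two snapshots of a user folder and flags the pattern seen in the
thread: a burst of files rewritten as high-entropy data, renamed with an
extra extension, plus a dropped ransom note. Constructed demo, not any
product's engine.
"""
import hashlib
import math
import os
from collections import Counter

# Thresholds are assumptions chosen for this demo, not values from any product.
ENTROPY_JUMP = 2.0     # rise in bits/byte between old and new content of one file
HIGH_ENTROPY = 7.0     # bits/byte typical of ciphertext or compressed data
BURST = 4              # files hit before we call it ransomware (cf. "4 files encrypted")
RANSOM_NOTE = "read_me_pls.txt"   # note name from the thread, matched case-insensitively


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the empirical byte distribution (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def analyse(before: dict, after: dict) -> dict:
    """Score the change between two {path: bytes} snapshots.

    Flags (a) files rewritten in place with a large entropy jump, (b) files
    that vanished and reappeared under the same name plus an extra extension
    holding ciphertext-like content, and (c) a newly dropped ransom note.
    Returns the verdict with the evidence so a caller could quarantine the
    writing process or roll the files back.
    """
    encrypted, notes = [], []
    for path, new in after.items():
        if os.path.basename(path).lower() == RANSOM_NOTE and path not in before:
            notes.append(path)
            continue
        if path in before:                       # rewritten in place
            if shannon_entropy(new) - shannon_entropy(before[path]) >= ENTROPY_JUMP:
                encrypted.append(path)
            continue
        stem, _ext = os.path.splitext(path)      # "report.docx.MZ173801" -> "report.docx"
        if stem in before and stem not in after and shannon_entropy(new) >= HIGH_ENTROPY:
            encrypted.append(path)
    verdict = len(encrypted) >= BURST or (bool(notes) and bool(encrypted))
    return {"verdict": verdict, "encrypted": encrypted, "notes": notes}


def keystream_xor(data: bytes, key: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode), used only to fabricate
    ciphertext-like bytes for the demo; it says nothing about the real sample."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def build_snapshots():
    """Constructed sample: a small user profile, then the same files after a
    simulated encrypt-and-rename pass that appends .MZ173801 and drops the note."""
    text = b"Quarterly summary: revenue grew, costs were flat, headcount unchanged.\n" * 60
    before = {f"C:/Users/alice/Documents/report{i}.docx": text for i in range(5)}
    before["C:/Users/alice/Pictures/cat.jpg"] = text
    key = b"demo-key-not-secret"
    after = {p + ".MZ173801": keystream_xor(d, key) for p, d in before.items()}
    after["C:/Users/alice/Desktop/Read_ME_PLS.txt"] = b"Your files have been encrypted.\n"
    return before, after


def benign_edit():
    """Same folder after ordinary activity: one document grew a little and one
    zip archive (high entropy, but a single new file) was saved."""
    before, _ = build_snapshots()
    after = dict(before)
    doc = "C:/Users/alice/Documents/report0.docx"
    after[doc] = before[doc] + b"Addendum: see appendix B.\n"
    after["C:/Users/alice/Documents/archive.zip"] = keystream_xor(b"\x00" * 4096, b"zip")
    return before, after


if __name__ == "__main__":
    print(analyse(*build_snapshots()))   # verdict True, 6 files, 1 note
    print(analyse(*benign_edit()))       # verdict False, nothing flagged
```

Two things the demo makes concrete: a burst threshold means the first few files are lost before the verdict, which matches the "4 files encrypted, then quarantined" observation, and a single high-entropy write (saving a zip) does not trip the detector on its own. Real products hook file writes in the kernel and act on the writing process rather than diffing snapshots, but the signals they use are of this kind.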
16 minutes ago, itman said:

The vendors detecting this sample at VT are doing so generically, that is, through initial heuristic or behavior methods at run time. I assume this is done by monitoring user AppData directories for file encryption activities.

My assumption is that this sample must be employing new encryption methods that have not been learned by ESET's advanced machine learning or deep behavioral inspection.

If you want 100% ransomware protection from ESET, create appropriate HIPS rules to lock down file modification activities in the user AppData directories and learn to live with the resulting access alerts from legitimate apps attempting access to those directories.

-EDIT- Maybe it is time to "revive" the "need for ESET to provide Controlled Folders protection" thread?

Personally, I know there's no 100% protection, but machine learning and HIPS need to be improved and used more.

Also, folder control is another way to be more protected; I agree.

When I tested another ransomware, Bitdefender's machine learning detected it but ESET did not, and today I saw 3 other new ransomware samples that were not detected by ESET.

Also it might be time to review how ransomware is delivered.

It doesn't just "magically" arrive on your PC as a stand-alone script or executable. The vast majority of ransomware is delivered via e-mail. If the dropper or delivery mechanism is detected, the ransomware is never executed.

Bottom line: stand-alone ransomware sample testing is susceptible to wrong assumptions about overall security product detection methods.
15 minutes ago, BALTAGY said:

Yes, but the common denominator is???   

Microsoft detected all of them.

3 hours ago, BALTAGY said:

I did test smart for sometime, i never got any alert

Smart mode isn't very smart but still an improvement over Automatic mode. I don't understand why Smart isn't the default mode yet.

3 minutes ago, SeriousHoax said:

Smart mode isn't very smart but still an improvement over Automatic mode. I don't understand why Smart isn't the default mode yet.

Did you test it, and have different results? (I'm just curious to know.)
10 minutes ago, local said:

Yes, but the common denominator is???   

Microsoft detected all of them.

Microsoft is known for a very high false positive rate.
2 minutes ago, Rami said:

Did you test it, and have different results? (I'm just curious to know.)

No, I haven't had the time yet. Maybe ESET is already detecting it via LiveGrid. I'll try checking when I get back home.
1 hour ago, itman said:

If you want 100% ransomware protection from Eset, create appropriate HIPS rules to lock down file modification activities in the user AppData directories and learn to live with the resultant access alerts from legit apps attempting access to those directories.

You know this isn't suitable for day-to-day use, at least not the way ESET is at the moment. I create this kind of rule in Kaspersky, and in the case of Kaspersky, instead of only AppData I select the whole C drive and other important folders on other drives. It's practical in Kaspersky thanks to Application Manager and reputation info from KSN; there you can make rules to allow trusted programs automatically and ask permission when something else tries to make any modification. ESET doesn't have anything similar to that, but it's very much possible to implement something like this in the product as it already has LiveGrid.

It's now detected by ESET: Win32/Filecoder.NZG

In my opinion what needs to be improved is machine learning and HIPS, but I am not an expert like those who program at ESET, for sure. Also, as SeriousHoax said, Application Manager and reputation (reputation is already there) should be combined with everything, so the AI could try to decide whether this app is trying to do malicious things or not.

But I could be mistaken, I don't know; but also, as itman said, nothing is 100% safe.
