Files encrypted by ransomware

[local 0]

21 minutes ago, BALTAGY said:

Microsoft is known with very high false positive

AV TEST Sep/Oct 2019

 

Microsoft FP =1  Average Industry =4

[BALTAGY 32]

1 minute ago, local said:

AV TEST Sep/Oct 2019

 

Microsoft FP =1  Average Industry =4

I don't like these tests, we also don't need to prove this fact but look at this
https://www.av-comparatives.org/tests/false-alarm-test-september-2019/

[SeriousHoax 83]

13 minutes ago, Rami said:

It's now detected by ESET : Win32/Filecoder.NZG

In my opinion what needs to be improved is the machine learning and HIPS , but I am not expert like those who program at ESET for sure , also as SeriousHoax said , Application Manager and Reputation(rep is already there) , to be combined with everything , so the AI could try to decide if this app is trying to do malicious things or it's not.

But I could be mistaken , I don't know , but also as ITman said , nothing is 100% safe.

I agree, ESET has a lot of room for improvements in the proactive area. Bitdefender recently has put their AI into testing in Virustotal and it's doing really well. It would be great to see ESET's Augur in action. User "itman" even suggested this in another thread few weeks ago. Bitdefender probably after training their AI for a year or two will implement into their product which would greatly benefit them. After implementing Augur into version 13 there were lot of complain in the forum about ML/Augur detection. I wonder if ESET has toned downed the AI for now in later updates.

[Marcos 5,074]

48 minutes ago, local said:

Yes, but the common denominator is???   

Microsoft detected all of them.

Detection by MS at 6:48 GMT:

At 8:05 GMT:

 

At 8:55 GMT the file was blocked in LiveGrid. So far the file has been seen only once worldwide and by "coincidence" only in the country from which the OP is.

[SeriousHoax 83]

2 minutes ago, Marcos said:

At 8:55 GMT the file was blocked in LiveGrid. So far the file has been seen only once worldwide and by "coincidence" only in the country from which the OP is.

Ah this just reminded me I forgot to use VPN which I do for safety before testing any malware.

[local 0]

6 minutes ago, Marcos said:

So far the file has been seen only once worldwide

ESET has a specialized anti-ransomware shield, a HIPS shield and a "Machine learning" shield, so the malware doesn't need to be seen , not even once. This is the purpose of all these 3 , signature less shields.

As long as is "seen' any anti-malware can generate a signature and block it.

If Microsoft was able to detect it 50 min . earlier than ESET than  what would be  the benefit of using a paid anti-malware???

 

[Marcos 5,074]

3 minutes ago, local said:

ESET has a specialized anti-ransomware shield, a HIPS shield and a "Machine learning" shield, so the malware doesn't need to be seen , not even once. This is the purpose of all these 3 , signature less shields.

There's nothing like perpetual motion in the AV world either, ie. a product that would proactively detect 100% of malware with zero false positives. Every AV program needs to update on a regular basis in order to protect users from new borne malware.

[itman 1,659]

18 minutes ago, Marcos said:

At 8:55 GMT the file was blocked in LiveGrid. So far the file has been seen only once worldwide and by "coincidence" only in the country from which the OP is.

Which gets us back to the prevalence bit.

I have seen multiple examples of WD ATP not triggering until 5 instances or so of the ransomware being detected by WD ATP installations; usually within country. Translation - these 5 installations got nailed.

So the question of any product detecting 0-day ransomware is very much debatable. Note that once the sample is uploaded to VT, Hybrid-Analysis; i.e. ClouldStrike, or where ever, it is now no longer 0-day ransomware.

[itman 1,659]

1 hour ago, SeriousHoax said:

It's practical in Kaspersky thanks to Appliation Manager and reputation info from KSN, there you can make rules to allow trusted programs automatically and ask permission when something else try to do any modification.

The problem here is when malware does a process hollowing routine on your trusted program or similar code injection method, and runs its ransomware code from that process.

[SeriousHoax 83]

48 minutes ago, itman said:

The problem here is when malware does a process hollowing routine on your trusted program or similar code injection method, and runs its ransomware code from that process.

That's where behavior protection module would kick in. Of course behavioral protection isn't going to be effective always and it behaves differently on different product. Like, Emsisoft has an excellent behavior blocker but that's extremely sensitive and false positive prone while Kaspersky has the best behavior blocker yet almost no false positives like ESET. ESET care too much about false positives and that's why they are behind than most other big guns in behavioral protection section. There's no logic behind still setting HIPS to Automatic by default. It should be set to Smart mode and should trigger when something suspicious is detected. ESET is excellent at detecting new variants of known malware but if it's something new it barely does anything to stop that. Sadly, Quick Heal an Indian AV which is pretty terrible has a better, effective behavioral blocker than ESET.

Edit: Norton is implementing their Data Protector module. It's already available in some of their product and tested it against unknown binaries and it successfully detected. For both Norton and Kaspersky let that binary encrypt 3 files before stopping it. But none of the originals files were lost. Both were smart enough to detect massive unwanted encryption while ESET did nothing.  

Edited December 9, 2019 by SeriousHoax

[itman 1,659]

Eset Enterprise Endpoint ver. 7.2 implemented "aggressive setting" option: https://help.eset.com/ees/7/en-US/idh_config_scanner.html .

There are rumors this might be also introduced to the consumer versions. This is debatable since Eset EES policy for this mode is to scan the device with aggressive mode enabled and create exclusions for any FPs detected. Then set aggressive mode for real-time settings.

[SeriousHoax 83]

10 minutes ago, itman said:

Eset Enterprise Endpoint ver. 7.2 implemented "aggressive setting" option: https://help.eset.com/ees/7/en-US/idh_config_scanner.html .

There are rumors this might be also introduced to the consumer versions. This is debatable since Eset EES policy for this mode is to scan the device with aggressive mode enabled and create exclusions for any FPs detected. Then set aggressive mode for real-time settings.

This is interesting and very good to see. It would be nice if it's implemented in the beta version of consumer products so that beta testers can provide feedback.

[itman 1,659]

I have long argued that what is need is a "professional" version of Eset consumer products. For example, the above mentioned EES 7.2 aggressive option could be one feature provided. Another I would like to see is more aggressive reputational scanning options such as the ability to alert/block unknown non-system processes and the like. Etc., etc..

To date, this has fallen "on deaf" Eset ears.

Edited December 9, 2019 by itman

[local 0]

5 hours ago, itman said:

I have seen multiple examples of WD ATP not triggering until 5 instances or so of the ransomware being detected by WD ATP installations; usually within country.

With all due respect, if I may ask: how did you get access to this kind of info?? ("WD ATP not triggering until 5 instances or so of the ransomware being detected by WD ATP installations; usually within country")

[itman 1,659]

On 12/9/2019 at 4:49 PM, local said:

With all due respect, if I may ask: how did you get access to this kind of info?? ("WD ATP not triggering until 5 instances or so of the ransomware being detected by WD ATP installations; usually within country"

From a Microsoft follow-up technical detail blog article on a ransomware infection targeting concerns in St. Petersburg, Russia.

The original blog article which MS got a lot of free press was how WD ATP was the only one to detect it. Note that in that article there was no mention of the 5 9 WD ATP sites being infected by this ransomware.

I checked out the date and time MS stated that they had detected the ransomware. The funny and interesting part is when I checked Eset's VirusRadar database and found Eset had a sig. for this ransomware a day earlier.

-EDIT- I was in a rush last night when I posted this so didn't have time to search for the detailed MS blog article. Here it is: https://www.microsoft.com/security/blog/2017/12/11/detonating-a-bad-rabbit-windows-defender-antivirus-and-layered-machine-learning-defenses/ .

Actually it was 9 WD ATP users who got nailed prior to WD ATP cloud scanning confirming this was actual ransomware. Also noted in the article was these folks were running WD ATP w/default 90% confidence level. Lowering it to the max. 80% level might have detected it. Of course, FPs at the 80% level reach stratospheric levels ......

Edited December 10, 2019 by itman

[Nightowl 202]

12 hours ago, itman said:

Eset Enterprise Endpoint ver. 7.2 implemented "aggressive setting" option: https://help.eset.com/ees/7/en-US/idh_config_scanner.html .

There are rumors this might be also introduced to the consumer versions. This is debatable since Eset EES policy for this mode is to scan the device with aggressive mode enabled and create exclusions for any FPs detected. Then set aggressive mode for real-time settings.

This is very interesting and I like this , and I do believe also that this will come to consumer product also.

It's also good for RDS servers(file server) where you can put the setting to aggressive mode , because many people who just use RDP , don't know what they are doing actually.

Edited December 10, 2019 by Rami

[SeriousHoax 83]

ESET's protection modules didn't react to this ransomware as well.

VT: https://www.virustotal.com/gui/file/b6e9eb3a56f495a13892859e3de26109cbc7950b1e8bd57d374e87c94c99c7e5/detection

 

[itman 1,659]

2 hours ago, SeriousHoax said:

ESET's protection modules didn't react to this ransomware as well.

Not surprised. Appears to be classic PowerShell .Net based malware: https://www.vmray.com/analyses/b6e9eb3a56f4/report/overview.html

Only 3 at VT currently detect it. Would think by now most would have HIPS rules to monitor PowerShell execution. Or, have PowerShell set to Constrained Language mode by various means available. I do both.

-EDIT- For reference, here are Eset's recommended HIPS anti-ransomware rules: https://support.eset.com/en/configure-hips-rules-for-eset-business-products-to-protect-against-ransomware  . Note that there a a few "typos" in the article. Use process names shown in the HIPS rule examples versus those shown in the article text. Finally for Win script users that use scripts to spawn any of the child processes shown, rule adjustments would have to be made.

Also since Qihoo was one of the 3 VT vendors to originally detect this ransomware, suspect this sample is being used for in-country Chinese attacks. Hence the various malware feeds used by out-of-country AV vendors didn't have the sample available.

Edited January 6, 2020 by itman

[peteyt 393]

14 hours ago, itman said:

Not surprised. Appears to be classic PowerShell .Net based malware: https://www.vmray.com/analyses/b6e9eb3a56f4/report/overview.html

Only 3 at VT currently detect it. Would think by now most would have HIPS rules to monitor PowerShell execution. Or, have PowerShell set to Constrained Language mode by various means available. I do both.

-EDIT- For reference, here are Eset's recommended HIPS anti-ransomware rules: https://support.eset.com/en/configure-hips-rules-for-eset-business-products-to-protect-against-ransomware  . Note that there a a few "typos" in the article. Use process names shown in the HIPS rule examples versus those shown in the article text. Finally for Win script users that use scripts to spawn any of the child processes shown, rule adjustments would have to be made.

I've never understood hips recommended rules. My hips is either set to automatic or smart (can't remember right now as I'm on my mobile) as I'm not experienced enough to use. However if there are recommended rules why aren't they built in by default or if there could be some issues as an option. It just seems odd to have something recommended which makes it sound important yet if it's that important you'd expect it to be built In.

Maybe due to the fact I don't use hips so have no experience in it I'm missing something

Edited January 7, 2020 by peteyt

[Marcos 5,074]

The extra antiransomware HIPS rules may cause issues in environments where scripting is used. We already received some complaints from users where HIPS blocked some legitimate operations. They are not for everyone and one must understand what they do and how to fix possible issues.

As for the above ransomware, it wasn't much successful on Windows 10. A trojan was detected upon execution, it managed to encrypt just one file.

1/6/2020 11:42:03 PM;AMSI scanner;file;script;PowerShell/DelShadowCopy.A trojan;blocked;95786A4DE23FFB5935973D801BEF42A92B2DC6E0;

 

[itman 1,659]

3 minutes ago, peteyt said:

However if there are recommended rules why aren't they built in my default or if there could be some issues as an option.

Because the HIPS log would have to be monitored for any adverse impact of the rules. I for one have my rules set to "Ask" versus block since I have the knowledge to know what to block or allow. There is a slight risk in this however. If an ask rule is not responded to prior to timing out, the HIPS will default to allowing it; something I really feel should be changed.

[itman 1,659]

8 minutes ago, Marcos said:

1/6/2020 11:42:03 PM;AMSI scanner;file;script;PowerShell/DelShadowCopy.A trojan;blocked;95786A4DE23FFB5935973D801BEF42A92B2DC6E0;

One thing to check for with this bugger is if a consumer event, etc. was set up in WMI. It is running wmic.exe.

[itman 1,659]

Krebs just published an article today on that attackers no longer content with ransom money; they want everything: https://krebsonsecurity.com/2020/01/the-hidden-cost-of-ransomware-wholesale-password-theft/

[local 0]

36 minutes ago, peteyt said:

I've never understood hips recommended rules.

Point is ESET is the last one to protect you against ransomware in spite of having a dedicated anti-ransomware module , HIPS, machine learning and all kind of fluffy stuff.

For Win 10, Defender offers comparable better protection for free.

[Marcos 5,074]

1 minute ago, local said:

Point is ESET is the last one to protect you against ransomware in spite of having a dedicated anti-ransomware module , HIPS, machine learning and all kind of fluffy stuff.

For Win 10, Defender offers comparable better protection for free.

I will try it with ESET not installed and Defender active but I have a hunch that files will get encrypted in this case.