Deleting Ransomware Notes


Recommended Posts

  • ESET Insiders

Hi,

Why is ESET deleting ransomware notes? They contain important info, like the ID that can be used to decrypt the encrypted files!

Thanks


  • ESET Insiders
10 minutes ago, Marcos said:

Any file that is cleaned is also quarantined so that users can restore it if necessary. Moreover, ransomware notes are not cleaned automatically in default cleaning mode.

You mean this option?
(attached screenshot: Snap1.jpg)
Also, I know it can be restored, but I must disable the protection to restore it.

What's the point of deleting it?

Here's an example; it's being deleted via the database, and here's VirusTotal:
https://www.virustotal.com/gui/file/c65b7b3734f8f42687487c69c50da5ba31915d092ae8bca3ae4d1670300f652c/detection

_readme.rar

Edited by BALTAGY

  • Administrators

The user is asked for an action upon detection. While the best would be to detect and log the detection with no cleaning or prompting at all, such behavior is not supported. Adding detection without cleaning just for the sake of ransomware notes would be quite expensive in terms of resources.


  • ESET Insiders
Just now, Marcos said:

The user is asked for an action upon detection. While the best would be to detect and log the detection with no cleaning or prompting at all, such behavior is not supported. Adding detection without cleaning just for the sake of ransomware notes would be quite expensive in terms of resources.

Not sure I get what you mean? Yes, the user is asked, but if you choose Ignore it will keep coming up many times until you exclude it or delete it.

I just want to know what the point of deleting the ransom note is? It's harmless. Also, if ESET can't detect the ransomware itself and only deletes the ransom note after some time, while the ransomware is running and downloading other viruses etc., the user may not be able to recover the note from quarantine.


  • Administrators

It must be detected. Unfortunately, that also means that an action has to be selected. The user can exclude a particular file from detection in order to be able to read the notes.


  • ESET Insiders
Just now, Marcos said:

It must be detected. Unfortunately, that also means that an action has to be selected. The user can exclude a particular file from detection in order to be able to read the notes.

Why must it be detected if it's harmless? I'm just curious.


  • ESET Insiders
4 minutes ago, Marcos said:

For forensic analysis, for instance when trying to find out how encryption occurred.

How encryption occurred is not in the ransom note; the ransom note only contains info on how to pay and emails, and the important part is the ID.

Even if anyone removed the ransomware itself from the system and didn't delete the ransom note, it won't do anything, but it will help the user determine the ransomware name and version by uploading it to sites like ID Ransomware.

I hope you consider leaving the note, as it contains important info, and if something goes wrong with the system the user may not be able to recover the files without it. For example, GandCrab's ransom note is important to recover the files.


It's not unusual for security products to use the presence of a ransomware note as one criterion in their ransomware behavior evaluation. Therefore, just the presence of a note would be enough to trigger their anti-ransomware detection processing.

Appears in Eset's case, the presence of a note is enough to capture it, upload it for analysis, and then delete it. My concern here is what happens if Eset missed the ransomware, your files are encrypted, and it later detects the ransomware note? Appears the recovery procedure is to create a real-time exclusion for the note detection and then remove the note from quarantine to be able to view the note. A bit of a stretch for the average user.

Edited by itman

  • ESET Insiders
5 hours ago, itman said:

Appears the recovery procedure is to create a real-time exclusion for the note detection and then remove the note from quarantine to be able to view the note. A bit of a stretch for the average user.

That's what I'm talking about. Also, many users won't even know it's ransomware and could be waiting online for some time; then the ransomware will keep downloading other viruses etc. until the system freezes and you can't open it, and for sure the ransom note will also be gone and you can't use it if the decryptor requires it.

This scenario can easily happen. If the anti-ransomware needs to read the ransom note to be triggered, then it can also read it and leave it.

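The detect-versus-preserve trade-off that itman and BALTAGY describe above can be shown in code. The following is an added example, not ESET's code or anything posted in the thread: it recognises a ransom note with the same kind of heuristics a product might use (a note-like file name plus extortion vocabulary), but instead of removing the file it copies it to an evidence folder and extracts the victim ID that a decryptor or a site like ID Ransomware would need. The file-name patterns, keyword list, ID regex, sample note text and `demo()` layout are all assumptions constructed for this example.

```python
"""Ransom-note triage that preserves the note instead of deleting it.

Added example (not ESET's product code): recognise a note, copy it to an
evidence directory, pull out the victim ID, and leave the original in place.
"""
from __future__ import annotations

import re
import shutil
import tempfile
from pathlib import Path
from typing import Optional

# Assumed heuristics for this example; a real product would use curated sets.
NOTE_NAME_RE = re.compile(
    r"^(_?readme|how[_ -]?to[_ -]?(decrypt|restore|recover)"
    r"|decrypt[_ -]?(files|instructions)|restore[_ -]?files).*\.(txt|html?|hta)$",
    re.IGNORECASE,
)
NOTE_KEYWORDS = ("encrypted", "decrypt", "bitcoin", "private key",
                 "your files", "payment", "ransom")
MIN_KEYWORD_HITS = 3  # benign READMEs rarely use three of these as whole words

# Lines such as "Your personal ID: ABC123..." carry the identifier a decryptor needs.
VICTIM_ID_RE = re.compile(
    r"\b(?:personal\s+)?ID\s*[:=]\s*([A-Za-z0-9][A-Za-z0-9_\-]{7,})", re.IGNORECASE
)


def keyword_hits(text: str) -> list[str]:
    """Return the extortion keywords present in `text` as whole words."""
    lowered = text.lower()
    return [k for k in NOTE_KEYWORDS if re.search(r"\b" + re.escape(k) + r"\b", lowered)]


def extract_victim_id(text: str) -> Optional[str]:
    """Return the first ID-style token after an 'ID:' label, or None."""
    m = VICTIM_ID_RE.search(text)
    return m.group(1) if m else None


def classify_note(path: Path) -> Optional[dict]:
    """Return triage info if `path` looks like a ransom note, else None."""
    if not NOTE_NAME_RE.match(path.name):
        return None
    try:
        text = path.read_text(errors="replace")
    except OSError:
        return None
    hits = keyword_hits(text)
    if len(hits) < MIN_KEYWORD_HITS:
        return None
    return {"path": path, "keywords": hits, "victim_id": extract_victim_id(text)}


def preserve_note(path: Path, evidence_dir: Path) -> Path:
    """Copy the note (metadata included) to the evidence folder; the original stays put."""
    evidence_dir.mkdir(parents=True, exist_ok=True)
    dest = evidence_dir / f"{path.parent.name}__{path.name}"
    shutil.copy2(path, dest)
    return dest


def triage_directory(root: Path, evidence_dir: Path) -> list[dict]:
    """Walk `root`, preserve every note found and report keyword hits and victim IDs."""
    findings = []
    for candidate in root.rglob("*"):
        if not candidate.is_file():
            continue
        info = classify_note(candidate)
        if info is None:
            continue
        info["evidence_copy"] = preserve_note(candidate, evidence_dir)
        findings.append(info)
    return findings


# Constructed sample text (not from any real ransomware) to exercise the triage.
SAMPLE_NOTE = """ATTENTION!
All your files have been encrypted with a strong algorithm.
To decrypt them you must obtain the private key; payment is accepted in Bitcoin only.
Your personal ID: 0123ABCDEF4567GHIJ
"""
SAMPLE_README = "README\nThis package builds with make. Run make install afterwards.\n"


def demo() -> dict:
    """Build a constructed directory with one note and one benign README, then triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "documents"
        (root / "projects").mkdir(parents=True)
        (root / "_readme.txt").write_text(SAMPLE_NOTE)
        (root / "projects" / "readme.txt").write_text(SAMPLE_README)  # name matches, content does not
        findings = triage_directory(root, Path(tmp) / "evidence")
        return {
            "notes_found": len(findings),
            "victim_ids": [f["victim_id"] for f in findings],
            "original_still_present": all(f["path"].exists() for f in findings),
            "copies_made": all(f["evidence_copy"].exists() for f in findings),
        }


if __name__ == "__main__":
    print(demo())
```

The point of the design is in `preserve_note`: the response to a note-presence trigger is a copy plus a log entry, so the ID survives even if the rest of the incident goes badly, and the benign `readme.txt` shows why the content check is needed on top of the name check.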
