Ransomware detected



Hey guys, I was encrypted by a ransomware with the extension URR.exe ☠️, ESET Antivirus version did not detect it at all 😒, so I installed Premium version and ESET removed it completely from my system, please check why the Antivirus version did not detect it? thx!


  • Administrators

Please provide:
1. Log collected with ESET Log Collector
2. The ransomware note with payment instructions
3. A couple of encrypted Office documents.

Basically there should not be any difference in ransomware detection unless it was detected by ESSP during a LiveGuard sandbox analysis.


5 hours ago, Steward said:

Hey guys, I was encrypted by a ransomware with the extension URR.exe

I assume your files are still encrypted?


  • Most Valued Members

Please also tell us the version of NOD32 you had. If it was a very old version, it may not have had the ransomware protection.


I also tested ransomware in a virtual machine, but a few files were renamed and can't be used... I ran an ESSP full scan after that and it found nothing. This is only a virtual machine, but in reality my files would be lost...

ESET doesn't create a backup of files like other AV, and if I am infected the virus will be removed and files restored.


1 hour ago, nexon said:

I also tested ransomware in a virtual machine, but a few files were renamed and can't be used.

If only a few files were encrypted, then Eset Ransomware Shield protection performed as expected.


6 minutes ago, itman said:

If only a few files were encrypted, then Eset Ransomware Shield protection performed as expected.

Expected? 🙂 One folder complete...

Nothing is expected... What is expected is that it restores my files.

What if I have one most important file and it gets encrypted? Is that expected, no problem? Every encrypted file is a big problem.

If the antivirus were really working fine, then none of the files would be encrypted!


1 minute ago, nexon said:

If the antivirus were really working fine, then none of the files would be encrypted!

In a perfect "anti-ransomware" solution, this would be the case. Unfortunately, few to none such solutions exist.

The same behavior happens using Kaspersky. In most cases, the encrypted files can be recovered due to Kaspersky's System Watcher, i.e. system snapshotting, feature.


Marcos - don't know... I downloaded a folder of the most popular samples of ransomware, trojans, etc. For example there is Petya or WannaCry... Virlock or something like that.

Itman - yes, System Watcher is a genial feature, it saved my as$ 2 or 3 times when I saw that changes were rolled back (files restored), but this happened on a real machine..


17 minutes ago, nexon said:

Expected? 🙂 One folder complete... 

Are you referring to one of the folders associated with the logged-on C:\Users directory, such as Documents, Pictures, etc.? If so, which folder was it?

Or, are you referring to a sub-folder stored in one of the above noted folders?


1 hour ago, nexon said:

Created folder on desktop. 

My best guess here is desktop folders are not being actively monitored for ransomware activity.

For example in Microsoft Defender, the desktop is not a folder set up for protected access:

Quote

Windows system folders are protected by default

Windows system folders are protected by default, along with several other folders:

The protected folders include common system folders (including boot sectors), and you can add additional folders. You can also allow apps to give them access to the protected folders. The Windows systems folders that are protected by default are:

  • c:\Users\<username>\Documents
  • c:\Users\Public\Documents
  • c:\Users\<username>\Pictures
  • c:\Users\Public\Pictures
  • c:\Users\Public\Videos
  • c:\Users\<username>\Videos
  • c:\Users\<username>\Music
  • c:\Users\Public\Music
  • c:\Users\<username>\Favorites

 

https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/controlled-folders?view=o365-worldwide

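As an added example (not part of the original post or of Microsoft's documentation), this PowerShell sketch checks whether Controlled Folder Access is on and adds the Desktop, which is missing from the default list quoted above, as a protected folder. It assumes an elevated session and that Microsoft Defender Antivirus is the active engine with real-time protection enabled; starting in audit mode is a choice made for this example.

```powershell
#Requires -RunAsAdministrator
# Added example. Assumes Microsoft Defender Antivirus is the active AV engine.

$stateNames = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'AuditMode' }

# 1. Current Controlled Folder Access (CFA) state and any custom protected folders.
$pref   = Get-MpPreference
$state  = [int]$pref.EnableControlledFolderAccess
$custom = @($pref.ControlledFolderAccessProtectedFolders | Where-Object { $_ })
$label  = if ($stateNames.ContainsKey($state)) { $stateNames[$state] } else { "Other ($state)" }
Write-Host "CFA state: $label"
Write-Host "Custom protected folders: $(if ($custom) { $custom -join '; ' } else { '(none)' })"

# 2. Resolve the real Desktop path (handles OneDrive redirection) and add it
#    to the protected list if it is not already there.
$desktop = [Environment]::GetFolderPath('Desktop')
if ($custom -notcontains $desktop) {
    Add-MpPreference -ControlledFolderAccessProtectedFolders $desktop
    Write-Host "Added $desktop to protected folders"
}

# 3. If CFA is off, start in audit mode so legitimate apps that write to the
#    Desktop show up in the log before anything is blocked.
if ($state -eq 0) {
    Set-MpPreference -EnableControlledFolderAccess AuditMode
}

# 4. Review recent CFA events: 1123 = write blocked, 1124 = write audited.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1123, 1124
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-List

# After the audit log is clean, enforce:
# Set-MpPreference -EnableControlledFolderAccess Enabled
```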

Hmm interesting..

I ran everything from Desktop or Downloads.. and no problem with Kaspersky, for example, but with ESET....


6 hours ago, nexon said:

Marcos - don't know... I downloaded a folder of the most popular samples of ransomware, trojans, etc.

Check your Eset Detections log. Eset obviously detected the ransomware, or all your user directory folders would have been encrypted. Post the log entry associated with the ransomware detection.


19 hours ago, nexon said:

Expected? 🙂 One folder complete...

Nothing is expected... What is expected is that it restores my files.

What if I have one most important file and it gets encrypted? Is that expected, no problem? Every encrypted file is a big problem.

If the antivirus were really working fine, then none of the files would be encrypted!

For important files never rely on others to protect your only copy. That includes multi-billion dollar companies like Microsoft and Google. Keep multiple backups in multiple locations. Then when something like this happens you simply delete those corrupted files and restore them from a backup. This gets you back up and running in minutes and renders these ransomware attacks an inconvenience at most. 
