Has ransomware become uncatchable with today's A/V?


17 replies to this topic

#1 tlsk (Members, 16 posts)

Posted 13 April 2016 - 06:02 PM

Maybe it's just because we just got hit with a round of ransomware but it seems like there's been an explosion of this in the last month or so.  Perhaps my brain is just primed to spot the cases in the news and wasn't before but I'm reading about a lot of cases lately.  Has it gotten to the point that it's not detectable with today's A/V or are we all using the wrong A/V?

 

I know that the signatures are changing rapidly but maybe they're changing so rapidly that a signature based product simply won't keep up.  I've learned that the most common form of delivery is an email attachment that downloads an executable - is there any chance that the executable changes its MD5 every time it's downloaded? 

 

For the folks that have gotten hit with ransomware recently, what A/V were you using?





#2 quietman7 (Bleepin' Janitor, Global Moderator, 50,961 posts, Virginia, USA)

Posted 13 April 2016 - 06:38 PM

The best defensive strategy to protect yourself from ransomware (crypto malware infections) is a comprehensive approach...make sure you are running an updated anti-virus and anti-malware product, update all vulnerable software, disable VSSAdmin.exe, use supplemental security tools with anti-exploitation features capable of stopping (preventing) infection before it can cause any damage, and routinely back up your data...then disconnect the external drive when the backup is completed. You should also rely on behavior detection programs rather than standard anti-virus definition (signature) detection software only. This means using programs that can detect when malware is in the act of modifying/encrypting files AND stop it, rather than just detecting the malicious file itself, which in most cases is not immediately detected by anti-virus software.

...Prevention before the fact is the only guaranteed peace of mind on this one.

How do I decrypt files encrypted by ransomware?

Some anti-virus and anti-malware programs include built-in anti-exploitation protection. For example, Emsisoft Anti-Malware uses advanced behavior blocking analysis which is extremely difficult to penetrate...it continually monitors the behavior of all active programs looking for any anomalies that may be indicative of malicious activity and raises an alert as soon as something suspicious occurs. Emsisoft has the ability to detect unknown zero-day attacks and file-encrypting malware (ransomware) attacks.

ESET Antivirus and Smart Security uses a Host-based Intrusion Prevention System (HIPS) to monitor system activity with a pre-defined set of rules to recognize suspicious system behavior. When this type of activity is identified, HIPS stops the offending program from carrying out potentially harmful activity. ESET Antivirus (and Smart Security) includes Exploit Blocker which is designed to fortify applications that are often exploited, such as web browsers, PDF readers, email clients or MS Office components. This feature monitors the behavior of processes, looks for and blocks suspicious activities that are typical for exploits including zero-day attacks. ESET's Java Exploit Blocker looks for and blocks attempts to exploit vulnerabilities in Java.

As with most ransomware...your best defense is back up, back up, back up and the best solution for dealing with encrypted data is to restore from backups. Backing up data and disk imaging are among the most important maintenance tasks users should perform on a regular basis, yet it's one of the most neglected areas.

Ransomware Prevention Tools:

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 TsVk! (penguin farmer, Members, 6,230 posts, The Antipodes)

Posted 13 April 2016 - 06:38 PM

Yeah, AV is pretty much useless against new threats that are being released daily. Such is the nature of signature based detection. Heuristic detection can be useless also as the function is a normal computer function, just used in a malicious way.

 

There are preventative solutions though. Here's some examples...

 

Malwarebytes Anti-Ransomware runs on your system and will terminate encryption threats as they appear.

 

CryptoPrevent creates execution restriction policies on your system, which will stop unknown software from running in temporary locations. This also blocks 99% of other malware.

 

You can also create policy objects on your system to prevent the execution of malware manually; this is popular on larger networks, as it can be administered from a single server and applied to many machines without installing additional software.

 

The only other step we can take is not clicking and installing things we can't verify the origin of. Malware writers play on ignorance and social engineering to push their junk via email and dodgy download sites.

 



Edited by TsVk!, 13 April 2016 - 06:40 PM.
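The behaviour-blocking approach quietman7 and TsVk! describe above (stop a process while it is in the act of encrypting, rather than recognise the file beforehand) can be sketched in code. The following is an added example written for this page, not code from Emsisoft, Malwarebytes or any other product named in the thread; the file-event log it replays is constructed, and the entropy floor, window length and per-window threshold are illustrative assumptions, not values taken from any vendor.

```python
import math
from collections import defaultdict, deque
from random import Random

# Tuning knobs (assumptions for this example, not any vendor's thresholds)
ENTROPY_FLOOR = 7.0      # bits/byte; encrypted or compressed data sits close to 8.0
WINDOW_SECONDS = 10.0    # how far back we look for a burst of suspicious writes
HITS_PER_WINDOW = 4      # suspicious rewrites in the window before we call it ransomware


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of the buffer (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def _extension(path: str) -> str:
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def is_suspicious_write(old_path: str, new_path: str, content: bytes) -> bool:
    """One event is suspicious only if the body became high-entropy AND the file was
    renamed to a new extension. Either signal alone is normal for benign software
    (archivers write random-looking .zip files, editors rename temporary files)."""
    return (shannon_entropy(content) >= ENTROPY_FLOOR
            and _extension(old_path) != _extension(new_path))


class BehaviourMonitor:
    """Keeps a sliding window of suspicious writes per process and decides when to act."""

    def __init__(self):
        self._hits = defaultdict(deque)   # pid -> timestamps of suspicious writes
        self.blocked = set()

    def observe(self, pid: int, ts: float, old_path: str, new_path: str, content: bytes) -> bool:
        """Feed one file-write event. Returns True exactly once per pid, at the moment the
        caller should suspend or kill it (a real blocker would also roll back the writes)."""
        if pid in self.blocked or not is_suspicious_write(old_path, new_path, content):
            return False
        window = self._hits[pid]
        window.append(ts)
        while window and ts - window[0] > WINDOW_SECONDS:
            window.popleft()
        if len(window) >= HITS_PER_WINDOW:
            self.blocked.add(pid)
            return True
        return False


def constructed_events() -> list:
    """A made-up event stream: (pid, timestamp, path before, path after, bytes written)."""
    rng = Random(1234)

    def ciphertext() -> bytes:  # seeded pseudo-random bytes standing in for encrypted output
        return bytes(rng.getrandbits(8) for _ in range(2048))

    report = b"Q1 revenue up 4 percent; see the attached table.\n" * 40
    docs = r"C:\Users\alice\Documents"
    events = [
        # benign: a word processor saving two documents (low entropy, same extension)
        (1001, 0.0, f"{docs}\\plan.docx", f"{docs}\\plan.docx", report),
        (1001, 2.0, f"{docs}\\notes.docx", f"{docs}\\notes.docx", report),
        # benign: an archiver writing a zip (high entropy, but the extension is unchanged)
        (1002, 3.0, f"{docs}\\backup.zip", f"{docs}\\backup.zip", ciphertext()),
    ]
    # malicious: one process rewriting spreadsheets as high-entropy *.locked files
    for i in range(6):
        src = f"{docs}\\file{i}.xlsx"
        events.append((4242, 5.0 + 0.5 * i, src, src + ".locked", ciphertext()))
    return events


def run_demo():
    """Replays the constructed log; returns (blocked pids, [(pid, ts, path) alerts])."""
    monitor = BehaviourMonitor()
    alerts = []
    for pid, ts, old, new, body in constructed_events():
        if monitor.observe(pid, ts, old, new, body):
            alerts.append((pid, ts, new))
    return monitor.blocked, alerts


if __name__ == "__main__":
    blocked, alerts = run_demo()
    print("blocked:", blocked)
    for alert in alerts:
        print("alert:", alert)
```

Two false-positive guards are deliberate: the archiver's high-entropy .zip is ignored because the extension does not change, and the word processor is ignored however many low-entropy documents it saves. The trade-off is that the fourth file is already lost by the time the verdict fires, which is why quietman7's advice to keep an offline backup still stands even with a behaviour blocker in place. A real product hooks the filesystem (a minifilter driver on Windows) and suspends the process itself; this sketch only returns the decision.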


#4 tlsk (Topic Starter, Members, 16 posts)

Posted 13 April 2016 - 06:45 PM

 

The only other step we can take is not clicking and installing things we can't verify the origin of. Malware writers play on ignorance and social engineering to push their junk via email and dodgy download sites.

 


 

Exactly - the keyboard-chair interface is the weakest link of all and, unfortunately, the hardest to fix.  No matter how much you might preach to folks, some folks just aren't ready to hear the message.



#5 quietman7 (Bleepin' Janitor, Global Moderator, 50,961 posts, Virginia, USA)

Posted 13 April 2016 - 07:00 PM

The user is the first and last line of defense and security is a constant effort to stay one step ahead of the bad guys. No amount of security software is going to defend against today's sophisticated malware writers for those who do not practice safe computing and stay informed.

Security is all about layers, and not depending on any one technology or approach to detect or save you from the latest threats. The most important layer in that security defense? You! Most threats succeed because they take advantage of human weaknesses (laziness, apathy, ignorance, etc.), and less because of their sophistication.

Krebs on Security

Unfortunately, it has been proven time and again that the user is a more substantial factor (weakest link) in security than the architecture of the operating system or installed protection software.

#6 Struppigel (Karsten Hahn, G DATA Malware Analyst; Malware Response Team, 231 posts)

Posted 16 April 2016 - 12:24 PM

Yeah, AV is pretty much useless against new threats that are being released daily. Such is the nature of signature based detection. Heuristic detection can be useless also as the function is a normal computer function, just used in a malicious way.

 

Err, no. That would be true if signature based detection was the only thing that antivirus suites do, but that's not the case. All antivirus suites are composed of several programmes (or modules). The scanner with signatures and a blacklist is only one of them. The actual modules in the product depend on the AV and version (business vs user, premium vs normal, ...) that you use. Typical modules in an AV suite are:

  • Software Updater/Patcher (to keep the programmes up-to-date)
  • Exploit protection
  • Behaviour blocker (potentially a very good module to prevent any kind of ransomware)
  • Browser/Internet guard
  • Email client protection
  • Parental control
  • Anti-Banker module
  • Anti-Rootkit module
  • Emulator
  • Signature scanner
  • Malware cleaning

 

Depending on the actual product there can be many more.

 

Also more and more AV vendors are building anti-ransomware specific modules into their products. That means the things that the free programmes like CryptoMonitor already provide have been or are being incorporated into the AV suites as well.

 

 

@tlsk

 

Ransomware is, due to its nature, so visible to everyone that it may seem like a threat no one can prevent. Malware has always been a problem, but often users did not notice it being on the system, because the malware tried to hide that it was there. And now you have that popular malware type that will knock on your door and shout in your face that it is there. For the same reason it gets a lot of publicity as well.

 

No, your antivirus suite is not useless, but it cannot protect a system from everything. As is their nature, the professionals who create malware test and modify their programmes against the antivirus suites until they can evade detection. Antivirus vendors respond to that as fast as they can. It is always and has always been an arms race of technologies and techniques between the antivirus vendors and the bad guys and gals. As a result, the AVs prevent a lot, but not everything. Those cases where the AV or the users fail go public. But you will never see someone in the news saying that a malware incident was prevented.

 

And just to be fair, although most infection vectors can be prevented by the user, sometimes it is not the user's fault. Sometimes the malware will use vulnerabilities that are not yet known to anyone to infect systems. That means the user had no chance to patch their software yet. Sometimes the emails used to spread malware are so well done that you cannot distinguish them from legitimate ones. That is especially the case with ransomware-delivery emails that target companies via fake applications. These are specifically written to match the job advertisement, and the people working in HR often use automated systems for the mass of applications they get. They cannot even see that there is an attachment with a .js extension.
 

 

I've learned that the most common form of delivery is an email attachment that downloads an executable - is there any chance that the executable changes its MD5 every time it's downloaded?

 

 

Not for every download, but this is often changed daily. Some malware delivery sites will even check first where the request is coming from just to bring you the right kind of malware that will work for your system.

Note that you just need to change one bit to change the MD5 of a file. Often they change their whole protection scheme to look different from the outside. You can compare that to changing your clothing style and haircut from one day to another.


Edited by Curie, 16 April 2016 - 01:38 PM.
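Struppigel's point that a single flipped bit changes the MD5 (so a blocklist of yesterday's hashes misses a trivially rebuilt sample) can be shown directly. The block below is an added example, not code from the post or from any AV product: the 4 KiB "payload" is a constructed seeded-random buffer, and the fixed-size chunk hashing is a deliberately simplified stand-in for the context-triggered piecewise (fuzzy) hashing that tools such as ssdeep use to recognise near-duplicates that an exact hash cannot.

```python
import hashlib
from random import Random

CHUNK_SIZE = 256  # bytes per piece in the simplified piecewise hash (assumption)


def flip_one_bit(data: bytes, byte_index: int, bit: int = 0) -> bytes:
    """Return a copy of data with one bit toggled: the smallest possible 'rebuild'."""
    out = bytearray(data)
    out[byte_index] ^= 1 << bit
    return bytes(out)


def hamming_distance(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length digests."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def piecewise_hash(data: bytes, chunk_size: int = CHUNK_SIZE) -> list:
    """Hash each fixed-size piece separately so a local change spoils only one piece.
    (Real fuzzy hashes choose piece boundaries from the content so that an insertion
    does not shift every later piece; fixed boundaries suffice for a one-bit overwrite.)"""
    return [
        hashlib.sha256(data[i:i + chunk_size]).hexdigest()[:12]
        for i in range(0, len(data), chunk_size)
    ]


def piece_similarity(a: list, b: list) -> float:
    """Fraction of positions whose piece hashes agree (1.0 means identical layout)."""
    same = sum(1 for x, y in zip(a, b) if x == y)
    return same / max(len(a), len(b))


def run_demo() -> dict:
    # Constructed stand-in for a downloaded payload: 4 KiB of seeded pseudo-random bytes.
    rng = Random(7)
    original = bytes(rng.getrandbits(8) for _ in range(4096))
    # The "daily rebuild": one bit flipped somewhere in the middle of the file.
    variant = flip_one_bit(original, byte_index=1000)

    # Signature-style check: an exact MD5 blocklist built from yesterday's sample.
    blocklist = {hashlib.md5(original).hexdigest()}
    md5_original = hashlib.md5(original).digest()
    md5_variant = hashlib.md5(variant).digest()

    return {
        # exact-hash blocklist no longer matches
        "blocklist_hit": hashlib.md5(variant).hexdigest() in blocklist,
        # avalanche: roughly half of the 128 digest bits differ
        "md5_bits_changed": hamming_distance(md5_original, md5_variant),
        # similarity hash: 15 of 16 pieces are still identical
        "chunk_similarity": piece_similarity(piecewise_hash(original),
                                             piecewise_hash(variant)),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The lesson for defenders is the same one Struppigel draws: an indicator list keyed on MD5 or SHA-256 is only as good as the most recent rebuild, so hash blocklists belong in a layer below similarity hashing, behaviour monitoring and exploit blocking, not in place of them.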


#7 quietman7 (Bleepin' Janitor, Global Moderator, 50,961 posts, Virginia, USA)

Posted 16 April 2016 - 04:44 PM

Step 2 in this topic explains the most common methods by which crypto malware and other forms of ransomware are typically delivered and spread.

#8 tlsk (Topic Starter, Members, 16 posts)

Posted 18 April 2016 - 12:16 PM

I'm just curious - for those that weren't kept safe by their preferred solutions, what were you using?  We had just switched to McAfee from Kaspersky (and I mean just switched - a few days) and hadn't yet put the ransomware rules in place because we didn't know what it would break.  We also didn't buy the HIPS product. 



#9 xXToffeeXx (Bleepin' Polar Bear, Malware Response Instructor, 6,028 posts, The Arctic Circle)

Posted 18 April 2016 - 12:32 PM

I'm just curious - for those that weren't kept safe by their preferred solutions, what were you using?  We had just switched to McAfee from Kaspersky (and I mean just switched - a few days) and hadn't yet put the ransomware rules in place because we didn't know what it would break.  We also didn't buy the HIPS product.

I have seen pretty much every popular antivirus get bypassed by ransomware at some point, with the ransomware managing to encrypt data. Perhaps except one, due to the way the heuristics are implemented and the one responsible being involved with ransomware way back even before CryptoLocker, though I am sure there has been the occasional case where ransomware has managed to encrypt.
 
Unfortunately, the AV industry tends to be rather slow moving when it comes to new developments for various reasons. It is only now that they are working on methods to better hone heuristics for ransomware or releasing separate products.
 
xXToffeeXx~


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

~Twitter~ | ~Malware Analyst at Emsisoft~


#10 ChaiGirl (Members, 10 posts)

Posted 18 April 2016 - 04:43 PM

For those who believe the only way to receive malware is to click on or execute something you shouldn't, I've got news for you - the latest mode of transmission appears to be autoplaying ads on reputable sites.

#11 quietman7 (Bleepin' Janitor, Global Moderator, 50,961 posts, Virginia, USA)

Posted 18 April 2016 - 04:47 PM

Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. Hackers are also known to exploit Flash vulnerabilities which can lead to malware infection. When visiting a website that hosts an HTML page which requires a Flash script, users may encounter a malicious Flash redirector or malicious script specifically written to exploit a vulnerability in the Flash Interpreter which causes it to execute automatically in order to infect a computer.

#12 ChaiGirl (Members, 10 posts)

Posted 18 April 2016 - 05:17 PM

For those of us who don't click, how do the autoplay ads deliver it?

I don't click on anything, yet I got nailed.

#13 TsVk! (penguin farmer, Members, 6,230 posts, The Antipodes)

Posted 18 April 2016 - 05:32 PM

For those of us who don't click, how do the autoplay ads deliver it?

I don't click on anything, yet I got nailed.

Insecure plugin and browser vulnerabilities normally.

 

You don't need to do anything if there is an identified vulnerability; malicious code can just execute if it finds a way. The best way to combat this is to keep your software up to date and use Flash-, Java- and ad-blocking plugins in your browser.



#14 quietman7 (Bleepin' Janitor, Global Moderator, 50,961 posts, Virginia, USA)

Posted 18 April 2016 - 05:37 PM

Although Java is commonly used in business, banking and educational environments, and many VPN providers still use it, the average user does not need to install Java software. While there are business applications that run on servers and some websites that will not work unless Java is installed, most folks will never encounter them during their daily use of computing. I recommend just uninstalling Java if you don't use it.

#15 tlsk (Topic Starter, Members, 16 posts)

Posted 18 April 2016 - 05:39 PM

Unfortunately, we do use it with some of the banks - is there a way to tell it "you're okay on these sites, but not on any others"?





