weakness of the gpCode

Probably, but that doesn’t mean Defense+ can’t prevent disaster (encoding of docs by virus) like you said:

Yes, but in ‘normal terms’ it can’t.
When you add all your system files.
You can also disconnect from the Internet :slight_smile:

If the unknown sample has been identified as suspicious and sandboxed automatically, then in this particular scenario it should block that sample from getting the directory/file list and write access to the disk, irrespective of what level it is sandboxed at. This way I believe we can get protection against unknown file infectors by design…

If I understand correctly it uses the built in Windows encryption to encrypt users files.

Isn’t a possible solution for CIS to detect the source of the request, just like they added in V5 for scripts? Is there a reason this wouldn’t work?

The simplest way to mitigate this type of malware is to employ a disk imaging strategy.
You can also utilize full sandboxing (SandboxIE) for web-facing applications to contain any such threats.

thanks! :slight_smile:

You’re welcome :wink:

Actually I’m surprised that this form of ransomware hasn’t become far more prevalent given its potential yield.

But CIS should still be able to stop it with default configuration.

Someone send me a copy, I want to test it out.

Yes it should, but since nothing is perfect, system imaging should be a part of any threat protection strategy.

Is it difficult for the developers to harden D+/Sandbox to tackle this type of attack? All I wanted is to either block the attack or show how OA is doing…

If someone has a POC, then please send it to me.

Yes, this hole must be fixed IMO.

I did some testing on it. The sandbox does stop it with any settings Restricted and above. My recommended settings for novice users stop this no problem. It seems to use a script to do its dirty business. It seems to want access to the ApiPort.

Remember, when doing testing with different sandbox levels you have to remove the file from the Unrecognized Files window before trying a new sandbox test, because if you don’t it will apply the sandbox level it originally had even if you changed it to a higher setting.

So why isn’t it stopped?

I thought that V5 was supposed to detect the script that called for the action.

From what I can tell, because it is using the ApiPort to access the system with the script. And from what I can tell, in Partially Limited and Limited the ApiPort is not being controlled by the sandbox.

Well I think that’s a problem that needs to be solved, in default configuration, since this malware is in the wild.

Of course I am well aware that you agree with me, but it still needs to be said. :wink:

@languy99, so you mean that the sandbox at the Restricted and Untrusted levels would block this virus from infecting the other files?

It did in my testing.

thanks languy99.

Then I have good protection settings :slight_smile: Thanks for your input Languy!