But when you’re making compromises between legit apps working and ransomware irreversibly encrypting all your data, I’d always go with the protection over usability…
Completely agree. My BB is set to Untrusted. In my view the way to implement security is to close all the doors and only open those you know to be safe.
Am I right that if something is autosandboxed other than “fully virtualized”, then it’s really just restricted (according to the set level, from “Partially limited” to “Blocked”) but not sandboxed? So “reset sandbox” won’t clean the system of the activity of the autosandboxed app.
There is a new Ransomlock strain that is making its way to the rest of the world from China. It is basically just a script trojan that is backdoored to legitimate programs resulting in the Windows password being changed. One can read about it here:
Upon analysis of the sample I was able to reproduce the malware and run it against CIS. The default CIS settings will allow the malicious behavior, as well as the Full V auto-sandbox setting. Limited, Restricted, and Untrusted settings will protect the user.
Please note that this trojan strain is FUD, so will only be stopped by the most annoying HIPS settings or tightly restricted sandboxes.
Can you please explain exactly what happens when you run it as fully virtualized? Is it able to make the changes on the real computer, or only in the virtualized environment?
CIS set at default. Auto-Sandbox changed to Full V:
1) Sample run (application installer + backdoor)
2) CIS alert that file is Unknown, default “Run Isolated” selected
3) Application finished installing
4) Script then runs
5) Shutdown.exe is called by the script
6) On startup, Windows passwords changed
I will not be able to test this on my computer, as I do not have a VM set up at the moment.
In order to get this looked at as quickly as possible, can you please create a properly formatted bug report for this in this section of the forum? The format can be found in this post. The fact that it’s able to change the password when sandboxed as FV definitely constitutes a bug.
Once you have done that I can forward this directly to the devs and hopefully have it fixed quickly. Can you also PM me a download link for the sample?