Weakness of GPCode

Can I have the samples?
OK, edit: I found an old sample of this; CIS 3.14 blocks it (antioverflow), Windows XP 32-bit.

I did some more tests.
GPCode:

Defense + : FAIL

Sandbox:

partially limited : FAIL
limited : FAIL
restricted : PASS
untrusted : PASS

Another reason to change the default setting to Restricted at least.

Can we get some confirmation that the devs are looking into this? Please. ;D

What is that meant to mean: Defense+ with the Sandbox permanently disabled?

Yep, Sandbox disabled.
Defense+: Paranoid mode, ProActive Configuration.

OK, now it's clear. Have you tried:

Just to check if this works (= protects documents).
[With Sandbox disabled]

Bump

If I’m going to change my advice here I would also like to be able to tell everyone that the problem is currently being investigated and will be solved soon. Is this what’s happening?

+1

Bump. >.> Anything happening? 88)

I tested the AK version against a default CIS install.

The executable is responsible for the encryption; the .vbs is only started to show the annoying "your files have been encrypted" never-ending message box.

If I put D+ to Paranoid, then you get about 4 alerts: exe start, spawn .vbs, start wscript, kill exe.

The default install is unable to prevent the encryption; only the AV alerts, because it recognizes the file.

[attachment deleted by admin]

The easiest way to handle this one is to put *_CRYPT on the blocked files list for D+.
Then this whole encryption trick won't work. This is the first thing I do when I read that some new ransomware has been detected: figure out the extension it uses and put that on the blocked files list.

The other thing is that you can protect your favourite files by adding them to the protected files and folders list,
e.g.
e.g.

*.txt|
*.chm|
*.jpg|
*.7z|

Be sure to add the | sign behind each entry so that sandboxed apps can't modify these extensions.

Those were the extensions that were encrypted on my test VM, but as there are more, this isn't watertight. And it does prevent the malware from modifying your original files, but it doesn't prevent it from writing the encrypted files to disk, so it still messes up the system.

[attachment deleted by admin]
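The two outcomes Ronny describes above (originals untouched but encrypted copies still written, versus originals gone) are the first thing you want to know when cleaning up a hit machine. The script below is an added example, not code from this thread or from Comodo: it walks a directory tree, picks out the encrypted copies by name, derives the original file name from each, and reports per original extension whether the original still exists. The naming is an assumption for the demo: the copies are taken to carry the `_CRYPT` suffix that the blocked-files rule targets, or a `.crypt` suffix; adjust `SUFFIXES` for other variants. The sample tree it builds is constructed for the demo and is not real malware output.

```python
import os
import tempfile

# Assumption for this example: the encrypted copy keeps the original file
# name plus one of these suffixes (the thread mentions *_CRYPT and .crypt).
SUFFIXES = ("_CRYPT", ".crypt")


def original_name(path):
    """Map 'docs/report.txt_CRYPT' -> 'docs/report.txt'.

    Returns None if the path carries none of the known suffixes
    (i.e. it is not an encrypted copy)."""
    lowered = path.lower()
    for suffix in SUFFIXES:
        if lowered.endswith(suffix.lower()):
            return path[: -len(suffix)]
    return None


def triage(root):
    """Walk `root` and, for every encrypted copy found, record by the
    original's extension whether the original still exists ('intact':
    a protected-files rule held) or is gone ('lost': the malware got to
    modify or remove it)."""
    report = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            orig = original_name(full)
            if orig is None:
                continue  # ordinary file, not an encrypted copy
            ext = os.path.splitext(orig)[1].lower() or "(no ext)"
            bucket = report.setdefault(ext, {"intact": 0, "lost": 0})
            bucket["intact" if os.path.isfile(orig) else "lost"] += 1
    return report


def build_sample_tree(root):
    """Constructed sample tree (not real malware output) reproducing both
    outcomes: originals kept alongside their copies, and originals gone."""
    files = {
        "docs/report.txt": b"quarterly numbers",
        "docs/report.txt_CRYPT": b"\x8a\x11garbage",  # original intact
        "docs/photo.jpg_CRYPT": b"\x00\xff",          # original gone
        "docs/manual.CHM_CRYPT": b"\x01",             # gone, upper-case ext
        "backup/archive.7z": b"7z\xbc\xaf",
        "backup/archive.7z.crypt": b"\x02",           # .crypt variant, intact
        "readme.md": b"untouched file",               # ignored by triage
    }
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


def run_demo():
    """Build the sample tree in a temp dir and return the triage report."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return triage(root)


if __name__ == "__main__":
    for ext, counts in sorted(run_demo().items()):
        print(f"{ext:10} intact={counts['intact']} lost={counts['lost']}")
```

Run it against a real share root instead of the temp tree to get the list of extensions that were actually hit; those are the ones worth adding to the protected files list, and any extension that shows up under `lost` tells you the rule did not cover it.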

Thanks for this review, Ronny.
Maybe the devs will take your tips to mind and do something (for example, add .crypt files to the blocked list by default).

I think it would be better to protect the functions/APIs it uses to encrypt the files,
so that all sandboxed apps are blocked from using those functions.

So I think most of us can agree that something needs to be done to protect from this attack (under default settings). 88)

Absolutely, definitely yes.
Killing people's files by encrypting them is criminal, and CIS should protect against it, especially when it's zero-day and the AV doesn't have a sig for it yet.

Avg. Joe isn't going to tweak his system to be protected, so this is a fail in Default Deny (not specific to this sample, but in regard to the methods used; only the AV is the single thing that helps you out).

!! WARNING !! This only works for this specific version !!

To block the version I tested (if someone has more ransomware samples, please PM me) you need to add the following to the Computer Security Policy. Tested on a default install with the malware sandboxed.

[attachment deleted by admin]

Undoubtedly yes.

Whilst these types of threats are fairly easy to deal with for technical users and "settings tweakers", the huge majority of ordinary, default-config users need protection also.

After testing 6 different versions of this stuff, I only found one setup that would kill all of them:

\Device\KsecDD

needs to be added to protected files & folders to block them all.

!! WARNING !! Adding this entry may break other apps that are run inside the sandbox.

[attachment deleted by admin]

BTW, about weaknesses and issues: I have found that apps which go into full-screen mode cannot be prevented by CIS :slight_smile:
I found a fresh one today.
Thanks Ronny, for all that research.