
Questions on EAM regarding Crypto and Email



Good day,

 

We as a company have sold the Emsisoft EAM to many of our customers. As you know, customers for the most part are difficult to teach about the importance of computer security - they assume so much. They often shrug off anything you tell them.

Recently, an increasing number of our customers have been infected with CryptoWall 3.0. I've been assuming they get this via email attachments - but I do see some recent facts about website ad-servers pushing it down.

This brings me to the question:

How does EAM handle this? Or, in our cases, why is EAM not detecting and stopping the executable/batch/cmd/script before it causes damage?

Are there any plans for EAM to scan email? Most of our clients still use traditional email servers that have little to no filtering to catch viruses/malware before delivery.

 

Thanks


Hello,

Thank you for reporting this issue. In order to investigate this we would need a sample of the malicious file that drops this infection. Without it, unfortunately, there is nothing I can tell you about this. As far as I know CryptoWall 3 is blocked by the behavior blocker, but if there is a variant that bypasses this somehow we'd like to know about it ASAP so we can work on a fix.


Thanks Elise.

I am not sure what the payload file is; they usually have run Emsisoft after the damage is done and cleaned it before I get to them. If it came from an email attachment, does the software scan the attachment as it sits in their Outlook and display a message?


No, the attachment is not scanned, however the attachment contains an executable file, which will be blocked by the behavior blocker. It does not matter if the dropper is downloaded or installed via an attachment. These types of malicious attachments are very common and in our tests all are blocked.

It would be helpful if you could give a bit more information about the infection: how the ransom notice looks, what extension the encrypted files have, what the name of the ransom decrypt notice is, and so on.


Is it this? Have you heard about Crypt0L0cker? Thread on:

http://www.bleepingcomputer.com/forums/t/574608/crypt0l0cker-support-topic/

There is a new ransomware out called Crypt0L0cker (the OHs are replaced with ZEROs). This ransomware appears to be a direct descendant of TorrentLocker, with the only known difference at this point being how it targets files for encryption. It is currently being distributed via email campaigns claiming to be government notices such as speeding violations. Once a user is infected the ransom will be set at approximately 2 bitcoins. This infection is targeting almost all countries other than the United States. Computers using a United States IP address will not become infected at this time.

In the past TorrentLocker would target only certain file types for encryption. Crypt0L0cker, on the other hand, uses an exclude list that contains only a few file types. This exclude list is:

avi,wav,mp3,gif,ico,png,bmp,txt,html,inf,manifest,chm,ini,tmp,log,url,lnk,cmd,bat,scr,msi,sys,dll,exe

Known Command & Control Servers and associated IP addresses:

62.173.145.212 tidisow . ru

62.173.145.212 lepodick . ru


Yes, we're familiar with that topic. :) It can be difficult to determine which ransomware family a computer is infected with if the dropper is not known. In such cases it is important to know details like the ones I outlined in post #4.
