RSKK

Questions on EAM regarding Crypto and Email


Good day,

 

We as a company have sold the Emsisoft EAM to many of our customers. As you know, customers for the most part are difficult to teach about the importance of computer security - they assume so much. They often shrug off anything you tell them.

Recently, an increasing number of our customers have been infected with CryptoWall 3.0. I've been assuming they get this via email attachments, but I do see some recent facts about website ad-servers pushing it down.

This brings me to the question:

How does EAM handle this? Or, in our cases, why is EAM not detecting and stopping the executable, batch, cmd, or script before it causes damage?

Are there any plans for EAM to scan email? Most of our clients still use traditional email servers that have little to no filtering to catch viruses/malware before delivery.

 

Thanks


Hello,

Thank you for reporting this issue. In order to investigate this we would need a sample of the malicious file that drops this infection. Without it, unfortunately, there is nothing I can tell you about this. As far as I know, CryptoWall 3 is blocked by the behavior blocker, but if there is a variant that bypasses this somehow we'd like to know about it ASAP so we can work on a fix.


Thanks Elise.

 

I am not sure what the payload file is; they have usually run Emsisoft after the damage is done and cleaned it before I get to them. If it came from an email attachment, does the software scan the attachment as it sits in their Outlook and display a message?


No, the attachment is not scanned; however, the attachment contains an executable file, which will be blocked by the behavior blocker. It does not matter if the dropper is downloaded or installed via an attachment. These types of malicious attachments are very common, and in our tests all are blocked.

It would be helpful if you could give a bit more information about the infection: how the ransom notice looks, what extension the encrypted files have, what the name of the ransom/decrypt notice is, and so on.


Will gather more details on the next victim; most have the HELP_DECRYPT files. Hopefully I can gather more details on the next one.


Is it this?

Have you heard about Crypt0L0cker? Thread on:

http://www.bleepingcomputer.com/forums/t/574608/crypt0l0cker-support-topic/

There is a new ransomware out called Crypt0L0cker (the OHs are replaced with ZEROs). This ransomware appears to be a direct descendant of TorrentLocker, with the only known difference at this point being how it targets files for encryption. It is currently being distributed via email campaigns claiming to be government notices such as speeding violations. Once a user is infected, the ransom will be set at approximately 2 bitcoins. This infection is targeting almost all countries other than the United States. Computers using a United States IP address will not become infected at this time.

In the past, TorrentLocker would target only certain file types for encryption. Crypt0L0cker, on the other hand, uses an exclude list that contains only a few file types. This exclude list is:

avi,wav,mp3,gif,ico,png,bmp,txt,html,inf,manifest,chm,ini,tmp,log,url,lnk,cmd,bat,scr,msi,sys,dll,exe

Known Command & Control Servers and associated IP addresses:

62.173.145.212 tidisow . ru

62.173.145.212 lepodick . ru

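The thread asks for the details that let a responder tell ransomware families apart (ransom note names such as HELP_DECRYPT, encrypted-file extensions) and, in the post above, lists Crypt0L0cker's extension exclude list and its known C2 domains and IP. The script below is an added example, not code from Emsisoft or from anyone in this thread: it turns those page indicators into a small triage check that a sysadmin could run against a proxy log export and a file listing from a shared drive. The log format (`timestamp client destination action`) and all sample log lines and file paths are constructed for the example; the indicator values themselves are exactly those quoted in the thread.

```python
"""
Triage helpers built from the indicators discussed in this thread:
- known C2 domains / IP from the Crypt0L0cker post
- the HELP_DECRYPT ransom-note name from the CryptoWall 3.0 reports
- Crypt0L0cker's extension exclude list, to estimate which files on a share are in scope
All log lines and file listings here are constructed sample data.
"""
import ipaddress
import re
from pathlib import PureWindowsPath

# Indicators quoted in the thread (the post shows the domains defanged as "tidisow . ru").
C2_DOMAINS = {"tidisow.ru", "lepodick.ru"}
C2_IPS = {ipaddress.ip_address("62.173.145.212")}

# Ransom note name mentioned in the thread (HELP_DECRYPT.* files left by CryptoWall 3.0).
RANSOM_NOTE_STEMS = {"HELP_DECRYPT"}

# Crypt0L0cker exclude list exactly as quoted; any other extension is in scope for encryption.
CRYPT0L0CKER_EXCLUDED_EXTENSIONS = set(
    "avi,wav,mp3,gif,ico,png,bmp,txt,html,inf,manifest,chm,ini,tmp,log,url,lnk,"
    "cmd,bat,scr,msi,sys,dll,exe".split(",")
)

# Assumed (constructed) log layout: "<timestamp> <client_ip> <destination> <action>".
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<action>\S+)$")


def normalize_host(value: str) -> str:
    """Undo the 'host . tld' defanging, drop a trailing dot, and lower-case the name."""
    return value.replace(" . ", ".").rstrip(".").lower()


def matches_c2(dst: str) -> bool:
    """True if the destination is one of the C2 IPs or domains listed in the thread."""
    host = normalize_host(dst)
    try:
        return ipaddress.ip_address(host) in C2_IPS
    except ValueError:  # not an IP literal, so compare as a domain name
        return host in C2_DOMAINS


def find_c2_contacts(log_lines):
    """Return (timestamp, client, destination) for every parsable line that reached a known C2."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if m and matches_c2(m["dst"]):
            hits.append((m["ts"], m["src"], m["dst"]))
    return hits


def find_ransom_notes(paths):
    """Return the paths whose file name stem is a known ransom-note name (case-insensitive)."""
    return [p for p in paths
            if PureWindowsPath(p).name.split(".")[0].upper() in RANSOM_NOTE_STEMS]


def in_crypt0l0cker_scope(path) -> bool:
    """True if the file's extension is NOT on the exclude list, i.e. it would be encrypted.
    Files with no extension are treated as in scope (an assumption; the post does not say)."""
    ext = PureWindowsPath(path).suffix.lstrip(".").lower()
    return ext not in CRYPT0L0CKER_EXCLUDED_EXTENSIONS


# Constructed sample data standing in for a proxy log export and a share listing.
SAMPLE_PROXY_LOG = [
    "2015-05-12T09:14:03Z 10.0.0.21 www.example.com ALLOW",
    "2015-05-12T09:14:09Z 10.0.0.21 tidisow.ru ALLOW",
    "2015-05-12T09:14:11Z 10.0.0.37 62.173.145.212 ALLOW",
    "2015-05-12T09:15:00Z 10.0.0.42 LEPODICK.RU. DENY",
    "malformed line that the parser skips",
]
SAMPLE_FILES = [
    r"C:\Users\alice\Documents\budget.xlsx",
    r"C:\Users\alice\Documents\HELP_DECRYPT.TXT",
    r"\\fileserver\share\photos\holiday.png",
    r"\\fileserver\share\docs\HELP_DECRYPT.HTML",
]


def triage(log_lines=SAMPLE_PROXY_LOG, files=SAMPLE_FILES):
    """Run all three checks and return the findings as a dict."""
    return {
        "c2_contacts": find_c2_contacts(log_lines),
        "ransom_notes": find_ransom_notes(files),
        "files_in_scope": [f for f in files if in_crypt0l0cker_scope(f)],
    }


if __name__ == "__main__":
    for key, items in triage().items():
        print(key)
        for item in items:
            print("  ", item)
```

The C2 match is the part worth keeping current: the domains and IP came from a single 2015 forum post, so treat them as a starting list to be replaced by a maintained feed, and note that a DENY line still counts as a hit, since a blocked connection attempt is exactly the evidence of an infected client the first poster was looking for.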

Yes, we're familiar with that topic. :) It can be difficult to determine which ransomware family a computer is infected with if the dropper is not known. In such cases it is important to know details like the ones I outlined in post #4.
