Ransomware questions



Tony
02-04-2017, 05:09 PM
Hi All,
The elderly father of a friend of mine has been hit with ransomware. Of course he has no backups, so is panicking somewhat at the thought of a $1000 payout. As I understand it his options are:

Pay up. He is worried that the money will go but he won't get a fix, but my understanding is that that doesn't happen as it is not in the interests of the scammers to not perform as then everyone will just not pay.
Go to a specialist to decrypt the files. I don't know what the likelihood is of success, or how much that would cost - but I'm guessing it is likely to be less than $1000.
Format the drive and start all over again - but as I said he has no backups to recover his data - lots of family pics, family tree - all the usual stuff.
Do nothing and chuck the PC in the skip - which I think he is inclined to do.


I don't know how he got infected or what brand of ransomware it is, but all suggestions will be gratefully received.

wainuitech
02-04-2017, 05:39 PM
Depends on what type of ransomware it is.

To try and recover data, you can try running http://www.shadowexplorer.com/downloads.html The portable version works fine from a USB drive. You open a system restore point from the list and copy out the data.

AGAIN though, it depends on what the ransomware actually is; that may be encrypted as well. It can also encrypt the USB drive, so don't go using any that have important stuff on them, as they may need to be reformatted as well.

If it were the scam lockout, that's easy to bypass; there are several ways.

Tony
02-04-2017, 05:49 PM
I really know nothing more than what I wrote. The old guy lives down country somewhere so I can't help him directly. His daughter (my friend) is more knowledgeable than he is, but I suspect she wouldn't want to be doing stuff by herself. My own opinion is that his best bet would be to find someone locally that he can pay to fix it.
I'll ask her to get more info about what he is infected with.

Greg
02-04-2017, 06:42 PM
Please please please don't suggest that he pay the ransom! :eek:

Tony
02-04-2017, 06:55 PM
Please please please don't suggest that he pay the ransom! :eek:

I certainly won't be pushing that solution and it would definitely be the last resort, but if he can't get the PC fixed and he wants all his files...

tweak'e
02-04-2017, 10:27 PM
There are a few ransomware crowds that take the money and don't unlock it, or ask for more, etc., so it's no longer worth paying.
There are a few decrypt programs out now for some of them.

Tony
02-04-2017, 10:35 PM
There are a few ransomware crowds that take the money and don't unlock it, or ask for more, etc., so it's no longer worth paying.
There are a few decrypt programs out now for some of them.

Not delivering seems totally counterproductive to me. Asking for more on the other hand...
Here's hoping what he is infected with is one of the solvable ones. I've asked my friend for more info.

zqwerty
02-04-2017, 11:06 PM
If I had this problem I would make, say, 10 clones of the encrypted HDD, leaving the original machine as it is, then try the various decryption programs offered by Kaspersky, i.e. Rakhni Decryptor (there are many others), to try and get the desired info off the affected machine via 'cracking' the clones.

That way all the original options are still available.

Tony
02-04-2017, 11:13 PM
If I had this problem I would make, say, 10 clones of the encrypted HDD, leaving the original machine as it is, then try the various decryption programs offered by Kaspersky, i.e. Rakhni Decryptor (there are many others), to try and get the desired info off the affected machine via 'cracking' the clones.

That way all the original options are still available.

I could maybe do that too, but remember this is an old technologically-challenged man who is going to be totally dependent on others to solve this for him. If he goes to a specialist that is what could possibly happen anyway.

Lawrence
03-04-2017, 07:30 AM
Always get the comp posted to you (About $20/25)

This place might be the best bet to ascertain whats going on https://www.nomoreransom.org/index.html

1101
03-04-2017, 11:16 AM
The chances of decrypting any of the newer ransomware attacks is zero.

Long gone are the days when you could download the encryption key. Things have moved on; the hackers have learnt and are well past that now.
There is ZERO chance of someone just being able to magically fix this for you, unless it was one of the very early types of ransomware (that's unlikely).

If the data is that important, pay the ransom & hope you get the unlock key. (I wouldn't)

Speedy Gonzales
03-04-2017, 11:24 AM
Get one of the bootable AV ISO's from Kaspersky, or AVG. It may do something

Tony
03-04-2017, 01:53 PM
If the data is that important, pay the ransom & hope you get the unlock key. (I wouldn't)

Well I wouldn't either, but I have good backups. This man apparently has nothing so stands to lose a whole bunch of important/sentimental stuff.

I guess it is going to come down to whether he thinks it is worth paying $1000 to get it all back.

1101
03-04-2017, 03:01 PM
Well I wouldn't either, but I have good backups. This man apparently has nothing so stands to lose a whole bunch of important/sentimental stuff.
I guess it is going to come down to whether he thinks it is worth paying $1000 to get it all back.

...and dealing with hackers/crims, who won't be accepting a cheque :)
Possibly have to pay in bitcoins, or some RU payment method.
Can't imagine they will take CC, as that's too easy to get reversed.

Sometimes the longer you wait, the more the price goes up. Wait too long & it could even be too late, if the crim goes into hiding, gets caught/shut down or moves onto new scams.
Also, there's always the chance that trying to clean up (AV program) could remove the means the hacker uses to decrypt?

Tony
03-04-2017, 03:12 PM
...and dealing with hackers/crims, who won't be accepting a cheque :)
Possibly have to pay in bitcoins, or some RU payment method.
Can't imagine they will take CC, as that's too easy to get reversed.

Sometimes the longer you wait, the more the price goes up. Wait too long & it could even be too late, if the crim goes into hiding, gets caught/shut down or moves onto new scams.
Also, there's always the chance that trying to clean up (AV program) could remove the means the hacker uses to decrypt?

Bitcoin is what they want, and apparently they supply detailed instructions on how to do it - clearly they recognise the importance of making it easy to do business with them. :annoyed: I've also been concerned about there being a time limit on how long he can put it off before the whole disk just gets trashed, but unfortunately I'm two degrees removed from it all and can only offer advice from the sidelines.

Speedy Gonzales
03-04-2017, 03:14 PM
Did you try what I posted??

Tony
03-04-2017, 03:29 PM
Did you try what I posted??

I haven't tried anything. As I've said I'm not directly involved (and am also nowhere near the victim) and can only pass the advice here on to my friend. I have no knowledge of what exactly the form of the threat is. I have only been told it is "ransomware". I've sent her a link to the thread and told her to keep checking back.

1101
03-04-2017, 04:51 PM
I haven't tried anything. As I've said I'm not directly involved (and am also nowhere near the victim) and can only pass the advice here onto my friend. I have no knowledge of what exactly the form of the threat is. I have only been told it is "ransomware". I've sent her a link to the thread and told her to keep checking back.

The best advice for now is:
turn off the PC & leave it turned off.
Make a plan of attack, decide what they are going to do, don't keep using the PC.

If they have used CC online or online banking since infection, contact the bank. Consider resetting any online passwords (just in case).
If they have Dropbox, then they have some options.

more info here
https://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information
https://www.bleepingcomputer.com/forums/f/239/ransomware-help-tech-support/

Tony
03-04-2017, 07:19 PM
I've just spoken to my friend and it sounds like there is some good news. Our victim has found someone in Morrinsville to tackle the problem and at the time of writing a bunch of files have been recovered and it looks likely that most if not all of them will be recovered.

I've asked her to find out what the "brand" of ransomware is and whether it all gets successfully resolved.

Speedy Gonzales
03-04-2017, 08:30 PM
Used to live not far from there going towards Te Aroha a few yrs ago now

Lawrence
03-04-2017, 09:16 PM
Used to live not far from there going towards Te Aroha a few yrs ago now

Also from the same area 67-87:)

Kame
03-04-2017, 09:50 PM
A bitcoin is NZ$1600 at the moment, it's up $200 from last month and worth investing in, but definitely makes you think long and hard about paying the ransom though.

Tony
03-04-2017, 10:13 PM
A bitcoin is NZ$1600 at the moment, it's up $200 from last month and worth investing in, but definitely makes you think long and hard about paying the ransom though.

Well it's looking like he won't have to, so that's good news. Of course we don't know what the techo will charge him...

linw
03-04-2017, 10:31 PM
If he gets his files back he is very very lucky. As 1101 said above, the latest versions are not crackable.

Maybe he will keep some offline backups after this. Or, then again, maybe not.

Tony
03-04-2017, 10:47 PM
If he gets his files back he is very very lucky. As 1101 said above, the latest versions are not crackable.

I agree, but I'm only going by what I've been told.

Maybe he will keep some offline backups after this. Or, then again, maybe not.

One would hope so, but I'm not optimistic.

Lawrence
03-04-2017, 10:59 PM
Does not sound like Cryptolocker, as newer variants offer near nil remedy; with an earlier variant there's a chance there might be a fix.

May be just ransomware of some sort that needed targeted, systematic cleaning.

Speedy Gonzales
03-04-2017, 11:19 PM
Also from the same area 67-87:)

I went to that college in 1981-82

Digby
07-04-2017, 07:03 AM
As someone who was hit with Cryptolocker a few years ago I would say this to the guy.
I had off-site backups and just threw away the infected drive(s) and put the backup hard drive in - I lost two weeks' work/data.
I spend a lot of my time doing backups - and it paid off then.

First - He should have made backups - he should kick himself and apologise to his family for losing their photos etc.
Second - He should make a YouTube video saying "I'm stupid for not having backups"
(What if someone had stolen his computer?)
Third - He should not pay the ransom - if people do that, it only encourages them.
Fourth - He should report it to Netsafe - or whoever - so that they know the scale of the problem.
Fifth - He should buy a new C drive and reload his OS and programs.

Don't bother trying to find a program to unlock the files - it's probably an exercise in futility.

People who say they will honour the deal if you pay them may be a bit deluded when they say they would not honour their side of the deal.
What if they come back for me?
Don't say it's not in their interest - they are low-life scum with no principles at all.

Digby
07-04-2017, 07:05 AM
The poor guy has lost his data and all you are worried about is the town where he lives!!??

Digby
07-04-2017, 07:06 AM
As I have said before on these threads.

The people that make this stuff should be found and SHOT.
The isp's and email servers that host them should remove them right away or be banned from the internet.

Lawrence
07-04-2017, 07:25 AM
Would have been good to have a few more details but realize you did not have them

Have told people I know about backing up but it's like talking to a brick wall; they just think it's all too hard

Tony
07-04-2017, 07:45 AM
As someone who was hit with Cryptolocker a few years ago I would say this to the guy.
I had off-site backups and just threw away the infected drive(s) and put the backup hard drive in - I lost two weeks' work/data.
I spend a lot of my time doing backups - and it paid off then.

First - He should have made backups - he should kick himself and apologise to his family for losing their photos etc.
Second - He should make a YouTube video saying "I'm stupid for not having backups"
(What if someone had stolen his computer?)
Third - He should not pay the ransom - if people do that, it only encourages them.
Fourth - He should report it to Netsafe - or whoever - so that they know the scale of the problem.
Fifth - He should buy a new C drive and reload his OS and programs.

Don't bother trying to find a program to unlock the files - it's probably an exercise in futility.

People who say they will honour the deal if you pay them may be a bit deluded when they say they would not honour their side of the deal.
What if they come back for me?
Don't say it's not in their interest - they are low-life scum with no principles at all.

It is very easy to pontificate about what a person should have done and what they should do from the comfort of your armchair. If you had read the thread you would have seen:


This is an old man who has probably never had any training in how to use a PC, PC security etc., expects the PC to "just work", like a toaster, and (admittedly naively) never considered that he was doing anything that might be harmful.
Of course he should have had backups - and if he recovers from this (and it looks like he will, at least in part) and does not have backups in the future he will get no support from me if he has problems.
All your proposed actions are do-able - but see my first point. The scammers may be lowlifes - but if they want continued "business" then it is in their interest to keep their side of the bargain, or people will know there is no point in paying the ransom because nothing will be fixed.
It is possible to recover from at least some ransomware. By coincidence this (http://www.zdnet.com/article/tell-bart-and-other-ransomware-families-to-eat-my-shorts-with-new-free-decryption-tools/?loc=newsletter_missed_content&ftag=TRE3e6936e&bhid=20593232764080823862615497602951) appeared in my inbox this morning.


A bit more "there but for the grace of god go I" and a bit less "nyah, nyah, stupid person" wouldn't go amiss.

Tony
07-04-2017, 08:00 AM
Would have been good to have a few more details but realize you did not have them

Have told people I know about backing up but it's like talking to a brick wall; they just think it's all too hard

I haven't heard how the recovery (if any) is going. I've been thinking about next steps for the victim and I'm thinking that setting him up with something like OneDrive might be the answer, so all his stuff is automatically backed up/synced.
Any other suggestions welcome - remembering it has to be dead simple and require minimal effort.

Digby
07-04-2017, 08:18 AM
I sold computers years ago in the 1980s and 90s.

One of the first things I told them was they must do backups.

I gave them a backup log (a sheet of paper) and I made them do a backup any time they did some work.

Its still the same today.

How many people don't back up the pics on their phones?

So we should all tell our friends and relatives about the necessity of doing backups.

Its probably much easier now with things like the cloud and portable hard drives (1TB)

Digby
07-04-2017, 08:21 AM
Years ago in the days of film cameras and negatives it was easy to lose all your precious family photos in a fire or theft!

Nowadays with digital you can make a copy (backup) easily

Of course you should have at least two copies one in your house, and one off site - at a friends house etc.

Tony
07-04-2017, 08:38 AM
And the relevance of these rants to the issue in the thread title? We have already established that the victim is old and non-techie. He may have been badly or not advised about security in the past, but that doesn't help with his problem today.

CliveM
07-04-2017, 10:24 AM
And the relevance of these rants to the issue in the thread title? We have already established that the victim is old and non-techie. He may have been badly or not advised about security in the past, but that doesn't help with his problem today.

Your points are certainly valid Tony however a lot of people read through these threads in the hope of learning something new and if even one newby has picked up the fact that backups are a good idea it is certainly worth mentioning.

dugimodo
07-04-2017, 10:30 AM
The trouble with using real-time sync as a backup is it potentially backs up your problems as well. I don't know if OneDrive can be hit by ransomware but I suspect it would simply copy the encrypted files.
The same is potentially true of any always-connected backup device with write access. The best backup is the least user-friendly: regular scheduled backups on external media stored separately.

I hope the free tools you linked include the ransomware in question, and it boggles my mind that these people are not tracked down and dealt with. If you can pay them you can find them.
I don't really advocate such things, but it seems like paying the ransom to someone else who would then track them down and beat the repairs out of them would be a more satisfying use of the money.

Tony
07-04-2017, 11:05 AM
The trouble with using real-time sync as a backup is it potentially backs up your problems as well. I don't know if OneDrive can be hit by ransomware but I suspect it would simply copy the encrypted files.
The same is potentially true of any always-connected backup device with write access. The best backup is the least user-friendly: regular scheduled backups on external media stored separately.

I hope the free tools you linked include the ransomware in question, and it boggles my mind that these people are not tracked down and dealt with. If you can pay them you can find them.
I don't really advocate such things, but it seems like paying the ransom to someone else who would then track them down and beat the repairs out of them would be a more satisfying use of the money.

Good point - I hadn't thought about the encrypted stuff being synced as well. Though of course the original files should still be on the OneDrive - shouldn't they? I guess it depends on how you have set it up as to whether it deletes files from the OneDrive storage if it finds they have gone from the local storage. I fear you are right though - the most reliable way will be the least user-friendly.

I think all the ransomware thugs expect payment in bitcoin - which is untraceable, isn't it?

Tony
07-04-2017, 11:08 AM
Your points are certainly valid Tony however a lot of people read through these threads in the hope of learning something new and if even one newby has picked up the fact that backups are a good idea it is certainly worth mentioning.
You are right as far as it goes - I just don't see the need for a dismissive patronising rant.

1101
07-04-2017, 12:06 PM
Even the FBI recommended just paying for those who desperately needed data back. :badpc:

One option is to try a full data recovery of deleted files. Theory being that each original file will be deleted after the encrypted version is made.
Again, don't expect much via data recovery, but worth a try if willing to put in the time.

Of the 6 or so ransomware-encrypted PCs I've looked at in the last year, none were recoverable.
Worth a try for sure, but don't expect too much.

Yes, OneDrive & Dropbox also get encrypted (seen it), but it was just a matter of rolling back to the previous version.
Also USB HDs, NAS, any network shares or mapped drives can & do also get encrypted.
If your backup drive is connected (often is), that can get encrypted as well.

Most people don't have backups, and don't TEST their backups. That's just the way things are.
Even some companies take a very lax attitude to backups; all you can do is recommend proper backup regimes. If they aren't interested, that's as far as it goes.

That's the world we live in:
most people don't backup, criminals don't get caught, countries look the other way or do the absolute min to stop cyber-criminals.
Arrest them and another will pop up anyway.

Tony
07-04-2017, 12:21 PM
Yes, OneDrive & Dropbox also get encrypted (seen it), but it was just a matter of rolling back to the previous version.
Also USB HDs, NAS, any network shares or mapped drives can & do also get encrypted.
If your backup drive is connected (often is), that can get encrypted as well.

Thanks for that - that's useful info. I suspect his daughter will end up getting him an external hard drive with some easy-to-use backup software - any recommendations?

Of course he is still going to have to (a) remember to do it and (b) remember to disconnect it when not in use, but there is only so much one can do. I guess for the photos just copying them to DVD may well be sufficient.
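
The failure mode dugimodo and 1101 describe above (a sync client, or an always-connected drive, faithfully receiving the encrypted copies) can be partly engineered around inside the backup job itself. The following is an added example written for this page; it is not SyncBack, OneDrive, File History or any other product named in the thread, and every file name, file content, threshold and helper in it is invented. It keeps every earlier snapshot (append-only, never overwritten) and refuses to take a new one when the source looks freshly mass-encrypted: most known files changed at once, plus a second signal, either unfamiliar extensions or readable documents that turned into high-entropy noise. What no code can do is stop the backup drive itself being encrypted while it is plugged in; that part still needs the drive unplugged between runs.

```python
"""Version-keeping backup pass with a 'mass encryption' guard (constructed example)."""
import hashlib
import math
from collections import Counter
from typing import Dict, List, Tuple

Files = Dict[str, bytes]            # relative path -> contents (an in-memory "disk")
Store = List[Tuple[str, Files]]     # append-only list of (label, snapshot)

HIGH_ENTROPY = 7.0   # bits/byte; encrypted or compressed data sits near 8
LOW_ENTROPY = 5.5    # typical ceiling for documents, spreadsheets, plain text


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data`."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def extension(path: str) -> str:
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def assess(previous: Files, current: Files) -> dict:
    """Compare the last good snapshot with the live files and score the change."""
    changed = [p for p in previous if current.get(p) != previous[p]]
    known_exts = {extension(p) for p in previous}
    new_ext_files = [p for p in current if extension(p) not in known_exts]
    entropy_jumps = [p for p in changed if p in current
                     and shannon_entropy(previous[p]) < LOW_ENTROPY
                     and shannon_entropy(current[p]) > HIGH_ENTROPY]
    report = {
        "changed_ratio": len(changed) / len(previous) if previous else 0.0,
        "new_ext_ratio": len(new_ext_files) / len(current) if current else 0.0,
        "entropy_jumps": len(entropy_jumps),
    }
    # Mass change alone is not proof (moving folders looks the same), so demand
    # a second signal: unfamiliar extensions, or readable files turned to noise.
    report["suspicious"] = report["changed_ratio"] >= 0.5 and (
        report["new_ext_ratio"] >= 0.3 or report["entropy_jumps"] >= 1)
    return report


def backup(store: Store, current: Files, label: str) -> Tuple[Store, dict]:
    """Append a snapshot unless the change looks like an encryption event.
    Earlier snapshots are never modified, so a bad day cannot erase a good one."""
    previous = store[-1][1] if store else {}
    report = assess(previous, current)
    if report["suspicious"]:
        return store, {**report, "action": "refused"}
    return store + [(label, dict(current))], {**report, "action": "stored"}


# ---- constructed sample data (invented contents) ----------------------------
def pseudo_random(seed: bytes, length: int) -> bytes:
    """Deterministic noise standing in for a JPEG, or for ciphertext."""
    out, block = bytearray(), seed
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:length])


DAY1: Files = {
    "letters/gran.txt": b"Dear Margaret, the garden is doing well. " * 60,
    "photos/wedding.jpg": pseudo_random(b"jpeg", 4096),
    "family/tree.csv": b"name,born,died\nArthur,1921,1999\n" * 80,
}
DAY2: Files = {**DAY1, "letters/gran.txt": DAY1["letters/gran.txt"] + b"PS: send photos."}
# Day 3: every document renamed to .locked and replaced with noise, plus a ransom note.
RANSOMED: Files = {p + ".locked": pseudo_random(p.encode(), len(d)) for p, d in DAY2.items()}
RANSOMED["HOW_TO_DECRYPT.txt"] = b"Pay 1 BTC to get your files back."


def demo():
    store, r1 = backup([], DAY1, "day1")
    store, r2 = backup(store, DAY2, "day2")
    store, r3 = backup(store, RANSOMED, "day3")
    return store, (r1, r2, r3)


if __name__ == "__main__":
    kept, reports = demo()
    for label, r in zip(("day1", "day2", "day3"), reports):
        print(label, r["action"], r)
    print("snapshots kept:", [label for label, _ in kept])
```

Running the file prints day 1 and day 2 stored and day 3 refused, with the two earlier snapshots intact. The entropy check alone would miss files that are already noise-like, such as JPEGs (the constructed wedding.jpg is pseudo-random for exactly that reason), which is why a change of extension is a separate signal; the change-ratio gate stops an ordinary reorganisation of folders from tripping either one, and a ransomware that encrypts in place without renaming is caught by the entropy jump instead.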

pctek
07-04-2017, 12:26 PM
I did 2 things for a not very comp literate person I know.
Imaged her c: onto the external.
Set up a profile in Syncback for her.

She does get it out and run it every now and then.

Easy as, free and no hassle.

Lawrence
07-04-2017, 12:47 PM
With Windows 10 I use its File History backup along with backing up every folder as well, just to have another copy.

Also keep a recent Windows 10 ISO for a clean start and sometimes take an image, but I'm more inclined to go with a new build if ever presented with being totally locked out.

https://www.howtogeek.com/220986/how-to-use-all-of-windows-10’s-backup-and-recovery-tools/

dugimodo
07-04-2017, 02:12 PM
File history is useful but will not help against ransomware, and an ISO is awesome but only if it's stored somewhere the ransomware can't get to it. I store everything on my NAS and keep a daily backup on another PC that has file sharing disabled and is dedicated to that one use. More effort than most would go to I suppose.

Lawrence
07-04-2017, 07:09 PM
Any backup is kept totally disconnected from comp on another Drive after backup

zqwerty
08-04-2017, 12:55 AM
Maybe one of these could be useful:

Emsisoft offers many decrypter tools for download. Most techs will need one or more of these so rather than have numerous listings we here at MajorGeeks took the time and zipped all the Emsisoft Decrypter Tools into one convenient zip package for you.
To date, there are over 25 decrypters included with this package - almost everything you need to combat some of the common ransomware variants.
The one you need can be found by looking at the word after decrypt_. In other words, if you needed the decrypter for Autolocky, then you would use “decrypt_autolocky.exe" see below for what's included.
Decrypter for AutoLocky
Decrypter for Nemucod
Decrypter for DMALocker2
Decrypter for HydraCrypt
Decrypter for DMALocker
Decrypter for CrypBoss
Decrypter for Gomasom
Decrypter for LeChiffre
Decrypter for KeyBTC
Decrypter for Radamant
Decrypter for CryptInfinite
Decrypter for PClock
Decrypter for CryptoDefense
Decrypter for Harasom
Decrypter for FenixLocker
Decrypter for MRCR
Decrypter for Marlboro
Decrypter for OpenToYou
Decrypter for OzozaLocker
Decrypter for Philadelphia
Decrypter for Apocalypse
Decrypter for Al-Namrood
Decrypter for Globe, Globe2, Globe3
Decrypter for Fabiansomware
Decrypter for 777
Decrypter for Xorist
Decrypter for Stampado
Decrypter for CryptON
Decrypter for Damage
Emsisoft Decrypter for Cry9

http://www.majorgeeks.com/files/details/emsisoft_decrypter_tools.html

Tony
08-04-2017, 02:57 PM
Thanks for that. I still don't know what flavour of ransomware is involved, but I'll pass this on to my friend.

1101
10-04-2017, 10:46 AM
Maybe one of these could be useful:

Emsisoft offers many decrypter tools for download.

Looking through their tools, as I wondered how they managed to crack them (given the keys don't always stay constant, even on the same type of ransomware):
"To use the decrypter, you will require an encrypted file of at least 128 KB in size as well as its unencrypted version"
"Due to a bug in the malware's code, the malware will truncate up to the last 7 bytes from files it encrypts. It is, unfortunately, impossible for the decrypter to reconstruct these bytes"
"To use the decrypter, you will require a file pair containing both an encrypted file and its non-encrypted original version"
"To use the decrypter, you will require an encrypted file of at least 128 KB in size as well as its unencrypted version"

I see a pattern emerging here. Better than nothing, but somehow I doubt they will be of much help to most of us.
The chances of recovering data with a downloadable tool are minimal.

More interesting...
at least one of these ransomwares gets in through RDP; it just brute forces to find a user/password for RDP access.
Might be a good idea to make sure RDP ports are closed on your routers. If you need RDP, use a non-standard port and don't use a guessable Win login name.
Disable Remote Access if you don't need it.
Use an adblocker, popup blocker, script blocker.
"Malicious code is hidden in the page’s code, often in an advertisement (malvertisement), which redirects you to the exploit kit landing page, unnoticed by the victim. This was the case when the New York Times and the BBC were hacked and thousands of readers were redirected to an injecting site."
http://blog.emsisoft.com/2017/03/30/spotlight-on-ransomware-common-infection-methods/
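
The RDP brute-forcing 1101 mentions leaves a very recognisable trail in the Windows Security log, so here is an added example of spotting it; this is illustration code for this page, not something from the thread or from Emsisoft. Event ID 4625 is a failed logon and 4624 a successful one; an RDP guess is recorded with logon type 10 (RemoteInteractive) if it reaches the logon screen, or type 3 (Network) when Network Level Authentication rejects it first. The log records below are constructed in a simplified one-record-per-line layout with invented account names and documentation-range addresses; a real export from wevtutil or Get-WinEvent carries the same fields in a different shape, so parse() is the only part that would need adapting.

```python
"""Flag an RDP password-guessing burst in Windows Security log events (constructed example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Logon types an RDP attempt produces: 10 at the logon screen, 3 when NLA rejects it.
RDP_LOGON_TYPES = {"3", "10"}


def constructed_log():
    """Sample records: one guessing burst that succeeds, one weak burst, console typos."""
    lines = []
    t0 = datetime(2017, 4, 3, 2, 14, 0)
    guesses = ["Administrator", "admin", "user", "scanner", "backup", "tony"]
    for i in range(12):  # 12 failures in under 80 s from one address, cycling usernames
        t = (t0 + timedelta(seconds=7 * i)).isoformat()
        lines.append(f"{t} 4625 LogonType=3 Account={guesses[i % 6]} Source=203.0.113.7")
    lines.append("2017-04-03T02:15:40 4624 LogonType=10 Account=tony Source=203.0.113.7")  # the guess that worked
    lines += [
        "2017-04-03T02:30:00 4625 LogonType=3 Account=admin Source=198.51.100.9",
        "2017-04-03T02:31:00 4625 LogonType=3 Account=admin Source=198.51.100.9",
        "2017-04-03T08:55:10 4625 LogonType=2 Account=tony Source=-",  # mistyped at the console
        "2017-04-03T08:55:20 4624 LogonType=2 Account=tony Source=-",
    ]
    return lines


def parse(line):
    """'<ISO time> <event id> Key=Value ...' -> dict; None for lines that don't fit."""
    parts = line.split()
    if len(parts) < 2:
        return None
    try:
        rec = {"time": datetime.fromisoformat(parts[0]), "event_id": parts[1]}
    except ValueError:
        return None
    for field in parts[2:]:
        key, _, value = field.partition("=")
        rec[key.lower()] = value
    return rec


def detect(lines, window=timedelta(minutes=5), threshold=10,
           success_horizon=timedelta(hours=1)):
    """Alert on any source with `threshold` RDP failures inside `window`, and say
    whether a successful RDP logon from the same source followed the burst."""
    failures, successes = defaultdict(list), defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        if rec.get("logontype") not in RDP_LOGON_TYPES:
            continue  # console and service logons are not RDP guesses
        if rec["event_id"] == "4625":
            failures[rec["source"]].append(rec)
        elif rec["event_id"] == "4624":
            successes[rec["source"]].append(rec["time"])
    alerts = []
    for source, recs in failures.items():
        times = sorted(r["time"] for r in recs)
        burst = any(times[i + threshold - 1] - times[i] <= window
                    for i in range(len(times) - threshold + 1))
        if not burst:
            continue
        last = times[-1]
        alerts.append({
            "source": source,
            "failures": len(times),
            "accounts": sorted({r["account"] for r in recs}),
            "first": times[0].isoformat(),
            "last": last.isoformat(),
            # A success right after the burst is the signal that matters most.
            "followed_by_success": any(last <= s <= last + success_horizon
                                       for s in successes.get(source, [])),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(constructed_log()):
        print(alert)
```

On the sample data only 203.0.113.7 trips the default threshold, and its alert carries followed_by_success=True because a 4624 from the same address arrived seconds after the last failure; that combination should be read as a compromised account, not an attempt. The two failures from 198.51.100.9 stay below the threshold and the console typos are ignored because logon type 2 is not RDP. On a home PC the cheaper fix is the one 1101 gives above: don't expose RDP at the router at all.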

Tony
10-04-2017, 10:57 AM
Looking through their tools, as I wondered how they managed to crack them (given the keys don't always stay constant, even on the same type of ransomware):
"To use the decrypter, you will require an encrypted file of at least 128 KB in size as well as its unencrypted version"
"Due to a bug in the malware's code, the malware will truncate up to the last 7 bytes from files it encrypts. It is, unfortunately, impossible for the decrypter to reconstruct these bytes"
"To use the decrypter, you will require a file pair containing both an encrypted file and its non-encrypted original version"
"To use the decrypter, you will require an encrypted file of at least 128 KB in size as well as its unencrypted version"


I don't understand that. If you need an encrypted file plus the same file unencrypted, why do you need the decrypter?

1101
10-04-2017, 11:15 AM
I don't understand that. If you need an encrypted file plus the same file unencrypted, why do you need the decrypter?

Exactly the point. That's why I initially said zero chance (actually a very small chance of recovery)
- might have a copy of a single file on a USB stick, or emailed it to someone at some time.

And now things are changing again.
Some newer types make no attempt to make files recoverable even if you pay. It's now easier to just scam you & give no unencryption.
https://blog.kaspersky.com/ranscam-ransomware/12583/
"The ransomware states that it has moved the user’s files into a “hidden, encrypted partition,” but in reality, it deleted them before even showing the ransom message. So there is no way to retrieve them.
simply destroying the files means that the criminals don’t need to learn the fine points of cryptoblocking and locking.
Whenever a user clicks the button, a message appears, saying the payment was not verified and that one file will be deleted each time the button is pressed without the criminals behind Ranscam having been paid. That is probably supposed to make users nervous and persuade them to pay several times."

Tony
10-04-2017, 02:07 PM
It's all very scary. I'll chase up my friend and see how her stepdad is doing.

dugimodo
10-04-2017, 02:29 PM
Makes sense actually, my assumption is if you can find at least 1 file that is unencrypted and the same as an encrypted one the tool can use it to figure out what key was used and then apply that to all the rest of the files.
What I'm wondering is if there's a standard system file that meets the size requirements that you could copy off another machine with the same OS version? might be worth looking into.

Tony
10-04-2017, 02:34 PM
Makes sense actually, my assumption is if you can find at least 1 file that is unencrypted and the same as an encrypted one the tool can use it to figure out what key was used and then apply that to all the rest of the files.
What I'm wondering is if there's a standard system file that meets the size requirements that you could copy off another machine with the same OS version? might be worth looking into.

Riiight. You only need one unencrypted/encrypted pair to be able to sort out the rest. Your suggestion about the possibility of a system file from another PC is worth looking into.

dugimodo
10-04-2017, 04:16 PM
Except the flaw in my theory is I don't think the system files get encrypted.
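
To make concrete why those Emsisoft notes want a matching encrypted/unencrypted pair, and why dugimodo's reading of it is the right one, here is an added example that is not from the page, from Emsisoft, or from any real ransomware family. It builds a toy "ransomware" that XORs every file with a keystream derived from one key and, through the same bug many amateur lockers have, reuses that keystream for every file. One known pair then yields the keystream prefix (plaintext XOR ciphertext), and the "decrypter" applies it to everything else. In this toy the known file must be at least as long as the longest file you want back; a real tool's minimum-size rule (the 128 KB above) reflects how much known data its particular key recovery needs. The hardened variant at the bottom adds a per-file nonce, which is why a pair gets you nothing against properly written ransomware. All names, keys and file contents are invented.

```python
"""Why a decrypter needs one plain/encrypted pair: keystream reuse (constructed example)."""
import hashlib
import os


def toy_keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: block_i = SHA256(key || nonce || i), truncated to length."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def weak_encrypt(files: dict, key: bytes) -> dict:
    """The bug: same key, no nonce, so every file sees the identical keystream."""
    return {name: xor(data, toy_keystream(key, b"", len(data)))
            for name, data in files.items()}


def recover_keystream(plain: bytes, cipher: bytes) -> bytes:
    """Known plaintext: plain XOR cipher is the keystream for that many bytes."""
    return xor(plain, cipher)


def decrypt_with_keystream(ks: bytes, cipher: bytes):
    """Return (recovered_bytes, complete); only len(ks) bytes can be undone."""
    n = min(len(ks), len(cipher))
    return xor(ks[:n], cipher[:n]), n == len(cipher)


def recover_all(encrypted: dict, known_name: str, known_plain: bytes) -> dict:
    """The 'decrypter': derive the keystream from one pair, apply it to the rest."""
    ks = recover_keystream(known_plain, encrypted[known_name])
    return {name: decrypt_with_keystream(ks, ct)
            for name, ct in encrypted.items() if name != known_name}


def strong_encrypt(files: dict, key: bytes) -> dict:
    """Hardened variant: fresh random nonce per file, stored ahead of the ciphertext.
    A keystream recovered from one file is now useless against any other."""
    out = {}
    for name, data in files.items():
        nonce = os.urandom(16)
        out[name] = nonce + xor(data, toy_keystream(key, nonce, len(data)))
    return out


# Constructed victim files (invented contents); letter.txt is the known pair.
SAMPLE_FILES = {
    "letter.txt": b"Dear Margaret, " * 20,             # 300 bytes, copy also emailed to family
    "recipe.txt": b"2 eggs, 1 cup flour\n" * 5,        # 100 bytes, shorter than the pair
    "memoir.txt": b"Chapter 1. I was born in " * 20,   # 500 bytes, longer than the pair
}
SAMPLE_KEY = b"attacker-key-reused-for-every-file"


def demo() -> dict:
    enc = weak_encrypt(SAMPLE_FILES, SAMPLE_KEY)
    return recover_all(enc, "letter.txt", SAMPLE_FILES["letter.txt"])


if __name__ == "__main__":
    for name, (data, complete) in demo().items():
        print(name, "fully recovered" if complete else "first 300 bytes only", data[:25])
```

Running it recovers recipe.txt completely and only the first 300 bytes of memoir.txt, because the keystream is known only as far as the reference file reaches. The pair itself can be any file that survives unchanged somewhere else, which is the point 1101 makes above about a USB stick or an emailed copy; as dugimodo notes, system files are rarely encrypted, so they usually cannot serve. Against the strong_encrypt variant the same trick yields garbage for every other file, which is the situation with the newer families the thread says are not crackable.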

Speedy Gonzales
10-04-2017, 04:20 PM
It's not Rensenware ransomware is it? (https://www.neowin.net/news/new-ransomware-invites-you-to-play-a-game-and-unlock-your-data-with-a-high-score)

Because the guy who made / released this later apologised for making it, and released a tool to decrypt the files.

This ransomware is different. You don't have to pay, you have to play a game and get a high score and it'll decrypt the files.

Tony
10-04-2017, 04:32 PM
Except the flaw in my theory is I don't think the system files get encrypted.

Never let facts get in the way of a good theory, that's my motto...

And there are a few in this forum for whom that is not a joke, it's a way of life :)

Tony
17-05-2017, 06:41 PM
Apparently the old guy got his photos recovered but lost an autobiographical manuscript he was working on and maybe some genealogical stuff. I still don't know what flavour of ransomware it was or how much it cost him for the recovery.

Lawrence
18-05-2017, 09:07 AM
Interesting: Eset fails to protect you from WannaCry, and Microsoft Security Essentials also fails

https://malwaretips.com/threads/av-comparatives-proactive-protection-against-the-wannacry-ransomware.71564/

Edit- In the wrong thread but similar

wainuitech
18-05-2017, 09:40 AM
Interesting: Eset fails to protect you from WannaCry, and Microsoft Security Essentials also fails

https://malwaretips.com/threads/av-comparatives-proactive-protection-against-the-wannacry-ransomware.71564/

Edit- In the wrong thread but similar

Take those "lab" results with a grain of salt (look how many lab tests say Norton, Avast etc. are the best, yet I see systems all the time riddled with infections). If you read the comments, Eset does protect, and in one of the posts is a link to Eset's site stating they have added protection. https://www.eset.com/us/about/newsroom (https://www.eset.com/us/about/newsroom/corporate-blog/what-you-need-to-know-about-wannacry/?elq_mid=3059&intcmp=emc-wc-trl-051517&elqTrackId=65b8c8376dcc4a84b6fbc4b04a4031e8&elq=66b238e3a54245ca97dfc62ccf03dc2f&elqaid=3059&elqat=1&elqCampaignId=1383)

Bit like the result "Microsoft Security Essentials Not protected". Considering, as they point out at the beginning, "we used vulnerable Windows 7 systems", it boils down to: if you have the patches via Windows Updates, then it can't attack. W10 was patched months ago. Microsoft Security Essentials is the old version and is useless, whereas the Windows Defender now in W10 is far better than its predecessor.

Lawrence
18-05-2017, 10:06 AM
More from Eset here https://forum.eset.com/topic/11948-massive-ransomware-attack/

Seems they block it, but I would not run the WannaCry exe just to test it

1101
18-05-2017, 10:36 AM
Interesting: Eset fails to protect you from WannaCry, and Microsoft Security Essentials also fails

https://malwaretips.com/threads/av-comparatives-proactive-protection-against-the-wannacry-ransomware.71564/

Edit- In the wrong thread but similar

Yes, and no.
They ran the test deliberately with OLD AV definitions.
This tests how well AV programs block as yet unknown malware. That is more of a real-world test.
One possible issue in the testing is that some AV is cloud based, so even using old AV sigs, would the tested AV just go on the cloud & detect via updated sigs on the cloud, making the test worthless?

The results don't mean ESET won't now block WannaCry. It means that ESET failed to block it before WannaCry was known & sigs were written to detect it.
Signature-based AV is becoming more & more useless. By the time new sigs are written, the malware has spread across the world & it is often too late.
Eset failed to block via behaviour analysis/heuristics.
From experience, ESET is not good at blocking as yet unknown malware. Can't comment too much on the other brands.
Also, in general, when you need to use freeware programs to clean up malware that paid AV can't clean, then we have an issue.

But what's the alternative?
Nod is reliable, won't bog down the system, has good support, and doesn't act as badly as malware like the freeware AV does (freeware AV popups, scareware, scams etc.)

At the end of the day, it's just one test.
Can't go by 1 batch of testing alone; it needs to be confirmed by other companies' testing, as there may be errors & bias in the testing methods.