App Review Emsisoft vs cmdRansomware

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
Petrovic

Petrovic

Level 64
Thread author
Verified
Honorary Member
Top Poster
Well-known
Apr 25, 2013
5,356
Content source
https://support.emsisoft.com/topic/30216-emsisoft-vs-cmdransomware/


Emsisoft vs cmdRansomware

cmdRansomware Discovered

Petrovic found a new ransomware called cmdRansomware that utilizes a batch files and GPG to encrypt a computer. When encrypting it will append the .ransomware extension to encrypted files and drop a ransom note named cmdRansomware.txt.
DtPhgsxWoAEG8wf[1].jpg
Click to expand...

The Week in Ransomware - November 30th 2018 - Indictments, Sanctions, & More
 
  • Like
Reactions: Solarquest, upnorth, oldschool and 14 others
SumTingWong

SumTingWong

Level 28
Verified
Top Poster
Well-known
Apr 2, 2018
1,782
spaceoctopus said:
Emsisoft's BB showing some fatigue these days. It's not what it was a few years back. Although it is still a great product. On the other side malwares have become more sophisticated too.Thanx for sharing.
Click to expand...

Same thing with Qihoo 360 QVME engine. In the past, it is the best against unknown threats. Nowadays, it is a let down.
 
  • Like
Reactions: Andrew999, show-Zi, spaceoctopus and 2 others
F

ForgottenSeer 72227

spaceoctopus said:
Emsisoft's BB showing some fatigue these days. It's not what it was a few years back. Although it is still a great product. On the other side malwares have become more sophisticated too.Thanx for sharing.
Click to expand...

I think it just goes to show that any product can miss malware, regardless of what features it may have (ie BB, Ai, etc..). There's no magical silver bullet that will protect you from every single piece of malware. It's still very much a cat and mouse game. Secuirty products get an edge for a while, hackers develop malware to get around them. Its a never ending cycle that will always continue.
 
  • Like
Reactions: DDE_Server, BoraMurdar, upnorth and 9 others
Fabian Wosar

Fabian Wosar

From Emsisoft
Verified
Developer
Well-known
Jun 29, 2014
260
The behaviour blocker did actually notice the encryption taking place, however: It decided to let the encryption continue since GPG is a legit tool.

It's more an issue with the way EAM trusts processes. Currently, trust is given on a per-process basis. So GPG for example is either trusted or not, no matter the circumstances. We are currently reworking the way trust works in EAM, so it assigns trust based on a trust-chain. That means, GPG may be trusted when it is started by a trusted process, but not if it is started by an unknown or untrusted process.

So you running GPG in your command line window will be okay, as your command line window was started by Explorer, which was started by UserInit, which was started by WinLogon, which was started by the OS during initialisation, all of which are considered trustworthy. However, a batch script running GPG, would result in GPG not being trusted, as the batch script isn't trusted.

There is no ETA yet for when this change will roll out, but it won't be this year ;)
 
  • Like
Reactions: DDE_Server, bayasdev, Andy Ful and 17 others
SHvFl

SHvFl

Level 35
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Nov 19, 2014
2,350
Fabian Wosar said:
The behaviour blocker did actually notice the encryption taking place, however: It decided to let the encryption continue since GPG is a legit tool.

It's more an issue with the way EAM trusts processes. Currently, trust is given on a per-process basis. So GPG for example is either trusted or not, no matter the circumstances. We are currently reworking the way trust works in EAM, so it assigns trust based on a trust-chain. That means, GPG may be trusted when it is started by a trusted process, but not if it is started by an unknown or untrusted process.

So you running GPG in your command line window will be okay, as your command line window was started by Explorer, which was started by UserInit, which was started by WinLogon, which was started by the OS during initialisation, all of which are considered trustworthy. However, a batch script running GPG, would result in GPG not being trusted, as the batch script isn't trusted.

There is no ETA yet for when this change will roll out, but it won't be this year ;)
Click to expand...
Lol, i really hope this year means 2018 and not 2019 :p
 
Last edited:
  • Like
Reactions: DDE_Server

Similar threads

Shadowra
    • +Reputation
    • Like
    • Thanks
App Review Trend Micro Worry-Free XDR Endpoint Security 2024
Replies
14
Views
1,085
Video Reviews - Security and Privacy
Khushal
Khushal
Trident
    • Like
    • Applause
    • +Reputation
  • Poll
Serious Discussion Pre-execution vs post-execution protections explained
Replies
6
Views
1,070
General Security Discussions
Trident
Trident
upnorth
    • +Reputation
    • Like
    • Wow
HelloXD Ransomware Bulked Up with Better Encryption, Nastier Payload
Replies
0
Views
595
News Archive
upnorth
upnorth

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top