App Review Emsisoft vs cmdRansomware


Petrovic

Emsisoft vs cmdRansomware

cmdRansomware Discovered

Petrovic found a new ransomware called cmdRansomware that utilizes batch files and GPG to encrypt a computer. When encrypting it will append the .ransomware extension to encrypted files and drop a ransom note named cmdRansomware.txt.

The Week in Ransomware - November 30th 2018 - Indictments, Sanctions, & More
 

SumTingWong

Emsisoft's BB is showing some fatigue these days. It's not what it was a few years back, although it is still a great product. On the other side, malware has become more sophisticated too. Thanks for sharing.

Same thing with Qihoo 360's QVME engine. In the past, it was the best against unknown threats. Nowadays, it is a letdown.
 

ForgottenSeer 72227

Emsisoft's BB is showing some fatigue these days. It's not what it was a few years back, although it is still a great product. On the other side, malware has become more sophisticated too. Thanks for sharing.

I think it just goes to show that any product can miss malware, regardless of what features it may have (i.e. BB, AI, etc.). There's no magical silver bullet that will protect you from every single piece of malware. It's still very much a cat and mouse game. Security products get an edge for a while, then hackers develop malware to get around them. It's a never-ending cycle that will always continue.
 

Fabian Wosar

From Emsisoft
The behaviour blocker did actually notice the encryption taking place; however, it decided to let the encryption continue since GPG is a legit tool.

It's more an issue with the way EAM trusts processes. Currently, trust is given on a per-process basis. So GPG, for example, is either trusted or not, no matter the circumstances. We are currently reworking the way trust works in EAM so that it assigns trust based on a trust chain. That means GPG may be trusted when it is started by a trusted process, but not if it is started by an unknown or untrusted process.

So you running GPG in your command line window will be okay, as your command line window was started by Explorer, which was started by UserInit, which was started by WinLogon, which was started by the OS during initialisation, all of which are considered trustworthy. However, a batch script running GPG would result in GPG not being trusted, as the batch script isn't trusted.

There is no ETA yet for when this change will roll out, but it won't be this year ;)
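As an added illustration of the two trust models described above (this is not Emsisoft's code; the process names come from the post, while the trust list, pids and the batch-file name are constructed placeholders), the following compares per-process trust with trust-chain evaluation over a toy process tree:

```python
# Added illustration, not Emsisoft code: per-process trust versus
# trust-chain trust, evaluated over a constructed Windows process tree.
from dataclasses import dataclass
from typing import Dict, Optional, Set

@dataclass(frozen=True)
class Process:
    pid: int
    image: str
    ppid: Optional[int]           # None marks the OS root
    script: Optional[str] = None  # script the process interprets, if any

# Constructed trust list of vetted images. gpg.exe and cmd.exe are on it,
# which is exactly the situation the post describes.
KNOWN_GOOD: Set[str] = {"system", "winlogon.exe", "userinit.exe",
                        "explorer.exe", "cmd.exe", "gpg.exe"}

# Constructed process tree. pid 801 is GPG run from an interactive console;
# pid 901 is GPG run by cmd.exe interpreting an unknown batch file
# (the file name is a placeholder; the page does not name it).
TREE: Dict[int, Process] = {p.pid: p for p in [
    Process(4,   "system",       None),
    Process(500, "winlogon.exe", 4),
    Process(600, "userinit.exe", 500),
    Process(700, "explorer.exe", 600),
    Process(800, "cmd.exe",      700),                 # user's console window
    Process(801, "gpg.exe",      800),
    Process(900, "cmd.exe",      700, "unknown_dropper.bat"),
    Process(901, "gpg.exe",      900),
]}

def per_process_trust(pid: int, tree=TREE, known_good=KNOWN_GOOD) -> bool:
    """Current model per the post: only the process's own image is judged."""
    return tree[pid].image.lower() in known_good

def chain_trust(pid: int, tree=TREE, known_good=KNOWN_GOOD) -> bool:
    """Reworked model: trusted only if this process, any script it runs,
    and every ancestor up to the OS root are all known-good."""
    proc: Optional[Process] = tree[pid]
    while proc is not None:
        if proc.image.lower() not in known_good:
            return False
        if proc.script is not None and proc.script not in known_good:
            return False
        proc = tree.get(proc.ppid) if proc.ppid is not None else None
    return True

def encryption_allowed(pid: int, model=chain_trust) -> bool:
    """Would the behaviour blocker let this process keep encrypting files?"""
    return model(pid)
```

Under per-process trust both GPG instances are allowed to continue; under chain trust the one launched via the unknown batch file is not.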
 

SHvFl

The behaviour blocker did actually notice the encryption taking place; however, it decided to let the encryption continue since GPG is a legit tool.

It's more an issue with the way EAM trusts processes. Currently, trust is given on a per-process basis. So GPG, for example, is either trusted or not, no matter the circumstances. We are currently reworking the way trust works in EAM so that it assigns trust based on a trust chain. That means GPG may be trusted when it is started by a trusted process, but not if it is started by an unknown or untrusted process.

So you running GPG in your command line window will be okay, as your command line window was started by Explorer, which was started by UserInit, which was started by WinLogon, which was started by the OS during initialisation, all of which are considered trustworthy. However, a batch script running GPG would result in GPG not being trusted, as the batch script isn't trusted.

There is no ETA yet for when this change will roll out, but it won't be this year ;)

Lol, I really hope this year means 2018 and not 2019 :p
 