App Review More Fun with Ransomware Part 6


cruelsister (Thread author)
Jack posted an article earlier today about the CrySIS ransomware. Although the original form has been around for a couple of months, a new variant is now seen.

Just wanted to show how UAC will deal with this threat.

 
I might be missing something, so I will write what I believe and you correct me if you can.
Can't it be that the ransomware is coded to just encode stuff, not in locations protected by UAC, when you click No?
UAC did what it is designed to do. Block elevation. No?
Did they actually get elevation?
 
My original intent for this video was to run it against my normal stable of AntiRansomware apps, but just as I finished, a beta of HMPA came out, so as including a fresh beta would have been extremely poor form, I scrapped it and did this one.

The reason for the UAC topic is to attempt to dispel false impressions regarding UAC that many hold (I've received a number of comments privately about this). Actually it isn't really a big deal to totally bypass UAC once a few coding methods are known (curiously enough, TrendMicro products will also change the UAC level to what they deem appropriate, which is the default, without a user prompt).
 
UAC can be bypassed. There is a lot of mis-information about UAC. Plus, M$ has a wishy-washy history of fixing UAC bugs and vulnerabilities.
Agreed hjlbx, that's where VooDooShield shines as a UAC surrogate.
Thanks CruelSis, Awesome Vid as usual.
Now maybe some will be less critical of those who use VooDoo & other UAC alternatives and disable the lacking and unimpressive UAC.
PeAcE
 
UACMe v2.3 should bypass UAC from Windows 7 up to Windows 10 RS1 14367 build, am I wrong ?
=> Builds 14361, 14366, 14367 seem to have zero UAC related changes
UAC can be bypassed. There is a lot of mis-information about UAC. Plus, M$ has a wishy-washy history of fixing UAC bugs and vulnerabilities.
Honestly, Microsoft must improve and revise the functionality of UAC, considering that the flow of the concept is already exposed, hence it's an easy bypass.
3rd-party programs go here.
I fully agree :) (but we might let UAC at max)
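Several posts above recommend leaving UAC at its maximum level, and the thread author notes that some security products silently lower it. The following is an added example, not code from the thread or from any product named in it, that reads the three policy values which together define the "Always notify" level and reports any drift. It assumes a stock Windows 7 or later system where these values live under the Policies\System key (a Group Policy object may enforce different values); the expected numbers are taken from Microsoft's documented meanings: ConsentPromptBehaviorAdmin 2 is "prompt for consent on the secure desktop", 5 is the default "prompt only for non-Windows binaries".

```powershell
# Added example: verify that UAC is at "Always notify" and report drift.
# Run from an elevated or non-elevated prompt; reading HKLM needs no elevation.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Values that correspond to the "Always notify" slider position.
$expected = @{
    EnableLUA                  = 1   # 0 means UAC is switched off entirely
    ConsentPromptBehaviorAdmin = 2   # 2 = always prompt; 5 = default; 0 = elevate silently
    PromptOnSecureDesktop      = 1   # 0 lets the prompt be drawn by (and spoofed from) the user desktop
}

$actual = Get-ItemProperty -Path $key
$drift  = @()

foreach ($name in $expected.Keys) {
    $have = $actual.$name
    if ($null -eq $have) { $shown = '<missing>' } else { $shown = $have }
    if ($null -eq $have -or $have -ne $expected[$name]) {
        $drift += ('{0}: expected {1}, found {2}' -f $name, $expected[$name], $shown)
    }
}

if ($drift.Count -eq 0) {
    Write-Output 'UAC is at the maximum ("Always notify") level.'
} else {
    Write-Output 'UAC is NOT at the maximum level:'
    $drift | ForEach-Object { Write-Output ("  " + $_) }
}
```

A missing value is reported as drift because Windows then falls back to the built-in default (5), not to "Always notify". Scheduling this check is a cheap way to catch the unprompted changes the thread author describes, since nothing in the UAC UI itself will tell you the slider has moved.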
Can ransomware encrypt raw unallocated space? eg: a 2gb chunk sitting between C drive and D drive.
I never read about a ransomware that does this.
They often only encrypt files that can have some sort of value or importance (with predefined extensions), or all data on a drive (C:, D:, etc.), on cloud (if accessible), without taking care of file extension, to ask a ransom after the encryption.
But this is almost always the same thing: loop on drives/files/folders and encrypt them (write on the MBR for some ransomware).
On a "raw unallocated space", there is no name of drives/files/folders to put as a parameter to their encrypting procedure.
That's only my point of view, I can be wrong :)
 
Hmmmm, I wonder if there is a way to implement a block on sector level that uses raw unallocated space as a "cement" firewall... eg: trying to cross a creek that contains 3 large stones, but the gap between 2nd and 3rd stone is too large for a leap/jump... can't cross, so it stalls.

EDIT: maybe I am clutching at straws...
 
Just because UAC can be bypassed by malware is no excuse for having it disabled. It works at kernel level, and if you think before clicking "yes" or "accept" (for anything in general) there would be a lot less tears and sweat trying to clean a computer from someone who fell victim.
 
Hmmmm, I wonder if there is a way to implement a block on sector level that uses raw unallocated space as a "cement" firewall... eg: trying to cross a creek that contains 3 large stones, but the gap between 2nd and 3rd stone is too large for a leap/jump... can't cross, so it stalls.
EDIT: maybe I am clutching at straws...
It doesn't work this way. A ransomware can just encrypt all files on a partition after "asking" your OS for the list, and making a loop in a procedure with each name to encrypt them (if these files are not protected). As soon as your OS has access to a file (folder) / knows a file (folder), the ransomware can have the list.
Why don't you use BitLocker to protect the most drives you can? Or another similar tool?
That's only my point of view, I can be wrong :)
 
Well it wasn't given administrator permissions so the system folders should be safe. As a regular program, I think it can encrypt the files in user folder and other partitions.
 
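Three posts in this thread make the same point from different angles: that a ransomware needs no elevation to loop over the files the OS will list for it, that it typically filters by a predefined extension list, and that a process which was refused at the UAC prompt can still rewrite everything in the user's own folders and on other writable partitions. The script below is an added example, not code from the thread or from any sample it discusses. It performs only the enumeration half of that loop and never modifies anything: it walks a directory tree, keeps the files whose extensions match a list, and records whether the current, unelevated token could overwrite each one, which is what an exposure audit on a user profile looks like. The extension list, the directory layout and the file contents are constructed sample data, not taken from any real family.

```python
import os
import tempfile
from dataclasses import dataclass
from typing import Iterable, List

# Constructed stand-in for the "predefined extension" table the posts describe;
# real families carry hundreds of entries.  Compared case-insensitively.
TARGET_EXTENSIONS = {".docx", ".xlsx", ".jpg", ".pdf", ".txt"}


@dataclass
class Exposure:
    path: str
    size: int
    writable: bool  # True if the *current* token could overwrite the file in place


def enumerate_targets(root: str,
                      extensions: Iterable[str] = TARGET_EXTENSIONS) -> List[Exposure]:
    """Ask the OS for every file under `root`, keep those whose extension is
    on the list, and note whether the calling token may write each one.
    Nothing is modified.  os.access() answers for the token this process
    already holds, i.e. the rights a program is left with after the user
    clicks "No" at the UAC prompt."""
    exts = {e.lower() for e in extensions}
    found: List[Exposure] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if os.path.splitext(name)[1].lower() not in exts:
                continue
            full = os.path.join(dirpath, name)
            try:
                size = os.path.getsize(full)
            except OSError:
                continue  # vanished or unreadable between listing and stat
            found.append(Exposure(full, size, os.access(full, os.W_OK)))
    return found


def summarize(exposures: List[Exposure]) -> dict:
    """Totals a defender actually wants: how many matching files exist, how
    many an unelevated process could rewrite, and how much data that is."""
    writable = [e for e in exposures if e.writable]
    return {
        "files": len(exposures),
        "writable": len(writable),
        "bytes_at_risk": sum(e.size for e in writable),
    }


def build_sample_tree(root: str) -> str:
    """Constructed sample data standing in for a small user profile."""
    layout = {
        "Documents/report.docx": b"x" * 1200,
        "Documents/budget.xlsx": b"y" * 800,
        "Pictures/holiday.JPG": b"z" * 3000,   # upper-case extension still matches
        "AppData/cache.tmp": b"junk",          # not on the list
        "Downloads/setup.exe": b"MZ",          # not on the list
    }
    for rel, data in layout.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root


def demo() -> dict:
    """Build the sample tree in a temp dir and return its exposure summary."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return summarize(enumerate_targets(tmp))


if __name__ == "__main__":
    # Point enumerate_targets() at a real profile root to audit a machine;
    # the demo uses constructed data so it runs anywhere.
    print(demo())
```

Run against a real profile root (for example the user's home directory and any extra data partition), the `writable` count is the number of files that the UAC prompt protects in no way at all. Folders where the count is non-zero are the candidates for backups, restrictive ACLs, or the folder-protection features the thread's anti-ransomware tools provide.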
UACMe v2.3 should bypass UAC from Windows 7 up to Windows 10 RS1 14367 build, am I wrong ?
=> Builds 14361, 14366, 14367 seem to have zero UAC related changes

Windows 14371 unexpectedly brings more fixes to UAC (against several UACMe methods). Some tweaking in build 14376 seems to have fixed the DLL search order for InetMgr.exe, when it was possible to load your own mscoree.dll from the inetsrv directory. Now InetMgr.exe executed via the ShellExecute(Ex) API looks up DLLs in the system32 folder. So to make it load a malicious DLL it is now required to launch it from an already-admin process, which makes it nonsense. Nice work. Why wasn't this here since the beginning? :rolleyes:
 
