Python Ransomware

harlan4096

Super Moderator
Verified
Staff Member
Malware Hunter
Well-known
Apr 28, 2015
8,948
KTS2020beta:
1536159823528.png
 

Solarquest

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 22, 2014
2,525
My doubt is how different AV handle and differentiate between:
- valid signatures
- Extended Validation certificate
and which use a TVL and "double check" a "valid" certificate with a TVL .

In other words, how does a AV behave when a malware with valid signature is executed? Does it blindly trust the certificate or does it e.g still monitor it/check the TVL?
For Emsisoft:
file digitally signed
 
E

Eddie Morra

In other words, how does a AV behave when a malware with valid signature is executed? Does it blindly trust the certificate or does it e.g still monitor it/check the TVL?
It depends on how the vendor implemented it so there will be bound to be differences between different AV vendors.

Some vendors do have a setting which can be enabled to automatically trust digitally signed software though. I know that Kaspersky and a few other vendors used to have an option for this.

For example, Kasperky's Application Control will trust software which is digitally signed:
If this check box is selected, Application Control classifies digitally signed applications as trusted. Application Control moves these applications to the Trusted group and does not scan their activity.

If this check box is cleared, Application Control does not classify digitally signed applications as trusted, and scans their activities.

Application Control settings
 
Last edited by a moderator:

Solarquest

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 22, 2014
2,525
That's my doubt, how different AV handle it...
Emsi gave some (kind of) information
Kaspersky has this option (that I disable)...does it also have a TVL?

What about the other AV? I think it would be interesting to get o good overview...
 
Last edited:

AriDfoix

Level 3
Verified
Sep 2, 2018
125
This one is pretty old, I compiled it at the beginning of the year, source is available here, burningion/10-print-python-pygame

when I submitted to hybrid-analysis I was amazed to find it was identified like something called lazagne, seems a tool for password retrieval, anyway there is a huge difference between 32 bit and 64 bit ransomwares?

https://www.hybrid-analysis.com/sam...b268fbddf0157c7facf4c336125?environmentId=120

For more infos about what this program means, see this: A Universe in One Line of Code with 10 PRINT
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592
Webroot and Microsoft now detect this ransomware on VT. Kaspersky, Trend Micro, and Cylance still do not. So it may be that for Kaspersky and Cylance, the ransomware detection on VT can be really different from their desktop software, as compared to test results posted on this thread.
 
F

ForgottenSeer 69673

Webroot and Microsoft now detect this ransomware on VT. Kaspersky, Trend Micro, and Cylance still do not. So it may be that for Kaspersky and Cylance, the ransomware detection on VT can be really different from their desktop software, as compared to test results posted on this thread.
Andy where did you find a sample of this Ransomware? I could try it against Cylance but not sure where to get this sample.
 
  • Like
Reactions: oldschool

Azure

Level 28
Verified
Top Poster
Content Creator
Oct 23, 2014
1,714
Andy where did you find a sample of this Ransomware? I could try it against Cylance but not sure where to get this sample.
Try the malware hub in the malware sample section. I assume you know how to deal with malware and anyone that do so is responsible for what happens, right?
 
  • Like
Reactions: oldschool

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592
Andy where did you find a sample of this Ransomware? I could try it against Cylance but not sure where to get this sample.
It was checked by @ForgottenSeer 58943 :
Discuss - Python Ransomware
The link to sample can be found if you follow the information included on VT. Unfortunately, MalwareTips members cannot share the malware links, except when they are members of Malware Hub (I am not).
 
F

ForgottenSeer 58943

It was checked by @ForgottenSeer 58943 :
Discuss - Python Ransomware
The link to sample can be found if you follow the information included on VT. Unfortunately, MalwareTips members cannot share the malware links, except when they are members of Malware Hub (I am not).

Correct. I used my corporate account for Hybrid Analysis and grabbed a copy. Cylance detected it immediately upon unarchiving of it so you are safe with Cylance in respect to this threat. But in all fairness it bypasses A LOT of solutions from what I can see so far.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592
I tested this sample. It uses the legal InnoSetup installer as a wrapper, and drops malicious installation files to the temp folder. There is a lockyfud.exe malware file + some legal DLLs and some Python files. The malware lockyfud.exe is detected by Kaspersky , Cylance, and Trend Micro.
Kaspersky , Cylance, and Trend Micro do not detect the wrapper installer, because it does not do anything malicious. Anyway, they are block unwrapped malware installation.
The lesson - sometimes the AV can protect against the malware, even if it is not detected by that AV version on VT.

Edit
The above situation may follow for some reasons. It can be done intentionally or it can follow from dynamic detection. Anyway, the proper signature detection should include also the wrapped installer.
 
Last edited:

Vitali Ortzi

Level 26
Verified
Top Poster
Well-known
Dec 12, 2016
1,585
A superb question and a point I've been trying to make for a few years. You have 2 types of security Software- those that have an Enterprise presence (like Symantec, Mcafee) and those that do not. For those that have an Enterprise presence they are reticent to detect unknown Scriptors as malware; mainly this is due to many IP folks that utilize Scripts (macros, vb, python) to automate things like internal updating over the network. This has a downside as many of the major breaches you have heard of (like Target, Home Depot) and many that have been suppressed and you will NEVER hear of were caused by relatively trivial scripts getting by multi-million dollar security solutions (my favorite was when someone from Symantec called the malware that bypassed their product "something that could be coded by a 14 year old").

As to those products that do not have any significant Enterprise presence and still ignore scriptors (as an example seen a video I published on April 13th), I have no idea. I was always hoping that folks would get outraged, but apparently not...

In short, many products cannot distinguish a good Script from a Bad one. This is a pity.
Yeah , it's actually the IT job to harden the system via SRP/application control.
But anyway do the big companies getting hacked by maze and such have a decent IT department ?
Is it pure laziness ?
If so maybe being a small business and using basic pishing knowledge+ default deny like hard configurator / Cruel comodo is enough to stop most of the Cyber attacks that compromised the big Enterprise.
 
Last edited:
  • Like
Reactions: Dhruv2193

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top