TEMASOFT Ranstop handles over-the-network ransomware attack
<blockquote data-quote="CalinGhibu" data-source="post: 611033" data-attributes="member: 60200"><p>In this scenario, the ransomware attack comes over the network via mapped drives. There are two computers involved: </p><p>- one running the Satana variant, without any protection installed and having a mapped drive to the second computer; </p><p>- the second computer has TEMASOFT Ranstop installed, with protection enabled.</p><p></p><p>The ransomware sample is a Satana variant (similar to Petya). VirusTotal details here: <a href="https://virustotal.com/en/file/683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96/analysis/" target="_blank">Antivirus scan for 683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96 at 2017-03-22 04:54:55 UTC - VirusTotal</a></p><p>The OS of both machines is Windows 10. </p><p></p><p>This use case is important because ransomware loves mapped drives. Most start to encrypt those along with the local drive because they know they are reaching beyond the infected machine. Here are the challenges for the security products in this case:</p><ul> <li data-xf-list-type="ul">There is no malicious code running on the machine having the anti-ransomware solution installed (on the protected computer);</li> <li data-xf-list-type="ul">The remote encryption started on the infected machine is carried out on the protected machine by system processes through file operations similar to the ones that are used by employees;</li> <li data-xf-list-type="ul">The infected computer has no protection, meaning that the ransomware attack over the network is persistent and takes place for as long as the ransomware finds files to encrypt and a network connection is available.</li> </ul><p>TEMASOFT Ranstop detects the over-the-network attack carried out from the infected machine. It alerts the user and logs an incident in the central console. Even though it cannot stop the system process, which does the actual encryption, it still recovers the affected files automatically. Most ransomware will not attempt a second encryption. If it happens, recovery will take place again. In order to stop the attack completely, TEMASOFT Ranstop needs to be configured to disable the network interface when an incident is detected. Like that, the network connection is cut and the remote encryption stops. </p><p></p><p>[MEDIA=youtube]E-6WcmsYkUM[/MEDIA]</p></blockquote><p></p>
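The challenge the post describes (no malicious process on the protected machine, so the activity has to be tied to the remote client) can be illustrated with detection logic over file-share access records. This is an added example, not part of the original post and not TEMASOFT Ranstop's method; the record layout, addresses, window and threshold are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

MODIFYING_OPS = ("write", "rename", "delete")


def build_sample():
    """Constructed records: (timestamp, client address, path on the share, operation)."""
    base = datetime(2017, 3, 22, 9, 0, 0)
    events = []
    # Ordinary user: a handful of saves spread over several minutes.
    for i in range(5):
        events.append((base + timedelta(minutes=i), "192.0.2.10",
                       f"docs/report{i}.docx", "write"))
    # Infected client: rewrites and renames a new file every second.
    for i in range(40):
        ts = base + timedelta(seconds=30 + i)
        events.append((ts, "192.0.2.66", f"share/file{i}.xlsx", "write"))
        events.append((ts, "192.0.2.66", f"share/file{i}.xlsx", "rename"))
    return sorted(events)


def detect_remote_bursts(events, window=timedelta(seconds=60), threshold=30):
    """Map each remote client to the time it first modified `threshold`
    distinct files inside one sliding `window`.

    The key is the client address, not a local process: on the protected
    machine the writes are performed by a system process on the client's behalf.
    """
    recent = defaultdict(deque)  # client -> deque of (timestamp, path)
    alerts = {}
    for ts, client, path, op in events:
        if op not in MODIFYING_OPS:
            continue
        queue = recent[client]
        queue.append((ts, path))
        # Drop entries that have aged out of the sliding window.
        while queue and ts - queue[0][0] > window:
            queue.popleft()
        distinct_files = len({p for _, p in queue})
        if distinct_files >= threshold and client not in alerts:
            alerts[client] = ts
    return alerts


if __name__ == "__main__":
    for client, ts in detect_remote_bursts(build_sample()).items():
        print(f"incident: {client} exceeded the threshold at {ts}")
```

The client address returned here is what a response step, such as cutting the network connection as the post describes, would act on.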