- Apr 13, 2013
- 3,148
Webroot Secure Anywhere vs WTF ransomware
- Thread starter cruelsister
- Start date
It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
- May 26, 2014
- 1,057
Webroot has really taken it on the chin these days,Is it still PC magazine"s pick of the year?
- May 26, 2014
- 1,057
Webroot is really taken it on the chin these days,is it still PC magazines" pick" of the year?Thanks for the video,sorry for the repeated comment{I didn"t see first one post}
Last edited:
A Webroot employee advised somewhere to wait at least 4 hours for rollback of malicious system changes; if the system is not rolled-back within 4 hours it is probably not going to happen.
I cannot say "Webroot advises" since the above is to be found nowhere in official Webroot documentation.
Webroot does rollback some encryption.
It appears that rollback of encryption is dependent upon whether or not Webroot has a rollback routine for the specific ransomware.
Someone posted somewhere here on MT that they waited 96 hours and there was no rollback of encryption.
To find out more go searching for these infos on Webroot's Reddit and elsewhere online. The "4 hour" advice is straight out of the mouth of (was posted by) a Webroot employee. I can't remember where I read it.
Anyway... this sort of thing can be avoided by setting heuristics to "Block any file that is not specifically whitelisted." With that setting you will probably be surprised to discover that System32 and SysWOW64 files are not in the Webroot database and will be monitored\blocked (dependent upon settings).
Try it for yourself... anyone can confirm this fact.
I cannot say "Webroot advises" since the above is to be found nowhere in official Webroot documentation.
Webroot does rollback some encryption.
It appears that rollback of encryption is dependent upon whether or not Webroot has a rollback routine for the specific ransomware.
Someone posted somewhere here on MT that they waited 96 hours and there was no rollback of encryption.
To find out more go searching for these infos on Webroot's Reddit and elsewhere online. The "4 hour" advice is straight out of the mouth of (was posted by) a Webroot employee. I can't remember where I read it.
Anyway... this sort of thing can be avoided by setting heuristics to "Block any file that is not specifically whitelisted." With that setting you will probably be surprised to discover that System32 and SysWOW64 files are not in the Webroot database and will be monitored\blocked (dependent upon settings).
Try it for yourself... anyone can confirm this fact.
Last edited by a moderator:
The uploader @ Hybrid Analysis tagged it SmartRansom, maybe it's the name of the family? I found that one by chance there yesterday, but nothing more on that new ransomware family. However, I had a feeling it might be the one you were talking about these days as you said you'll be demonstrating WSA against some Asia ransomware.
https://www.reverse.it/sample/941e5...b5bed52d7a5fba6533a3efacea5?environmentId=100
(see Malware Vault also).
Thank you for another great vid @cruelsister
BTW any idea for what reason the
RW drops a picture of an Asian beauty (the one used as icon)?
- Apr 22, 2015
- 637
@cruelsister did your system was connected to net at the time of testing.i find webroot some sort of handicapped without internet that's why I never use it
- Aug 2, 2015
- 4,286
- Apr 28, 2017
- 326
It would be nice if somebody ever tested the manual rollback options. (Don't know if it would work or not.)
Control active processes, stop all untrusted, re-scan.
Control active processes, stop all untrusted, re-scan.
- Apr 13, 2013
- 3,148
Ravi- Yes, there was Inet access. But it didn't matter at the time I produced the video (on 5-26) anyway as the definitions against this were just coming out. Actually although Webroot detects this one now, as of about 12 hours ago it still did not.
D.R- I also have no clue as to why that Pic was dropped, unless it is some sort of arcane Asian BlackHat mating ritual. I was going to open the Picture up but as her hair is more lustrous than mine I decided not to.
Also, the coders used WTF in the file description, so I gave credit where it was due.
D.R- I also have no clue as to why that Pic was dropped, unless it is some sort of arcane Asian BlackHat mating ritual. I was going to open the Picture up but as her hair is more lustrous than mine I decided not to.
Also, the coders used WTF in the file description, so I gave credit where it was due.
- Aug 2, 2015
- 4,286
- Jun 5, 2014
- 220
I don't think the malware should have a routine in webroot to have a rollback, i was a webroot fan in my younger ages, every app in monitoring mode gets all of its actions recorded, many times some samples use some unique things that webroot rollback can not do anything. After all i believe webroot is now one of the weakest av's. Their way in confronting the malwares is not logical. So many false positive(the one you said i had that plus some ip services of Windows!). Even their cloud responses really late to the threat, other products are much faster.A Webroot employee advised somewhere to wait at least 4 hours for rollback of malicious system changes; if the system is not rolled-back within 4 hours it is probably not going to happen.
I cannot say "Webroot advises" since the above is to be found nowhere in official Webroot documentation.
Webroot does rollback some encryption.
It appears that rollback of encryption is dependent upon whether or not Webroot has a rollback routine for the specific ransomware.
Someone posted somewhere here on MT that they waited 96 hours and there was no rollback of encryption.
To find out more go searching for these infos on Webroot's Reddit and elsewhere online. The "4 hour" advice is straight out of the mouth of (was posted by) a Webroot employee. I can't remember where I read it.
Anyway... this sort of thing can be avoided by setting heuristics to "Block any file that is not specifically whitelisted." With that setting you will probably be surprised to discover that System32 and SysWOW64 files are not in the Webroot database and will be monitored\blocked (dependent upon settings).
Try it for yourself... anyone can confirm this fact.
Webroot marketing materials state something to the effect "Webroot will rollback the system perfectly - every time."
Check it. It's on the web somewhere - a video and\or other materials.
- Mar 10, 2017
- 227
The " WTF " ransomware message was write by Chinese , so i can understand it .
It's say :
--------------------------
Hello ~ You must want to know who am i ,
that me tell you , i am your father !
Your personal files had be encryption ,
you must pretty want to hit me , right ?
Scan the QR-Code on screen , and pay for me ,
after that , i will give you a decrypt key .
Remember to record the key ,
after all , this is the only way to help you decrypt .
--------------------------
Note : This ransomware wasn't using Bitcoin , it's using the digital wallet name call " Alipay " ,
and Alipay is a very famous and popular digital wallet in China . you can easy to use your phone to pay online to anyone .
But i think this should be a joke , not a real ransomware ,
because the digital wallet " Alipay " in China , it must use your real name and ID number to register ,
also you have to add a real bank account into Alipay ,
so , if the police want to find you , that will be super easy ...
It's say :
--------------------------
Hello ~ You must want to know who am i ,
that me tell you , i am your father !
Your personal files had be encryption ,
you must pretty want to hit me , right ?
Scan the QR-Code on screen , and pay for me ,
after that , i will give you a decrypt key .
Remember to record the key ,
after all , this is the only way to help you decrypt .
--------------------------
Note : This ransomware wasn't using Bitcoin , it's using the digital wallet name call " Alipay " ,
and Alipay is a very famous and popular digital wallet in China . you can easy to use your phone to pay online to anyone .
But i think this should be a joke , not a real ransomware ,
because the digital wallet " Alipay " in China , it must use your real name and ID number to register ,
also you have to add a real bank account into Alipay ,
so , if the police want to find you , that will be super easy ...
- Mar 10, 2017
- 227
Hello guys , i am pretty sure for now , this " WTF " ransomware is from China ,
it's from a popular forum name " Kafan " in China , this forum are also same like MalwareTips ,
Is the forum to discuss the Virus and Malware .
I believe Kafan is the biggest forum for discuss Virus、Malware in China now
The WTF ransomware creator are aslo a member in Kafan forum ,
he just make this ransomware and public to every member in Kafan can easy to download it ,
and this ransomware just for fun , try to testing different security software can defend or not .
Of course he had already suggest everyone , make sure to play in virtual system ,
But if there really someone so unlucky , the host system files had be encryption ,
I had just contact him few min ago , and he say he will release the decryption tool right now
And also i am right , the QR-Code for asking payment , actually just asking for donations ,
just a other joke , lol
By the way , the real name for this ransomware , actually is write by Chinese ,
so that is why some system can't correctly displayed the file name
Translate the original name to English , it's " Press me to look the photo "
if you don't mind to see Chinese , or using Google translate to take a look ,
(even we know translate by the machine , those post will terrible hard to understand)
and here is the link in Kafan forum :
智能勒索第3.5版来袭,测试主防/建议虚拟机运行,真正勒索,加了解密工具_病毒样本区_安全区 卡饭论坛 - 互助分享 - 大气谦和!
P.S : The attach file is the decryption tool , but i do not test it by myself
After download the attach file , please change name from XXX.log to XXX.zip
it's from a popular forum name " Kafan " in China , this forum are also same like MalwareTips ,
Is the forum to discuss the Virus and Malware .
I believe Kafan is the biggest forum for discuss Virus、Malware in China now
The WTF ransomware creator are aslo a member in Kafan forum ,
he just make this ransomware and public to every member in Kafan can easy to download it ,
and this ransomware just for fun , try to testing different security software can defend or not .
Of course he had already suggest everyone , make sure to play in virtual system ,
But if there really someone so unlucky , the host system files had be encryption ,
I had just contact him few min ago , and he say he will release the decryption tool right now
And also i am right , the QR-Code for asking payment , actually just asking for donations ,
just a other joke , lol
By the way , the real name for this ransomware , actually is write by Chinese ,
so that is why some system can't correctly displayed the file name
Translate the original name to English , it's " Press me to look the photo "
if you don't mind to see Chinese , or using Google translate to take a look ,
(even we know translate by the machine , those post will terrible hard to understand)
and here is the link in Kafan forum :
智能勒索第3.5版来袭,测试主防/建议虚拟机运行,真正勒索,加了解密工具_病毒样本区_安全区 卡饭论坛 - 互助分享 - 大气谦和!
P.S : The attach file is the decryption tool , but i do not test it by myself
After download the attach file , please change name from XXX.log to XXX.zip
Last edited:
CS's tests is rather the better accurate tests when it comes to unknown malware testing on AV's.Since her tests usually test the whole infection chain.Usually for ransomware:
Malicious JS>>Malicious Docm>>Malicious Binary.
I have seen this chain tested in her previous test against AV's and I would consider some value of her tests.
Best,
True Indian
Malicious JS>>Malicious Docm>>Malicious Binary.
I have seen this chain tested in her previous test against AV's and I would consider some value of her tests.
Best,
True Indian
- Nov 17, 2016
- 1,242
Why would CS stop at that when she doesn't stop at breaking security software just because someone had hair with more metallic properties?
- Dec 24, 2011
- 480
Similar threads
