Cerber virus/ransomware making the rounds...
-
We had a user today receive an email with "See enclosed report" in the message body, and a random name as the email subject. Attached was a .dot file which presumably was macro-enabled. One of our users (I have been pushing for removing admin rights and setting application whitelisting for months, but hey, I'm the new guy, so...) clicked into the .dot and got herself infected. Trend Micro caught the residual breadcrumbs but only after being infected.
The next thing it did was it found another machine on the network which had a USB-drive attached and shared and began to encrypt THOSE files as well.
We didn't get a chance to thoroughly analyze what was going on, but it definitely dropped a .VBS in the user's appdata folder and executed that. The interesting thing about the file was that all the variables, objects, functions, etc. were named with a random set of alphanumeric characters, so it LOOKED encrypted, but it wasn't. Presumably to circumnavigate pattern-based detection.
In any case, this rolled right on through our Barracuda Spam Filter - they didn't have definitions for the infection until an hour after we had cleaned up the mess.
The mail content:
Please find latest report attached.
Sharon Blackwell
Attached file: 263_2567rh.dot
Obviously, the names and filenames are different per each email, but this was the format of the incoming infection this AM.
Just a heads up for everyone - keep an eye out.
Also, guess what I got approved to do starting tomorrow? Application whitelisting and removing admin rights...FINALLY.
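One defensive check that follows from the observation above (identifiers renamed to random alphanumerics rather than real encryption), added here as an example and not part of the original post or any vendor's product: score a VBScript's declared identifiers for randomness. Both scripts it runs against are constructed for the example; the thresholds are assumptions to tune against your own scripts.

```python
import re

# Constructed sample in the style described in the post (not the actual dropper).
OBFUSCATED_VBS = r'''Dim Xq7Lm2Zb, Pw9Kt4Yd
Set Xq7Lm2Zb = CreateObject("Scripting.FileSystemObject")
Function Rt3Vn8Hs(Jd5Bq1Wc)
    Rt3Vn8Hs = Jd5Bq1Wc & Pw9Kt4Yd
End Function
WScript.Echo Rt3Vn8Hs("x")'''
# Constructed benign script with descriptive names, for comparison.
BENIGN_VBS = r'''Dim fso, reportPath
Set fso = CreateObject("Scripting.FileSystemObject")
Function BuildPath(folderName)
    BuildPath = folderName & "\report.txt"
End Function
WScript.Echo BuildPath("C:\Reports")'''

IDENT = re.compile(r'[A-Za-z_]\w*')
DIM_RE = re.compile(r'^\s*Dim\s+(.+)$', re.I | re.M)
SET_RE = re.compile(r'^\s*Set\s+([A-Za-z_]\w*)\s*=', re.I | re.M)
PROC_RE = re.compile(r'^\s*(?:Function|Sub)\s+([A-Za-z_]\w*)\s*\(([^)]*)\)', re.I | re.M)

def declared_identifiers(src):
    """Names introduced by Dim, Set, and Function/Sub (including parameters)."""
    names = [m.group(0) for grp in DIM_RE.findall(src)
             for m in map(IDENT.match, map(str.strip, grp.split(','))) if m]
    names += SET_RE.findall(src)
    for name, params in PROC_RE.findall(src):
        names += [name] + IDENT.findall(params)
    return list(dict.fromkeys(names))  # de-duplicate, keep declaration order

def looks_random(name):
    """Two of three signals: digits mixed in, erratic casing, almost no vowels."""
    if len(name) < 6:
        return False
    letters = [c for c in name if c.isalpha()]
    has_digit = any(c.isdigit() for c in name)
    flips = sum(a.isupper() != b.isupper() for a, b in zip(letters, letters[1:]))
    vowel_ratio = sum(c in 'aeiouAEIOU' for c in letters) / max(len(letters), 1)
    return has_digit + (flips > 2) + (vowel_ratio < 0.2) >= 2

def obfuscation_ratio(src):
    names = declared_identifiers(src)
    return sum(map(looks_random, names)) / len(names) if names else 0.0

def is_suspicious(src, threshold=0.6, min_names=3):
    # Assumed thresholds: flag when most declared names look machine-generated.
    return len(declared_identifiers(src)) >= min_names and obfuscation_ratio(src) >= threshold
```

Run it over scripts found under users' AppData folders as a triage filter; it is a heuristic, so treat a hit as a reason to look, not as a verdict.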
-
Nothing like a disaster to prove a point, eh?
-
I started seeing these messages in our spam filter this week. Glad we didn't have any sneak through (yet).
-
Ransomware is so annoying. It doesn't matter how much I train my users they ultimately don't care.
-
@wirestyle22 said in Cerber virus/ransomware making the rounds...:
Ransomware is so annoying. It doesn't matter how much I train my users they ultimately don't care.
Which means that ultimately, you should not either.
-
Another cool thing that we're going to be doing, but not as a result of this infection, is evaluating and maybe implementing Cylance in lieu of Trend on our systems.
I'm not sure if it's appropriate to say, but their engine seems revolutionary.
-
@Rob-Dunn said in Cerber virus/ransomware making the rounds...:
Another cool thing that we're going to be doing, but not as a result of this infection, is evaluating and maybe implementing Cylance in lieu of Trend on our systems.
I'm not sure if it's appropriate to say, but their engine seems revolutionary.
I have Cylance it works very well.
-
@Rob-Dunn said in Cerber virus/ransomware making the rounds...:
Another cool thing that we're going to be doing, but not as a result of this infection, is evaluating and maybe implementing Cylance in lieu of Trend on our systems.
I'm not sure if it's appropriate to say, but their engine seems revolutionary.
What makes you say that Rob?
-
@Kelly said in Cerber virus/ransomware making the rounds...:
What makes you say that Rob?
Mostly that it's not conventional scanning, but instead it analyzes what the files do rather than just signatures or patterns. The closest comparison I can come up with is the way Android app permissions are broken down in the app store - it can identify a file's threat by the characteristics contained therein. Here's an analysis of the FreeConferenceCall.com installer:
Anomalies (1 of 20)
This PE is hiding something in its "relocations" area, and we're not sure what. The relocations area in a PE file is generally used for relocating particular symbols, but this particular object contains something else.
Collection (3 of 21)
This object imports functions that are used to list files. Malware uses this to look for sensitive data, or to find further points of attack. This object imports functions that can capture and log keystrokes from the keyboard. Malware uses this to capture and save keystrokes to find sensitive information such as passwords. This object imports functions that are used to gather information about the current operating system. Malware uses this to determine how to better tailor further attacks and to report information back to a controller.
DataLoss (0 of 12)
Deception (1 of 22)
This object seems to be looking for common protection systems. Malware does this to initiate an anti-protection action tailored to what is installed on the system.
Destruction (2 of 13)
This PE imports functions that can be used to delete Files or Directories. Malware uses this to break systems and cover its tracks. This PE imports functions that can be used to spawn another process. Malware uses this to launch subsequent phases of an infection, typically downloaded from the Internet
The nice thing about it is we can run it alongside existing AV with no discernible hit to system performance; makes it that much easier to evaluate!
-
@dafyre said in Cerber virus/ransomware making the rounds...:
@scottalanmiller said in Cerber virus/ransomware making the rounds...:
Granted, I've worked in IT for at least 2 large businesses (Flexsteel and Rockwell Automation [formerly Allen Bradley]), and one college.... So I've always had a clear chain of command and HR department to deal with those types of things. What's that like?
-
@scottalanmiller said in Cerber virus/ransomware making the rounds...:
@wirestyle22 said in Cerber virus/ransomware making the rounds...:
@dafyre said in Cerber virus/ransomware making the rounds...:
@wirestyle22 said in Cerber virus/ransomware making the rounds...:
I am in negotiations currently for a sizable raise or I walk. The issue is my fiancée doesn't enjoy the risk/reward of it.
What? She doesn't want you to make more money? ... or she doesn't want you to be out of a job?
The risk of losing my job. She is a worrier though and doesn't understand the market for IT professionals. It's very much in favor of the employee not the company trying to fill the position.
But doesn't she worry that staying will cripple your career? A true worrier should be more worried for you staying, as that is the riskier move, right? It's not that she is a worrier that is the problem, that's proximate. Look for the root. Why is she worried about the potential for being out of a job today and not worried about the future of a dramatically hampered career and long term earnings and long term job stability?
From her perspective I have an unbelievable amount of job security, which is true. I could be here for the rest of my life if I wanted to. Between the two of us we will be making around $140k a year. From her standpoint that is more than enough for us. From my standpoint I'm making on the bottom 20% of my peers. That isn't okay regardless of the situation.
-
@wirestyle22 Thread was forked already.
-
@Rob-Dunn said in Cerber virus/ransomware making the rounds...:
Mostly that it's not conventional scanning, but instead it analyzes what the files do rather than just signatures or patterns. The closest comparison I can come up with is the way Android app permissions are broken down in the app store - it can identify a file's threat by the characteristics contained therein. Here's an analysis of the FreeConferenceCall.com installer:
I really want to see a good comparison of Webroot and Cylance from someone not related to either company.
My problem with Cylance was that there was no small business pricing. They started at something like 1000 licenses at their SpiceWorld 2015 demo. Only knocking it down to 500 during the show.
-
@JaredBusch said in Cerber virus/ransomware making the rounds...:
I really want to see a good comparison of Webroot and Cylance from someone not related to either company.
My problem with Cylance was that there was no small business pricing. They started at something like 1000 licenses at their SpiceWorld 2015 demo. Only knocking it down to 500 during the show.
I can't +1 this enough. Some of the schools in our system are demoing Cylance but I haven't heard one way or another about them yet.
-
Shouldn't this be in the IT Discussions sub?
Why is it in water-cooler?
-
@DustinB3403 said in Cerber virus/ransomware making the rounds...:
Shouldn't this be in the IT Discussions sub?
Why is it in water-cooler?
Topic Moved to IT Discussions.
-
@JaredBusch said in Cerber virus/ransomware making the rounds...:
I really want to see a good comparison of Webroot and Cylance from someone not related to either company.
My problem with Cylance was that there was no small business pricing. They started at something like 1000 licenses at their SpiceWorld 2015 demo. Only knocking it down to 500 during the show.
Hopefully the testing companies will get there eventually. They're all so geared towards signature detections and it's hard to get them to change. That's why we don't show up in some of them, as they won't come up with a methodology that better reflects what we do.
-
@Nic said in Cerber virus/ransomware making the rounds...:
Hopefully the testing companies will get there eventually. They're all so geared towards signature detections and it's hard to get them to change. That's why we don't show up in some of them, as they won't come up with a methodology that better reflects what we do.
I liked Cylance's demo - go to totalvirus, download the last 100 uploaded viruii, and run them.
-
@Dashrender said in Cerber virus/ransomware making the rounds...:
I liked Cylance's demo - go to totalvirus, download the last 100 uploaded viruii, and run them.
That's a good start, but it's tough to truly get a zero day virus that hasn't been seen yet, for a real world test. If it's on virustotal then it's already been identified as a virus by most of the AV companies.
-
@Nic said in Cerber virus/ransomware making the rounds...:
That's a good start, but it's tough to truly get a zero day virus that hasn't been seen yet, for a real world test. If it's on virustotal then it's already been identified as a virus by most of the AV companies.
No way to get around it entirely