Webroot is completely ineffective for ransomeware?


Userlevel 1
Badge +7
We have a client whom seems has been infected on 3 seperate occasions with ransomeware that webroot simply does not see or protect against. No alerts, using recommended default policy plus marking potential apps as threats, with not one alert or peep. My client has to call me and tell me when it happens..



Do I need a different antivirus protection or should I be turning on a setting. So far, recomending webroot has been embarrassing, but who knows if any other packages would pick it up

10 replies

Userlevel 1
Badge +7
Sorry this was for the business client. 
Userlevel 7
Badge +56
Well ransomware does evolve and continually try to bypass our defenses, but three separate times seems a bit strange.  Have you worked with our support on this one yet?
Userlevel 1
Badge +7
Our tech called and basically the files are encrypted and the virus destroys itself, all that you have is some traces left and the text files with the ransom instructions. Malwarebytes detects those and clears those out. Same line from the tech,

 

"some stuff gets through, nothing we can do etc because they go around our defenses" You can see how this might be frustrating, since the main job for this software is to stop this kind of thing.

 

There are crypto-ransomeware detectors out there, have you guys looked into ecorporating those or at least the techniques it uses to detect these things?

 

Check with your continuum partner, there are others with the same findings. 

 

Any tips?
Userlevel 7
Badge +56
It is true that the are new variants that come out all the time, it's just unusual for one person to be hit by those several times in a row.  Also, we have this article here that helps you lock down your network to protect against ransomware should it get by the other defenses:

 

https://community.webroot.com/t5/Webroot-Education/Best-practices-for-securing-your-environment-against/ta-p/191172
Userlevel 7
In most cases we are able to detect and effectively block crypto-malware before it is able to encrypt files.However, it is important to understand that new variants are released on a constant basis. The authors of these variants can actively test them against all major security vendors so they can ensure their variant is not detected yet.



Unfortunately this means that new variants are able to infect a number of customers before our researchers can create detection rules for them.



These infections are extremely difficult to remediate due to the NSA-level encryption that is used. This makes it virtually impossible to restore the files without a decryption key. If a new variant is given enough time to run, there is nothing that our support team can do to restore them. This is currently the case for our competitors as well. 



If the damage has already been done, the best advice we can give is to suggest certain third party tools which can sometimes restore the encrypted files, but even so, there is a small chance of success. However, if you would like for us to remote in and see if there is anything else we can do, that can certainly be arranged.



We are continually working on developing new ways of detecting crypto infections and we have several promising methods currently in testing. We are hopeful that this will improve our ability to detect this type of malware heuristically in the future, but sadly I cannot provide an accurate timetable for when these new methods will be implemented in the WSA agent.



 

It is also important to note that the only way to get this infection, is for an end user to open and execute a loaded email attachment. It is integral to discuss and educate end users in regards to this. There are policies that can be put into place that do not allow this to happen.



I certainly hope this helps and if there is anything we can do to assist you further, please do not hesitate to let us know.



Best Regards,
Userlevel 1
Badge +7
Guys, im in the business, I understand all that. It does not look like it was a loaded attachment this time. The tech sounded like it was a hijacked website.

 

What im dissatisfied with is the excuses and the lack of a plan moving forward. Yes, I can do all these things so that webroot does not have to be relied on, but even a goalkeeper has to block some shots once in the while, right?

 

Instead of telling me all the ways to avoid relying on the antivirus, tell me ways that you are improving the product so this isnt a problem in the future. "We are sorry, we dropped the ball" goes a long way, especially if you have a plan to fix the issue.

 

We have locked down the network, it only hit the users personal files and of course we have a backup to restore from.

 

We are trying to educate the user, but as you can see, they have managed to get toasted each time.

 

Thanks for the replies, I'm sure you understand where I'm coming from. I wouldnt advertise that you can cure cryptolocker, from an end users perspective, everything that encrypts your data is cryptolocker. You and I know its a variant technology, but that doesnt help the user feel cheated when they were sold on this feature.

 

 
Userlevel 7
Badge +56
That's why I was asking if you'd worked with our support, so we could find out why in these particular cases why it wasn't caught.  It seems unlikely that you'd be hit with three completely new variants, so I wanted to make sure there wasn't something else going on.
Userlevel 1
Badge +7
Yes, they had, the second time around and we were told the same thing you had said. "Just a variant, these things happen that get past webroot, custom written to get by us, etc."  I'm sure shes on a list of successful hits somewhere.

 

We are looking at other ways to lock things down, thanks for the help.
Userlevel 7
Badge +56
I looked up the email you used to register on the community but didn't see the tickets related to this issue - would they perhaps be under the email address of the particular client?  I wanted to dig a bit deeper and see what was going on and to make sure that whichever variants your client had been hit by had been taken care of for the future.

 

Also, what time period were they hit by the ransomware?  There was a period a while back where we were seeing a lot of new ransomware variants popping up that were designed to bypass our defenses.  It was a cat and mouse game back and forth during that time.

 

Anyway, bottom line is that we are sorry that you got hit by ransomware, and we're glad to hear that you've locked down their environment so that it can only hit their local files and that you have good backups.  We are always improving our software to make sure we catch the latest threats, but the success of ransomware and the fact that many people pay the ransom means that there's lots of resources on the crook's side to keep them finding new ways to get into your systems.
If I may add my two cents here.

 

Just a tad bit of information as to how a Crytolocker gets involved in the first place and why Webroot and virtually every other Antivirus on the planet is battling this menace.

 

This is no way the only way this is spread but normally it is spread via email with an attachment. If I'm not mistaken it is normally a UPS or Fedex notice about a package available. Once the attachment is opened it morphs and attaches silently to files and eventually it encrypts them. The problem Antivirus companies are having is not the Virus itself but how it cloaks itself by using odd file extensions. Instead of a file called Andy.pdf they will make a file called Andy.pdf.exe. Antiviruses attempt to scan all known files that are flagged as nuisances. Here is the problem, since they change name to something familiar they mask this bug from both the Antivirus and the end user.

 

There is software available that prevents any double extension file from running on a computer and like virtually all Antivirus companies they are incorporating this technology but it is taking time because adding these data tables changes alot of different methods of detection.

 

In closing let me say that Webroot has been diligent on this and any other virus in the wild but it takes time for the end result to show itself. Also feel lucky that Webroot doesn't take a more aggressive stance of detection like some that actually open each file when scanning. Imagine the end results if it did that. With the spread of this and the million and one ways to mask them, if Webroot were to open these files then it would slow down alot and would actually spread the virus. GData and TrendMicro are having this issue and many customers are not happy.

 

 

 

 

Reply