We have a client who seems to have been infected on 3 separate occasions with ransomware that Webroot simply does not see or protect against. No alerts, using the recommended default policy plus marking potential apps as threats, with not one alert or peep. My client has to call me and tell me when it happens.
Do I need a different antivirus protection, or should I be turning on a setting? So far, recommending Webroot has been embarrassing, but who knows if any other packages would pick it up.
Unfortunately this means that new variants are able to infect a number of customers before our researchers can create detection rules for them.
These infections are extremely difficult to remediate due to the NSA-level encryption that is used. This makes it virtually impossible to restore the files without a decryption key. If a new variant is given enough time to run, there is nothing that our support team can do to restore them. This is currently the case for our competitors as well.
If the damage has already been done, the best advice we can give is to suggest certain third party tools which can sometimes restore the encrypted files, but even so, there is a small chance of success. However, if you would like for us to remote in and see if there is anything else we can do, that can certainly be arranged.
We are continually working on developing new ways of detecting crypto infections and we have several promising methods currently in testing. We are hopeful that this will improve our ability to detect this type of malware heuristically in the future, but sadly I cannot provide an accurate timetable for when these new methods will be implemented in the WSA agent.
It is also important to note that the only way to get this infection is for an end user to open and execute a loaded email attachment. It is integral to discuss this with and educate end users in regard to it. There are policies that can be put into place that do not allow this to happen.
I certainly hope this helps and if there is anything we can do to assist you further, please do not hesitate to let us know.
Also, what time period were they hit by the ransomware? There was a period a while back where we were seeing a lot of new ransomware variants popping up that were designed to bypass our defenses. It was a cat and mouse game back and forth during that time.
Anyway, bottom line is that we are sorry that you got hit by ransomware, and we're glad to hear that you've locked down their environment so that it can only hit their local files and that you have good backups. We are always improving our software to make sure we catch the latest threats, but the success of ransomware and the fact that many people pay the ransom means that there are lots of resources on the crooks' side to keep them finding new ways to get into your systems.
Just a tad bit of information as to how a Cryptolocker gets involved in the first place and why Webroot and virtually every other antivirus on the planet is battling this menace.
This is in no way the only way this is spread, but normally it is spread via email with an attachment. If I'm not mistaken, it is normally a UPS or FedEx notice about a package being available. Once the attachment is opened it morphs and attaches silently to files and eventually it encrypts them. The problem antivirus companies are having is not the virus itself but how it cloaks itself by using odd file extensions. Instead of a file called Andy.pdf they will make a file called Andy.pdf.exe. Antiviruses attempt to scan all known files that are flagged as nuisances. Here is the problem: since they change the name to something familiar, they mask this bug from both the antivirus and the end user.
There is software available that prevents any double-extension file from running on a computer, and like virtually all antivirus companies they are incorporating this technology, but it is taking time because adding these data tables changes a lot of different methods of detection.
In closing, let me say that Webroot has been diligent on this and any other virus in the wild, but it takes time for the end result to show itself. Also, feel lucky that Webroot doesn't take a more aggressive stance on detection like some that actually open each file when scanning. Imagine the end results if it did that. With the spread of this and the million and one ways to mask them, if Webroot were to open these files then it would slow down a lot and would actually spread the virus. GData and TrendMicro are having this issue and many customers are not happy.
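The double-extension masking described in the post above (Andy.pdf.exe) and the attachment-blocking policies mentioned earlier in the thread both come down to a filename rule that can be checked before a file is allowed to run. The following is an added example, not Webroot's or the poster's code; the extension lists and the sample attachment names are constructed assumptions.

```python
"""Flag file names that hide an executable behind a document-looking extension,
e.g. UPS_Delivery_Notice.pdf.exe, so they can be quarantined or blocked."""
from pathlib import PureWindowsPath

# Extensions Windows will execute when the file is double-clicked
# (constructed list, not exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta"}
# Document/image extensions commonly used as the decoy inner extension
# (constructed list).
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".jpeg",
              ".png", ".txt", ".zip"}


def disguised_executable(name):
    """Return (decoy_ext, real_ext) when `name` ends in a decoy document
    extension followed by an executable extension, otherwise None.
    Case-insensitive; any directory part of a Windows path is ignored."""
    suffixes = [s.lower() for s in PureWindowsPath(name).suffixes]
    if len(suffixes) < 2:
        return None
    decoy_ext, real_ext = suffixes[-2], suffixes[-1]
    if real_ext in EXECUTABLE_EXTS and decoy_ext in DECOY_EXTS:
        return decoy_ext, real_ext
    return None


def scan_names(names):
    """Return [(name, decoy_ext, real_ext), ...] for every disguised name."""
    hits = []
    for name in names:
        result = disguised_executable(name)
        if result is not None:
            hits.append((name, result[0], result[1]))
    return hits


# Constructed sample attachment names modelled on the UPS/FedEx lure above.
SAMPLE_NAMES = [
    "UPS_Delivery_Notice.pdf.exe",
    "C:\\Users\\andy\\Downloads\\FedEx_Invoice.DOC.scr",
    "Andy.pdf",
    "quarterly_report.docx",
    "backup.tar.gz",
    "setup.exe",
    "photo.jpg.js",
]

if __name__ == "__main__":
    for name, decoy, real in scan_names(SAMPLE_NAMES):
        print(f"{name}: looks like {decoy} but would run as {real}")
```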
"Some stuff gets through, nothing we can do, etc., because they go around our defenses." You can see how this might be frustrating, since the main job of this software is to stop this kind of thing.
There are crypto-ransomware detectors out there. Have you guys looked into incorporating those, or at least the techniques they use to detect these things?
Check with your Continuum partner; there are others with the same findings.
What I'm dissatisfied with is the excuses and the lack of a plan moving forward. Yes, I can do all these things so that Webroot does not have to be relied on, but even a goalkeeper has to block some shots once in a while, right?
Instead of telling me all the ways to avoid relying on the antivirus, tell me ways that you are improving the product so this isn't a problem in the future. "We are sorry, we dropped the ball" goes a long way, especially if you have a plan to fix the issue.
We have locked down the network; it only hit the user's personal files, and of course we have a backup to restore from.
We are trying to educate the user, but as you can see, they have managed to get toasted each time.
Thanks for the replies; I'm sure you understand where I'm coming from. I wouldn't advertise that you can cure Cryptolocker: from an end user's perspective, everything that encrypts your data is Cryptolocker. You and I know it's a variant technology, but that doesn't help the user, who feels cheated when they were sold on this feature.
We are looking at other ways to lock things down, thanks for the help.