Gandcrab ransomware
Hi,
Can you help me understand the reasons why, despite having the active protection system activated, I got infected by the GandCrab 5.2 ransomware?
I opened a curriculum vitae that seemed real, with a Word document as an attachment; I opened it trusting in active protection.
The attachment was a Word document with an image of the Word logo.
This is to understand how to protect my LAN in the future.
Then, if it is possible, how to remove it and how to improve protection.
Thanks, Max
Comments
Hello,
Sorry for my reply.
I am only an F-Secure user (their home solutions).
So, these are only my own unofficial feelings.
By the way, there is also a place for getting official support and certified advice:
- https://www.f-secure.com/en/web/home_global/contact-support (for example, chat).
I will try to explain some meanings or to suggest further steps.
Can you help me understand the reasons why, despite having the active protection system activated, I got infected by the GandCrab 5.2 ransomware?
This does not concern a particular example (I am not sure about its design) or potential tricks against security software. These are just generic feelings.
It is possible if the malicious item (an executable or other file with malicious potential) is unknown by any visible triggers for static analysis and there is an unknown pattern for dynamic analysis.
So, the item is not detected by the "signatures"-based engine. Then, the malicious item was not marked as "suspicious" by further analysis and advanced engines. For example, just because the item uses common system abilities (usually safe to use) and it is tricky to figure out that it is wrong.
Although, it is a little bit strange (in fact).
Another explanation (or addition) is if the security solution is not configured properly. Or a specific feature against ransomware is not used. But, most likely, even if all is configured properly, such a layer can be bypassed.
I opened a curriculum vitae that seemed real, with a Word document as an attachment; I opened it trusting in active protection.
Thus, it is not recommended to open suspicious attachments from unknown people (?!). Or to double-check anything before further steps with that!
But "double-check anything" depends on the certain situation and background.
Then, if it is possible, how to remove it and how to improve protection.
In general, I am not sure about "how to remove". Because it sounds like it is a ransomware. And that means that files are encrypted already and there is a request for ransom. I am not sure if there are any other malicious payloads. So, it is good to scan the system with the security solution (full scan).
What about encrypted items? If your experience includes a daily / weekly / monthly "backup", then restore the impacted files from that backup.
If a "backup" is not available, maybe it is good to "backup" the impacted items and to find whether any decryption tools for this ransomware are known. Paying the ransom, usually, is not recommended and is not a guarantee of recovery.
It should be possible to contact, for example, F-Secure official support (chat as an example);
and / or to transfer the "word document" to F-Secure Labs for analysis:
There is, also, a page about ransomware:
with some common information about it.
It would be good if the F-Secure Team suggests more nice and good tips! Also, perhaps, more experienced users will suggest something else.
Thanks!