Re: Ransomware Protection

hje
Scholar

Re: Ransomware Protection

We have a computer that has all the documents encrypted - they all have got the extension .zepto. If I scan the computer with F-Secure PSB, it does not find any virus or trojan on the computer, and the computer is reported clean. But if I instead scan it with Spyhunter 4, it can find an infected file + it finds the bitmap on the desktop with the ransom text. It is being reported as Locky Ransomware.

 

Is F-Secure a little slow on this variant of the virus, or is Spyhunter giving me a false positive?

Community Manager

Re: Ransomware Protection

Hi @hje,

 

I have moved your post to the most relevant board as you are using our Business product. Thanks.

F-Secure

Re: Ransomware Protection

Hello hje,

 

Please, check your scanning settings. By default the checkbox "Scan only known file types" is selected. If you uncheck the checkbox, all files will be scanned, and the infections which can't harm your machine directly by execution/opening will be found as well.

 

Best regards,

Vad

hje
Scholar

Re: Ransomware Protection

I have tried to uncheck the checkbox "Scan only known file types" and made a new scan, but it still does not find the ransomware. According to Spyhunter there are two types of infections on the computer, Locky Ransomware and Zepto Ransomware. All the data files on the computer have been renamed to a cryptic name and the extension .zepto.

 

F-Secure

Re: Ransomware Protection

Please, contact support. We'll need more detailed information from your machine to find out, what could be wrong in this case.

 

Best regards,

Vad

Regular Member

Re: Ransomware Protection

Hello Vad,

 

Can you just confirm whether F-Secure PSB is expected to protect clients from Ransomware infections such as Locky with the "Scan only known file types" check-box enabled?

 

Surely the executables/office documents/javascript files that drop and execute the ransomware should be detected with that checkbox enabled, hopefully before they have even been executed?

 

Thanks,

 

Nick

 

F-Secure

Re: Ransomware Protection

Hello NickJ,

 

You can find the list of threats detected by F-Secure products on our website:

https://www.f-secure.com/en/web/labs_global/threat-descriptions

And yes, Locky Ransomware is a known infection, which is detected with default settings for Real Time scan and Manual scan.

Link to the information about Locky Ransomware:

https://www.f-secure.com/v-descs/trojan-downloader_w97m_locky.shtml

 

But please, don't mix a real infection with already encrypted files or bitmaps with the ransom text.

 

Best regards,

Vad

Superuser (accepted solution)

Re: Ransomware Protection

Hello,

 

Modern ransomware codes delete themselves (the malicious binary executable) from the infected computer, after the task of encrypting all document and media files has been completed. That trick makes it difficult to analyze the infection. The only thing left behind are the textual and bitmap versions of the bitcoin ransom payment collection instructions.

 

Therefore, if your computer is already full of .zepto files, it is no wonder antivirus won't find any malicious binaries in the system, since there aren't any left!

 

As for how your computer got infected in the first place, despite active F-Secure protection, who knows? Official F-Secure Lab stance is that active DeepGuard protection running with full effort should stop all ransomware infection attempts. (The corresponding default settings are "DeepGuard Advanced Mode" checked in the corporate and institutional purpose F-Secure products and "DeepGuard use basic mode" UNchecked in home-consumer products.)

 

On the other hand, some competing vendors already include dedicated anti-ransomware / anti-cryptor protection technology in their antivirus suites, while DeepGuard is a general purpose protection module that is also supposed to stop ransomware. That is not an ideal situation and partners have been asking F-Secure Corp. to include a dedicated anti-cryptor protection asset in their products.

 

Best Regards: Tamas Feher, Hungary.

hje
Scholar

Re: Ransomware Protection

Hi.

Thanks for info.

 

Yes, it looks like the ransomware is not active on the computer anymore, but what bothers me is that Spyhunter can find some leftovers of the virus, while F-Secure can not find anything. One of the files Spyhunter can recognize is the bitmap on the desktop with the ransomware text, but I can not see what the other two files are that Spyhunter finds.

 

When I got to the infected computer the antivirus was somehow disabled, and thereby the computer was not protected as it should be. So nothing to blame F-Secure for there!  

Regular Member

Re: Ransomware Protection

I think it is acceptable that F-Secure does not mark the bitmap as malicious. That file is not active, and is not doing any harm to your system. The only time I can think that detecting this file would be useful would be in an IPS product, where if you see this file you could disconnect the system from the network so it is not able to encrypt connected fileshares etc.

 

I am sure that this infection has caused you a lot of trouble today but as a fellow PSB customer I am glad to hear that your user had disabled their protections, and that Vad has confirmed that there are protections for this malware in the PSB product.
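The thread makes two points a responder can act on: after the run the binary is gone and only the renamed .zepto files and the ransom note remain (the accepted solution), and the note or the mass rename is a useful trigger for pulling the host off the network before it reaches file shares (Nick's last post). The script below is an added example written for this page; it is not code from the thread, from F-Secure or from Spyhunter. It walks a directory tree, counts files renamed to the .zepto extension, looks for ransom-note-like files, and returns an isolate/do-not-isolate verdict. Assumptions not stated on the page: the encrypted files have a hex-and-dash stem (the pattern used here is illustrative), the note is a .bmp/.txt/.html whose name contains a word such as "help" or "instructions" (the thread only says a bitmap on the desktop), and the thresholds are arbitrary. The sample tree is constructed in a temporary directory so the example runs offline.

```python
"""Indicator check for a Locky/Zepto-style mass encryption (added example).

Assumed, not taken from the thread: the '.zepto' files have a hex stem in
8-4-4-4-12 form, ransom notes are named with words like 'help' or
'instructions', and the isolation thresholds below are illustrative.
"""
import os
import re
import tempfile
import uuid
from collections import Counter
from dataclasses import dataclass, field

ENCRYPTED_EXT = ".zepto"
# Assumed stem pattern for the renamed files ("cryptical name" in the thread).
HEX_STEM = re.compile(r"^[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
# Assumed ransom-note naming; the real note name is not given on the page.
NOTE_NAME = re.compile(r"help|recover|decrypt|instruction", re.I)
NOTE_EXTS = {".bmp", ".txt", ".html", ".htm"}


@dataclass
class Verdict:
    total_files: int = 0
    encrypted_files: int = 0      # files carrying ENCRYPTED_EXT
    hex_stem_files: int = 0       # of those, how many match HEX_STEM
    ransom_notes: list = field(default_factory=list)
    by_extension: Counter = field(default_factory=Counter)

    @property
    def encrypted_ratio(self) -> float:
        return self.encrypted_files / self.total_files if self.total_files else 0.0


def assess_tree(root: str) -> Verdict:
    """Walk `root` and collect the leftovers a finished ransomware run leaves."""
    v = Verdict()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            stem, ext = os.path.splitext(name)
            ext = ext.lower()
            v.total_files += 1
            v.by_extension[ext] += 1
            if ext == ENCRYPTED_EXT:
                v.encrypted_files += 1
                if HEX_STEM.match(stem):
                    v.hex_stem_files += 1
            elif ext in NOTE_EXTS and NOTE_NAME.search(stem):
                v.ransom_notes.append(os.path.join(dirpath, name))
    return v


def should_isolate(v: Verdict, min_encrypted: int = 10, min_ratio: float = 0.2) -> bool:
    """Trigger if a note sits beside encrypted files, or if enough of the tree
    was renamed that a single stray '.zepto' file cannot explain it."""
    if v.ransom_notes and v.encrypted_files > 0:
        return True
    return v.encrypted_files >= min_encrypted and v.encrypted_ratio >= min_ratio


def build_sample_tree(root: str, encrypted: int = 12, clean: int = 8, note: bool = True) -> None:
    """Constructed sample input: a Documents folder with clean and renamed files,
    plus (optionally) a note-like bitmap on the Desktop."""
    docs = os.path.join(root, "Documents")
    os.makedirs(docs, exist_ok=True)
    for i in range(clean):
        with open(os.path.join(docs, f"report_{i}.docx"), "wb") as f:
            f.write(b"PK\x03\x04")                      # docx/zip magic
    for _ in range(encrypted):
        with open(os.path.join(docs, f"{uuid.uuid4()}{ENCRYPTED_EXT}"), "wb") as f:
            f.write(os.urandom(64))                     # stand-in ciphertext
    if note:
        desk = os.path.join(root, "Desktop")
        os.makedirs(desk, exist_ok=True)
        with open(os.path.join(desk, "HELP_instructions.bmp"), "wb") as f:
            f.write(b"BM")                              # bitmap magic only


def run_demo() -> tuple:
    """Return (verdict for an infected tree, verdict for a clean tree)."""
    with tempfile.TemporaryDirectory() as hit, tempfile.TemporaryDirectory() as miss:
        build_sample_tree(hit)
        build_sample_tree(miss, encrypted=1, clean=50, note=False)
        return assess_tree(hit), assess_tree(miss)


if __name__ == "__main__":
    for label, v in zip(("infected", "clean"), run_demo()):
        print(f"{label}: {v.encrypted_files}/{v.total_files} encrypted, "
              f"notes={len(v.ransom_notes)}, isolate={should_isolate(v)}")
```

The check deliberately does not look for the malicious executable, for the reason given in the accepted solution: by the time the note is on the desktop the binary has usually removed itself. A responder would run it on the user profile and on any mapped shares, and treat a positive verdict as the cue to unplug the machine rather than as a cleanup tool.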