might be a variety of TeslaCrypt ransomware

Hello,

I am Yuriko. I would like to ask about a virus/malware issue that was not detected by Sophos Endpoint Software.

There is a PC that might be infected with a new variety of TeslaCrypt ransomware, and all files were encrypted as filename.xxx. Trend Virus Buster is installed on that PC but did not detect anything.

I tried to download Sophos Endpoint Software and installed it onto the affected PC, scanned everything, but nothing was detected.

According to the information about this ransomware, it vanishes by itself after the malicious behavior has taken place.

I am not a corporate user of Sophos but a trial user. In this case, I am wondering whether or not Sophos could investigate and release new identities if I provide some files to your lab.

If this is not the appropriate community, please let me know where I can find it.
Thank you,

Yuriko



  • Hello Yuriko,

    might be infected
    what is - might? The purpose of this type of ransomware is to make money from the "decryption service" and therefore it clearly states that it has done its dirty deed. It's not really an infection, rather a one-off act and, as you say, it takes care in removing itself afterwards (and therefore the tools do not detect anything).
    if I provide some files - you might or might not find traces of the "early stages" of the attack (in the usual %temp%, download, or cache locations and a creation timestamp from around the start of the encryption) and you can submit suspicious files here. There's no use though in sending one or more of the encrypted files.

    Christian
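
As an added example (not part of this thread or any Sophos tool), a PowerShell triage script that follows Christian's advice: estimate when the encryption started from the earliest filename.xxx file, then list what was created in %TEMP%, Downloads and the browser cache around that time, with hashes so the files can be referenced when submitting them. The cache locations, the two-hour window and the .xxx extension are assumptions.

```powershell
# Added example: find candidate "early stage" files around the encryption start time.
param(
    [string]$EncryptedExtension = '.xxx',    # extension appended to encrypted files (from the thread)
    [string]$ScanRoot = "$env:USERPROFILE",  # where to search for encrypted files (assumption)
    [int]$WindowMinutes = 120                # minutes before/after the start to inspect (assumption)
)

# 1. Estimate when encryption began: the earliest LastWriteTime among encrypted files.
$encrypted = Get-ChildItem -Path $ScanRoot -Recurse -File -Filter "*$EncryptedExtension" `
    -ErrorAction SilentlyContinue
if (-not $encrypted) {
    Write-Error "No *$EncryptedExtension files found under $ScanRoot"
    exit 1
}
$start = ($encrypted | Sort-Object LastWriteTime | Select-Object -First 1).LastWriteTime
Write-Host "Earliest encrypted file written at $start ($($encrypted.Count) encrypted files)"

# 2. Locations where a downloader or dropper typically lands (assumed, typical Windows profile paths).
$locations = @(
    $env:TEMP,
    (Join-Path $env:USERPROFILE 'Downloads'),
    (Join-Path $env:LOCALAPPDATA 'Microsoft\Windows\INetCache'),
    (Join-Path $env:LOCALAPPDATA 'Microsoft\Windows\Temporary Internet Files')
) | Where-Object { $_ -and (Test-Path $_) }

# 3. Anything created shortly before or during the encryption window is a submission candidate.
$from = $start.AddMinutes(-$WindowMinutes)
$to   = $start.AddMinutes($WindowMinutes)
$candidates = foreach ($dir in $locations) {
    Get-ChildItem -Path $dir -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object {
            $_.CreationTime -ge $from -and $_.CreationTime -le $to -and
            $_.Extension -ne $EncryptedExtension
        }
}

# 4. Report path, creation time, size and SHA256 so the files can be referenced when submitted.
$candidates |
    Sort-Object CreationTime |
    Select-Object FullName, CreationTime, Length,
        @{ n = 'SHA256'; e = { (Get-FileHash -Algorithm SHA256 -Path $_.FullName).Hash } } |
    Format-Table -AutoSize
```

Run it on the affected PC (or on a slaved disk with -ScanRoot pointing at the mounted profile); review the list before submitting anything, since normal downloads from the same period will also appear.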

  • Good morning, Christian.

    Thank you for your reply. The reason that I said "might be a variety of ransomware" is that 3 anti-virus programs with the latest identities do not detect any virus/malware/trojan on the affected PC, although there are lots of encrypted files left as filename.xxx. As you mentioned, it asked me to pay money for decryption.
    Once all the files have been encrypted, this ransomware removes itself from the computer.
    This is why I cannot submit suspicious files; only damaged files were left...
    Trend Micro also said that unless there are files from the early stages, they cannot investigate further...
    In order to detect new variants that are not detected with the current identities, what could I provide so that you can create a new definition file...
    Thanks,
    Yuriko
  • Hello Yuriko,

    that you create
    I'm not Sophos [:)].

    In order to detect new variants
    unless it's forcibly interrupted (notice it, cut the power, then slave the disk) you'll rarely find a trace of the actual malware. It has to get downloaded and started by some means though and, as said, if you can find parts of the stuff which took part in preparing the threat it might help to improve detection of the early stages.
    Please note that there are not only specific definitions and static scanning. Generic definitions as well as - to some extent - monitoring running processes can flag (and block) "early stage" components. Submitting samples of these files and the subsequent analysis can also lead to improved detection.

    Christian       

  • Hello Christian,

    Thank you for your reply with info.
    I thought that you were Sophos! (I used to be... years ago).
    As you said, unless it's forcibly interrupted, I won't get the actual malware...
    Also, I understand there are not only specific definitions, but that it will extend to improve detection :-)
    Will wait for the definition improved before long.

    Thanks,
    Yuriko