
Test ransomware tyrik.exe


JfB


I had the opportunity to test a ransomware sample on a Windows 10 computer where MBARW Beta 0.9.16.484 was running.

- tyrik.exe (I can provide you with an encrypted zip archive) on a USB key
- Windows 10 Enterprise, up to date
- running as a standard user, not admin

Windows Defender already knew the signature of tyrik.exe and quarantined it at once.
I had to log in as admin, disable Windows Defender, then switch back to the standard user to perform the test.

I executed tyrik.exe and was prompted by Windows to execute the program (the usual warning where you must enter the admin password to continue).

But this prompt screen quickly disappeared, without me having the chance to enter the admin password (maybe a bug in Windows because Defender was off?) Not good!

MBARW caught the virus almost immediately after it started to run and quarantined it, along with one registry entry. That's better!

Still, there were about 1,800 user files encrypted before tyrik was stopped.


The ransomware we are seeing today are not viruses. They are trojans.

Ransomware samples can be uploaded to: Newest Rogue-Ransomware Threats

First, please review the following on how to provide sample submissions so that Malwarebytes' Anti-Malware (MBAM) (or MBARW) can detect targeted but presently undetected threats:

Malware hunters please read
Purpose of this forum
Malware Hunters group

Hello JfB:

In addition to Dave's most relevant advice, please post the following MBARW Beta archived logs here to supplement data for the developers.

Using the Windows built-in zip utility, please create the following two separate zipped archives for MBARW developer team analysis:

1. Create a .zip archive of the directory C:\ProgramData\Malwarebytes\Malwarebytes Anti-Ransomware\
2. Create a separate .zip archive of the directory C:\ProgramData\Malwarebytes\MBAMService\logs\

Please attach the two zipped archives to your next reply. Thank you again for your beta testing contribution to the MBARW project and your valued feedback.

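The two archives 1PW asks for, scripted so that one command produces both. This is an added PowerShell example and is not part of the original thread or of any Malwarebytes tooling. It assumes PowerShell 5.0 or later (Compress-Archive ships with Windows 10), that the archives should land on the current user's Desktop (the output location is an assumption, change $OutDir as needed), and that the account running it can read under C:\ProgramData\Malwarebytes; if access is denied, run it from an elevated prompt.

```powershell
# Added example, not from the thread: package the two MBARW Beta directories
# that 1PW requested as two separate zip archives.
# Assumes PowerShell 5.0+ (Compress-Archive is built into Windows 10) and that
# the current user can read C:\ProgramData\Malwarebytes; use an elevated prompt
# if you get "access denied".
$ErrorActionPreference = 'Stop'

# Output location is an assumption; change it as needed.
$OutDir = Join-Path $env:USERPROFILE 'Desktop'

# Source directories exactly as named in the request above, paired with the
# archive name to create for each. [ordered] keeps the processing order stable.
$Sources = [ordered]@{
    'MBARW-AntiRansomware.zip'   = 'C:\ProgramData\Malwarebytes\Malwarebytes Anti-Ransomware'
    'MBARW-MBAMService-logs.zip' = 'C:\ProgramData\Malwarebytes\MBAMService\logs'
}

foreach ($entry in $Sources.GetEnumerator()) {
    $zip = Join-Path $OutDir $entry.Key
    $src = $entry.Value

    # The second directory may not exist on every build; report and move on
    # rather than failing the whole run.
    if (-not (Test-Path -LiteralPath $src -PathType Container)) {
        Write-Warning "Missing directory, skipping: $src"
        continue
    }

    # -Force overwrites a zip left over from a previous run. A log file the
    # MBAMService process still holds open makes Compress-Archive throw under
    # $ErrorActionPreference = 'Stop'; the catch reports it and still lets the
    # loop attempt the other archive.
    try {
        Compress-Archive -LiteralPath $src -DestinationPath $zip -Force
        $size = (Get-Item -LiteralPath $zip).Length
        Write-Host ("Created {0} ({1:N0} bytes)" -f $zip, $size)
    }
    catch {
        Write-Warning "Failed to archive ${src}: $($_.Exception.Message)"
    }
}
```

Run it from a PowerShell window, then attach the two resulting .zip files from the Desktop to the reply. Each directory goes into its own archive, as requested, so the developers can tell the MBARW Beta data apart from the MBAMService logs.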

Hi 1PW, I'm afraid I don't have access to the infected computer anymore.

I read about how to report a threat. I can't achieve the very first step, i.e. running the trojan against MBAM: Windows deletes the file immediately after unzipping. This is not a test computer and I won't go any further. Let me know if you want the zip file as is.

I've got a follow-up question: On the infected PC 1,800 files were lost before MBARW killed the trojan. Apart from having backups, are there guidelines on how to organize folders and / or facilitate MBARW detection process?


Hello JfB:

JfB wrote:
    I've got a follow-up question: On the infected PC 1,800 files were lost before MBARW killed the trojan. Apart from having backups, are there guidelines on how to organize folders and / or facilitate MBARW detection process?

The MBARW Beta development team monitors this sub-forum, and they may respond to your inquiry.

Thank you.

Hi JfB--

Thanks for testing out the Malwarebytes Anti-Ransomware beta. We appreciate your report!

If you still have it, it would be very helpful if you could upload the ZIP file to the forum David referenced earlier:

Ransomware samples can be uploaded to:  Newest Rogue-Ransomware Threats

Just mention that you can't perform the first step and it should be fine.

The Development team would like to investigate why so many files were encrypted. That's definitely not desired behavior, obviously.

Thanks for your help!

Edited by bdubrow