New Locker Ransomware

Discussion in 'malware problems & news' started by WildByDesign, May 26, 2015.

  1. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    A couple of things that should raise a red flag:

    1. It tries to create a service; only trusted (security) tools should get permission to do this. Of course a HIPS would notify you of it.
    2. It fires up vssadmin.exe; a HIPS or anti-exe should be able to stop this.
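The two red flags in the post above, written out as detection logic. This is an added example, not code from the thread or from any HIPS product: it parses constructed Windows event records (a System event 7045 service-install record and Sysmon event 1 process-creation records, rendered in a simplified key="value" export format that is an assumption of this example) and alerts when a service is installed from a binary outside the Windows or Program Files directories, or when vssadmin.exe is run to delete shadow copies. The sample lines, field names and function names are all constructed.

```python
import re
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample records (not real telemetry). The key="value" layout is a
# simplified stand-in for what a log exporter might produce for System 7045
# (service installed) and Sysmon 1 (process created) events.
SAMPLE_EVENTS = [
    'EventID=7045 ServiceName="Windows Update Service" ImagePath="C:\\Users\\Public\\svchost.exe" StartType="auto start" Account="LocalSystem"',
    'EventID=7045 ServiceName="NVIDIA Display Container LS" ImagePath="C:\\Program Files\\NVIDIA Corporation\\Display.NvContainer\\NVDisplay.Container.exe" StartType="auto start" Account="LocalSystem"',
    'EventID=1 Image="C:\\Windows\\System32\\vssadmin.exe" CommandLine="vssadmin.exe delete shadows /all /quiet" ParentImage="C:\\Users\\Public\\svchost.exe"',
    'EventID=1 Image="C:\\Windows\\System32\\vssadmin.exe" CommandLine="vssadmin.exe list shadows" ParentImage="C:\\Windows\\System32\\cmd.exe"',
    'EventID=1 Image="C:\\Windows\\System32\\notepad.exe" CommandLine="notepad.exe" ParentImage="C:\\Windows\\explorer.exe"',
]

# key="quoted value" or key=bareword
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Directories a legitimately installed service binary is normally found under.
TRUSTED_SERVICE_DIR_RE = re.compile(r'^[a-z]:\\(windows|program files( \(x86\))?)\\', re.IGNORECASE)


def parse_event(line: str) -> Dict[str, str]:
    """Turn one key="value" record into a dict (constructed format, see above)."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def check_service_install(ev: Dict[str, str]) -> Optional[str]:
    """Red flag 1: a new service whose binary lives outside the usual install dirs."""
    if ev.get("EventID") != "7045":
        return None
    path = ev.get("ImagePath", "")
    if not TRUSTED_SERVICE_DIR_RE.match(path):
        return (f'service "{ev.get("ServiceName")}" installed from untrusted location '
                f'{path} (account {ev.get("Account")})')
    return None


def check_shadow_deletion(ev: Dict[str, str]) -> Optional[str]:
    """Red flag 2: vssadmin.exe used to wipe Volume Shadow Copies (backups)."""
    if ev.get("EventID") != "1":
        return None
    image = ev.get("Image", "").lower()
    cmd = ev.get("CommandLine", "").lower()
    if image.endswith("\\vssadmin.exe") and "delete shadows" in cmd:
        return (f'vssadmin shadow copy deletion by parent {ev.get("ParentImage")}: '
                f'{ev.get("CommandLine")}')
    return None


RULES: List[Tuple[str, Callable[[Dict[str, str]], Optional[str]]]] = [
    ("untrusted_service_install", check_service_install),
    ("shadow_copy_deletion", check_shadow_deletion),
]


def triage(lines: List[str]) -> List[Tuple[str, str]]:
    """Run every rule over every record; return (rule name, detail) per hit."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        for name, rule in RULES:
            detail = rule(ev)
            if detail:
                alerts.append((name, detail))
    return alerts


if __name__ == "__main__":
    for name, detail in triage(SAMPLE_EVENTS):
        print(f"[{name}] {detail}")
```

The NVIDIA service install and the `vssadmin list shadows` call pass through untouched; only the service dropped into a user-writable folder and the shadow-copy deletion fire, which is the behaviour a HIPS prompt or an anti-executable block would be interrupting.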
     
  2. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    And to this day is why some have always been a forceful proponent for classical or automated style HIPS and always will.

    One day that wish will be realized to its absolute fullest. Better late than never.
     
  3. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Not really. Take a look at how many apps on your system that have services associated with them. I have one running right now that isn't even signed; dirmngr.exe which is part of the Pretty Good Privacy encryption bundle. Now driver installation is a different issue.
     
  4. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Found this article by Sophos on ransomware: https://www.sophos.com/en-us/support/knowledgebase/119006.aspx. Of the three infection vectors mentioned, the one that caught my eye was botnet.

    I bet my booties that the folks that got infected had a backdoor installed that made them part of the botnet and this is how this puppy was triggered on 5/25. It also means that unless they can find that backdoor, these poor folks are going to get re-infected again.
     
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I know what you mean, but most regular apps don't need to install a service. On my system almost all "non MS services" are security related except for the Nvidia ones. Some system and backup tools also install services.
     
  6. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
    Locker Ransomware Author Allegedly Releases Database Dump of Private Keys
    http://securityaffairs.co/wordpress/37346/cyber-crime/locker-ransomware-db-dump.html
     
  7. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    Very interesting. We'll see if this is legit. Also the user DecrypterFixer at the bleeping forum has developed a tool called "Locker Unlocker" :)

    http://www.bleepingcomputer.com/forums/t/577246/locker-ransomware-support-topic/page-32

    Edit - new thread at bleeping about the announcement:

    http://www.bleepingcomputer.com/for...-allegedly-releases-database-of-private-keys/
     
    Last edited: May 31, 2015
  8. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Yeah, I read this. A bit hard to believe; a remorseful hacker? Sounds to me that he's "feeling the heat" and trying to buy some time to crawl under a rock on some unknown remote island.
     
  9. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    I would also stay away from anything to do with what this person is offering. Notice how he signed his supposed apology - Poka Brightminds.

    Japanese - poka (inadvertent errors). The turkey is playing with everyone.

    Police - start rounding up all known hackers in Japan.
     
  10. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    It's worth noting that the keys that were released are working. There is no need to try to interact with this individual directly.
     
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    BTW, with Quick Startup, it's quite easy to see which Application Services are active on your system. Normally, most of them should be security tool related. And don't forget, apps running as services have the highest system rights, and also auto-start, that's why HIPS will always monitor installation of services (and drivers).

    http://www.glarysoft.com/quick-startup/
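The "application services" versus "Windows (system) services" split described in the post above, reproduced as an added example (not code from the thread or from Quick Startup) over a constructed service inventory. The record fields mirror what Win32_Service exposes (Name, DisplayName, PathName, StartMode, StartName); the "signer" column is an assumed extra filled from an Authenticode check of the service binary. A service counts as a Windows service when its binary sits under the Windows directory and is Microsoft-signed; every other service is an application service and is ranked by the properties the post points at: auto-start, running as LocalSystem, an unsigned binary, or a binary outside the Windows/Program Files directories. All records and names are constructed.

```python
import re
from typing import Dict, List, Optional

# Constructed service inventory (not real data). "signer" is an assumed column,
# not a Win32_Service property.
SERVICES: List[Dict[str, Optional[str]]] = [
    {"name": "wuauserv", "display": "Windows Update",
     "path": r"C:\Windows\System32\svchost.exe -k netsvcs -p",
     "start": "Auto", "account": "LocalSystem", "signer": "Microsoft Windows"},
    {"name": "NVDisplay.ContainerLocalSystem", "display": "NVIDIA Display Container LS",
     "path": r'"C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe" -s NVDisplay.ContainerLocalSystem',
     "start": "Auto", "account": "LocalSystem", "signer": "NVIDIA Corporation"},
    {"name": "ExampleBackup", "display": "Example Backup Agent",
     "path": r"C:\Program Files (x86)\Example Backup\agent.exe --service",
     "start": "Auto", "account": r"NT AUTHORITY\LocalService", "signer": "Example Backup Ltd"},
    {"name": "UpdateSvc", "display": "Windows Update Service",
     "path": r"C:\Users\Public\svchost.exe",
     "start": "Auto", "account": "LocalSystem", "signer": None},
]

# Binary part of a PathName: either a quoted path or the shortest prefix ending in .exe.
IMAGE_RE = re.compile(r'^"([^"]+)"|^(.+?\.exe)', re.IGNORECASE)
SYSTEM_DIR_RE = re.compile(r'^[a-z]:\\windows\\', re.IGNORECASE)
PROGRAM_DIR_RE = re.compile(r'^[a-z]:\\(windows|program files( \(x86\))?)\\', re.IGNORECASE)


def image_path(path_name: str) -> str:
    """Strip arguments from a service PathName, handling quoted and unquoted binaries."""
    m = IMAGE_RE.match(path_name.strip())
    if not m:
        return path_name.strip()
    return m.group(1) or m.group(2)


def classify(svc: Dict[str, Optional[str]]) -> str:
    """'windows' for Microsoft-signed binaries under the Windows directory, else 'application'."""
    exe = image_path(svc["path"])
    signer = svc.get("signer") or ""
    if SYSTEM_DIR_RE.match(exe) and signer.startswith("Microsoft"):
        return "windows"
    return "application"


def risk_flags(svc: Dict[str, Optional[str]]) -> List[str]:
    """Properties that make an application service worth a second look."""
    flags = []
    exe = image_path(svc["path"])
    if (svc["start"] or "").lower() == "auto":
        flags.append("auto-start")
    if svc["account"] == "LocalSystem":
        flags.append("runs as LocalSystem")
    if not svc.get("signer"):
        flags.append("unsigned binary")
    if not PROGRAM_DIR_RE.match(exe):
        flags.append("binary outside Windows/Program Files")
    return flags


def report(services: List[Dict[str, Optional[str]]]) -> List[Dict]:
    """Application services only, most flags first."""
    rows = []
    for svc in services:
        if classify(svc) != "application":
            continue
        rows.append({"name": svc["name"], "exe": image_path(svc["path"]),
                     "flags": risk_flags(svc)})
    rows.sort(key=lambda r: len(r["flags"]), reverse=True)
    return rows


if __name__ == "__main__":
    for row in report(SERVICES):
        print(f'{row["name"]:32} {row["exe"]}')
        print("    " + (", ".join(row["flags"]) or "no flags"))
```

On this inventory the Windows Update service is filtered out as a system service, the NVIDIA and backup services show up as expected application services, and the look-alike "Windows Update Service" running unsigned from a user-writable folder as LocalSystem tops the list; the Microsoft-signer check is what stops a binary merely placed under C:\Windows from passing as a system service.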
     
  12. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    In your experience is this utility more comprehensive than the CCleaner startup manager? I often use CCleaner, but it's not sufficient for malware hunting.
     
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I don't know, but Quick Startup seems to cover the most used auto-start methods. The only reason why I mentioned it is because it can distinguish between "application services" and "Windows (system) services". This is a quite handy feature.
     
  14. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
  15. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
    Author behind ransomware tox calls it quits, sells platform
    https://threatpost.com/author-behind-ransomware-tox-calls-it-quits-sells-platform
     
  16. Dermot7

    Dermot7 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    3,430
    Location:
    Surrey, England.
    By Tyler Moffitt,

    http://www.webroot.com/blog/2015/09/10/orx-locker/
     