HitmanPro.ALERT Support and Discussion Thread

Appears to me to be a PE. Installer to be more precise.

The ransomware is "bound" to the uTorrent installer.

The ransom screen states all files have been encrypted, but encrypted files are not shown in the video.

At first I thought it was a screenlock ransomware...

 

I have never installed/ran the HMP, only HMP.A

 

Not that I want the link to be removed in any way. But I have question, why wasn't the link posted by @hjlbx removed since it linked to Youtube test video? And the rules apparently state that such thing aren't allowed on this site.

 

It doesn't matter to me, but this is an official HMP.A support forum - and I would think that the developers - @erikloman and @markloman - would want to see the video.

 

You could PM Erik about a trial.

 

Once a victim enables the macros, the macros will download an executable from a remote server and execute it.

http://www.bleepstatic.com/images/news/ransomware/locky/word-macro.png

Malicious Macro
The file that is downloaded by the macro will be stored in the %Temp% folder and executed. This executable is the Locky ransomware that when started will begin to encrypt the files on your computer.

Ref.: http://www.bleepingcomputer.com/new...ypts-local-files-and-unmapped-network-shares/

 

OK thanks, that's what I thought. The point is that it doesn't matter which type of code injection method is used, HMPA should always alert about API hooking. And I assume HMPA always tries to figure out which process is responsible for the hooks, if it's not signed or white-listed, it will be blocked.

About the other link, certain members claim that a new tool called "MemProtect" will protect against exploits, apparently it's protects processes with the "protected services" feature in Win 8, do you know anything about this? Can this be used to block exploits?

https://msdn.microsoft.com/en-us/library/windows/desktop/dn313124(v=vs.85).aspx

 

This isn't Locky. This one has no need to connect out, it has nothing to do with macros, and doesn't drop an autorun entry into the registry (a Service is instead created). Group Policy does seem to protect Documents.

 

I don't get why the fanboys of HPMA are so obsessed with sophisticated features. It does not matter whether someone removes the sparks, the distributor cap, the battery or the starter, in all cases your car won't start. With ransomeware and exploits you also need to block only one of the gates malware has to pass to succeed in the intrusion

Cruel sister's video cleary shows that HPMA fails miserably. So my suggestion is to ask Cruel Sister for the sample and develop a counter measure to deliver the promised immediate protection.

 

This was indeed no Locky.

This one most likely doesnt overwrite the existing file but creates a new one and deletes the original. This means that you can get most files back via undelete.

Prevalent ransomware overwrite the existing file (= not deleting original). So there is no way to get files back.

Can you post the hash of the sample used in the video?

 

The world's most comprehensive real-time signature-less security software?

 

To be honest, I don't get why you're so obsessed with Windows Internal Security, to be fair.

Also, HMPA and MBARW are monitoring specific file system operations, and clearly this isn't always foolproof. I wonder what makes WinAntiRansom so special, what does it detect, suspicious file system operations or something else?

 

We need the hash so that we can get the sample!

 

As I didn't code this one myself I'll be more than happy to share. Erik- as soon as I get back to my hotel tonight I'll shoot you an email with a link (that is, as long as you give me an address).

 

We never claim 100% protection.
We do mention that we have the most anti-exploit features, including hardware assistance. All in a 5MB footprint. We try hard with just a handful of developers to provide what others don't.

Home user, businesses, hospitals and police become ransomware victims on a daily basis. Spam filters, web filters and AV solutions aren't enough. The headlines mentioning hospitals and police paying the ransom is proof of that.

You can't fight modern attacks using signatures. That is why we focus on the sparks, distributer cap and starter. Its all about multi layer approach. Features!

But everybody has a right to his/her opinion.

 

Me too! Keep up the great work guys.

 

LOL You earned more than a handfull with 31.8 million cash acquisition by Sophos. WinAntiRansomPlus is developed by a smaller team and with less features it does provide effective protection.

I am not arguing against a multi layer approach, I am disagreeing with your claim that the number of features matters: the effectiveness of the package is what really matters.

 

You're right, a typewriter is a more secure solution.

 

Is cruelsisters trojan really a file cryptor, or just a screen locker?

 

So you are labeling WinAntiRansom plus a typewriter just because it has less features also a HPMA fanboy I suppose

 

Despite being acquired by Sophos, isn't it possible that a "handful of developers" only work on the product? Small teams have been known to work on particular software in other large companies so I suspect it is no different here. They just have more money for research and development.

 

Yes you are quite right, only the text "We try hard with just a handful of developers to provide what others don't", sounds like they are the last warriors protecting the world. With 31.8 million to spare you could afford a larger development team.

WinAntiRansomWare has a much smaller development team (as far as I know) and they were able to protect against the ransomware sample, so "what others don't" sounds silly when you just failed to provide protection.

"We try hard ... to provide what others don't" also implies that other security vendors are not trying hard to provide protection against ransomware, exploits and keyloggers. Really

 

So am I. Keep up the good job.