I received the email and downloaded and ran the malware. Fortunately I realised that something was amiss right away and was able to terminate and remove the malware before any damage was done. It's a definite reminder of the need to always be very careful about what files you open. While I am always careful, in this case I was not careful enough. At least no damage was done and my system is clean now.
@roger_m Good to hear that your system is clean now. As you say, it's a definite reminder to always be on your guard no matter what level of computer experience you have.
Hope the victims can get their files back. Also this is a good reason why having a good antivirus/computer security is important.
Referring to the bleepingcomputer.com article, I wonder if the IObit forum was hacked or possibly a server hosting IObit user e-mail addresses. I am assuming that everyone that received this malicious e-mail was an IObit user? In other words, this was a targeted phishing attack making it all the more dangerous. Also a bit of common security sense goes a long way in this regard. I know of no security vendor that would attach an executable to an e-mail if this was the case. Also, many third party e-mail providers will not deliver e-mail with such an attachment.
I would like to know what actor was behind this. It seems a bit sophisticated for a "regular" type of hack. It was engineered so well that even those with a good sense of security practices fell for it. The Bleeping Computer thread is still active, still some posts being made. There are still some reports of the IOBit site "acting a little funny." This is pretty interesting, but of course, probably not for those who got stung by it.
Elise (the malware admin over at BleepingComputer) has said this about it so far. https://www.bleepingcomputer.com/fo...one-year-free-license-key-promo/#entry5115308
IObit forums hacked in widespread DeroHE ransomware attack January 18, 2021 https://www.bleepingcomputer.com/ne...acked-in-widespread-derohe-ransomware-attack/
You think it would make any difference had the user had hard_configurator/configuredefender on their system? I believe it would.
I added this rule in OSArmor just now. Hopefully, it's enough. This is about as perfect an example as you can get of how a third party software or two like OSA and/or H_C can seriously augment Defender.
This wouldn't have stopped this attack. Attacker used WMIC to add the WD exclusions. I don't believe any process was spawned from WMIC to accomplish this. Direct monitoring of WMIC execution via a HIPS for example, would have alerted to the nefarious WMIC activity. However, one would have to examine what was shown in the WMIC alert to determine this. Ref.: https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus. Appears Group Policy can lock down which WD settings can be modified via WMI.
Apparently one of the people who experienced this used Kaspersky, which also said nothing. Of course at that time it wasn't listed on Virus Total.
VirusTotal only says about signature protection. This experience says more about its zero-day protections.
The file IObitUnlocker.dll is currently identified by 19 scanners when scanned at VirusTotal. However, it's worth noting that this ransomware is using a legitimate copy of IObit Unlocker to launch the attack. The IObit License Manager.exe file is the actual IObit Unlocker exe file. The file IObitUnlocker.dll has been replaced with malware, meaning that malware runs when you open IObit License Manager, rather than IObit Unlocker. There are two other files, IObitUnlocker.sys and IObitUnlockerExtension.dll, which are also the original ones.
Does Kaspersky have a roll-back function? If so, shouldn't Kaspersky have protected despite no signature??
@stapp Is this what you are referring to? https://www.bleepingcomputer.com/fo...ior-persists-after-multiple-malware-cleaners/
No I was referring to this post regarding the ransomware mentioned in the thread we are in now. https://malwaretips.com/threads/iobit-forum-hacked.106312/#post-925784 and here https://www.bleepingcomputer.com/fo...one-year-free-license-key-promo/#entry5115021
It really is weird, all of these big name AVs claim to offer zero day protection, but why couldn't they block this? Would be interesting to know if Win Def could have blocked it. And that's why I always keep saying it's best to combine AVs with specialized tools like HMPA, AppCheck or SpyShelter. This is a quite clever attack that could have fooled anyone. I'm also not sure if it would have helped, I do see that in the last freeware version of OSArmor there is a rule called "prevent WMIC from using process call create via cmdline". But the real question should be: is it really this easy to add files to the Win Defender exclusions list, what the hell? But even if it wasn't scanned, shouldn't the behavior blocker step in? Probably not since it's cloud based and that's a serious weakness.
It's still unclear how WMIC was used to set WD scanning exclusions for rundll32, temp directory, etc. I don't believe cmd.exe was deployed in this. If you enable OSA Advanced profile, it will detect rundll32.exe attempting to run a user space .dll. In most cases, like .dll execution is nefarious but there could be also valid reasons to do so. For example, nVidia graphics driver installers are famous for this. In this case however, I assume rundll32.exe was running the .dll containing the ransomware from a runonce registry key. Again, this type of run activity is usually malicious but not always. Also assume we don't have all the details in this attack. Once the hacked IOBit installer completed execution, it could have displayed an alert to reboot to complete the installation; common in security software installations. An OSA alert of rundll32.exe running an IOBit related .dll at subsequent reboot would then be viewed OK and related to the installation process.
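Added example, not part of any post in this thread: since the posts above report that the attack added Windows Defender exclusions (rundll32, a temp directory) through WMI, this PowerShell audit lists the exclusions currently set and pulls the Defender configuration-change events (Event ID 5007) that record when exclusions were added. The match patterns and function names are assumptions made for illustration, and it assumes an elevated session.

```powershell
# Added example, not code from the thread. Run from an elevated PowerShell prompt.
# ASSUMPTION: these patterns come from what the thread reports was excluded
# (rundll32, a temp directory); tune them for your own machines.
$SuspiciousPatterns = @('rundll32', '\\Temp(\\|$)', '\\AppData\\', '^[A-Za-z]:\\?$')

function Test-SuspiciousExclusion {
    param([string]$Value)
    foreach ($pattern in $SuspiciousPatterns) {
        if ($Value -match $pattern) { return $true }
    }
    return $false
}

# Current exclusions as Defender itself reports them.
function Get-DefenderExclusionAudit {
    $pref = Get-MpPreference
    foreach ($kind in 'ExclusionPath', 'ExclusionProcess', 'ExclusionExtension') {
        foreach ($value in @($pref.$kind)) {
            if (-not $value) { continue }
            # Recent builds return an "N/A: ..." string instead of the list
            # when the session is not elevated.
            if ($value -like 'N/A:*') {
                Write-Warning "$kind is hidden from non-admin sessions; rerun elevated."
                continue
            }
            [pscustomobject]@{
                Kind = $kind; Value = $value
                Suspicious = Test-SuspiciousExclusion $value
            }
        }
    }
}

# History: Event ID 5007 is logged when Defender's configuration changes;
# keep only the changes that touch the Exclusions registry subtree.
function Get-DefenderExclusionChanges {
    $filter = @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5007 }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match '\\Exclusions\\' } |
        ForEach-Object {
            $lines = $_.Message -split "`r?`n" | Where-Object { $_ -match 'Old value|New value' }
            [pscustomobject]@{ Time = $_.TimeCreated; Change = ($lines -join ' | ').Trim() }
        }
}

Get-DefenderExclusionAudit | Format-Table -AutoSize
Get-DefenderExclusionChanges | Sort-Object Time | Format-List
```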
A couple of other web comments I saw related to this attack. A Kaspersky user stated he was nailed by it. Another user stated he was able to stop the ransomware activity w/o serious damage because the ransomware started encrypting files first on his non-OS installation hard drives. Makes one believe that Kaspersky's ransomware "behavior detection" is conditioned to non-LOLbins process activity. And/or LOLbin ransomware activity that immediately starts encryption on boot drive default protected files.
It's because no antivirus, no matter how good it is claimed to be, provides 100% protection. Any of the better antiviruses provide zero day protection via behaviour blocking and other techniques, but this is never foolproof. In my case, although I didn't realise it right away, a lot of my files were encrypted. It's a shame my antivirus failed to detect this. But as always, I don't depend on antivirus software to protect me. My main line of defence is keeping my system updated and being careful about what files I open. In this case, I should have taken more care. However, in order to be better protected, I have now installed the excellent WiseVector StopX, alongside 360. 360 Total Security has a performance mode, which lets you use it alongside another antivirus, so I have enabled that.
I'm running HitmanPro.Alert, which looks to me like it might have a decent chance against this ransomware threat. https://www.hitmanpro.com/en-us/alert.aspx