Ransomware and WSA in general.

I remember last year we had a thread here regarding ransomware, I think it was Biozfear who did a test.
The question was if you are locked out of safe mode and what WSA would do with the monitor/rollback feature.
How is this working today?
Even if I cant reach my desktop and are locked out from the system, will WSA still monitor and clean the computer after the "cloud" reaches its verdict that this file is malicious?
Or does these kind of malware and others break WSA:s connection to the cloud preventing it from making a decision?
With the new variants of crypto ransomware, were your computer and mapped drives becomes encrypted and no other way to fix it but to pay up, I find this scary to say the least.
I think WSA would block outgoing traffic generated by a malware like this (preventing it from communicating with it "mother server" so to speak) but I would like to hear Joes opinion on this?

/E

 

WSA will reverse any changes from malware which encrypts your data. There have been infections which have tried to block us from connecting to the cloud, but WSA has numerous methods of finding its way out beneath them and I actually haven't seen any instance of something blocking WSA in several years. If for some reason we aren't detecting a threat, just marking it as bad locally will allow it to be undone automatically.

One of the more recent ransomware infections deviated from the normal method and instead of encrypting data, it just locked you out of your PC. We released a generic update for this - rather than rely on any detection or blocking, we're just locking down the system to prevent anything from taking over.

Let me know if you have any questions!

 

I have found that having Hitmanpro Kickstart on USB is good at dealing with ransomware infected machine. I have been infected a handful of times whilst running different AVs eg Norton, McAfee etc.

Interested to hear how WSA deals, but IME not many AVs are capable of neutralising these threats (maybe KIS and BD are exceptions).

 

Thanks Joe!

Regarding your comment above, I understand that I locally can deem a file bad and it will reverse.
But if I cant get in and do that manual (my desktop is locked), will WSA automatically do this by itself if I just leave the computer on and online as soon as the threat is detected in the cloud database?

/E

 

Hi silverfox99, do you know where or how you were infected ?

 

Yes exactly (and, in any event, the latest builds of WSA will prevent your computer from being locked, so you wouldn't run into this scenario).

 

The effectiveness of Webroot against ransomware seems to be a popular topic both here and at the Webroot forum.

PrevxHelp....How about creating and posting an instructional video that shows Webroot in action against some of the recent ransomware variants that are causing so much concern?

 

I agree - I think that would be a very good idea. I'll pass it on to our marketing team

 

If they actually make a video, I surely look forward to it. Since as we know it's not always easy to explain this and that with words and letters only, and WSA is no exception

 

Yup action speaks louder than words.

 

Great idea!

/E

 

Great news!

Thanks Joe

/E

 

Not that this issue have to do with ransomware in general but I am to lazy starting a new thread

When I get infected by a unknown file I was under the impression that this file were monitored and NOT allowed to connect to internet?

If you take a look at the attached popup windows from WSA you will see what I have to call a double message.
It basically tells me to block the request, but in the same time it is allowing the connection in xxx seconds?
What is up with this?
A user might not be in place in front of the computer when this happens, resulting in an "auto allow".



/E

 

Regarding ransomware, I have a WM running WSA, that now is under the influence of a locked screen of some kind, I cannot do anything.
Lets see how long it will take for WSA to deal with this problem.

/E

 

Defaulting to allow exists only within the firewall, and only for that one connection. If we defaulted to block, we'd end up breaking a lot of software which updates in the background.

 

Could you PM me with your keycode and let me know what version of WSA you're using?

 

I am using a trial version Joe, and I do not know the key code (if there were any to the trial version? And the malware wont let me in) I think it is the Internet Security version.
Maybe I can try to find the malware file in question if that could help?

/E

 

Any reason as to why this Ransomware had such an adverse impact ? I thought WSA blocked this type of malware from locking the computer, or at the very least after a relatively short time would automatically roll back the machine to a clean state.

 

Yes, it does, we just added in the logic to block it proactively so that the wait time for detection be added wouldn't be required.

 

It is great to hear that WSA would have reversed the problem in due course anyway.

 

When will this logic be available? I had the FBI virus today. Easily removed by task manager but would be better if proactive detection was available.

 

It should already be active. If you still ran into it and it wasn't blocked, could you please send a sample to my username at gmail.com so that I can take a look? We haven't found any samples that get through the current measures.

Thanks!

 

I had something similar happen to me yesterday. In my case, the ransomware warning message popped up in my browser window (Google Chrome), and it locked just the browser: I could not close the the tab containing the message, and when I tried closing the browser, it would not close either. So, my screen had the ransomware warning, but it was being displayed just in a locked browser window.

I had to start Task Manager, go to the Applications tab and manually shut down Chrome. That got rid of the ransomware warning message and my computer ran perfectly afterward with no apparent damage being done.

I don't believe this is the same type of ransomware being discussed in this thread. Webroot is guarding against the type which locks you out of your entire computer and not just your browser.

 

Your Gmail should have the files from me now also Joe.

Still locked out here and just 5 days to go on the Trial

/E

 

Ransomware has locked out Esse's computer for sometime now (5 days since oeiginally posted on the forum).

Two questions -
1(why did the ransomware get through in the first place ?
and
2) Why has the journaling feature not worked to automatically reverse it.