In the last several weeks, the Locky malware sped its way around the world at an alarming rate, infecting hundreds of thousands of endpoints. This emerging threat "is spreading like the clap", as The Register stated, and online forums are full of complaints about machines that were encrypted despite the fact that they were supposedly protected by up-to-date security products.
In contrast to traditional anti-malware products, Minerva Anti-Evasion Platform prevents malware without having to chase down the latest policy updates, which as we see in this case sometimes fail to protect you.
Minerva Anti-Evasion Platform simulates an environment that the malware sees as inhospitable, making it feel as though security products and forensic analysis tools are present. This causes it to halt as it tries to avoid detection. In this way Minerva has been able to prevent a wide range of threats before the malicious activity has even started.
Locky’s authors are aware that it can be detected by a small set of conventional AV vendors, which is why they’ve decided to halt the infection procedure entirely if any of them is present. Below, you will find a trace of Locky execution in a machine protected by Minerva, simulating the presence of an AV product:
As you can see, immediately after Locky thinks an Avast product is installed – the ransomware terminates itself in order to avoid detection. The same result occurs when the malware thinks it encounters the ESET AV solution. If, however, it finds traces of the Kaspersky Lab product – it alters its execution flow a bit but doesn't terminate.
In comparison, in a machine not protected by Minerva Anti-Evasion Platform, Locky feels comfortable and safe. It starts loading its "dangerous" modules which enable it to execute shell commands, communicate over the internet with its C2 servers, and encrypt files:
TeslaCrypt 3.0 – Cut from the Same Cloth?
It is unclear at the moment if it is only a coincidence, but some TeslaCrypt samples are attempting to detect the presence of AV products in the exact same way. In this case too, if TeslaCrypt senses ESET products are installed – the files won't be encrypted and the ransomware will terminate:
DIY Locky and TeslaCrypt Prevention
Minerva Anti-Evasion Platform is suitable for large enterprises. It has its own management server, it integrates with enterprise-scale products and is manageable, stable and flexible.
Locky and TeslaCrypt are wide-spread among SMBs and home users as well, prompting us to release this information as a service to the community. We hope that it will be successfully used to prevent some of these ransomware incidents.
Note that the DIY solution suggested below will require registry modifications – incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on your computer.
That being said, follow the steps below, carefully –
1. Open the registry editor:
2. Create a new registry key under "HKEY_LOCAL_MACHINE\SOFTWARE":
3. Name the new registry Key "ESET":
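The same three steps as a script, added here as an example and not part of the original post or Minerva's product. It assumes only the key's existence matters (the post writes no values) and, as an assumption of mine rather than the post's, also creates the key in the WOW6432Node view because a 32-bit process on 64-bit Windows that opens HKLM\SOFTWARE without KEY_WOW64_64KEY is redirected there; the removal function is included so the change can be reverted.

```powershell
# Added example: create the decoy "ESET" key from the DIY steps and verify it.
# Run from an elevated PowerShell prompt; writing to HKLM requires Administrator.
$DecoyPaths = @('HKLM:\SOFTWARE\ESET')
if ([Environment]::Is64BitOperatingSystem) {
    # Assumption: 32-bit malware reading HKLM\SOFTWARE lands in this view.
    $DecoyPaths += 'HKLM:\SOFTWARE\WOW6432Node\ESET'
}

function Test-IsElevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Install-DecoyKey {
    # Creates each missing decoy key; returns $true only if all exist afterwards.
    [CmdletBinding()] param()
    if (-not (Test-IsElevated)) {
        throw 'Run this from an elevated (Administrator) PowerShell session.'
    }
    foreach ($path in $DecoyPaths) {
        if (Test-Path -LiteralPath $path) {
            Write-Verbose "Already present: $path"
        } else {
            New-Item -Path $path -Force | Out-Null
            Write-Verbose "Created: $path"
        }
    }
    $missing = @($DecoyPaths | Where-Object { -not (Test-Path -LiteralPath $_) })
    return ($missing.Count -eq 0)
}

function Uninstall-DecoyKey {
    # Reverts the change. Refuses to delete a key holding values or subkeys,
    # since that suggests a real product is installed rather than our decoy.
    [CmdletBinding()] param()
    foreach ($path in $DecoyPaths) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $key = Get-Item -LiteralPath $path
        if ($key.SubKeyCount -gt 0 -or $key.ValueCount -gt 0) {
            Write-Warning "Not removing $path because it is not an empty decoy key."
            continue
        }
        Remove-Item -LiteralPath $path
        Write-Verbose "Removed: $path"
    }
}

Install-DecoyKey -Verbose
```

Run `Uninstall-DecoyKey -Verbose` to undo the change; keep in mind the caveat below that not every sample honours this key.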
Again, these instructions are provided as a service to the community:
- Not all of the samples we checked will halt in the presence of this registry key.
- Editing the registry may harm your computer; if you are unsure of what you're doing – don't do it.
Want to hear more?
Come and meet the Minerva Labs team at the RSA Conference 2016.
San Francisco, Feb 29th - Mar 4th, 2016
We’ll be glad to see you at South Hall, Booth #2638.