It seems that malware authors’ imagination works extra hours when it comes to creating new ransomware strains. In the saturated underground market for this specific malware type, they constantly try to improve and “brand” their product in various creative ways. They invent new, unique “business models” and change the classic ransomware encrypt-alert-pay-decrypt scheme.
Jigsaw, for example, slowly deletes your files if you don’t pay the ransom, while other new variants hide all of the encrypted files. We will surely witness even more creative “features” in the near future.
This ransomware is yet another example of branding – who can avoid discussing the latest food-related malware? We at Minerva couldn’t resist the temptation either, and tested how the Minerva Anti-Evasion Platform fares against this mouthwatering malware strain.
Many of the samples we found were obfuscated to improve their performance against traditional AV products, e.g. the sample published by Malware Traffic Analysis:
Commercial and underground obfuscators not only change the malware but also add “evasion techniques” that help it avoid detection. This is a classic case where our product shines – we don’t mind how the malware was packed or how it behaves. Our Anti-Evasion Platform creates the impression that the targeted machine is a VM, a sandbox, and protected by many security products. The very same environment checks that allowed the aforementioned Pizzacrypts sample to bypass traditional defenses enable us to halt its execution almost immediately, “convincing” it that it is running in a hostile environment.
However, not all of the Pizzacrypts samples we tracked down were evasive, e.g.:
As stated in our previous entry, understanding the potential damage of successful attacks of this kind, we developed a module designed to remediate the damage done by non-evasive ransomware.
Minerva’s Ransomware Protection restored the files encrypted by Pizzacrypts within seconds, without any prior knowledge of the malware, signatures, or big-data analysis, and without relying on third parties such as the Volume Shadow Copy Service.