
There is a program on GitHub that simulates ransomware but only changes the file extension instead of encrypting.

https://github.com/leeberg/CashCatRansomwareSimulator


I have KS and KS for WS, and neither of them could detect the activity of changing the file extensions. Which tasks do I need to run so Kaspersky can stop this process?

MilanBortel

Hi @kemuda,

This is very tricky. An AV product needs to decide whether the process responsible for the renaming is legitimate or malicious. I've also tried it with my own programmed "ransomware" and Kaspersky didn't block it. My ransomware was using the standard aescrypt binary for encrypting the files, so I guess Kaspersky took it as a legitimate action 🤔

From an admin perspective, I'd harden the policies:

  1. Change the basic settings of Host Intrusion Prevention:
     KES policy → Host Intrusion Prevention

     I'd disable automatically trusting apps with a digital signature and move unknown apps to the Untrusted category.

  2. Then you can protect your resources with the updated Host Intrusion Prevention settings (follow the article https://support.kaspersky.com/10905#block3). It describes KES version 10, but it is the same in 11 :) Only Application Privilege Control has been renamed to Host Intrusion Prevention 🤓


Let us know the result!

Cheers,
Milan
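The reply above says the hard part is deciding whether the process doing the renaming is legitimate or malicious. The following added example (not code from the thread, from the CashCat simulator, or from Kaspersky) shows why a purely behavioral rule struggles with a rename-only simulator: it runs a toy "rename burst" heuristic over constructed file-rename telemetry. The event format, the process names, the window and threshold values are all assumptions made up for the illustration. The simulator's burst is flagged, but so is a legitimate bulk rename done from cmd.exe, which is exactly the false-positive risk that pushes an admin toward the trust-category hardening described in the post rather than a blanket block on renames.

```python
"""Toy behavioral detector for rename-only 'ransomware' activity.

Added example, not Kaspersky logic. Flags a process that changes many distinct
files to the same new extension within a short time window.
"""
from collections import defaultdict, deque
from pathlib import PureWindowsPath

# Constructed sample telemetry, not real data.
# Fields: (timestamp in seconds, process image, old path, new path)
SAMPLE_EVENTS = [
    # A user renaming files by hand: extension unchanged, should never count.
    (0.0, "explorer.exe", r"C:\Users\u\Documents\notes.txt", r"C:\Users\u\Documents\notes-old.txt"),
    (1.0, "explorer.exe", r"C:\Users\u\Documents\plan.docx", r"C:\Users\u\Documents\plan2.docx"),
    # A rename-only simulator appending a new extension to many files in a burst
    # (hypothetical image name; the simulator on the page does not encrypt).
    (10.0, "CashCat.exe", r"C:\Users\u\Documents\a.docx", r"C:\Users\u\Documents\a.docx.cashcat"),
    (10.2, "CashCat.exe", r"C:\Users\u\Documents\b.xlsx", r"C:\Users\u\Documents\b.xlsx.cashcat"),
    (10.4, "CashCat.exe", r"C:\Users\u\Documents\c.pdf", r"C:\Users\u\Documents\c.pdf.cashcat"),
    (10.6, "CashCat.exe", r"C:\Users\u\Pictures\d.jpg", r"C:\Users\u\Pictures\d.jpg.cashcat"),
    (10.8, "CashCat.exe", r"C:\Users\u\Pictures\e.png", r"C:\Users\u\Pictures\e.png.cashcat"),
    (11.0, "CashCat.exe", r"C:\Users\u\Desktop\f.txt", r"C:\Users\u\Desktop\f.txt.cashcat"),
    # A legitimate bulk rename ("ren *.jpeg *.jpg") that looks the same to the heuristic.
    (20.0, "cmd.exe", r"C:\Photos\img1.jpeg", r"C:\Photos\img1.jpg"),
    (20.1, "cmd.exe", r"C:\Photos\img2.jpeg", r"C:\Photos\img2.jpg"),
    (20.2, "cmd.exe", r"C:\Photos\img3.jpeg", r"C:\Photos\img3.jpg"),
    (20.3, "cmd.exe", r"C:\Photos\img4.jpeg", r"C:\Photos\img4.jpg"),
    (20.4, "cmd.exe", r"C:\Photos\img5.jpeg", r"C:\Photos\img5.jpg"),
]


def detect_rename_bursts(events, window_s=5.0, threshold=5):
    """Return one alert per (process, new extension) that renamed at least
    `threshold` distinct files to that extension within any `window_s` span.

    Renames that keep the extension are ignored; the sliding window is kept
    per (image, new_ext) so unrelated renames by the same process do not mix.
    """
    recent = defaultdict(deque)   # (image, new_ext) -> deque of (ts, old_path) inside the window
    alerts = {}                   # (image, new_ext) -> alert dict, updated as the burst grows
    for ts, image, old_path, new_path in sorted(events, key=lambda e: e[0]):
        old_ext = PureWindowsPath(old_path).suffix.lower()
        new_ext = PureWindowsPath(new_path).suffix.lower()
        if old_ext == new_ext:
            continue
        key = (image, new_ext)
        q = recent[key]
        q.append((ts, old_path))
        # Drop events that fell out of the window (the newest one always stays).
        while ts - q[0][0] > window_s:
            q.popleft()
        distinct = {path for _, path in q}
        if len(distinct) < threshold:
            continue
        alert = alerts.get(key)
        if alert is None:
            alerts[key] = {
                "image": image,
                "new_ext": new_ext,
                "count": len(distinct),
                "first_ts": q[0][0],
                "last_ts": ts,
            }
        else:
            alert["count"] = max(alert["count"], len(distinct))
            alert["last_ts"] = ts
    return sorted(alerts.values(), key=lambda a: a["first_ts"])


def run_sample():
    """Run the heuristic over the constructed telemetry with default settings."""
    return detect_rename_bursts(SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in run_sample():
        print(f'{alert["image"]}: {alert["count"]} files renamed to {alert["new_ext"]} '
              f'between t={alert["first_ts"]} and t={alert["last_ts"]}')
```

Both CashCat.exe and cmd.exe trip the rule, and the explorer.exe renames never count because the extension did not change. The heuristic alone cannot tell the simulator from the batch rename; what separates them is a trust decision about the process, which is the policy layer (signature trust, application categories) the post points at.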
