
Undetected Ransomware - System Watcher too slow to Respond



❤️ Hello Dear Kaspersky Team,

As part of my free-time malware analysis I found these four ransomware samples (3 normal ransomware and one file deleter/mouse stealer) which are not detected through heuristics nor signature.

I already uploaded them to the Threat Intelligence and some of them got flagged as malware (not every sample!).
So now I'm wondering, if the Threat Intelligence detects some of the ransomware, why isn't it detected through scanning in Kaspersky then?
Is it because of the dynamic analysis in the sandbox, which doesn't happen when scanning files through Kaspersky AntiVirus? I guess so.

I don't really trust the Threat Intelligence Portal because it's not as reliable as it should be, so I'm creating this post so the samples can be forwarded directly.
Please forward these to the development team as fast as possible, because all of them were able to evade System Watcher and destroy the virtual test system, with every setting in every module on extreme.

Here are the sample links.

Virustotal:
https://www.virustotal.com/gui/file/443ba4beb9e39750956a6f30399d9cf0ee20dd74ff7fef3076fcf5fcdd244a06
https://www.virustotal.com/gui/file/08303d62f72e58e997e5caa20bf00c7d2ad37e9a14401cd6ac28def5a5a9231f?nocache=1
https://www.virustotal.com/gui/file/2093c1916e7a08a756431abda7ba9227355317571791dfa81d088371e764f0a8
https://www.virustotal.com/gui/file/0af1bdc1910735ff6d66586fd22868c4aadb6166823d8ca34947e26aff84b137

AnyRun Sandbox:

https://app.any.run/tasks/5220a43e-b8a8-4c6e-bce2-42be95284112
https://app.any.run/tasks/1deaf899-1405-47b7-a983-a8c12f5bd3bc
https://app.any.run/tasks/1112835e-5d09-4847-83f7-6524dc8d960c
https://app.any.run/tasks/c1a39636-3ebb-415c-9ad7-63f9164d9284

I hope to hear positive feedback on them being added to the database.

Best Regards,
ZeroX


harlan4096

Welcome to Kaspersky Community.

2 of the 4 are already detected on demand, so also on execution.

I will try the other 2 in a VM, and report them if needed.

Thanks!

P.S.: how did you report / upload the files to OPEN TIP, with extension .bin or?

  • Like 1

Hello Harlan,

I don't know which file ending I uploaded them with, probably .exe, because the sandbox analysis probably wouldn't be able to execute them correctly, I guess.

Yeah, I already tried the Main and Sigma yesterday and they are now detected, luckily.
Before they got added they were able to encrypt the user files because System Watcher wasn't fast enough; I also saw that System Watcher now detects their execution. So good work, Kaspersky Team.

What about the other two samples though?

Best Regards,
ZeroX

  • Like 2

harlan4096

I tried the other 2, and none of them encrypted any files here. One of them (hasan.exe) looks like a proof of concept, showing a warning on the desktop, but it did not encrypt my system. For the other, KPremium detected a UAC modification and showed a warning to fix it; a terminal window remained, asking for a supposed password to decrypt the files, but again no files were encrypted. It's true, though, that the system's mouse became uncontrollable.

  • Like 2

Alright, but yeah, for the mouse stealer (which normally also deleted user files; I don't know the sample name anymore right now) there should also be a signature added, and System Watcher should be adjusted so it detects such kinds of malicious behavior as removing the mouse cursor, because it's nothing big but it renders the complete system unusable, and that should not happen. I mean, we're talking about Kaspersky here, so I set high standards and I would want to see that it can also prevent such ways of destroying a system.

Best Regards,
ZeroX

  • Like 1