Dwee
Level 10
Message 1 of 6

kupidon,ProLock ransomware


Dear All expert,

I want to ask whether McAfee already covers these ransomware in their DATs. If they are already covered, could someone kindly give me the links to the KBs? I have already searched and there is still no KB about these two ransomwares. For info, I use McAfee ENSTP 10.7.


Accepted Solutions
rfranci
McAfee Employee
Message 5 of 6

Re: kupidon,ProLock ransomware


Hi @Dwee 

Thank you for reaching out to us on the Community.

ProLock ransomware:

As per the article: https://www.bleepingcomputer.com/news/security/pwndlocker-fixes-crypto-bug-rebrands-as-prolock-ranso...

The entry vector of the ransomware is an exposed remote desktop connection.

The ransomware initially drops a file named "WinMgr.bmp", an image file with embedded ransomware code.

WinMgr.bmp: a6ded68af5a6e5cc8c1adee029347ec72da3b10a439d98f79f4b15801abd7af0

In some instances the same file is zipped into a package and unzipped by a process named "unlock.exe" to produce the final WinMgr.bmp:

https://www.virustotal.com/graph/g6526503734fa430b9e27244b76b26023eaa34baa1c28470bb1bfb56737e075cd

ZIP: c2b2f7b2b9a2a599f01bcd099be4f13980e04bb6a6ddbf744cf531830d8386cd

unlock.exe: e447012533890b6654511334be83077e58e922f238e616900e5be2d181c04478

You can block the ransomware from encrypting files by creating an Access Protection rule to block "*.ProLock":

Executable: *

Sub rule path: **\*.PowerLock

Kupidon ransomware:

As there are no hash values related to Kupidon ransomware with which we can check detection, we will not be able to confirm whether we have detection.

https://www.bleepingcomputer.com/news/security/kupidon-is-the-latest-ransomware-targeting-your-data/ might be helpful in understanding the Ransomware. Also it is worth noting the sentence in the article stating "Unfortunately, we have not been able to find a sample of the Kupidon Ransomware, so there is no way to analyze it for weaknesses."

As far as I have searched, I didn't find a valid IOC for Kupidon ransomware.

You can block the ransomware from encrypting files by creating an Access Protection rule to block "*.Kupidon":

Executable: *

Sub rule path: **\*.kupidon

Note: when creating Access Protection block rules, we strongly recommend that you test the rules on one machine before applying them to the complete organization.

Hope that helps!

- Rohit Francis
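The reply above gives two kinds of indicator: SHA-256 hashes for the ProLock chain and the encrypted-file extensions (*.ProLock, *.kupidon) that the Access Protection sub-rule paths target. The script below is an added example, not McAfee tooling or anything from the thread: it walks a directory tree the way the `**\*.ext` sub-rule does (any depth, any file name) and reports files that match either an IoC hash from the thread or one of those extensions, using a constructed sample tree rather than real samples.

```python
import hashlib
import tempfile
from pathlib import Path

# SHA-256 IoCs quoted in the thread for the ProLock chain.
PROLOCK_SHA256 = {
    "a6ded68af5a6e5cc8c1adee029347ec72da3b10a439d98f79f4b15801abd7af0": "WinMgr.bmp",
    "c2b2f7b2b9a2a599f01bcd099be4f13980e04bb6a6ddbf744cf531830d8386cd": "ZIP package",
    "e447012533890b6654511334be83077e58e922f238e616900e5be2d181c04478": "unlock.exe",
}

# Extensions the thread's sub-rule paths (**\*.ProLock, **\*.kupidon) aim at.
# Compared case-insensitively, as NTFS path matching is.
RANSOM_EXTENSIONS = (".prolock", ".kupidon")


def sha256_of(path):
    """Stream a file through SHA-256 so large files are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root):
    """Return (path, reason) pairs for every file under root that carries a
    ransomware extension or whose SHA-256 matches a thread IoC."""
    findings = []
    for p in sorted(Path(root).rglob("*")):  # rglob == the ** part of the rule
        if not p.is_file():
            continue
        if p.suffix.lower() in RANSOM_EXTENSIONS:
            findings.append((str(p), "extension " + p.suffix))
        digest = sha256_of(p)
        if digest in PROLOCK_SHA256:
            findings.append((str(p), "hash match " + PROLOCK_SHA256[digest]))
    return findings


def demo():
    """Constructed sample tree (no real malware): one renamed 'encrypted' file
    nested two levels down and one benign file. Returns the reasons found and
    the digest of the benign file so the hashing path is exercised too."""
    with tempfile.TemporaryDirectory() as d:
        docs = Path(d) / "docs"
        docs.mkdir()
        (docs / "report.xlsx.ProLock").write_bytes(b"ciphertext placeholder")
        benign = Path(d) / "notes.txt"
        benign.write_bytes(b"abc")
        return [reason for _, reason in scan_tree(d)], sha256_of(benign)
```

Point it at a file share or user profile to confirm the rule's pattern catches what you expect before rolling it out, as the note in the reply recommends.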

5 Replies
Former Member
Message 2 of 6

Re: kupidon,ProLock ransomware


Hi @Dwee 

Thank you for posting on the Community.

Could you please share the IOCs that you wish to receive confirmation of detection for? We can't provide details purely based on name as this can be quite generic.

BSharma
McAfee Employee
Message 3 of 6

Re: kupidon,ProLock ransomware


Hello Dwee

Thank you for posting on McAfee Community.

For ProLock ransomware, I found the following advisory/IOC on the Bleeping Computer website; it was updated on March 20, 2020 with a hash value.
Ref: https://www.bleepingcomputer.com/news/security/pwndlocker-fixes-crypto-bug-rebrands-as-prolock-ranso...

Hash: a6ded68af5a6e5cc8c1adee029347ec72da3b10a439d98f79f4b15801abd7af0
McAfee detection name: Ransom/ProLock

For "Kupidon ransomware" I will need IOC/advisory details, including hashes, to confirm coverage from McAfee.


Dwee
Level 10
Message 4 of 6

Re: kupidon,ProLock ransomware


Dear all,

Sorry, but I don't have what you call an IOC. I'm only being informed that there is new ransomware (ProLock and Kupidon), and we (IT guys) always have to be prepared and give the users a solid answer and proof (with a McAfee KB or official statement) that our McAfee ENSTP can and will block those two and any newer malicious stuff. So far I just give them an answer such as "as long as we have up-to-date DATs and engine we're fine", but some users still want solid proof of that.

I found some info on this site: https://www.hybrid-analysis.com/search?query=kupidon

thanks


Dwee
Level 10
Message 6 of 6

Re: kupidon,ProLock ransomware


Thank you for your reply.

OK, can I assume that with the latest DATs we are safe from ProLock ransomware, and that for Kupidon we have to create an Access Protection rule to block it?

thanks
