https://community.checkpoint.com/t5/Endpoint/New-German-Wiper-Blocked-By-SandBlast-Agent-Zero-Day-Prevention/m-p/59656#M3271 <P>A thread on <A title="german wiper" href="https://www.bleepingcomputer.com/forums/t/701735/germanwiper-ransomware-with-random-extensions-08kja-avco3-oqn1b/#entry4839002" target="_blank" rel="noopener">bleeping computer</A>&nbsp;describes an outburst of a new Wiper Malware. This wiper mimics Ransomware behavior but instead of encrypting the files it fills them with zeros (Nulls).</P> <P>Our SandBlast Agent Anti-Ransomware zero day prevention detects and remidiate this attack without a need to update or signature usage.&nbsp;</P> <P>The files are encrypted in our honeypot</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="EncryptedFilesnig1a.png" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/2073i990999CCBAFE05A9/image-size/large?v=v2&amp;px=999" role="button" title="EncryptedFilesnig1a.png" alt="EncryptedFilesnig1a.png" /></span></P> <P>File is indeed filled with Nulls and not possible to decrypt</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="EncryptedFileWithNulls.png" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/2074iAB81A45F32101D11/image-size/large?v=v2&amp;px=999" role="button" title="EncryptedFileWithNulls.png" alt="EncryptedFileWithNulls.png" /></span></P> <P>SandBlast Agent Anti-Ransomware detects the ransomware process encrypting the files</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="EncryptionDetectedBySBAAntiRansomware.png" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/2075i73C9FA0EA4D98629/image-size/large?v=v2&amp;px=999" role="button" title="EncryptionDetectedBySBAAntiRansomware.png" alt="EncryptionDetectedBySBAAntiRansomware.png" /></span></P> <P>SandBlast Agent restores the files</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="EncryptedFileRestored.png" style="width: 598px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/2076i2FDE029E604D77E0/image-size/large?v=v2&amp;px=999" role="button" title="EncryptedFileRestored.png" alt="EncryptedFileRestored.png" /></span></P> <P>&nbsp;</P> <P>The infection is based on powershell script, I will move next to test this versus our File-Less infection prevention and update.</P> <P>&nbsp;</P> <P>Thanks,</P> <P>Gadi</P> <DIV id="tinyMceEditorclipboard_image_0" class="mceNonEditable lia-copypaste-placeholder">&nbsp;</DIV> Mon, 05 Aug 2019 14:38:06 GMT Gad_Naveh 2019-08-05T14:38:06Z https://community.checkpoint.com/t5/Endpoint/New-German-Wiper-Blocked-By-SandBlast-Agent-Zero-Day-Prevention/m-p/59656#M3271 <P>A thread on <A title="german wiper" href="https://www.bleepingcomputer.com/forums/t/701735/germanwiper-ransomware-with-random-extensions-08kja-avco3-oqn1b/#entry4839002" target="_blank" rel="noopener">bleeping computer</A>&nbsp;describes an outburst of a new Wiper Malware. This wiper mimics Ransomware behavior but instead of encrypting the files it fills them with zeros (Nulls).</P> <P>Our SandBlast Agent Anti-Ransomware zero day prevention detects and remidiate this attack without a need to update or signature usage.&nbsp;</P> <P>The files are encrypted in our honeypot</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="EncryptedFilesnig1a.png" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/2073i990999CCBAFE05A9/image-size/large?v=v2&amp;px=999" role="button" title="EncryptedFilesnig1a.png" alt="EncryptedFilesnig1a.png" /></span></P> <P>File is indeed filled with Nulls and not possible to decrypt</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="EncryptedFileWithNulls.png" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/2074iAB81A45F32101D11/image-size/large?v=v2&amp;px=999" role="button" title="EncryptedFileWithNulls.png" alt="EncryptedFileWithNulls.png" /></span></P> <P>SandBlast Agent Anti-Ransomware detects the ransomware process encrypting the files</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="EncryptionDetectedBySBAAntiRansomware.png" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/2075i73C9FA0EA4D98629/image-size/large?v=v2&amp;px=999" role="button" title="EncryptionDetectedBySBAAntiRansomware.png" alt="EncryptionDetectedBySBAAntiRansomware.png" /></span></P> <P>SandBlast Agent restores the files</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="EncryptedFileRestored.png" style="width: 598px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/2076i2FDE029E604D77E0/image-size/large?v=v2&amp;px=999" role="button" title="EncryptedFileRestored.png" alt="EncryptedFileRestored.png" /></span></P> <P>&nbsp;</P> <P>The infection is based on powershell script, I will move next to test this versus our File-Less infection prevention and update.</P> <P>&nbsp;</P> <P>Thanks,</P> <P>Gadi</P> <DIV id="tinyMceEditorclipboard_image_0" class="mceNonEditable lia-copypaste-placeholder">&nbsp;</DIV> Mon, 05 Aug 2019 14:38:06 GMT https://community.checkpoint.com/t5/Endpoint/New-German-Wiper-Blocked-By-SandBlast-Agent-Zero-Day-Prevention/m-p/59656#M3271 Gad_Naveh 2019-08-05T14:38:06Z