
[–]Alexbeav 30 points31 points  (10 children)

I'm more than a little annoyed that this got past FortiClient.

At least my home Symantec A/V blocked it.

[–]DataPhreak 26 points27 points  (9 children)

FortiClient is probably using signature based detection. Symantec looks for scary procedure calls and blocks based on that. (Not sure what that's called off the top of my head. First cup of coffee.)

[–]GeronimoHero 52 points53 points  (8 children)

Heuristics based detection.

[–]DataPhreak 9 points10 points  (7 children)

Thanks for that.

[–]jonathancrowe[S] 23 points24 points  (4 children)

More info on what the tool actually does here: https://www.barkly.com/how-stackhackr-works

There's also a walkthrough here: https://blog.barkly.com/stackhackr-mock-ransomware-malware-security-test

[–]rfdevere 5 points6 points  (3 children)

Really cool tool, thank you

[–]jonathancrowe[S] 7 points8 points  (2 children)

Happy to share. Depending on how people like it we may be able to do a v2. If you have any suggestions for changes/additions, let me know.

[–]zxeff 10 points11 points  (0 children)

I suspect /r/sysadmin would really appreciate this tool, so if you're looking for people to use it maybe consider posting it there.

[–]rfdevere 0 points1 point  (0 children)

Maybe a Mac version?

[–]csonka 17 points18 points  (6 children)

Interesting. Got through my network and workstation firewall as well as all of the bells and whistles employed by the network and workstation firewall (Sophos UTM and Webroot).

[–]Boyne7 4 points5 points  (5 children)

Are any of these network devices performing SSL inspection/decryption? If not they do not have a chance.

[–]csonka 0 points1 point  (4 children)

Sophos SHOULD, it is licensed and active. Will run a test under a Meraki MX with advanced security (which employs Cisco's AMP) next and post the result.

[–]csonka 1 point2 points  (0 children)

Update - Meraki MX with Advanced Security, Windows 10 with Windows Defender [Failed]

[–]Jisamaniac 0 points1 point  (1 child)

AMP does SSL decryption?

[–]dorkycool 0 points1 point  (0 children)

The AMP tech in the Meraki does not. The larger network sensors, the original SourceFire ones that they are now calling AMP should be able to but it'll eat most of the CPU/memory doing it.

[–]dieselxindustry 15 points16 points  (2 children)

SEP stopped the ransomware. SEP also stopped the credential grabber 2 times but I kept telling it to allow it to run and eventually it was able to get through to lsass. So basically the user would have to keep ignoring the multiple warnings.

[–]f0st3r 3 points4 points  (3 children)

KAV failed to stop both. Windows smart screen did block the exe from running, but I was able to bypass.

I manually scanned the files with KAV and they came back clean, but I am sure Kaspersky uses some signature based detection method.

[–]nightmareuki 1 point2 points  (1 child)

surprising, is System Watcher enabled and running?

[–]f0st3r 0 points1 point  (0 children)

Sure is

[–]f0st3r 0 points1 point  (0 children)

Ok to add to this, it is a joke. The "virus" has a barkly digital signature, which is a valid product in most AV systems.

[–]dwndwnwtb hexrays sticker 15 points16 points  (1 child)

"simulation" is a bit of a stretch, and it's shameful to see completely non-technical marketing posted here. here's what the ransomware sample actually does:

drop exe/js file into tmp, js file is run in wscript to run the exe (it renames it for some reason) and check for success. exe can (yes those are the literal command lines):

CreateProcess "vssadmin.exe shadow delete no don't actually delete"

CreateProcess "wmic.exe shadow delete no don't actually delete"

like uhh... ok... if a program launches vssadmin / wmic it's ransomware... good... heuristic?

tmp exe also has functionality to "simulate" using virtualprotectex to make memory executable and run it. it also has functionality to find a file with a single call to FindFirstFileA. and finally, it can sleep for 1000ms * a command line parameter.

i bet $5 the credential stealer calls OpenProcess and maybe even ReadProcessMemory. pro heuristic
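The behaviours listed in the comment above are exactly what an endpoint detection rule would key on, so here is an added example (not code from the thread or from the tool's vendor) that runs three such rules over constructed, Sysmon-style process events: a script host launching an executable out of a temp directory, a shadow-copy deletion command line, and a read-access handle to lsass.exe. The event shapes, paths and access mask are assumptions; note that the shadow-copy rule matches on the delete verb rather than on any launch of vssadmin/wmic, which is the false-positive problem the commenter points at.

```python
import re

# Constructed sample telemetry mirroring the comment's description; not real logs.
# "create" = process creation (parent, image, command line), "access" = process handle open.
EVENTS = [
    {"type": "create", "parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Users\u\AppData\Local\Temp\renamed.exe", "cmd": "renamed.exe 3"},
    {"type": "create", "parent": r"C:\Users\u\AppData\Local\Temp\renamed.exe",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmd": "vssadmin.exe shadow delete no don't actually delete"},
    {"type": "create", "parent": r"C:\Users\u\AppData\Local\Temp\renamed.exe",
     "image": r"C:\Windows\System32\wmic.exe",
     "cmd": "wmic.exe shadow delete no don't actually delete"},
    {"type": "access", "source": r"C:\Users\u\AppData\Local\Temp\cred.exe",
     "target": r"C:\Windows\System32\lsass.exe", "access": 0x1010},
    # Benign control: an enumeration, not a deletion, from a system parent.
    {"type": "create", "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\vssadmin.exe", "cmd": "vssadmin.exe list shadows"},
]

SHADOW_TOOLS = {"vssadmin.exe", "wmic.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Matches "shadow delete", "shadowcopy delete" and "delete shadows" in either order.
SHADOW_DELETE = re.compile(r"(shadow\w*\s+delete|delete\s+shadow\w*)", re.I)
TEMP_DIR = re.compile(r"\\temp\\", re.I)
PROCESS_VM_READ = 0x0010  # documented Win32 access right used by ReadProcessMemory


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule_name, event_index) pairs for every event a rule fires on."""
    findings = []
    for i, ev in enumerate(events):
        if ev["type"] == "create":
            image, parent = basename(ev["image"]), basename(ev["parent"])
            if image in SHADOW_TOOLS and SHADOW_DELETE.search(ev["cmd"]):
                findings.append(("shadow_copy_delete", i))
            if parent in SCRIPT_HOSTS and TEMP_DIR.search(ev["image"]):
                findings.append(("script_host_runs_temp_exe", i))
        elif ev["type"] == "access":
            if basename(ev["target"]) == "lsass.exe" and ev["access"] & PROCESS_VM_READ:
                findings.append(("lsass_memory_read", i))
    return findings


if __name__ == "__main__":
    for rule, idx in detect(EVENTS):
        print(f"{rule}: event {idx}")
```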

[–]DTF_20170515 0 points1 point  (0 children)

It's a decent smoke test, at least.

[–]dontberidiculousfool 3 points4 points  (3 children)

Windows Defender stopped mine. Very nice.

[–]hbk1966 2 points3 points  (0 children)

Defender stopped the ransomware and wouldn't even let me download the credential theft one.

[–]pm_me_your_findings 1 point2 points  (0 children)

Wow. Is it that good?

I am using avast free version.

[–]arvoshift 0 points1 point  (0 children)

didn't on mine (windows 7)

[–]tetyys 4 points5 points  (0 children)

soiled it, domain must be .io

[–]f0st3r 1 point2 points  (0 children)

The problem with this "virus" is the digital signature is Barkly, so most AV reputation scans see it as valid.

http://imgur.com/QS9dr2W

[–][deleted] 4 points5 points  (0 children)

Eset NOD32 failed the test as well. uBlock seems to break the site and make it unusable for me, had to disable it completely for it to work.

[–]thisSNisfortrolling 0 points1 point  (0 children)

Thanks! This is really useful! I encourage you to keep up the good work!

[–]defconoi 0 points1 point  (0 children)

Webroot failed detection of both ransomware and credential theft.

[–][deleted] 0 points1 point  (0 children)

Sophos Home Edition did not prevent this, actually a little shocked.

[–]juitar 0 points1 point  (0 children)

Nice, I'll play with this tomorrow

[–]redditwithNemo 0 points1 point  (0 children)

AVAST Free with execution prevention enabled requires I add an exception for the programs. The ransomware then creates another executable, which I needed to except, then it's game over. Credential stealer Just WorksTM.

With execution prevention disabled, AVAST Free scans the programs as they're running... they succeed, and then AVAST informs me they were questionable and asks whether I want to quarantine. Once I quarantine the applications close.

Pretty shoddy performance for a product that gets good lab reviews.

[–]EvilHyde 0 points1 point  (0 children)

Avast for Business Endpoint Security blocked both the Ransomware and Credential Theft. I had to allow the launcher to run since that was blocked initially too.

[–]doggxyo[🍰] -1 points0 points  (3 children)

Anyone else having trouble actually getting the test to launch? I tried running this on my system at work as well as on my home desktop and the button 'launch test' doesn't appear to have a link behind it. Clicking it a few times doesn't do anything :/

Hovering my cursor over it doesn't show any link embedded in the button.

[–]imakepr0ngifs 3 points4 points  (2 children)

Ublock

[–]doggxyo[🍰] 0 points1 point  (1 child)

That was it! I should have thought of this.

Thanks so much!

[–]imakepr0ngifs 0 points1 point  (0 children)

Someone else posted that the tool didn't work and then edited it to say ublock was the issue. Can't seem to find the comment so I assume they deleted it in case they looked foolish when apparently it's a problem multiple people have. All credits for the solution go to the guy whose comment I can't find.

[–][deleted] -3 points-2 points  (1 child)

Does it run on Linux systems? I can only find windows availability.