Hot Take: Kaspersky and various other AVs can't detect simple ransomware script

Ahmed Uchiha

Feb 5, 2021
I found someone online who created a simple, basic ransomware sample. It encrypts the files in the local folder, changing them to a .txt extension. Kaspersky couldn't protect the system against it, but Bitdefender detected the script and blocked it. I didn't try ESET or McAfee, but it's disappointing that Kaspersky didn't pick it up, and after I reported the code to Kaspersky they said it's safe.
This is the source code, saved as a .bat file, if someone wants to test it:

@echo off
setlocal enabledelayedexpansion
rem Append .txt to every file in the current folder.
rem %%~nxf expands to name plus original extension, so report.docx becomes report.docx.txt.
rem Only the name changes; the file contents are not touched.
for %%f in (*.*) do (
ren "%%f" "%%~nxf.txt"
)


And this is the decryption key source code for this sample; it should also be saved as a .bat file, and the password is: 123

@echo off
setlocal enabledelayedexpansion
rem The "password" is compared in plaintext, so anyone can read it out of the script.
set /p "input=enter password to unlock :"
if "%input%"=="123" (
echo password correct ....
rem %%~nf is the name without its last extension, so report.docx.txt becomes report.docx.
rem Delayed expansion (!name!) is needed because the variable is set inside the loop.
for %%f in (*.txt) do (
set "name=%%~nf"
set "ext=%%~xf"
ren "%%f" "!name!"
)
echo done
) else (
echo wrong password ....
)
pause



I want to know why the Kaspersky virus lab flagged the sample as safe, although it can encrypt files in the same folder, which can cause data loss, while Bitdefender detects it as malware.
 
This script does not encrypt any data. It only changes file names, which breaks the operating system's ability to open them with the correct program. The file content remains completely intact and unharmed.

It's a classic example of something that looks scary to an inexperienced user but is technically harmless to the actual data.

While the script does demand a password to restore files, it fails the primary test of being ransomware because it does not perform any encryption. The "damage" is superficial and easily repaired even without the password by anyone with basic knowledge of the command line.
 
But Bitdefender detects that file as malware.
It might be harmless and not full ransomware, but it can be used as scareware or a bad joke, and not all people can revert this action on their own.
 
Yes, I saved it and used it as a .bat file; it changes the file extensions within the same folder.
I have saved it as a .bat file named rw.bat and uploaded it to VT.
 
Kaspersky likely does not detect the script because it analyzes the code and sees that it lacks a truly destructive payload: it only renames files without encrypting or destroying the underlying data.

Because of this, Kaspersky is sticking to a stricter technical definition of what constitutes a destructive threat, possibly to avoid false positives on legitimate admin scripts.

In short, their system determines that since the action is easily reversible and doesn't cause permanent data loss, it classifies the script as a nuisance or prank rather than a true malware infection.
 
But if this script ran in the System32 folder, it would cause the system to fail, as it changes system files; the same if it ran in a game folder, it would break or corrupt the files.
 
This requires another malware to get high privileges, drop, and execute batch files in the system folder.
 
What you have there isn’t really “ransomware” in the sense security labs define it. It’s just a batch script that renames files by tacking “.txt” onto the end of the filename. It doesn’t do any encryption, it doesn’t spread, it doesn’t demand a ransom, and it doesn’t even lock you out permanently; your so-called “decryption” script just strips the extension back off.

From Kaspersky’s perspective, this is probably a potentially unsafe script, but not malware. Their virus lab typically only flags things as malware when they:

- Exploit a vulnerability
- Use real encryption to make recovery impossible without a key
- Attempt persistence, spreading, or evasion
- Probably when they demand a ransom (I think, when analyzing in their virus lab, this is taken into consideration)

This script does none of that, it’s the same as a prank script that renames files. It can cause data loss if misused, sure, but by that logic, del *.* would also be “ransomware.”

Bitdefender probably flagged it heuristically because it looks like a mass file modification script, which can resemble destructive malware. Kaspersky went stricter on definition and said: “this isn’t a virus, it’s just a batch renamer.”

EDIT:
Kaspersky has two separate layers for ransomware:
  1. Detection/Blocking layer (signatures, heuristics, behavior monitoring), which will act to stop the ransomware process
  2. Ransomware Remediation module, which is basically a failsafe that makes shadow copies of files being modified, so if something slips past initial detection, it can roll them back.
Since the remediation module didn't pop up once this script "encrypted" the files, this gives you an idea that Kaspersky doesn't see the file as ransomware.
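The two replies above make the same point from different angles: the earlier one that the script only renames and is repairable without the password, and this one that a heuristic engine keys on mass file modification while a remediation layer keys on file contents being rewritten. The following Python script is an added example written for this page, not code from the thread or from any AV vendor. It reproduces what rw.bat does (rename only) next to what a real locker does (rewrite bytes, then rename), and runs the check a rollback layer or a suspicious user can make: hash the folder before and after and see whether any content actually changed. The sample files, the toy HMAC-SHA256 keystream, the `.locked` extension and the attacker key are all assumptions made for the demonstration.

```python
# Added example, not code from the thread or from any AV vendor.
# Contrasts the posted rw.bat behaviour (rename only) with a real encryptor
# (rewrite bytes, then rename) and applies the check a remediation layer can
# make: did the content change, or only the name?
import hashlib
import hmac
import math
import shutil
import tempfile
from collections import Counter
from pathlib import Path

# Constructed sample files; contents are arbitrary stand-ins.
SAMPLE_FILES = {
    "report.docx": b"Quarterly numbers " * 50,
    "photo.jpg": bytes(range(256)) * 4,   # already high-entropy, like real media
    "notes.txt": b"meeting at 10\n" * 30,
}


def make_sample_dir() -> Path:
    d = Path(tempfile.mkdtemp(prefix="rw_demo_"))
    for name, data in SAMPLE_FILES.items():
        (d / name).write_bytes(data)
    return d


def snapshot(d: Path) -> dict:
    """filename -> sha256 of content: the 'before' picture a rollback layer keeps."""
    return {p.name: hashlib.sha256(p.read_bytes()).hexdigest()
            for p in d.iterdir() if p.is_file()}


def rename_only(d: Path) -> None:
    """What rw.bat does: ren "%%f" "%%~nxf.txt" for every file, bytes untouched."""
    for p in list(d.iterdir()):
        if p.is_file():
            p.rename(p.with_name(p.name + ".txt"))


def undo_rename(d: Path) -> None:
    """Recovery without any password: strip the appended .txt again."""
    for p in list(d.iterdir()):
        if p.is_file() and p.name.endswith(".txt"):
            p.rename(p.with_name(p.name[:-4]))


def keystream(key: bytes, length: int) -> bytes:
    """Toy counter-mode keystream (HMAC-SHA256) standing in for the AES/ChaCha a
    real locker would use. Assumed for the demo; do not reuse as a cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_in_place(d: Path, key: bytes) -> None:
    """What actual ransomware does: overwrite the bytes, then rename."""
    for p in list(d.iterdir()):
        if p.is_file():
            data = p.read_bytes()
            p.write_bytes(bytes(a ^ b for a, b in zip(data, keystream(key, len(data)))))
            p.rename(p.with_name(p.name + ".locked"))


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def verdict(before: dict, d: Path) -> dict:
    """Compare the before-snapshot with the folder now. A rename never removes a
    content hash; an encryptor does. Mean entropy is reported because it is the
    usual heuristic, and photo.jpg shows why it is weak on its own."""
    after = snapshot(d)
    files = [p for p in d.iterdir() if p.is_file()]
    changed = len(set(before.values()) - set(after.values()))
    return {
        "renamed": len(set(after) - set(before)),
        "contents_changed": changed,
        "mean_entropy": round(sum(shannon_entropy(p.read_bytes()) for p in files) / len(files), 2),
        "verdict": "content_rewritten" if changed else "rename_only",
    }


def run_demo() -> tuple:
    """Returns (verdict for rw.bat behaviour, verdict for a real encryptor,
    whether the rename-only folder was fully recovered without a password)."""
    d = make_sample_dir()
    before = snapshot(d)
    rename_only(d)
    v_rename = verdict(before, d)
    undo_rename(d)
    recovered = snapshot(d) == before
    shutil.rmtree(d)

    d = make_sample_dir()
    before = snapshot(d)
    encrypt_in_place(d, b"key-only-the-attacker-holds")  # assumed key
    v_encrypt = verdict(before, d)
    shutil.rmtree(d)
    return v_rename, v_encrypt, recovered


if __name__ == "__main__":
    v_rename, v_encrypt, recovered = run_demo()
    print("rw.bat (rename only):", v_rename, "recovered without password:", recovered)
    print("real encryptor:      ", v_encrypt)
```

Both runs report three renamed files, so a rule that counts only renames cannot tell them apart; the content-hash comparison can, and it is also the reason the rename-only folder comes back intact with no key. The entropy column shows the other half of the problem: photo.jpg is at maximum entropy before anything touches it, which is why "high entropy after modification" alone produces false positives on media and archives.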
 
Please test it in a virtual machine with Bitdefender; it will catch it. I don't know why, but the full Bitdefender app can detect it while the VT engines don't.
False Positive behavioral detection by Bitdefender.

The script is not malicious. Oh, I agree it can cause damage but you can obtain hundreds, if not thousands, of legitimate non-malicious scripts that can cause damage. For example, you can find a script that, when executed, will erase the system drive.

If the new threshold of maliciousness is now "It can cause damage!", then all the hoomans in front of any digital device need to be quarantined and deleted.
 
Got it, thank you for clarifying. I contacted Kaspersky and told them to detect it as a bad joke script, but they refused 😅 They said it's safe and the script doesn't do anything malicious.
Thank you so much for the detailed information.
 
These legitimate tools make me worry, as they might be misused; even a joke file might be sent at Halloween 😃 Bitdefender tends to always be paranoid when dealing with unknown files; it can detect any potential threat, which might lead to high false positives.
 
Bitdefender responded to all the criticisms that it did not protect against malicious scripts by developing and implementing behavioral detection that blocks many legitimate scripts.

Bitdefender gave all of its haters what they wanted.

I would solve the problem of consumers executing scripts without knowledge by completely removing the capability to execute any type of script from the operating system. Only after a home user obtained a license to operate the digital device through passing a difficult written examination and practical lab exercises would I restore the ability to execute scripts and allow them to use those capabilities.