Ransomware (Arena)

Has anyone been infected by the Arena Ransomware? We got a call from staff saying they couldn’t open any files on our District network drive. All the file extensions were changed to the .Arena extension. We logged into the server and then got the “your files have been locked” message. Here are more details from another site:

https://www.bleepingcomputer.com/news/security/new-arena-crysis-ransomware-variant-released/

The server is on a VM running 2012 r2. Avast was on the server and updated. We also copied the VM off and opened it back up in a sandboxed environment and ran a full scan. Nothing was picked up by Avast. Should Avast detect this malware and remove it? I know Avast can’t get our files back, but I would hope to stop this from happening. We plan on restoring the VM from backup. We did contact support… I was hoping for at least a call and someone to look into this for us.

Thanks for your help
Jason

Whilst I haven’t been infected by this particular Ransomware, I was infected by a Crypt0l0cker (or something calling itself that) which never got “detected”. The affected machine was quickly identified and taken off the network.

I inquired as to why the Ransomware was not detected and support said it was possible that it was a new variant not yet detected by current definitions. It was pretty widespread in the news at the time, so I would have expected it in definitions if not picked up by heuristics, so my confidence in Avast took a hit.

https://www.avast.com/virus-update-history was of no help and is not even kept current so is pretty useless. I kept my eye on the list and never saw a name similar to Crypt0l0cker so I assumed it was either under a different name or was in definitions already (but I couldn’t view the full history to prove anything).

So whilst I am not helpful in your scenario, I can sympathize with you, as I can see no reason why Arena would not be detected by now given its age.

I can only suggest trying to trigger an EICAR test to make sure the VM detects it, to prove it’s actually functional.
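One way to run that EICAR check against the share on the restored 2012 R2 VM, as an added example that is not part of this thread (the $TargetDir path and the wait time are assumptions; adjust them for your server):

```powershell
# Added example, not from the thread: write the standard EICAR test string to a
# share path and report whether the resident scanner blocks or removes it.
# $TargetDir is an assumed path; point it at the volume you want to exercise.
param(
    [string]$TargetDir = 'D:\Shares\District',
    [int]$WaitSeconds = 30
)

# Standard 68-byte EICAR test string. Single quotes keep $EICAR and $H literal;
# the literal is split only so this script file is not itself flagged at rest.
$eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-' + 'ANTIVIRUS-TEST-FILE!$H+H*'
$testFile = Join-Path $TargetDir 'eicar-test.com'

try {
    # ASCII, no BOM, no trailing newline: scanners match the exact bytes.
    [System.IO.File]::WriteAllText($testFile, $eicar, [System.Text.Encoding]::ASCII)
} catch {
    # On-access scanning normally blocks the write itself; that is a detection.
    Write-Output "Write blocked ($($_.Exception.Message)) -> on-access scanning is active"
    return $true
}

# Give a scheduled or delayed on-access scan time to react before deciding.
Start-Sleep -Seconds $WaitSeconds
if (Test-Path $testFile) {
    Remove-Item $testFile -Force
    Write-Output "EICAR file still present after $WaitSeconds s -> scanner did not react"
    return $false
}
Write-Output 'EICAR file removed -> on-access scanning is active'
return $true
```

A $false result shows the engine on the VM is not scanning that path at all, which is a separate question from whether its definitions cover a given variant.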