Team: Huntress Managed Endpoint Detection and Response (EDR)
Product: Ransomware Canaries
Environment: Windows
The File
You may have discovered a new file on your host (C:\INTERNAL\__EMPTY) that contains the following text from Huntress:
This is a Huntress Vaccine file. Huntress has created this file to disrupt variants of some known malware families.
Why is Huntress creating these files?
This file makes it appear that the endpoint is part of a Windows Defender Sandbox. This causes some malware to exit before completing its objective on a system. One example is QAKBOT, malware that propagates rapidly through a local network, making it difficult to remove fully. The existence of this file can, in some cases, prevent QAKBOT from reaching the propagation stage of the attack.
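Because the protective effect depends on the file being present with its expected contents, a defender will want a quick way to confirm it is intact. The following PowerShell check is an added example and not Huntress code; it assumes only the path and the file text quoted above.

```powershell
# Added example (not Huntress code): verify the vaccine file described above is present and intact.
function Test-HuntressVaccineFile {
    param(
        [string]$Path = 'C:\INTERNAL\__EMPTY',
        # Expected content, taken from the text quoted above.
        [string]$ExpectedText = 'This is a Huntress Vaccine file. Huntress has created this file to disrupt variants of some known malware families.'
    )
    $result = [ordered]@{ Path = $Path; Exists = $false; ContentMatches = $false; Status = 'Missing' }

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        # File absent: the sandbox appearance described above is not in place.
        return [pscustomobject]$result
    }
    $result.Exists = $true

    # -Raw returns the whole file as one string; an empty file yields $null.
    $content = Get-Content -LiteralPath $Path -Raw -ErrorAction Stop
    if ($null -ne $content -and $content.Trim() -eq $ExpectedText) {
        $result.ContentMatches = $true
        $result.Status = 'Present'
    } else {
        # Exists but the text differs: treat as tampered or overwritten.
        $result.Status = 'Modified'
    }
    return [pscustomobject]$result
}

Test-HuntressVaccineFile
```

A result of Missing or Modified means the effect described above should no longer be relied on for that host.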
Additional Information
The following external articles reference this technique as a method to hinder or prevent some malware families from successfully executing on systems:
https://asec.ahnlab.com/en/39537/