Locky - New Ransomware

Bizybone
Has anybody else come across this one yet? I'm IT Support at an Oncology center and our physician email distribution group received an email with the subject "Scanned Invoice". It had a Word document attached. Running it will launch a macro and pull down a .exe file which will then commence the encryption process.

I blasted an email out letting them know to delete it. But, lucky for me many of the physicians do not read their emails in a timely manner so that gave me time to jump in their mailboxes and delete it for them. Didn't want to take any chances.

I ran the .doc inside of Sandboxie and watched as it began to encrypt the local and network share files. It will leave behind a "_Locky_recover_instructions.txt" file with instructions on how to decrypt... just FYI.
 
We had a client with it last week. It infected mapped drives as well as the local machine.

I was lucky enough to recover the data on the mapped drives through Shadow Explorer, but the laptop (where the infection originated) itself was screwed. A few people online state that the files it encrypts are first copied, encrypted and then the original file deleted. I tried recovery of deleted files but it didn't work for me; it may work for others, so worth a try.
 
The world seriously needs to nip this ransomware thing in the butt even if that means making it highly illegal to pay the ransom. It seems like the days of fancy rootkits are gone and malware creators have no incentive to go that fancy route when they can make more money by creating ransomware which is far easier to do.

Edit: I just think the situation is going to get worse and worse
 
> The world seriously needs to nip this ransomware thing in the butt even if that means making it highly illegal to pay the ransom. It seems like the days of fancy rootkits are gone and malware creators have no incentive to go that fancy route when they can make more money by creating ransomware which is far easier to do.
>
> Edit: I just think the situation is going to get worse and worse

Absolutely agree.
 
An IT associate I supply Datto services for his clients had a client infected with it last week. Same MO, email with invoice attachment. He wiped the infected PC and restored data from most recent, uninfected snapshot.

I think this is a bit easier to restore files for, since the files are all renamed. It's safe to say any file with a normal name is not encrypted. If using a tool like WinMerge, it makes the restore process go faster.
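The observation above (encrypted files are renamed with the .locky extension, files with their normal names are untouched, and a ransom note is dropped in each folder the malware reached) can be turned into a quick post-incident inventory that tells you which folders to restore. The following is an added example, not code from anyone in this thread: it walks a share, separates .locky files from intact ones, collects the `_Locky_recover_instructions.txt` notes, and writes the encrypted-file list out so it can be compared against the backup (with WinMerge or similar, as the post suggests). The share path is a placeholder.

```powershell
# Added example, not from the thread. Run from a clean machine with read
# access to the share; it only reads, it never modifies or deletes anything.
function Get-LockyTriage {
    param([Parameter(Mandatory)][string]$Root)

    $encrypted = [System.Collections.Generic.List[string]]::new()
    $intact    = [System.Collections.Generic.List[string]]::new()
    $notes     = [System.Collections.Generic.List[string]]::new()

    Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            if ($_.Name -eq '_Locky_recover_instructions.txt') {
                # Ransom note: marks a folder the malware reached.
                $notes.Add($_.FullName)
            }
            elseif ($_.Extension -eq '.locky') {
                # Renamed on encryption; the original name is not preserved.
                $encrypted.Add($_.FullName)
            }
            else {
                # Normal name: per the post above, not encrypted.
                $intact.Add($_.FullName)
            }
        }

    # Distinct parent folders of encrypted files scope the restore.
    [pscustomobject]@{
        Root            = $Root
        EncryptedCount  = $encrypted.Count
        IntactCount     = $intact.Count
        RansomNoteCount = $notes.Count
        AffectedFolders = ($encrypted | Split-Path -Parent | Sort-Object -Unique)
        RansomNotes     = $notes
        Encrypted       = $encrypted
    }
}

# Placeholder share path; substitute the real UNC path or drive letter.
$report = Get-LockyTriage -Root '\\FILESERVER\Share'

$report | Select-Object Root, EncryptedCount, IntactCount, RansomNoteCount | Format-List
$report.AffectedFolders

# Lists to drive a selective restore and to diff against the backup tree.
$report.Encrypted       | Set-Content -Path "$env:TEMP\locky-encrypted-files.txt"
$report.AffectedFolders | Set-Content -Path "$env:TEMP\locky-affected-folders.txt"
```

Because the encrypted name carries no trace of the original file name, the useful output is the folder list rather than a file-to-file mapping: restore those folders from the last clean snapshot and compare the restored tree against the intact files to confirm nothing was missed. Run it before any cleanup so the ransom notes are still in place as markers.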
 
At my corporate job, we started using Choicemail. Only emails we acknowledge reach our inboxes. It's worth a look.
A backup plan is definitely a must nowadays.
Also, remove admin rights from Windows accounts.
There are companies that offer security training to employees on how to spot malicious attachments and links.
I had a customer with an encrypted server because they were using the server as a workstation. They recovered from backup, partially.
 
Since ransomware is becoming more profitable, there is now ransomware that attacks websites and web servers. Multiple hospitals in Germany got hit, as well as power grids overseas. Funny thing is, that is what antivirus should help with, but it doesn't. Malwarebytes is going in the right direction with anti-ransomware software.
I have had customers with Kaspersky 2016, Norton 2016, McAfee 2016, AVG 2016 and Avast 2016 get hit by some form of cryptovirus (TeslaCrypt, CryptoWall, etc.). It did not help at all.
 
I've been running HitmanPro.Alert on my own PCs, but I'm really not clear on exactly what their licensing is - I know HitmanPro as an antivirus is paid, but I'm pretty sure HitmanPro.Alert is free, and I think that their CryptoGuard piece is part of that. However, when you go to the CryptoGuard page, it includes pricing and links (which are for purchasing HitmanPro, the full package).

Once upon a time they also had some things on there about installing it on file servers where it would watch and block encryption activity, but all that seems to be missing now, along with the server operating systems on the compatibility list.
 
I run CryptoGuard.Alert on my system and found the same confusion when I try to install it on customers' systems now. It seems no longer free, but if you have it installed, it still works fine. Pops up every time I start FF saying it's on guard.
 
I had one of these a couple of days ago.
His important files we got from sent email attachments; the backup was 6 months old.
Shadow Explorer did not work.
I installed CryptoPrevent; I assume it works for Locky.
All files had the extension .locky.
 
> I run CryptoGuard.Alert on my system and found the same confusion when I try to install it on customers' systems now. It seems no longer free, but if you have it installed, it still works fine. Pops up every time I start FF saying it's on guard.

I'm curious how CryptoGuard.Alert compares to Malwarebytes Anti-Exploit. Do they do the same thing? Is one better than the other? I think pricing is similar.
 
I don't know how they compare, to tell the truth. My understanding is CryptoGuard monitors network traffic IP addresses and blocks those that are known to distribute encryption keys, or something like that. (Sorry, I've had this damned cold for 3 weeks now and I'm brain dead.) It was free and I've never been asked to pay. However, whenever I go to install it on a customer's PC, I think they end up with a trial of HMP and CryptoGuard. I think the terms now prevent me from doing that, but I'm really vague on it as I haven't tried it in some time now. Sorry I couldn't be more helpful.
 
What about CryptoPrevent? Does this not work anymore?

I guess the only prevention is to back up every day and disconnect the backup drive when done.

It deleted the shadow copy file. In a post it said you can use Recuva for the deleted shadow copy,
then recover with ShadowExplorer.
 
The best thing, from my IT experience, and following the security industry... the best is indeed to back up every day.
How to do a backup is, I think, a new lucrative business model :)
 
We have been locking users down and, where possible, removing admin rights. We use MaxFocus and have put a script in place that locks down workstations and prevents executables running in the %appdata% directories and a few other locations.
Also been enforcing good antispam policies. Those on Office 365 are locked down to only receive email from our spam filter and to block EXE attachments.

Also educating users to spot potential issues and report them to us so we can deal with the issue. Seems to be working well so far.
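The lockdown described above (block executables launching from %appdata% and a few other user-writable locations) is what Windows Software Restriction Policies do with "Disallowed" path rules, and it is the same mechanism tools such as CryptoPrevent configure. As an added example, not the poster's MaxFocus script and not code from any product named here, the following writes those rules directly to the SRP policy keys under HKLM. It assumes an elevated PowerShell session on a workstation that is not already receiving SRP from a domain GPO (a GPO would overwrite local settings), and the rule list is a starting point to adjust for the environment.

```powershell
# Added example, not from the thread. Requires an elevated session.
# SRP registry layout: CodeIdentifiers holds the policy settings; rules live
# under a security-level subkey ("0" = Disallowed, "262144" = Unrestricted).
$base       = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$disallowed = Join-Path $base '0\Paths'

# Policy settings: everything Unrestricted by default, rules apply to all
# users (PolicyScope 0), and enforcement covers executables but not DLLs
# (TransparentEnabled 1), which keeps the risk of breaking applications low.
New-Item -Path $base -Force | Out-Null
Set-ItemProperty -Path $base -Name DefaultLevel       -Value 262144 -Type DWord
Set-ItemProperty -Path $base -Name PolicyScope        -Value 0      -Type DWord
Set-ItemProperty -Path $base -Name TransparentEnabled -Value 1      -Type DWord
New-Item -Path $disallowed -Force | Out-Null

# User-writable locations that mail-borne droppers commonly write to.
# Path rules accept environment variables and wildcards; the "\*\" form
# covers one level of subfolder, so list both where needed.
$rules = @(
    '%AppData%\*.exe',
    '%AppData%\*\*.exe',
    '%LocalAppData%\*.exe',
    '%LocalAppData%\*\*.exe',
    '%LocalAppData%\Temp\*.exe',
    '%LocalAppData%\Temp\*\*.exe',
    '%UserProfile%\Downloads\*.exe'
)

# Idempotent: skip any path that already has a Disallowed rule.
$existing = @(Get-ChildItem -Path $disallowed -ErrorAction SilentlyContinue |
    ForEach-Object { (Get-ItemProperty -Path $_.PSPath).ItemData })

foreach ($rule in $rules) {
    if ($existing -contains $rule) { continue }

    # Each rule is a GUID-named key with ItemData (the path), SaferFlags,
    # a Description and a LastModified FILETIME, matching what the
    # Local Security Policy snap-in writes.
    $key = Join-Path $disallowed ('{' + [guid]::NewGuid().ToString().ToUpper() + '}')
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name ItemData     -Value $rule -PropertyType ExpandString | Out-Null
    New-ItemProperty -Path $key -Name SaferFlags   -Value 0     -PropertyType DWord        | Out-Null
    New-ItemProperty -Path $key -Name Description  -Value "Block executables under $rule" -PropertyType String | Out-Null
    New-ItemProperty -Path $key -Name LastModified -Value ([DateTime]::UtcNow.ToFileTime()) -PropertyType QWord | Out-Null
    Write-Host "Added Disallowed rule: $rule"
}

# Review what is now in place.
Get-ChildItem -Path $disallowed | ForEach-Object {
    (Get-ItemProperty -Path $_.PSPath) | Select-Object ItemData, Description
}
```

The rules take effect for processes started after the change (log the user off to be sure). Test it with a legitimate installer copied into %AppData% before rolling it out, because some software updaters (Chrome, Spotify, OneDrive and similar) run from these folders and will need Unrestricted exceptions under the `262144\Paths` key. Path rules are a speed bump, not a boundary: they do nothing for executables written elsewhere or for script hosts, so they complement, rather than replace, the attachment blocking, removal of admin rights and daily backups discussed elsewhere in this thread.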
 
Received a complaint yesterday that Locky had struck one of my customer's friend's laptop and was asked to look at it. Just about every file had been encrypted, and unfortunately System Restore had not produced any restore points and therefore using Shadow Copies or Shadow Explorer to restore the affected files was out of the question.

It appears that the only way to stay safe from this latest ransomware strain is to back up to an external source on a regular basis and then disconnect the device. I personally use CryptoPrevent, but have no idea whether it will help to prevent against the new Locky attacks. In the main such attacks appear to come from email attachments such as bogus invoices or shipping documents, so it's a case of educating users not to be tempted to open such messages unless they are known to come from a known source.
 