Locky - New Ransomware

There are reports that the email is able to slip past most filtering and spam services, including the Barracuda spam filter.
Also there are some reports that the shadow volumes are not securely deleted, so they can be recovered with Recuva.
 
If you are looking for a silver bullet, a single product or solution, that will prevent this and other types of ransomware - good luck, as it doesn't exist. Put edge solutions in place (like email filtering), lock down common install locations (e.g. app data locations, this is what most of the group policy options & things like CryptoPrevent do), have a good antivirus/antimalware solution in place and have good image-based backups in place (ones that are monitored & tested, preferably). In other words, use a layered defense-in-depth strategy.

We are also stepping our users through regular security training to help them spot phishing emails, along with twice-a-month phishing security tests in which they receive mock phishing emails. We measure how many people fall victim to these and can provide remedial training, if needed. We are using the services of a company called KnowBe4, which provides the training and the capabilities for sending out the tests (with dozens of pre-made templates). Pricing is affordable per user. Those of you who are MSPs may want to check out their partner program (https://www.knowbe4.com/partnering).
 
I had a small business get this crypto on a workstation and it encrypted the business database on the mapped server. Fortunately they had cloud backup and only lost a few hours of input on the database. The interesting point is that they were running Windows Defender on a Win 10 workstation and it stopped the encryption part way through. I can see about a quarter of the files in the My Documents folder encrypted and the rest still pristine. I have seen this twice before in previous encryption attempts with clients using Windows Defender or Security Essentials: once the payload starts to encrypt, these AVs stop it part way through.
 
Had a client hit with it today. In a matter of minutes her entire drive was affected. She called me in a panic, and I had her disconnect the ethernet as they have mapped drives and shares. One of the mapped drives is for their accounting software (dpwin). Before getting it off the network, Locky got about half the mapped drive folder, which was enough to encrypt their database etc. Luckily it did not yet hit their other shared folders.

On the computer with the mapped drive, Shadow Explorer seems to have saved the day. I'm working on it remotely now so won't know for sure until I get there in the morning. Looks like they lost a week or so of accounting data, but better than years! Oh, and CrashPlan is installed but apparently hasn't run a backup (or they somehow got deleted). Not sure what is up with that as it was up and running fine last time I was there.

Haven't even touched the machine that actually got hit yet. Not a lot of work data on it as everything is on mapped drives or shares from other PCs, so I will likely just nuke it.

Oh, and they use Viper and I have CryptoPrevent on all their machines, and obviously it got through.
 
Ouch :(
 
Viper hasn't been looking too good in months past. Bitdefender AV Plus has an anti-ransomware module that can be turned on for an extra layer of protection.

Just tossing an idea out: how about having files in each share that have extensions that are commonly attacked? These would be "sacrificial lambs" that are never meant to be changed at all. Nothing different about the file otherwise: normal privileges, not the same name in every share. If a workstation tries to open it with R/W permissions, that MAC gets blocked. If the process is on the server itself, hmmm, how would you handle that?
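The "sacrificial lamb" idea above is what is usually called a canary or decoy file. The following is an added example (not code from the thread or from any product mentioned in it) showing the detection half of that idea: plant decoy documents in a share, record a baseline hash for each, and on every scan report any canary that has been rewritten in place or has disappeared with a renamed copy beside it, which is the pattern the posters describe when a mapped drive gets encrypted. The decoy file names, the constructed tampering in `demo()`, and the `.encrypted` suffix are all assumptions made for the example; a real deployment would run `check_canaries` on a schedule against the real share path and feed the findings into whatever alerting or host-blocking mechanism the site already has.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Decoy names are an assumption for this example; pick names that look like real
# business documents and vary them per share, as the post suggests.
CANARY_NAMES = ["Q3_budget.xlsx", "contract_draft.docx", "vendor_list.pdf"]


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large decoys do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def plant_canaries(share_root: Path, names=CANARY_NAMES) -> dict:
    """Write decoy files into a share and return a {path: sha256} baseline.

    The random tail makes each decoy unique, so an attacker cannot recognise
    them by content; the baseline hash is the only reference the monitor needs.
    """
    baseline = {}
    for name in names:
        decoy = share_root / name
        decoy.write_bytes(b"CANARY - this file must never change\n" + os.urandom(256))
        baseline[str(decoy)] = sha256_of(decoy)
    return baseline


def check_canaries(baseline: dict) -> list:
    """Compare every canary with its baseline.

    Returns a list of (path, finding, related_files) tuples where finding is
    "modified" (rewritten in place) or "missing" (deleted or renamed). For a
    missing canary, related_files lists siblings that start with the canary's
    name, because encrypting malware commonly writes a copy under a new
    extension and removes the original.
    """
    findings = []
    for path_str, expected in baseline.items():
        decoy = Path(path_str)
        if not decoy.exists():
            siblings = sorted(p.name for p in decoy.parent.glob(decoy.name + ".*")) \
                if decoy.parent.exists() else []
            findings.append((path_str, "missing", siblings))
        elif sha256_of(decoy) != expected:
            findings.append((path_str, "modified", []))
    return findings


def demo() -> list:
    """Plant canaries in a temporary 'share', simulate tampering, return findings.

    The tampering here is constructed for the example: one decoy is overwritten
    and another is renamed with a made-up ".encrypted" suffix.
    """
    with tempfile.TemporaryDirectory() as tmp:
        share = Path(tmp)
        baseline = plant_canaries(share)
        if check_canaries(baseline):
            raise RuntimeError("fresh canaries must match their baseline")
        overwritten = share / CANARY_NAMES[0]
        overwritten.write_bytes(b"not the original content")
        renamed = share / CANARY_NAMES[1]
        renamed.rename(renamed.with_name(renamed.name + ".encrypted"))
        return check_canaries(baseline)


if __name__ == "__main__":
    for path, finding, related in demo():
        print(f"{finding:9} {path} {related}")
```

Running the module prints one line per tampered canary: the first decoy is reported as modified and the second as missing, with `contract_draft.docx.encrypted` listed as the related file. The server-side case the poster asks about is not solved by this script; a check like this only tells you that something is encrypting the share, and identifying the process or workstation responsible still depends on file-access auditing on the server.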
 
I use and push Bitdefender. Before I came along they purchased enough Viper lifetime keys for all the machines, so they are pretty set on keeping that. BTW, Shadow Explorer did restore the shared accounting folder and they are up and running, but they did lose a week's worth of work. Still haven't touched the actual infected machine yet. And they are now finally sold on local backups.
 
Well, this thing really did a number on us this past Thursday. I was on my way to work when I got an email from a department manager asking "where did all the files in this share go?" I got ahold of my boss, who was in front of a computer, and told her to shut down the File Server ASAP!

Long story short: an employee who was impatiently waiting on an email from a vendor opened an email with the subject "print please", then opened the attachment titled "New Text Document (3).rar", and then opened the file inside that compressed file, which ended in .js format.

So it was approximately 45 minutes before we were able to track this user down and shut her machine down. It encrypted about 65% of the File Server (permissions being set correctly prevented the rest of the server from being infected; the fact that we shut it down helped too). It also infected 50% of 3 other servers, sparing the EMR databases, thankfully. But it did lock a huge chunk of patient data like driver's licenses and insurance cards... What made it worse is that when one of our guys restored the File Server from a backup (we back up hourly and the infection started shortly after a backup completed), NONE of the permissions carried over. Great opportunity to set it up correctly, I suppose.

~200 employees and still getting tickets left and right about not being able to access "xyz".

Going to tighten up the email filter even more after this one.
 
Is there any reason a .rar file should be allowed as an attachment or even be allowed to open under any circumstances on that network?
 
No, there isn't. Email policies aren't as strict as we'd like them to be because what the company director (or physician on the board) wants, they usually get. Granted, it isn't wide open. I prefer to have these types of uncommon attachments stripped from the message, with the notification going to the recipient. That way, if it really is a legit attachment, the end user can double-check with us.

It's really an "I told you so" moment. Though there is a lot more we (internal IT and our MSP) could have done and should have done to prevent this.
 
It'd be nice to see a website dedicated to the assorted CryptoLocker variants and, more importantly, to testing the ever-growing variety of products designed to prevent/block/intercept such attacks...
 
I have heard of this Locky ransomware from one of my friends. His computer was attacked by this ransomware and he was asked to pay 0.5 Bitcoin for a piece of software called Locky Decrypter. After hearing his sad story, I searched on Google and found this post. Then I knew this Locky ransomware is mainly spread via spam emails. Most of these spam emails have a subject line that reads "ATTN: Invoice J-[random numbers]" and a Word document attachment that has the same name as the subject. Below is how the email looks:

[image: spam-email.png]

It is rather hard for people to get rid of the ransomware and get their encrypted files back. So prevention is very important. Here are some tips:

1. You should back up your personal files, such as pictures, music, and documents, regularly. You can set up automatic backups or manually back up your files at any time. In case these files are damaged, deleted or encrypted by malware, you can restore them easily.

2. You should disable all except digitally signed Office macros from running. If cyber hackers send emails with a malicious Word document, the macro won’t run.

3. You should use spam filters and avoid opening spam email attachments. Besides, you can try using Symantec Email Security.cloud to block email-borne threats.

4. You should safeguard your computer with a powerful anti-malware program. This can decrease the risk of getting malware infection.
 
I'm curious how cryptoguard.alert compares to Malwarebytes Anti-Exploit. Do they do the same thing? Is one better than the other? I think pricing is similar.

Malwarebytes has a whole separate anti-ransomware app; I don't think their anti-exploit product gives quite the same coverage. I trust it more than CryptoPrevent.

For customers that have important data and are not particularly good about backups, it might be a good little thing to install just in case.
 