Analysis of Locky ransomware
- 
 Look what hit my quarantine. So I delivered it. OMG! I owe them $298,39 Wait what? comma 39 cents? What the f[moderated] is that? This is an admin email account at a client. If the admin account has it, it is only time before someone does all the things. 
- 
 this is why I turned off Doc and DOCX files via the spam filter. 
- 
 @Dashrender said: this is why I turned off Doc and DOCX files via the spam filter. What if your users legitimately need those files? 
- 
 @BRRABill said: @Dashrender said: this is why I turned off Doc and DOCX files via the spam filter. What if your users legitimately need those files? Much better ways to share documents than through email 
- 
 @JaredBusch weird mix of USD and European notation there. 
- 
 @BRRABill said: @Dashrender said: this is why I turned off Doc and DOCX files via the spam filter. What if your users legitimately need those files? Then I can whitelist them. Luckily - we rarely need those sent through email. 
- 
 @BRRABill said: @wirestyle22 said: Much better ways to share documents than through email Good point. Actually - I would say not good point. What ways are you thinking? Drop Box? Google Drive? OneDrive, ODfB? etc - those are all horrible ways to share files because it's just as easy to get infected by them as it is by email. Heck, the one person I know who got hit by Locky got it through DropBox. He got a notice it had been uploaded - he went and looked - he thought HUH, it's odd that it's a word file, because normally it's a PDF - meh, whatever - click - infected! 
 It didn't help that the company used GPOs to remove the prompting about macros, so he didn't even have that protection.
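 An added example (not code from anyone in this thread) of how to check for the situation described above, where a GPO has silently set Office to run macros without prompting. It assumes Office 2016/2019/365 (registry version key `16.0`) and the documented `VBAWarnings` / `blockcontentexecutionfrominternet` policy values; the function and variable names are my own.

```powershell
# Audit the effective Office macro setting per application. Assumptions (labelled):
# Office version key 16.0; documented policy values are
#   VBAWarnings 1 = enable all macros (no prompt), 2 = disable with notification (default),
#   3 = disable all except digitally signed, 4 = disable all without notification;
#   blockcontentexecutionfrominternet 1 = block macros in files carrying Mark-of-the-Web.
$ver   = '16.0'
$apps  = 'Word', 'Excel', 'PowerPoint'
$roots = @(
    "HKCU:\Software\Policies\Microsoft\Office\$ver",   # GPO-delivered policy (takes precedence)
    "HKCU:\Software\Microsoft\Office\$ver"             # per-user Trust Center setting
)

function Get-MacroSetting {
    param([string]$App)
    foreach ($root in $roots) {
        $key = Join-Path $root "$App\Security"
        if (Test-Path $key) {
            $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            if ($null -ne $p.VBAWarnings) {
                return [pscustomobject]@{
                    App           = $App
                    Source        = $root
                    VBAWarnings   = [int]$p.VBAWarnings
                    BlockInternet = $p.blockcontentexecutionfrominternet
                }
            }
        }
    }
    # Nothing set anywhere: Office falls back to "disable with notification" (2)
    [pscustomobject]@{ App = $App; Source = '(not set, Office default)'; VBAWarnings = 2; BlockInternet = $null }
}

foreach ($app in $apps) {
    $s = Get-MacroSetting -App $app
    $verdict = switch ($s.VBAWarnings) {
        1       { 'RISK: all macros run without any prompt' }
        2       { 'prompt shown before macros run (default)' }
        3       { 'only digitally signed macros allowed' }
        4       { 'all macros disabled silently' }
        default { "unknown VBAWarnings value $($s.VBAWarnings)" }
    }
    if ($s.BlockInternet -ne 1) { $verdict += '; internet-sourced macros NOT blocked' }
    '{0,-10} {1,-65} {2}' -f $s.App, $verdict, $s.Source
}
```

A `VBAWarnings` of 1 under the Policies hive is the GPO-pushed "no prompt" state the post describes; the fix is a policy value of 2 or higher plus `blockcontentexecutionfrominternet` = 1 on every Office app.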
- 
 @Dashrender said: Actually - I would say not good point. What ways are you thinking? Drop Box? Google Drive? OneDrive, ODfB? etc - those are all horrible ways to share files because it's just as easy to get infected by them as it is by email. Heck, the one person I know who got hit by Locky got it through DropBox. He got a notice it had been uploaded - he went and looked - he thought HUH, it's odd that it's a word file, because normally it's a PDF - meh, whatever - click - infected! 
 It didn't help that the company used GPOs to remove the prompting about macros, so he didn't even have that protection. It was more a ML concession. I just assumed there was an easy way in ODfB everyone was using I was unaware of. For the most part file sharing like that is a PITA, especially for most users who have no idea. I have to get the file, and share it out, etc.. 
- 
 @Dashrender said: @BRRABill said: @wirestyle22 said: Much better ways to share documents than through email Good point. Actually - I would say not good point. What ways are you thinking? Drop Box? Google Drive? OneDrive, ODfB? etc - those are all horrible ways to share files because it's just as easy to get infected by them as it is by email. Heck, the one person I know who got hit by Locky got it through DropBox. He got a notice it had been uploaded - he went and looked - he thought HUH, it's odd that it's a word file, because normally it's a PDF - meh, whatever - click - infected! 
 It didn't help that the company used GPOs to remove the prompting about macros, so he didn't even have that protection. I don't really do any local editing any more. Since I have Zoho I use Zoho Docs (doesn't really matter what service you use), but I use their online software. If I get it in an email, I can open it directly with their Docs apps and edit. 
- 
 @johnhooks said: @Dashrender said: @BRRABill said: @wirestyle22 said: Much better ways to share documents than through email Good point. Actually - I would say not good point. What ways are you thinking? Drop Box? Google Drive? OneDrive, ODfB? etc - those are all horrible ways to share files because it's just as easy to get infected by them as it is by email. Heck, the one person I know who got hit by Locky got it through DropBox. He got a notice it had been uploaded - he went and looked - he thought HUH, it's odd that it's a word file, because normally it's a PDF - meh, whatever - click - infected! 
 It didn't help that the company used GPOs to remove the prompting about macros, so he didn't even have that protection. I don't really do any local editing any more. Since I have Zoho I use Zoho Docs, but I use their online software. If I get it in an email, I can open it directly with their Docs apps and edit. This is something awesome about O365 and Google Apps as well. 
- 
 @Dashrender said: @johnhooks said: @Dashrender said: @BRRABill said: @wirestyle22 said: Much better ways to share documents than through email Good point. Actually - I would say not good point. What ways are you thinking? Drop Box? Google Drive? OneDrive, ODfB? etc - those are all horrible ways to share files because it's just as easy to get infected by them as it is by email. Heck, the one person I know who got hit by Locky got it through DropBox. He got a notice it had been uploaded - he went and looked - he thought HUH, it's odd that it's a word file, because normally it's a PDF - meh, whatever - click - infected! 
 It didn't help that the company used GPOs to remove the prompting about macros, so he didn't even have that protection. I don't really do any local editing any more. Since I have Zoho I use Zoho Docs, but I use their online software. If I get it in an email, I can open it directly with their Docs apps and edit. This is something awesome about O365 and Google Apps as well. Ya I've used both. I have a Microsoft account and an Office 365 account. The Office online stuff is nice, and same with Google Docs. I just use Zoho for mail so that makes sense for me. 
- 
 @Nic Sorry, I don't click on links
- 
 @aaronstuder said: @Nic Sorry, I don't click on links Come on, it's just a little ransomware, that's all
- 
 @aaron said: @aaron said: Yes, Backblaze can help with ransomware. To follow up, Backblaze was hit with CryptoWall on a corporate Windows machine. Not Locky... But I think it's a better story to follow than my shorter answers. If you'd like to read the unfortunate details and how it was recovered from backup: https://www.backblaze.com/blog/cryptowall-ransomware-recovery/ The nice part is that you can get a full restore as of a certain day. Certainly a good part of a nice backup strategy. 
- 
 @BRRABill said: @aaron said: @aaron said: Yes, Backblaze can help with ransomware. To follow up, Backblaze was hit with CryptoWall on a corporate Windows machine. Not Locky... But I think it's a better story to follow than my shorter answers. If you'd like to read the unfortunate details and how it was recovered from backup: https://www.backblaze.com/blog/cryptowall-ransomware-recovery/ The nice part is that you can get a full restore as of a certain day. Certainly a good part of a nice backup strategy. What is the range of time though? 7 days? 30 days? 
- 
 @wirestyle22 said: What is the range of time though? 7 days? 30 days? They keep 30 days of revisions/deletions. 
- 
 Are you using Microsoft EMET on your machines? Which antivirus is your favourite? Here, some Spanish security gurus say EMET is necessary in all cases, also with Windows 10. 