Jump to content

New ransomware variant missed


paulbf1
 Share

Recommended Posts

Lukitus is a variant of the Locky ransomware.  My wife got hit today and it was missed by NOD32.  Unfortunately it was linked to a Bank of America email that's a former employer.  Encrypts the files with a .lukitus extension.  Fortunately, we have backups.

Link to comment
Share on other sites

  • Administrators

The latest variant of Locky was detected even with an outdated detection engine. When I executed it on a computer where ESET had not been updated for 1 week, it was detected in memory and blocked:

Time;Scanner;Object type;Object;Threat;Action;User;Information;Hash;First seen here
8/22/2017 8:45:42 AM;unknown;file;Operating memory » C:\Documents and Settings\Administrator\Desktop\a.exe;a variant of Win32/Filecoder.Locky.L trojan;cleaned by deleting;

It could be that an attacker remoted in via RDP, disabled ESET and then ran the ransomware. If you would like to investigate it, collect logs with ELC (choose Threat detection from the menu in ELC), upload the generated zip archive to a safe location and pm me a download link.

Link to comment
Share on other sites

Hi Marcos.  Thanks for the quick reply.  The virus was triggered when she clicked on a link in an email (I know, I know :-) )  I restored the drive so all logs were lost.  This was with NOD32 2016 and I installed it about 2 weeks ago.  From what I've seen in a search, it's a .js file that downloads the locky executable.

Link to comment
Share on other sites

  • Administrators

The Locky executable was supposed to be detected. On my test machine, I had one week old modules, disabled even real-time protection but the latest Locky was still detected and blocked upon execution. I can check ELC logs anyways, at least to review the configuration and make sure that ESET is not misconfigured somehow.

Link to comment
Share on other sites

Hi Marcos,

I have noticed a funny trend in this forum: various people are complaining about a non-detection for this or that , only to get an answer from you than on your test machine everything has been detected.

See here:

 

Link to comment
Share on other sites

  • Administrators

1, In the first case the user probably didn't run it as it was detected only upon execution by AMS at that time.

2, The file was not detected when the user reported it but it was already detected when I replied in the forum.

3, The topic was about a vulnerability, not about detection of specific malware. It was not easily exploitable, at least not without admin rights. Plus on Windows 8.1 and newer, it was not possible to exploit it whatsoever because ESET kernel runs as a protected service on these systems.

Link to comment
Share on other sites

On ‎8‎/‎22‎/‎2017 at 3:11 AM, paulbf1 said:

Hi Marcos.  Thanks for the quick reply.  The virus was triggered when she clicked on a link in an email (I know, I know :-) )  I restored the drive so all logs were lost.  This was with NOD32 2016 and I installed it about 2 weeks ago.  From what I've seen in a search, it's a .js file that downloads the locky executable.

It's possible an exploit was involved. Is your system fully patched; both system and apps?

Also Eset ver. 10 has browser based javascript protection. Don't believe that applies to earlier Eset vers. though.

Also appears latest ver. of this malware is now using .vbs files.

Quote

After that, the Nemucod downloader – which speeds up Locky ransomware distribution –  connects to multiple domains from which it fetches the ransomware (sanitized for your online protection). Here’s just a few of them

https://heimdalsecurity.com/blog/locky-ransomware-new-lukitus-extension/

Also Nemucod scripts tend to be heavily obfuscated: http://www.kahusecurity.com/2016/deobfuscating-the-nemucod-downloader-script/

Edited by itman
Link to comment
Share on other sites

5 hours ago, itman said:

It's possible an exploit was involved

What about the dedicated anti-ransomware module, present in v10?

Shouldn't this module react somehow?

Link to comment
Share on other sites

1 hour ago, John Alex said:

What about the dedicated anti-ransomware module, present in v10?

OP will have to clarify what version of NOD32 he is using. He mentioned 2016 which I assume means ver. 9.

Also for ver. 10 ransomware to function properly, LiveGrid needs to be enabled.

Edited by itman
Link to comment
Share on other sites

Hi all,

We were using NOD Version 9.  The email was accessed with the AOL email web page - mail.aol.com via Firefox 54.0.1.  After the incident, I upgraded to V 10.

Link to comment
Share on other sites

  • Most Valued Members
4 hours ago, paulbf1 said:

Hi all,

We were using NOD Version 9.  The email was accessed with the AOL email web page - mail.aol.com via Firefox 54.0.1.  After the incident, I upgraded to V 10.

Yeah it's always best to use the latest version and the good thing with eset is that the licenses work with all versions of the product you purchase

Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...