paulbf1 Posted August 22, 2017
Lukitus is a variant of the Locky ransomware. My wife got hit today and it was missed by NOD32. Unfortunately it was linked to a Bank of America email that's a former employer. Encrypts the files with a .lukitus extension. Fortunately, we have backups.
Marcos (Administrators) Posted August 22, 2017
The latest variant of Locky was detected even with an outdated detection engine. When I executed it on a computer where ESET had not been updated for 1 week, it was detected in memory and blocked:

Time;Scanner;Object type;Object;Threat;Action;User;Information;Hash;First seen here
8/22/2017 8:45:42 AM;unknown;file;Operating memory » C:\Documents and Settings\Administrator\Desktop\a.exe;a variant of Win32/Filecoder.Locky.L trojan;cleaned by deleting;

It could be that an attacker remoted in via RDP, disabled ESET and then ran the ransomware. If you would like to investigate it, collect logs with ELC (choose Threat detection from the menu in ELC), upload the generated zip archive to a safe location and PM me a download link.
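An added example, not code from the thread or from ESET: a small triage script for the semicolon-separated "Detected threats" export format quoted above. It parses the records, groups them by threat family, and flags ransomware (ESET's "Filecoder" prefix), detections that happened in operating memory (i.e. at execution time rather than on disk), and any object whose action did not neutralize it. The first sample record is the one from the post; the other two records and their threat names are constructed for illustration.

```python
import csv
import io
from collections import Counter

# Constructed sample of an ESET "Detected threats" export in the layout
# quoted in the post above. The first record is the one from the post; the
# other two (and their variant names) are made up for illustration.
SAMPLE_LOG = r"""Time;Scanner;Object type;Object;Threat;Action;User;Information;Hash;First seen here
8/22/2017 8:45:42 AM;unknown;file;Operating memory » C:\Documents and Settings\Administrator\Desktop\a.exe;a variant of Win32/Filecoder.Locky.L trojan;cleaned by deleting;
8/22/2017 8:40:12 AM;unknown;file;C:\Users\user\Downloads\invoice.js;JS/TrojanDownloader.Nemucod.ABC trojan;cleaned by deleting;
8/22/2017 8:52:03 AM;unknown;file;C:\Users\user\Downloads\report.docm;VBA/TrojanDownloader.Agent.XYZ trojan;retained;
"""

# ESET names file-encrypting ransomware with the "Filecoder" family prefix,
# as in the Locky record above.
RANSOMWARE_PREFIX = "Filecoder"
# Actions that mean the object was neutralized rather than left in place.
NEUTRALIZED = ("cleaned", "deleted", "blocked", "quarantined")


def parse_eset_detections(text):
    """Return one dict per record; short rows get empty trailing fields."""
    reader = csv.DictReader(io.StringIO(text), delimiter=";", restval="")
    return [row for row in reader if row.get("Time")]


def threat_family(record):
    """'a variant of Win32/Filecoder.Locky.L trojan' -> 'Filecoder.Locky'."""
    name = record["Threat"].split("/", 1)[-1].split(" ")[0]
    return ".".join(name.split(".")[:2])


def triage(records):
    """Summarize what a responder wants to know first from the export."""
    families = Counter(threat_family(r) for r in records)
    return {
        "families": dict(families),
        "ransomware": sorted({threat_family(r) for r in records
                              if threat_family(r).startswith(RANSOMWARE_PREFIX)}),
        # 'Operating memory' objects were caught at execution, not on disk.
        "caught_in_memory": [r["Object"] for r in records
                             if r["Object"].startswith("Operating memory")],
        "unresolved": [r["Object"] for r in records
                       if not r["Action"].lower().startswith(NEUTRALIZED)],
    }


if __name__ == "__main__":
    for key, value in triage(parse_eset_detections(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```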
paulbf1 (Author) Posted August 22, 2017
Hi Marcos. Thanks for the quick reply. The virus was triggered when she clicked on a link in an email (I know, I know :-) ). I restored the drive so all logs were lost. This was with NOD32 2016 and I installed it about 2 weeks ago. From what I've seen in a search, it's a .js file that downloads the Locky executable.
Marcos (Administrators) Posted August 22, 2017
The Locky executable was supposed to be detected. On my test machine, I had one-week-old modules and disabled even real-time protection, but the latest Locky was still detected and blocked upon execution. I can check ELC logs anyway, at least to review the configuration and make sure that ESET is not misconfigured somehow.
novice Posted August 23, 2017
Hi Marcos, I have noticed a funny trend in this forum: various people are complaining about a non-detection for this or that, only to get an answer from you that on your test machine everything has been detected. See here:
Marcos (Administrators) Posted August 23, 2017
1. In the first case the user probably didn't run it, as it was detected only upon execution by AMS at that time.
2. The file was not detected when the user reported it, but it was already detected when I replied in the forum.
3. The topic was about a vulnerability, not about detection of specific malware. It was not easily exploitable, at least not without admin rights. Plus on Windows 8.1 and newer, it was not possible to exploit it whatsoever because the ESET kernel runs as a protected service on these systems.
itman Posted August 23, 2017 (edited)
On 8/22/2017 at 3:11 AM, paulbf1 said: Hi Marcos. Thanks for the quick reply. The virus was triggered when she clicked on a link in an email (I know, I know :-) ) I restored the drive so all logs were lost. This was with NOD32 2016 and I installed it about 2 weeks ago. From what I've seen in a search, it's a .js file that downloads the locky executable.
It's possible an exploit was involved. Is your system fully patched, both system and apps? Also Eset ver. 10 has browser-based JavaScript protection. Don't believe that applies to earlier Eset vers. though. Also appears latest ver. of this malware is now using .vbs files.
Quote: "After that, the Nemucod downloader – which speeds up Locky ransomware distribution – connects to multiple domains from which it fetches the ransomware (sanitized for your online protection). Here's just a few of them" https://heimdalsecurity.com/blog/locky-ransomware-new-lukitus-extension/
Also Nemucod scripts tend to be heavily obfuscated: http://www.kahusecurity.com/2016/deobfuscating-the-nemucod-downloader-script/
Edited August 23, 2017 by itman
itman Posted August 23, 2017
Also how was this e-mail accessed; via browser or in an e-mail client?
novice Posted August 23, 2017
5 hours ago, itman said: It's possible an exploit was involved
What about the dedicated anti-ransomware module, present in v10? Shouldn't this module react somehow?
itman Posted August 23, 2017 (edited)
1 hour ago, John Alex said: What about the dedicated anti-ransomware module, present in v10?
OP will have to clarify what version of NOD32 he is using. He mentioned 2016 which I assume means ver. 9. Also for ver. 10 ransomware to function properly, LiveGrid needs to be enabled.
Edited August 23, 2017 by itman
paulbf1 (Author) Posted August 24, 2017
Hi all, we were using NOD Version 9. The email was accessed with the AOL email web page, mail.aol.com, via Firefox 54.0.1. After the incident, I upgraded to V 10.
peteyt (Most Valued Members) Posted August 24, 2017
4 hours ago, paulbf1 said: Hi all, We were using NOD Version 9. The email was accessed with the AOL email web page - mail.aol.com via Firefox 54.0.1. After the incident, I upgraded to V 10.
Yeah, it's always best to use the latest version, and the good thing with ESET is that the licenses work with all versions of the product you purchase.