Locky

[jimwillsher 65]

One of our users got hit by a locky variant yesterday, which completely escaped detection by EEA 6.3.2016. It's encrypted all the local files on the PC and we only knew there was a problem when it started to process the shared drives.

 

Needless to say that PC now needs a wipe & reinstall - not handy when it's 300 miles away.

 

I was surprised that EEA didn't even bat an eyelid. Even the basic test of the creation of files with a .locky suffix should have set the alarm bells ringing, no?

 

Is it really only EES that can protect against these encoder-type attacks? We've 180 licenses so it's a significant cost to upgrade EEA to EES, and we have no need for EES's anti-spam (we have an existing solution) or web control (we have an existing solution) or device control (we just have no need for that). So it seems the majority of the EES features are of no use for us, other than the claimed ability to detect encoders.

 

Advice please?

 

Many thanks

 

 

Jim

[Marcos 5,070]

Please email samples[at]eset.com and provide us with the output from ESET Log Collector as per the instructions at hxxp://support.eset.com/kb3466/ for further analysis. Before collecting logs, select "Recently quarantined files" as well. Although Endpoint Security can block malicious communication at the network level to prevent encryption (the feature will be implemented to EAV/EEA within a couple of months as well), Endpoint Antivirus also utilizes mechanisms like HIPS, Advanced Memory Scanner and Exploit Blocker to detect and recognize new malware. Of course, no matter what AV is used and what protection mechanisms are employed, there's still slim chance that malware could make it through all protection layers which is why users should be educated not to click on everything or open any suspicious attachment.

[jimwillsher 65]

Thanks Marcos. Yes we have one or two users who seem to have had a "common sense bypass". At least fifty of our users received the dodgy email yesterday, but only one person opened it.

 

We have the PC quarantined at the moment and it's remote, so I'll get somebody to connect it to an isolated environment that I can access remotely, and then I'll gather the logs. I will also try to get the offending email attachment.

 

Great to hear that this extra protection will come to EEA though.

 

 

Jim

[lemahasta 0]

Same thing happend yesterday in our company. We have eset endpoint security v.6.  Few copies of same mailicious e-mail were received by employees. (.zip attachment). One of them opened (said that "accidentaly, mouse slipped..." and in roughly 3 minutes user's PC and most of the network share files, that this user  had "write" access to ,were encrypted with .LOCKY file extensions and in each folder created .txt file with "instructions" how to get decryption key,

 

I tested it with free AVAST, it correctly responded and blocked threat immediately.

 

Infected PC is physically isolated now, today it will be reviewed, what state it is in and local eset logs will also be reviewed.

[Marcos 5,070]

Please supply us with the output from ESET Log Collector (hxxp://support.eset.com/kb3466/) for further analysis. Before you start collecting logs, also select "Recently quarantined files" in the list. Although the java script downloaders are detected by hardly any vendor when a spam campaigns start, the payload should be blocked fine, at least from what I can tell from js files that we receive from users. We'd need the logs to determine what actually happened on a particular computer and why.

 

Also I wonder how Avast detected it as none of the popular vendors detect new variants (at least not during on-demand scans):

 

AhnLab-V3 Trojan/Win32.Locky 20160317
Qihoo-360 QVM20.1.Malware.Gen 20160317
Rising PE:Malware.XPACK-HIE/Heur!1.9C48 [F] 20160317

 

As for prevention against Nemucod downloaders, you may want to create a HIPS rule that will block execution of the system file C:\Windows\System32\wscript.exe provided that you don't need it to run other scripts.

[Marcos 5,070]

Another one:

 

File name: bgwc3kc
Detection ratio: 5 / 57

Baidu Win32.Trojan.WisdomEyes.151026.9950.9999 20160317
ESET-NOD32 a variant of Win32/Kryptik.ERQB 20160317
Malwarebytes Ransom.Locky 20160317
Qihoo-360 HEUR/QVM20.1.Malware.Gen 20160317
Rising PE:Malware.XPACK-HIE/Heur!1.9C48 [F] 20160317

[Marcos 5,070]

Another one:

Detection ratio:     5 / 57

 

AhnLab-V3 Win-Trojan/Lockycrypt.Gen 20160323
Baidu Win32.Trojan.WisdomEyes.151026.9950.9991 20160323
ESET-NOD32 a variant of Win32/Injector.CVCD 20160323
McAfee Ransomware-FHE!EC10753A4162 20160323
Qihoo-360 HEUR/QVM07.1.0000.Malware.Gen 20160323

[dao 0]

same here... locky encrypted every file ..

 

over 120 clients, 6 servers eset can´t help. tells me to apply backups.. happens.

 

thank you ESET, we will move to CYLANCE

[SweX 871]

thank you ESET, we will move to CYLANCE

 

Cylance vs. Symantec Endpoint and ESET Endpoint. By AV-Comparatives & MRG Effitas

https://forum.eset.com/topic/7924-cylance-vs-symantec-endpoint-and-eset-endpoint-by-av-comparatives-mrg-effitas/

 

Yes, backups are good to have not only when it comes to ransomware, to be on the safe side.

[Gonzalo Alvarez 66]

Hi @dao,

 

If you are a IT security or SysAdmin you should know that "keep thing safe/secure" is a bunch of things

and some daily things.

 

I'm not inventing the wheel here, just pointing which will be the "basics".

 

"Bunch of things":

• Automatic software protection (AKA: Antivirus and all suite related)
• Operating systems up-to-date (really necessary)
• Installed software up-to-date (yes! this in some cases is totally forgotten)
• Backup (even if board says you don't need it, convince them to you are saving a lot of money doing it)
• redundancy backup (2º and 3º backups? yes, in a separated way Better!)
• Company policy (pendrives, web control, etc, etc "parental control" if you want)
• user education (again you will save money and headache here)
• Create automatic process (yes, you will use a lot of time to save time and headaches from the future)
• IT knowledge enhancement (you can always learn about latest tech and software to improve your job/life etc)

The compensation for this work and other things are not mention or discuss here, just the things you

is good to do when you are in charge of company security.

Perhaps I forget to mention somethings, anyone feel free to add if you want.

[Marcos 5,070]

same here... locky encrypted every file ..

over 120 clients, 6 servers eset can´t help. tells me to apply backups.. happens.

thank you ESET, we will move to CYLANCE

 

Our users with the latest version of products and LiveGrid enabled haven't had issues with Locky encryption. I can hardly remember seeing any such support ticket or reports here in the forum. If encryption occurred, it's always been caused by a problem on user's end (unprotected machines in the network, old version of ESET, LiveGird or other protection features disabled, misconfigured ESET product, etc.). I'd strongly recommend having an ESET personnel review your configuration and logs to find out what happened.

 

Speaking about Cylance, I assume it's the company mentioned here: https://malwaretips.com/threads/virustotal-policy-change-may-2016.59586/.

[jimwillsher 65]

Hi Marcos

 

When you say "latest version of products and LiveGrid enabled", could you clarify please? is that the 8.x or 9.x consumer stream or the 6.3.x business stream? As I understand it, 6.3.2016 is the latest business version (EEA), and it doesn't currently have the network-level encryption-style virus support - that was due to be forthcoming. Or am I mistaken?

 

Many thanks

 

 

Jim

[henri2398 0]

Locky ransomware is a very dangerous malware that can easily lock down victim PC. Here you will get to know that Ivan Kwiatkowski – a security expert has tricked a tech support scammer into installing Locky ransomware. Check out the conversation and how he deal with the tech support scammer and what you should do when you receive any fake tech support call.

Edited December 31, 2016 by Marcos
A link to dubious app removed