Locky

[Mike45 1]

HI,

how to block process that create .locky files

HIPS seems not working for this

thanks

[MrWrighty 5]

You need to find the source process that is running and kill it, then remove tmp files in the users account.

 

Customer of mine just been hit big time, encrypted 58000 Files. According to Eset it should also delete all VSS shadow copies but that doesn't seem to have happen as I am able to restore from previous versions.

[Gonzalo Alvarez 65]

Hi @Mike45,

 

ESET Live Grid should be active to ensure protection against new waves of threats,

also keeping the ESET in latest version help too.

 

Check your ESET config.

[Mike45 1]

i've already the latest version/definitions for sure

my eset config is ok

my question is : why when i ask eset (in hips) to block files it doesn't work

[Marcos 3,634]

my question is : why when i ask eset (in hips) to block files it doesn't work

 

Could you please clarify what you mean? Did you create a block HIPS rule and it didn't work, ie. it failed to block a particular file ?

[Mike45 1]

yes, i've test many rules, nothing work

is there anyone that could make it work ?

[Marcos 3,634]

I'm sorry but it's still not clear what you're trying to achieve. What exactly doesn't work? Please clarify.

[Mike45 1]

i want to block/disable .locky files creation/rename

like this :
hxxp://www.netstaff.fr/blog/?p=768

Edited March 18, 2016 by Mike45

[toxinon12345 32]

HIPS is for geek users.

It seems you must use the notation HKEY_USERS rather than HKEY_CURRENT_USER.

Edited March 19, 2016 by toxinon12345

[Mike45 1]

i don't speak about HKCU\Software\locky
but about .locky files (second screen capture)
 

[toxinon12345 32]

i speak about .locky files (second screen capture)

The only requirement is the 'drive:\' prefix

Anyway I'm not sure if that is recursive for all nested directory levels

[toxinon12345 32]

HIPS is for geek users.

I created a HIPS rule as a mitigation for the LOCKY threat (Filecoder):

---> Log enabled, notification enabled

---> Registry keys [blocked] for

√[Renaming]

√[Modify] operations

HKEY_USERS\*\software\LOCKY\*

Then make sure to remove any existing LOCKY regkey at that location

Edited March 19, 2016 by toxinon12345

[Mike45 1]

ok thanks

but how to block locky file creation ?

if i block this registry key, locky is totaly blocked ?

[toxinon12345 32]

We even could block application execution from %temp% folder.

Create a rule blocking application start for :

---> [userFolder]\appData\Local\Temp\svchost.exe

as far as I know, Locky writes to this path as part of its install

Edited March 19, 2016 by toxinon12345

[toxinon12345 32]

Ok, another plus would make a Directory tree Read-only.

For example, I designed my HD partition 'F:' as Read only by creating this rule:

Blocked file writes for:

This source app

----> [userFolder]\appData\Local\temp\svchost.exe

These file path

---> F:\*.*

So F: and any subfolder would be protected against Locky

Edited March 19, 2016 by toxinon12345

[Mike45 1]

i've not ask for this...w

why don't you answer correctly ? :/
block execution of temp .exe isn't a right solution for sur

create a partition for 300 computer ??

so i've just ask how to block creation of .locky files (block this extention in HIPS eset rules) because it does't do what i add

[macros 1]

well, there must be solution from eset for block .locky file creation.

why we should do trick from hips. what our antivirus for then?

[Mark Miller 0]

Hello my computer infected by ransomware. please guide me to remove !

[Marcos 3,634]

Hello my computer infected by ransomware. please guide me to remove !

 

If you are a paying user, submit the following stuff to samples@eset.com:

1, the output from ESET Log Collector (hxxp://support.eset.com/kb3466/)

2, examples of encrypted files (ideally some Office documents)

3, payment instructions

[karcer 0]

Is there a way toi recover the files with the now extension .locky For the most part I do not care for the files that were encrypted but there are a few that I would really like to have back.

[Marcos 3,634]

Unfortunately, files encrypted by Filecoder.Locky cannot be decrypted. As instructed above, feel free to provide me with the output from ESET Log Collector for a check to make sure that you have ESET configured for maximum protection.

[Mike45 1]

hxxp://www.lemondeinformatique.fr/actualites/lire-des-chercheurs-retrouvent-une-parade-contre-cryptoxxx-64828.html

[Marcos 3,634]

hxxp://www.lemondeinformatique.fr/actualites/lire-des-chercheurs-retrouvent-une-parade-contre-cryptoxxx-64828.html

 

This topic is about Locky, not about CryptProjectXXX which we at ESET can decode as well.