03-09-2016 07:28 PM
We would like to request your assistance regarding this type of virus, which infected our file server and some of our workstations. We would like to know why IronPort did not detect this type of encrypted virus.
03-09-2016 07:46 PM
Locky IDE definitions are covered on the ESA via Sophos libraries:
ESA updated Sophos IDEs --->
'Rans-Cgw.Ide' Virus Sig. - 17 Feb 2016 02:35:03
Other IDEs associated with Troj/DocD* are --->
'Docd-Bcs.Ide' Virus Sig. - 17 Feb 2016 14:30:26
'Docd-Bcq.Ide' Virus Sig. - 17 Feb 2016 09:50:51
Currently these are the tagged IDEs, so this may change in future, but the variant should be within the same class/IDE range and will be incremented when updated.
If you feel this was missed, please review the email and attachments by which this may have been delivered via your appliance's message tracking details. Ensure that Sophos is enabled and scanning for the policy this was processed through. If there are doubts and it is warranted, please open a support case to help review where and why Locky would have been missed. We would prefer that you have a copy of the attachment/payload and provide it to an engineer once a case is opened, in a password-protected zip file sent to Cisco, so that we can review it directly with Sophos.
https://supportforums.cisco.com/discussion/12918916/locky
-Robert
03-14-2016 03:33 PM
Also keep in mind that Locky is commonly being passed around in Microsoft Word documents with macros containing malicious links. So the virus itself is not going through the ESA, just a dropper file that, when opened, has a macro that pulls it through your firewall/web filtering solution.
Just something to consider, although if you point out the dropper file, I'm sure Cisco's team will be able to identify enough to block it for others. AMP and other advanced malware products are more adept at finding these than definition-based Sophos/McAfee for this reason. Not saying they are not important, but both types of anti-malware have a purpose.
Finally, training the human will always be important for the ones that get through. My favorite tool, which has been successful, is sending similar phishing simulation e-mails to my users; if they fall for one, they get immediate training after clicking the link.
03-14-2016 03:37 PM
Paul,
You can't drop a tidbit like that and not name names! Especially when it's a GOOD review.
What's your favorite phishing training tool?
Ken
03-14-2016 03:57 PM
Ha ha yeah,
I wish Cisco had a "tool for this," but if they did it might be kind of like KnowBe4, which also includes some awareness training. I have also used Metasploit Pro, and there are a couple of tools that are free to use (meaning you need to do more work on your side).
I think I posted about this in the past: I actually send the e-mail from KnowBe4, and they have a header in their e-mails so I can filter inbound (for counting stats) and filter outbound (unencrypted, of course) when users try to report the phishing e-mails. I then use my policy quarantines in the ESA to see who has been good. Although now KnowBe4 has added the ability to track reported phishing e-mails too, so you can get credit for your trained/good users.
If they report real phishing e-mails, then these will continue to go to Cisco as normal. Either way, I send a reply e-mail to thank the users for reporting a potentially phishy e-mail.
03-14-2016 04:03 PM
One more thing I wanted to point out: because these are coming via macros in Microsoft Word documents, you may want to check out this post (block-office-documents-containing-macros) and create a message and content filter to monitor, and maybe even quarantine, files with macros until someone double-checks to make sure they are not malicious (if there are not too many).
Locky has really taken something legitimate and turned it evil, so this is a hard pill to swallow for some organizations, but don't accept macro documents via e-mail or web from external sources. This is just going to be the way of life going forward, or all your files will be encrypted.
I think the average number of systems infected by Locky per day right now is 90,000. I also recommend considering filtering other file types commonly used to script things, such as .js, more.
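Both of Paul's posts above (the macro dropper mechanism, and the suggestion to quarantine any attachment that carries macros rather than waiting for a signature) come down to one check: does this attachment contain a VBA project? The script below is an added example of that check, written for this thread; it is not code from the original posts, from KnowBe4, or from Cisco's ESA, and it does not use the ESA filter syntax. It inspects the attachment bytes rather than the file extension, since droppers are routinely mailed as a macro-enabled document renamed to `.docx` or wrapped in a `.zip`. OOXML detection (the `vbaProject.bin` part inside the zip container) is exact; legacy OLE (`.doc`/`.xls`) detection is a marker heuristic, noted in the comments. The sample message, sender addresses and filenames are constructed for the demonstration.

```python
"""Flag e-mail attachments that carry VBA macros (OOXML or legacy OLE).

Added example for the thread above; not ESA filter code.
"""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"  # CFBF header: .doc/.xls/.ppt
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML container or plain zip
# Directory-entry names of a VBA project inside a CFBF file are stored as
# UTF-16LE. Substring search is a heuristic, not a full CFBF parse.
OLE_VBA_MARKERS = [s.encode("utf-16-le") for s in ("_VBA_PROJECT", "Macros")]
MAX_DEPTH = 2          # archives nested in archives: how deep to look
MAX_MEMBER = 20_000_000  # skip members larger than this (zip-bomb guard)


def has_macros(data: bytes, depth: int = 0) -> bool:
    """True if data is an Office document with a VBA project, or a zip
    archive that contains one within MAX_DEPTH levels of nesting."""
    if data.startswith(OLE_MAGIC):
        return any(m in data for m in OLE_VBA_MARKERS)
    if not data.startswith(ZIP_MAGIC):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            lowered = [n.lower() for n in zf.namelist()]
            # OOXML container: a VBA project is always a vbaProject.bin part
            # (word/, xl/ or ppt/), whatever the outer file extension says.
            if "[content_types].xml" in lowered:
                return any(n.endswith("vbaproject.bin") for n in lowered)
            # Plain zip: recurse into members, bounded by depth and size.
            if depth >= MAX_DEPTH:
                return False
            for info in zf.infolist():
                if info.is_dir() or info.file_size > MAX_MEMBER:
                    continue
                if has_macros(zf.read(info), depth + 1):
                    return True
    except (zipfile.BadZipFile, RuntimeError):
        # Corrupt or password-protected archive: cannot be scanned. A real
        # filter should treat "unscannable" as its own policy outcome.
        return False
    return False


def scan_message(raw: bytes) -> dict:
    """Map each attachment filename to whether it carries macros."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        payload = part.get_payload(decode=True) or b""
        findings[name] = has_macros(payload)
    return findings


# --- constructed sample data (not real malware) ---------------------------

def _ooxml(with_macro: bool) -> bytes:
    """Minimal OOXML-shaped zip; with_macro adds a word/vbaProject.bin part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", OLE_MAGIC + b"\0" * 64)
    return buf.getvalue()


def _zip_of(name: str, data: bytes) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, data)
    return buf.getvalue()


def build_sample_message() -> bytes:
    """A constructed invoice-lure message with four attachments."""
    msg = EmailMessage()
    msg["From"] = "invoices@example.net"
    msg["To"] = "ap@example.com"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached invoice.")
    # Extensions deliberately lie: a .docm renamed to .docx must still be caught.
    msg.add_attachment(_ooxml(True), maintype="application",
                       subtype="octet-stream", filename="invoice.docx")
    msg.add_attachment(_ooxml(False), maintype="application",
                       subtype="octet-stream", filename="terms.docx")
    msg.add_attachment(_zip_of("invoice.docm", _ooxml(True)),
                       maintype="application", subtype="zip",
                       filename="invoice.zip")
    fake_doc = OLE_MAGIC + b"\0" * 512 + "Macros".encode("utf-16-le") + b"\0" * 64
    msg.add_attachment(fake_doc, maintype="application",
                       subtype="msword", filename="old.doc")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, flagged in scan_message(build_sample_message()).items():
        print(f"{name:14s} macros={'yes' if flagged else 'no'}")
```

Run against the sample, it flags `invoice.docx`, `invoice.zip` and `old.doc` and clears `terms.docx`. The same logic is what a "quarantine until someone double-checks" filter needs at the gateway: key on content, not extension; recurse into archives; and decide explicitly what to do with archives you cannot open, since a password-protected zip with the password in the message body is a standard way to get a dropper past content inspection.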