cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2837
Views
0
Helpful
16
Replies

Vegclass@aol.com.XTBL Ransomware virus

John
Level 1
Level 1

How to block Vegclass@aol.com.XTBL Ransomware virus in Cisco ESA?

16 Replies 16

Mathew Huynh
Cisco Employee
Cisco Employee

Hey John,

I would suggest the best option is if you have a sample, to open a TAC case so we can escalate the new variants to the Virus vendors being used, and also to the AMP engine available.

Else may i ask what type of attachment is this ransomware within?

Perhaps a filter to stop certain filetypes may also help alleviate some concerns.

Regards,

Matthew

HI Matthew,

How can we block those extension xtbl files? we also experience this same scenario also.

Best regards!

Hello ccg-security,

As the extension is not a supported filetype on the ESA - I would recommend the attachment filename rule to be used to stop this type of file extension by its naming convention.

Regards,

Matthew

Hi Matthew,

Please see screenshot for your review. Hope we can block this on ironport.

Best Regard!

Hello ccg-security,

I would generally add in for this type of file via a content filter (or message filter)

Attachment File Info - Filename -> ends with -> (?i)\.xtbl

Action : drop/quarantine/strip by attachment filename -> (?i)\.xtbl

Then submit and apply this filter to your setup and commit.

Essentially any emails containing attachment that ends in extension .xtbl wil lbe actioned by your filter.

Regards,

Matthew

Hi Matthew,

Thank you very much for this. We will try this later on our end via GUI and update you if its work.

Thank you and best regards!

Hi Matthew,

How can we track in message tracking on ransomeware Vegclass? Hope for your prompt response.

Thank you!

Hi,

You can use the advanced message tracking search options to look for emails with certain types of attachments.

Please see screenshot.

Regards,

Libin

Hi Libin,

Thank you for providing the capture screenshot. We already filtered based on .xtbl attachment but failed. I think that it didn't pass through the ironport. Mcafee endpoint will do the isolation about the malware.

We also block .xtbl files from incoming and outgoing messages in case it passess through the ironport.

Thank you and best Regards!

Andreas2016
Level 1
Level 1

I'm sorry for my english. I'm using google translator. I am Brazilian and work with enterprise network management that work.

I was attacked on the last weekend (27/08/2016) overnight.

Some information that can help understand how the virus works.
This .xtbl estenção is created in the own attack machine, the program that does this is a normal .exe, after this application be in your being infected is created parameter to run (.exe file-name) only after this is done the files start to be encrypted and gain .xtbl estensão.

So in my opinion, will not do anything to block the input files of that type in the firewall.

I have helped.

Hello

We could use the exe file sample to update the Sophos signatures to ensure future instances are avoided, also content and message filters can be configured to block .exe filenames.

Libin

Olá,

Conseguiu descriptografar seus arquivos?

AdolfoPD@yahoo.com.br

hi to all, i can help for your xtbl encrypted files, pls send me your few encrypted files (pdf, doc, xls files are preferable) to my email address, mcerdem82@yahoo.com

hi to all, i can help for your xtbl encrypted files, pls send me your few encrypted files (pdf, doc, xls files are preferable) to my email address, mcerdem82@yahoo.com....