08-15-2016 11:42 PM
How to block Vegclass@aol.com.XTBL Ransomware virus in Cisco ESA?
08-16-2016 04:34 AM
Hey John,
I would suggest the best option, if you have a sample, is to open a TAC case so we can escalate the new variants to the virus vendors being used, and also to the AMP engine available.
Else, may I ask what type of attachment this ransomware is within?
Perhaps a filter to stop certain filetypes may also help alleviate some concerns.
Regards,
Matthew
08-16-2016 09:48 PM
Hi Matthew,
How can we block those .xtbl extension files? We also experience this same scenario.
Best regards!
08-16-2016 09:49 PM
Hello ccg-security,
As the extension is not a supported filetype on the ESA, I would recommend the attachment filename rule be used to stop this type of file extension by its naming convention.
Regards,
Matthew
08-16-2016 09:55 PM
08-16-2016 09:58 PM
Hello ccg-security,
I would generally add a rule for this type of file via a content filter (or message filter):
Attachment File Info - Filename -> ends with -> (?i)\.xtbl
Action : drop/quarantine/strip by attachment filename -> (?i)\.xtbl
Then submit and apply this filter to your setup and commit.
Essentially any email containing an attachment whose name ends in the .xtbl extension will be actioned by your filter.
Regards,
Matthew
08-16-2016 09:59 PM
Hi Matthew,
Thank you very much for this. We will try this later on our end via the GUI and update you if it works.
Thank you and best regards!
08-16-2016 11:33 PM
Hi Matthew,
How can we track the Vegclass ransomware in message tracking? Hope for your prompt response.
Thank you!
08-17-2016 08:36 AM
08-18-2016 02:20 AM
Hi Libin,
Thank you for providing the capture screenshot. We already filtered based on the .xtbl attachment but it failed. I think that it didn't pass through the IronPort. McAfee Endpoint will do the isolation of the malware.
We also block .xtbl files in incoming and outgoing messages in case it passes through the IronPort.
Thank you and best Regards!
08-30-2016 12:22 PM
I'm sorry for my English. I'm using Google Translate. I am Brazilian and work in enterprise network management.
I was attacked last weekend (27/08/2016) overnight.
Some information that can help understand how the virus works:
This .xtbl extension is created on the attacked machine itself. The program that does this is a normal .exe; after this application is on the machine being infected, a parameter to run it (.exe file name) is created, and only after this is done do the files start to be encrypted and gain the .xtbl extension.
So in my opinion, blocking incoming files of that type at the firewall will not do anything.
I hope I have helped.
08-30-2016 12:35 PM
Hello
We could use the exe file sample to update the Sophos signatures to ensure future instances are avoided, also content and message filters can be configured to block .exe filenames.
Libin
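Bringing together Matthew's "ends with (?i)\.xtbl" attachment filename rule and Libin's note that .exe filenames can be blocked the same way, here is how the two checks can be written as ESA message filters. This is an added example, not a filter from the thread or from Cisco; the filter names, the "Policy" quarantine and the executable extension list are assumptions, and the syntax should be checked against the message filter reference for your AsyncOS version.

```text
quarantine_xtbl_attachments:
if (attachment-filename == "(?i)\\.xtbl$")
{
    log-entry("Attachment name matched .xtbl: $MatchedContent");
    quarantine("Policy");
}

strip_executable_attachments:
if (attachment-filename == "(?i)\\.(exe|scr|com|bat)$")
{
    log-entry("Executable attachment stripped from message sent by $EnvelopeFrom");
    drop-attachments-by-name("(?i)\\.(exe|scr|com|bat)$", "Executable attachment removed by policy");
}
```

The first filter only catches files already renamed on an infected host (for example mail sent from a victim), which is why the later post says the .xtbl rule alone does nothing against the dropper; the second filter addresses the executable that does the encrypting, and the log-entry lines give message tracking something to search for.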
09-29-2016 01:17 PM
Hello,
Did you manage to decrypt your files?
AdolfoPD@yahoo.com.br
11-16-2016 01:17 PM
Hi to all, I can help with your xtbl encrypted files. Please send a few of your encrypted files (pdf, doc, xls files are preferable) to my email address, mcerdem82@yahoo.com