Analysis of Locky ransomware
-
Latest blog post from our threat research team on how Locky works:
http://www.webroot.com/blog/2016/02/22/locky-ransomware/
-
countdown until one of my users somehow clicks through all the things.
5...4...3...2...
-
I just changed the settings on my spam filter to remove all doc and docx from email.
If they need it, they will need to ask me to release it.
PDFs should be the main thing sent via email anyhow. Not saying those damned things are just riddled with security holes either though.
-
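An added example (not from the thread, and not Webroot's code) that does what the attachment-stripping post above describes, but on content rather than file extension: an Office 2007+ document is a ZIP container, and one that carries macros has a vbaProject.bin part inside it, so a macro-enabled file renamed to .docx is still caught while a PDF is let through. The sample attachments, the tiny constructed containers and the `classify_attachment`/`should_quarantine` names are illustration, not any real gateway's API.

```python
"""Classify e-mail attachments by what they contain, not by their extension.

Added example, not code from the thread. OOXML (Word/Excel/PowerPoint 2007+)
files are ZIP archives; a macro-enabled one contains a vbaProject.bin part.
Renaming evil.docm to evil.docx does not remove that part, so we look inside.
"""
import io
import zipfile

# ZIP entry names that mark an OOXML document as macro-enabled.
MACRO_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
# Legacy binary Office files (.doc/.xls/.ppt) are OLE2 compound files, not
# ZIPs; their macros cannot be seen this way, so they are treated as opaque.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def classify_attachment(filename: str, data: bytes) -> str:
    """Return 'pdf', 'ooxml', 'ooxml-macro', 'ole2', 'zip' or 'other'.
    The decision is made on the bytes; the filename is only carried along."""
    if data.startswith(b"%PDF-"):
        return "pdf"
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if not data.startswith(b"PK\x03\x04"):
        return "other"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return "other"
    if "[Content_Types].xml" not in names:
        return "zip"          # a plain ZIP, not an Office container
    if any(part in names for part in MACRO_PARTS):
        return "ooxml-macro"
    return "ooxml"


def should_quarantine(filename: str, data: bytes) -> bool:
    """Policy from the post above: hold anything that is, or could be, a
    Word/Excel document and release it on request; PDFs pass through."""
    return classify_attachment(filename, data) in {"ooxml-macro", "ooxml", "ole2"}


def make_sample_ooxml(with_macro: bool) -> bytes:
    """Build a minimal constructed .docx-like container (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder VBA blob
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed attachments: the first hides a macro behind a .docx name.
    samples = {
        "invoice.docx": make_sample_ooxml(with_macro=True),
        "report.docx": make_sample_ooxml(with_macro=False),
        "resume.pdf": b"%PDF-1.4\n%constructed\n",
    }
    for name, blob in samples.items():
        kind = classify_attachment(name, blob)
        print(f"{name:14} {kind:12} quarantine={should_quarantine(name, blob)}")
```

Legacy .doc/.xls files cannot be inspected for macros this way, so the policy holds them as opaque, which is the same "ask me to release it" rule the post applies to everything. Whether a given spam filter can run a content check like this depends on the product.
-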
@Nic said:
Latest blog post from our threat research team on how Locky works:
http://www.webroot.com/blog/2016/02/22/locky-ransomware/
Thanks for the info.
It's terrible: "networked drives it can find, even if they are unmapped" and "deletion of the Shadow Volume copies".
-
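An added example, not from the thread or the Webroot post, of the detection side of the "deletion of the Shadow Volume copies" point: a small process-creation log scan that flags the usual ways a Windows process deletes or starves shadow copies. The thread does not say which command Locky uses, so the patterns below (vssadmin delete shadows, vssadmin resize shadowstorage, wmic shadowcopy delete, Win32_ShadowCopy.Delete()) are assumed, and the log lines and their ts|user|image|cmdline format are constructed for the example.

```python
"""Flag shadow-copy deletion in process-creation logs.

Added example, not code from the thread. The command-line patterns are an
assumption about typical tooling, not something the thread states about Locky.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class ProcessEvent:
    ts: str
    user: str
    image: str      # path of the started executable
    cmdline: str    # command line as logged


# Constructed log format for this example: ts|user|image|cmdline
def parse_event(line: str) -> ProcessEvent:
    ts, user, image, cmdline = line.rstrip("\n").split("|", 3)
    return ProcessEvent(ts, user, image, cmdline)


# (rule name, pattern over the command line). Assumed typical commands;
# "vssadmin list shadows" is deliberately not matched, as admins run it.
RULES = [
    ("vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("vssadmin_resize_shadowstorage",   # shrinking storage also evicts copies
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bresize\s+shadowstorage\b", re.I)),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("powershell_win32_shadowcopy_delete",
     re.compile(r"win32_shadowcopy.*\.delete\(\)", re.I)),
]


def match_rules(cmdline: str) -> List[str]:
    """Names of every rule the command line trips (usually zero or one)."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def detect(lines) -> List[Tuple[str, str, str]]:
    """Return (timestamp, user, rule) for each event that trips a rule."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        for rule in match_rules(ev.cmdline):
            alerts.append((ev.ts, ev.user, rule))
    return alerts


# Constructed sample log: one benign vssadmin call, one unrelated service
# start, then three different ways of removing the shadow copies.
SAMPLE_LOG = [
    "2016-02-23T09:14:02|CORP\\jdoe|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe list shadows",
    "2016-02-23T09:14:05|CORP\\jdoe|C:\\Windows\\System32\\svchost.exe|svchost.exe -k netsvcs",
    "2016-02-23T09:15:31|CORP\\jdoe|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe delete shadows /all /quiet",
    "2016-02-23T09:15:33|CORP\\jdoe|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic shadowcopy delete",
    "2016-02-23T09:15:40|CORP\\jdoe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|"
    "powershell.exe -c Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }",
]

if __name__ == "__main__":
    for ts, user, rule in detect(SAMPLE_LOG):
        print(f"{ts} {user}: {rule}")
```

The split on the fourth field keeps the rest of the line intact, so a PowerShell pipeline containing `|` still parses. Any hit on a workstation is worth treating as an incident in progress rather than a warning, since the shadow copies are what you would otherwise restore from.
-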
@Dashrender said:
I just changed the settings on my spam filter to remove all doc and docx from email.
If they need it, they will need to ask me to release it.
PDFs should be the main thing sent via email anyhow. Not saying those damned things are just riddled with security holes either though.
Isn't it easier to disable macros in Word? I've never known anyone ever use macros in Word (Excel, yes, Word, no).
-
@iroal said:
It's terrible: "networked drives it can find, even if they are unmapped" and "deletion of the Shadow Volume copies".
I assume that's local ones only; people with their mapped drives protected by VSS would still be okay, for the moment.
-
What is the current thinking for the best practice to protect against this kind of stuff?
At the beginning, simply not mapping drives was enough, but obviously the malware evolves.
I mean, what do we think is the final step that will protect us now, and as far into the future as we can see?
-
@Carnival-Boy said:
@Dashrender said:
I just changed the settings on my spam filter to remove all doc and docx from email.
If they need it, they will need to ask me to release it.
PDFs should be the main thing sent via email anyhow. Not saying those damned things are just riddled with security holes either though.
Isn't it easier to disable macros in Word? I've never known anyone ever use macros in Word (Excel, yes, Word, no).
Easier? I'd say it's a wash. As for using macros in Word, yeah, you're probably right. I don't know of anyone around here who uses them.
And for exactly that reason you mention (Excel, yes, Word, no) I don't understand why they didn't do this in Excel instead. lol
-
@Dashrender said:
And for exactly that reason you mention (Excel, yes, Word, no) I don't understand why they didn't do this in Excel instead. lol
Counter-intuitivism.
NO ONE would look in a Word Macro! Ha ha ha.
-
@BRRABill said:
What is the current thinking for the best practice to protect against this kind of stuff?
At the beginning, simply not mapping drives was enough, but obviously the malware evolves.
I mean, what do we think is the final step that will protect us now, and as far into the future as we can see?
The use of things like ownCloud and SharePoint puts a huge dent in these types of things. If you have versioning turned on in both, you really mitigate the problem altogether in those spots.
The problem is the local syncing. Those files will act and appear just like normal files on the endpoint, and be subject to this problem.
I can think of no way around this on local files.
-
@BRRABill said:
@Dashrender said:
And for exactly that reason you mention (Excel, yes, Word, no) I don't understand why they didn't do this in Excel instead. lol
Counter-intuitivism.
NO ONE would look in a Word Macro! Ha ha ha.
Eh? By default you still have to tell it to enable macros to run the crap. That should be a huge red flag.
-
@Dashrender said:
The use of things like ownCloud and SharePoint puts a huge dent in these types of things. If you have versioning turned on in both, you really mitigate the problem altogether in those spots.
With SharePoint, only with Microsoft files.
-
@Dashrender said:
Eh? By default you still have to tell it to enable macros to run the crap. That should be a huge red flag.
You don't think people have that security setting turned off because they got tired of seeing it?
-
One of my clients, who has the WORST EHR on the planet, uses macros in Word, which have to be enabled by default, and it's very insecure. Anyway... I've warned them of this disease, and will filter out doc/docx.
-
@Dashrender said:
The problem is the local syncing. Those files will act and appear just like normal files on the endpoint, and be subject to this problem.
I can think of no way around this on local files.
It's getting to the point where I am going to have to cave and agree 100% with SAM that the only safe thing is having NO local files.
But that just causes so many issues, like backup. I'd love to just throw everything in OneDrive but then if I inadvertently overwrite something (or Microsoft inadvertently messes something up) I have some issues.
-
@BRRABill said:
@Dashrender said:
The problem is the local syncing. Those files will act and appear just like normal files on the endpoint, and be subject to this problem.
I can think of no way around this on local files.
It's getting to the point where I am going to have to cave and agree 100% with SAM that the only safe thing is having NO local files.
But that just causes so many issues, like backup. I'd love to just throw everything in OneDrive but then if I inadvertently overwrite something (or Microsoft inadvertently messes something up) I have some issues.
You still need backup. Having files offsite does not resolve that issue.
-
@BRRABill said:
@Dashrender said:
The use of things like ownCloud and SharePoint puts a huge dent in these types of things. If you have versioning turned on in both, you really mitigate the problem altogether in those spots.
With SharePoint, only with Microsoft files.
Eh? You can store anything you want in SharePoint, and versioning should work just fine with those too; it just won't be incremental, it will be whole files.
-
Ha maybe this will put an end to recruiting agencies wanting you to send your resume as a Word file.
I spoke with one recently who wanted me to send my resume as a Word file so she could "copy the information out of it." The resume she had was a PDF... I don't trust them if they want a docx file.
-
@JaredBusch said:
@BRRABill said:
@Dashrender said:
The problem is the local syncing. Those files will act and appear just like normal files on the endpoint, and be subject to this problem.
I can think of no way around this on local files.
It's getting to the point where I am going to have to cave and agree 100% with SAM that the only safe thing is having NO local files.
But that just causes so many issues, like backup. I'd love to just throw everything in OneDrive but then if I inadvertently overwrite something (or Microsoft inadvertently messes something up) I have some issues.
You still need backup. Having files offsite does not resolve that issue.
Just tossing this out there - Scott's suggestion isn't about offsite files, it's just about not being local on the machine.
-
I'm wondering though: do most people use ownCloud (OK JB, I can learn) with synced folders? Does ownCloud have versioning?
Using synced folders like OneDrive or ODfB removes the safety that those solutions otherwise provide.