Analysis of Locky ransomware
-
@aaron
Awesome info. That might just be the solution.
-
Look what hit my quarantine.
So I delivered it.
OMG! I owe them $298,39
Wait what? comma 39 cents? What the f[moderated] is that.
This is an admin email account at a client. If the admin account has it, it is only time before someone does all the things.
-
this is why I turned off Doc and DOCX files via the spam filter.
-
@Dashrender said:
this is why I turned off Doc and DOCX files via the spam filter.
What if your users legitimately need those files?
-
@BRRABill said:
@Dashrender said:
this is why I turned off Doc and DOCX files via the spam filter.
What if your users legitimately need those files?
Much better ways to share documents than through email
-
-
@JaredBusch weird mix of USD and European notation there.
-
@BRRABill said:
@Dashrender said:
this is why I turned off Doc and DOCX files via the spam filter.
What if your users legitimately need those files?
Then I can white list them. Luckily - we rarely need those sent through email.
-
@BRRABill said:
@wirestyle22 said:
Much better ways to share documents than through email
Good point.
Actually - I would say not good point. What ways are you thinking? Drop Box? Google Drive? OneDrive, ODfB? etc - those are all horrible ways to share files because it's just as easy to get infected by them as it is by email.
Heck, the one person I know who got hit by Locky got it through DropBox. He got a notice it had been uploaded - he went and looked - he though HUH, it's odd that it's a word file, because normally it's a PDF - meh, whatever - click - infected!
It didn't help that the company used GPOs to remove the prompting about macros, so he didn't even have that protection. -
@Dashrender said:
Actually - I would say not good point. What ways are you thinking? Drop Box? Google Drive? OneDrive, ODfB? etc - those are all horrible ways to share files because it's just as easy to get infected by them as it is by email.
Heck, the one person I know who got hit by Locky got it through DropBox. He got a notice it had been uploaded - he went and looked - he though HUH, it's odd that it's a word file, because normally it's a PDF - meh, whatever - click - infected!
It didn't help that the company used GPOs to remove the prompting about macros, so he didn't even have that protection.It was more a ML concession. I just assumed there was an easy was in ODfB everyone was using I was unaware of.
For the most part file sharing like that is a PITA, especially for most users who have no idea. I have to get the file, and share it out, etc..
-
@Dashrender said:
@BRRABill said:
@wirestyle22 said:
Much better ways to share documents than through email
Good point.
Actually - I would say not good point. What ways are you thinking? Drop Box? Google Drive? OneDrive, ODfB? etc - those are all horrible ways to share files because it's just as easy to get infected by them as it is by email.
Heck, the one person I know who got hit by Locky got it through DropBox. He got a notice it had been uploaded - he went and looked - he though HUH, it's odd that it's a word file, because normally it's a PDF - meh, whatever - click - infected!
It didn't help that the company used GPOs to remove the prompting about macros, so he didn't even have that protection.I don't really do any local editing any more. Since I have Zoho I use Zoho Docs (doesn't really matter what service you use), but I use their online software. If I get it in an email, I can open it directly with their Docs apps and edit.
-
@johnhooks said:
@Dashrender said:
@BRRABill said:
@wirestyle22 said:
Much better ways to share documents than through email
Good point.
Actually - I would say not good point. What ways are you thinking? Drop Box? Google Drive? OneDrive, ODfB? etc - those are all horrible ways to share files because it's just as easy to get infected by them as it is by email.
Heck, the one person I know who got hit by Locky got it through DropBox. He got a notice it had been uploaded - he went and looked - he though HUH, it's odd that it's a word file, because normally it's a PDF - meh, whatever - click - infected!
It didn't help that the company used GPOs to remove the prompting about macros, so he didn't even have that protection.I don't really do any local editing any more. Since I have Zoho I use Zoho Docs, but I use their online software. If I get it in an email, I can open it directly with their Docs apps and edit.
This is something awesome about O365 and Google Apps as well.
-
@Dashrender said:
@johnhooks said:
@Dashrender said:
@BRRABill said:
@wirestyle22 said:
Much better ways to share documents than through email
Good point.
Actually - I would say not good point. What ways are you thinking? Drop Box? Google Drive? OneDrive, ODfB? etc - those are all horrible ways to share files because it's just as easy to get infected by them as it is by email.
Heck, the one person I know who got hit by Locky got it through DropBox. He got a notice it had been uploaded - he went and looked - he though HUH, it's odd that it's a word file, because normally it's a PDF - meh, whatever - click - infected!
It didn't help that the company used GPOs to remove the prompting about macros, so he didn't even have that protection.I don't really do any local editing any more. Since I have Zoho I use Zoho Docs, but I use their online software. If I get it in an email, I can open it directly with their Docs apps and edit.
This is something awesome about O365 and Google Apps as well.
Ya I've used both. I have a Microsoft account and an Office 365 account. The Office online stuff is nice, and same with Google Docs. I just use Zoho for mail so that makes sense for me.
-
This post is deleted! -
@Nic Sorry, I don't click on links
-
@aaronstuder said:
@Nic Sorry, I don't click on links
come on, it's just a little ransomware, that's all
-
@aaron said:
@aaron said:
Yes, Backblaze can help with ransomware.
To follow up, Backblaze was hit with CryptoWall on a corporate Windows machine. Not Locky... But I I think it's a better story to follow than my shorter answers.
If you'd like to read the unfortunate details and how it was recovered from backup https://www.backblaze.com/blog/cryptowall-ransomware-recovery/
The nice part is that you can get a full restore as of a certain day. Certainly a good part of a nice backup strategy.
-
@BRRABill said:
@aaron said:
@aaron said:
Yes, Backblaze can help with ransomware.
To follow up, Backblaze was hit with CryptoWall on a corporate Windows machine. Not Locky... But I I think it's a better story to follow than my shorter answers.
If you'd like to read the unfortunate details and how it was recovered from backup https://www.backblaze.com/blog/cryptowall-ransomware-recovery/
The nice part is that you can get a full restore as of a certain day. Certainly a good part of a nice backup strategy.
What is the range of time though? 7 days? 30 days?
-
@wirestyle22 said:
What is the range of time though? 7 days? 30 days?
They keep 30 days of revisions/deletions.
-
Are you using Microsoft EMET at your machines? Which antivirus is your favourite?
Here, some spanish security gurus say EMET is necessary in all cases, also with Windows 10.