Analysis of Locky ransomware

BRRABill

@aaron

Awesome info. That might just be the solution.

JaredBusch

Look what hit my quarantine.

So I delivered it.

OMG! I owe them $298,39

Wait what? comma 39 cents? What the f[moderated] is that.

This is an admin email account at a client. If the admin account has it, it is only time before someone does all the things.

Dashrender

this is why I turned off Doc and DOCX files via the spam filter.

BRRABill

@Dashrender said:

this is why I turned off Doc and DOCX files via the spam filter.

What if your users legitimately need those files?

wirestyle22

@BRRABill said:

@Dashrender said:

this is why I turned off Doc and DOCX files via the spam filter.

What if your users legitimately need those files?

Much better ways to share documents than through email

BRRABill

@wirestyle22 said:

Much better ways to share documents than through email

Good point.

scottalanmiller

@JaredBusch weird mix of USD and European notation there.

Dashrender

@BRRABill said:

@Dashrender said:

this is why I turned off Doc and DOCX files via the spam filter.

What if your users legitimately need those files?

Then I can white list them. Luckily - we rarely need those sent through email.

Dashrender

@BRRABill said:

@wirestyle22 said:

Much better ways to share documents than through email

Good point.

Actually - I would say not good point. What ways are you thinking? Drop Box? Google Drive? OneDrive, ODfB? etc - those are all horrible ways to share files because it's just as easy to get infected by them as it is by email.

Heck, the one person I know who got hit by Locky got it through DropBox. He got a notice it had been uploaded - he went and looked - he though HUH, it's odd that it's a word file, because normally it's a PDF - meh, whatever - click - infected!
It didn't help that the company used GPOs to remove the prompting about macros, so he didn't even have that protection.

BRRABill

@Dashrender said:

Actually - I would say not good point. What ways are you thinking? Drop Box? Google Drive? OneDrive, ODfB? etc - those are all horrible ways to share files because it's just as easy to get infected by them as it is by email.

Heck, the one person I know who got hit by Locky got it through DropBox. He got a notice it had been uploaded - he went and looked - he though HUH, it's odd that it's a word file, because normally it's a PDF - meh, whatever - click - infected!
It didn't help that the company used GPOs to remove the prompting about macros, so he didn't even have that protection.

It was more a ML concession. I just assumed there was an easy was in ODfB everyone was using I was unaware of.

For the most part file sharing like that is a PITA, especially for most users who have no idea. I have to get the file, and share it out, etc..

stacksofplates

@Dashrender said:

@BRRABill said:

@wirestyle22 said:

Much better ways to share documents than through email

Good point.

Actually - I would say not good point. What ways are you thinking? Drop Box? Google Drive? OneDrive, ODfB? etc - those are all horrible ways to share files because it's just as easy to get infected by them as it is by email.

Heck, the one person I know who got hit by Locky got it through DropBox. He got a notice it had been uploaded - he went and looked - he though HUH, it's odd that it's a word file, because normally it's a PDF - meh, whatever - click - infected!
It didn't help that the company used GPOs to remove the prompting about macros, so he didn't even have that protection.

I don't really do any local editing any more. Since I have Zoho I use Zoho Docs (doesn't really matter what service you use), but I use their online software. If I get it in an email, I can open it directly with their Docs apps and edit.

Dashrender

@johnhooks said:

@Dashrender said:

@BRRABill said:

@wirestyle22 said:

Much better ways to share documents than through email

Good point.

Actually - I would say not good point. What ways are you thinking? Drop Box? Google Drive? OneDrive, ODfB? etc - those are all horrible ways to share files because it's just as easy to get infected by them as it is by email.

Heck, the one person I know who got hit by Locky got it through DropBox. He got a notice it had been uploaded - he went and looked - he though HUH, it's odd that it's a word file, because normally it's a PDF - meh, whatever - click - infected!
It didn't help that the company used GPOs to remove the prompting about macros, so he didn't even have that protection.

I don't really do any local editing any more. Since I have Zoho I use Zoho Docs, but I use their online software. If I get it in an email, I can open it directly with their Docs apps and edit.

This is something awesome about O365 and Google Apps as well.

stacksofplates

@Dashrender said:

@johnhooks said:

@Dashrender said:

@BRRABill said:

@wirestyle22 said:

Much better ways to share documents than through email

Good point.

Actually - I would say not good point. What ways are you thinking? Drop Box? Google Drive? OneDrive, ODfB? etc - those are all horrible ways to share files because it's just as easy to get infected by them as it is by email.

Heck, the one person I know who got hit by Locky got it through DropBox. He got a notice it had been uploaded - he went and looked - he though HUH, it's odd that it's a word file, because normally it's a PDF - meh, whatever - click - infected!
It didn't help that the company used GPOs to remove the prompting about macros, so he didn't even have that protection.

I don't really do any local editing any more. Since I have Zoho I use Zoho Docs, but I use their online software. If I get it in an email, I can open it directly with their Docs apps and edit.

This is something awesome about O365 and Google Apps as well.

Ya I've used both. I have a Microsoft account and an Office 365 account. The Office online stuff is nice, and same with Google Docs. I just use Zoho for mail so that makes sense for me.

aaron-closed account

This post is deleted!

Alex Sage

@Nic Sorry, I don't click on links

Nic

@aaronstuder said:

@Nic Sorry, I don't click on links

come on, it's just a little ransomware, that's all

BRRABill

@aaron said:

@aaron said:

Yes, Backblaze can help with ransomware.

To follow up, Backblaze was hit with CryptoWall on a corporate Windows machine. Not Locky... But I I think it's a better story to follow than my shorter answers.

If you'd like to read the unfortunate details and how it was recovered from backup https://www.backblaze.com/blog/cryptowall-ransomware-recovery/

The nice part is that you can get a full restore as of a certain day. Certainly a good part of a nice backup strategy.

wirestyle22

@BRRABill said:

@aaron said:

@aaron said:

Yes, Backblaze can help with ransomware.

To follow up, Backblaze was hit with CryptoWall on a corporate Windows machine. Not Locky... But I I think it's a better story to follow than my shorter answers.

If you'd like to read the unfortunate details and how it was recovered from backup https://www.backblaze.com/blog/cryptowall-ransomware-recovery/

The nice part is that you can get a full restore as of a certain day. Certainly a good part of a nice backup strategy.

What is the range of time though? 7 days? 30 days?

BRRABill

@wirestyle22 said:

What is the range of time though? 7 days? 30 days?

They keep 30 days of revisions/deletions.

mmruiz

Are you using Microsoft EMET at your machines? Which antivirus is your favourite?

Here, some spanish security gurus say EMET is necessary in all cases, also with Windows 10.