jaketails

New Ransomware "Locky" blocked


Hi!

I'm an Italian IT worker, and in this period we're overloaded by CryptoLocker, CTB-Locker, CryptoWall and TeslaCrypt.

I've taken some samples of every ransomware from my clients and put them all in a virtual machine to test the Malwarebytes Anti-Ransomware beta software, and I admit it is very impressive how quickly and cleverly it works: it destroyed all of my ransomware samples...

But this evening someone brought a PC to our office that was infected by a new kind of ransomware with the ".locky" extension.

The link below is the only one I've found with some information about it...

https://medium.com/@networksecurity/locky-ransomware-virus-spreading-via-word-documents-51fcb75618d2#.4v9n04xjf

I got a sample of the executable from the infected PC and put it in the virtual machine...

And I have to say with regret that the Malwarebytes Anti-Ransomware software doesn't block or recognize this type of ransomware.

 

MOD'S NOTE: Malwarebytes Anti-Ransomware DOES BLOCK Locky. You're just seeing the ransom readme. File encryption is blocked by Malwarebytes Anti-Ransomware.

I pray that some programmer reads this topic and implements something about it in the Malwarebytes Anti-Ransomware software, because I foresee a wide spread of this new ransomware.

I hope this topic helps the programmers and someone else...

Bye.


Hi, from my research Locky has been around for over a week and Malwarebytes' Anti-Ransomware software hasn't blocked it yet. That is a HUGE concern if we are to rely on the product to block such attacks. Is there an update on this?


MBARW has blocked Locky from day one of its release. I have also tested with the dropper from the OP, and a coworker of mine did as well.

The only concern is that right now it does get 2-3 files before it is stopped, but this is expected with some ransomware in this beta, and we already have a plan of action for these cases.

Another thing that may confuse people and make them think they still got infected is that the ransom note is left on the machine or opened. This is nothing: your files are still protected and safe. We simply have not added a clean-up for those ransom files yet, but will in the future.

Thanks for the feedback!

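The behaviour described in the post above (a handful of files renamed to ".locky" in one place before the process is stopped, plus a ransom note that is harmless on its own) is something a file-server admin can alert on independently of any endpoint product. The following is an added example, not code from the thread or from Malwarebytes: a small Python burst detector over file-system events, keyed only on the ".locky" extension from this thread; the event list, paths and thresholds are constructed.

```python
"""Heuristic detector for Locky-style encryption bursts over file-system events.

Constructed example: the events below are made up. The only page-derived facts
are the ".locky" extension and that a few files are renamed before the
encryption is halted, so we alert on a small burst rather than a single file.
"""
from collections import deque
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class FileEvent:
    ts: float      # seconds since epoch (constructed values)
    action: str    # "rename" or "create", as an audit/FS-watcher would report
    path: str      # path after the operation


def is_locky_name(path: str) -> bool:
    """True when the file carries the .locky extension (case-insensitive)."""
    return PureWindowsPath(path).suffix.lower() == ".locky"


def detect_bursts(events, threshold=3, window=10.0):
    """Return (ts, directory, count) alerts, one per directory, when at least
    `threshold` .locky files appear within `window` seconds in that directory."""
    recent = {}    # directory -> deque of recent .locky timestamps
    fired = set()  # directories already alerted on
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.action not in ("rename", "create") or not is_locky_name(ev.path):
            continue
        directory = str(PureWindowsPath(ev.path).parent).lower()
        q = recent.setdefault(directory, deque())
        q.append(ev.ts)
        while q and ev.ts - q[0] > window:   # drop timestamps outside the window
            q.popleft()
        if len(q) >= threshold and directory not in fired:
            fired.add(directory)
            alerts.append((ev.ts, directory, len(q)))
    return alerts


SAMPLE_EVENTS = [  # constructed: three renames on a share, one stray file elsewhere
    FileEvent(100.0, "rename", r"\\fs01\share\docs\A1B2C3D4.locky"),
    FileEvent(100.4, "rename", r"\\fs01\share\docs\E5F6A7B8.locky"),
    FileEvent(100.9, "rename", r"\\fs01\share\docs\C9D0E1F2.locky"),
    FileEvent(500.0, "rename", r"C:\Users\u\report.locky"),  # single file: no alert
]

if __name__ == "__main__":
    for ts, directory, n in detect_bursts(SAMPLE_EVENTS):
        print(f"ALERT t={ts}: {n} .locky files in {directory}")
```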

Thanks Decrypterfixer for your incredible work! Maybe my version didn't block Locky because I only had the exe and not the Word file when I tested it... I wish you good work and I hope that future versions will still be blocked by this fantastic anti-ransomware! Bye


I am attempting to test the anti-ransomware. I have a PC that is infected with Locky. I booted the PC up in safe mode and installed the MBAM anti-ransomware software; the install went fine but then came back with "unable to connect to the service". My plan was to reboot and then attach a USB drive to see if the MBAM software works, but when I reboot I get the message: "there was a problem activating your malwarebytes antiransomeware beta".

Wondering how to test from here.


OK, I had to connect to the internet to activate. Now I'm inserting the USB E: drive, but MBAM is still not seeing anything happening, and I suspect that nothing is happening because the files on the USB stick are fine. Apparently the process has ended once the ransomware wallpaper is displayed?


What Decrypt means by "clean up" is removing the residual leftovers. PeAcE


We got hit by Locky on Tuesday of this week, and all our computers run Malwarebytes. It did not block it, and that computer and our network drives were encrypted. I had to wipe our network drives and restore them from backups.


Just Malwarebytes. Isn't it supposed to stop it? I also run McAfee and it didn't stop it either.

How many programs do we need to run?


From my experience McAfee is a waste of money and resources, along with most Symantec products. But then again, I've not found any one program that does it all. MBAM is pretty good but not as good as it once was. ESET and Sophos are fairly decent. I'm hoping this MBAM anti-ransomware app does the job for ransomware. Locking down email attachments at the server level is the best preventative approach that I know of right now. Using shadow copies on Windows platforms and verified daily/hourly backups and/or snapshots seems to be my best approach to disaster recovery.

On 17.3.2016 at 9:14 AM, shiko0o said:

Any chance for an MSI package to be deployed over GPO?
