RAS Infotech | Cyber Security Solutions for Enterprises

Locky: Clearly Bad Behavior

Category Uncategorized
locky-recover-instructions

Over the past week, a new crypto-ransomware threat, dubbed “Locky”, has been making pretty big headlines.

So far, Locky’s most common infection vector has been via e-mail. A word document attachment is sent out claiming to be an invoice. When opened, the document appears scrambled and prompts the recipient to enable macros in order to view, and if they do so, an executable (ladybi.exe) gets dropped and starts encrypting data files using 128-bit AES encryption.

This particular campaign appears to be very well organized, with multiple localizations of the ransomware being deployed worldwide and a large, robust infrastructure in place to support it. Many reports have suggested that the actors behind the spam campaign that is currently spreading Locky are likely the same people who spread the Dridex banking trojan.

Locky auto-generates domain names to call home to. Forcepoint have detailed the domain generation algorithm.

If you’re running our software, DeepGuard, our behavioral detection engine, has been preventing both the attack vectors used by Locky and the behavior of the malware itself. These detections have been around for quite some time already. Following our tried-and-tested prevention strategy, DeepGuard notices malicious behavior, such as Office documents downloading content, dropping files, or running code. DeepGuard stops the mechanisms that allow these sorts of threats to infect your machine right at the source.

The following three detections block malicious behavior associated with Locky and its variants:

  • Trojan-Dropper:W32/Agent.D!DeepGuard
  • Trojan:W32/Pietso.A!DeepGuard
  • Trojan:W32/TeslaCrypt.PE!DeepGuard

These three detections also protect our customers from Pony, Vawtrak, and the latest versions of TeslaCrypt.

Over the weekend, a new Locky infection vector surfaced. This infection vector involves a ZIP attachment containing a JavaScript file, that, if run, downloads the Locky executable and runs it. We detect that variant as Trojan-Downloader:JS/Dridex.W.

Source: https://labsblog.f-secure.com/2016/02/22/locky-clearly-bad-behavior/

RELATED STORIES
RAS Infotech's 24th Anniversary
vamtam-theme-circle-post
Category Uncategorized

Celebrating 24 Years of Excellence: RAS Infotech’s Journey of Innovation and Partnership

April 18, 2024
As RAS Infotech marks its 24th anniversary, we reflect on a journey defined by growth,...
Read More
Best Cybersecurity Distributor of the Year Award 2023
vamtam-theme-circle-post
Category Uncategorized

RAS Infotech Secures Prestigious “Best Cybersecurity Distributor of the Year 2023” Award at Reseller Middle East Partner Excellence Awards

January 31, 2024
In a resounding triumph, RAS Infotech has emerged as the proud recipient of the coveted...
Read More
vamtam-theme-circle-post
Category Uncategorized

6 Important Points about Apple Users

September 1, 2014
F-Secure's latest research asked 2000 respondents in the United States for their views about security...
Read More
vamtam-theme-circle-post
Category Uncategorized

Criminals will continue to Exploit

March 22, 2014
F-Secure security researchers highlight the risks that exploits pose to people running outdated or unpatched...
Read More
vamtam-theme-circle-post
Category Uncategorized

F-Secure Acquires Nordic’s Cybersecurity Leaders

March 21, 2014
F-Secure's acquisition of nSense bolsters the company's expansion into the enterprise segment by offering businesses...
Read More