
New Ransomware "Locky" blocked


jaketails


Hi!

I'm an Italian IT and in this period we're overloaded by CryptoLocker, CTB-Locker, CryptoWall and TeslaCrypt.

I've taken some samples of each ransomware from my clients and I put them all in a virtual machine to test the Malwarebytes Anti-Ransomware Beta software, and I admit that it is very impressive how quickly and cleverly it works: it destroys all of my ransomware samples...

but this evening someone brought to our office a PC infected by a new kind of ransomware with the ".locky" extension.

 

The link below is the only one I've found with some information about it...

https://medium.com/@networksecurity/locky-ransomware-virus-spreading-via-word-documents-51fcb75618d2#.4v9n04xjf

 

I got a sample of the executable from the infected PC and I put it in the virtual machine...

And I have to say with regret that the Malwarebytes Anti-Ransomware software doesn't block or recognize this type of ransomware.

 

MOD'S NOTE: Malwarebytes Anti-Ransomware DOES BLOCK Locky. You're just seeing the ransom readme. File encryption is blocked by Malwarebytes Anti-Ransomware.

 

I pray that some programmer reads this topic and implements something about it in the Malwarebytes Anti-Ransomware software, because I foresee a wide spread of this new ransomware.

 

I hope this topic helps programmers and someone...

 

Bye.


MBARW has blocked Locky from day one of its release. I have also even tested with the dropper from OP and a coworker of mine also did.

The only concern is that right now it does get 2-3 files before it is stopped, but this is expected with some ransomware in this beta, and we already have a plan of action for these cases.

Another thing that may confuse people and make them think they still got infected is that the ransomware note is left on the machine or opened. This is nothing, and your files are still protected and safe; we simply have not added a cleanup for those ransom files yet, but will in the future.

Thanks for the feedback!


I am attempting to test the anti-ransomware. I have a PC that is infected with Locky. I have booted the PC up in safe mode and installed the MBAM anti-ransomware s/w. The install went fine but then came back with "unable to connect to the service". My plan was to reboot and then attach a USB drive to see if the MBAM s/w works, but when I reboot I get the message: "there was a problem activating your malwarebytes antiransomeware beta".

Wondering how to test from here.


  • 3 weeks later...

From my experiences, McAfee is a waste of money and resources, along with most Symantec products. But then again, I've not found any one program that does it all. MBAM is pretty good but not as good as it once was. ESET, Sophos are fairly decent. I'm hoping this MBAM anti-ransomware app does the job for ransomware. Locking down email attachments at the server level is the best preventative approach that I know of right now. Using shadow copies on Windows platforms and verified daily/hourly backups and/or snapshots seems to be my best approach to disaster recovery.
