locky file extensions and the locky crypto

The locky crypto virus has been prevalent lately.  I asked a colleague from another firm who mainly does Cisco ASA Firewalls how many clients of theirs have gotten a crypto lately and he said it was out of control.  He has had 4 or so of his clients in the past few weeks get it. Asking what they do to prevent it he didn’t have any real answers but we chatted about a few they haven’t implemented like Active Directory Group Policies and such. Additionally, if Cisco did have a process it would mean more licensing and fee’s.

The locky crypto mainly comes in as an email attachment, a word document, excel file or javascript file (.docm, .doc, .xls and .js).  If you enabled or have enabled macros in your Microsoft Office you’re in trouble!

What it does is:

  1. Executes a download from a web server on the Internet, much like you’d download anything but in this instance you don’t know it’s coming!  This is called a “downloader”.
  2. It executes that download commonly called the “payload” to then encrypt your files with a .locky extension from a set of encryption keys it exchanges with another web server.
  3. During encryption in each folder it drops an html file and a text file on what  you need to do if you want to get your files back – that ransom.

Things often seem to be “running slowly” on your computer during this process because the locky is busy encrypting your files (pictures, documents, video files and other valuable items).  It also gathers information on what type of system you’re running and if it is a corporate machine or not.

The FBI encourages you to pay but I don’t.  If you’ve already gotten it; it’s too late!  To prevent getting it what you need to do is:

  • Prevent it from ever happening with Firewall-Z that blocks known ransomware networks and ransomware networks that are newly discovered (updated block lists).
  • Use packet filters to detect and block the content of an application stream that has locky signatures.  Firewall-Z uses SNORT to accomplish this.
  • Depending on your infrastructure use computer policies to block users from enabling macros on untrusted files – this is not a function of Firewall-Z but we can help you if needed.
  • Use a spam filter that does not allow macro’s to be transfered and strips them out – again not a function of Firewall-Z but we can help as we also have a SPAM solution.

Firewall-Z should be a piece of your security layer to defend the perimeter.  It is the first layer in your defense.

I personally just tried to go to a well known IP from my workstation and our block list prevented me from the attempt as demonstrated below (I tried to PING the Destination of:  173.214.183.81):

This V3 list blocks:  Attacks, spyware, viruses including brute force attackers and probes

locky block
Apr 18 08:40:35 LAN locky_rule EITS_v3 auto rule (xxxxxxxxxx) DNS Lookup Block 192.168.0.89 Resolve DNS 173.214.183.81 ICMP

 

Free hardware and a low monthly subscription is available!

Leave a Reply

Your email address will not be published. Required fields are marked *