Telnet Network News


Netfort's How to deal with the Locky Ransomware Email Campaign

Locky Ransomware

Ransomware has been the number one cyber-security threat in 2017. Outbreaks such as WannaCry have caused massive amounts of damage worldwide. If you want to detect Ransomware such as WannaCry, you should watch out for an increase in file renames and deploy technologies such as an IDS to identify outbreaks on your network.

Recently there has been an increase in activity associated with the Locky variant of Ransomware. Locky was first detected in 2016 and one of its first victims was the Hollywood Presbyterian Medical Center in Los Angeles, California. The infection encrypted systems throughout the medical center, locking staff out of computers and electronic records. 

The recent Locky campaign saw 23 million messages containing the ransomware sent on 28 August across the United States in what appears to be one of the largest malware campaigns this year.

5 Locky Fingerprints that you need to watch out for

If you want to detect Locky activity on your network, you need to watch out for the following. Some of these indicators are directly associated with Locky; others are merely suspicious and would need to be checked.

  • Dodgy subject lines which are known to be associated with Locky distribution
  • Clients trying to access the domain greatesthits.mygoldmusic.com
  • Lukitus file extensions on network drives
  • Increase in file renames
  • ZIP file attachments

Search inbound email for specific subject lines

The email campaign associated with the latest outbreak of Locky uses this list of subject lines:

  • please print 
  • documents 
  • photo 
  • images 
  • scans 
  • pictures 

If you host your own email servers, you should monitor all SMTP servers and alert if any emails using these subject lines are detected. One way to do this is to use Netfort's LANGuardian product to extract the email metadata from network traffic which can be sourced from a SPAN or a mirror port. The image below shows an example of what you should be watching out for.

Monitor DNS or Web Traffic for activity associated with Locky domains

This Locky outbreak uses Visual Basic Script (VBS) files embedded in zip email attachments. The emails themselves do not contain the Ransomware code. When a user opens the attachment, the VBS script attempts to connect to the domain greatesthits.mygoldmusic.com. From there it pulls down the Locky Ransomware and then goes about encrypting files. You can check for activity associated with this domain by monitoring web or DNS traffic. It may also be possible to do this with firewall or proxy logs, but check your device to see if it captures domain names. The image below shows an example of what you should be watching out for. Here, we can see that a client attempted to access a suspicious domain; that client would need to be taken off the network and checked.
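The DNS check described above, as an added example that is not part of the original article or of LANGuardian: it scans a constructed DNS query log (the log format is assumed), matches the Locky domain and any name beneath it, ignores look-alike suffixes, and reports which clients queried it.

```python
# Domain named in the article; the set makes it easy to add others as they are published.
LOCKY_DOMAINS = {"greatesthits.mygoldmusic.com"}

# Constructed sample DNS query log in an assumed format (not LANGuardian output):
# "<ISO timestamp> <client IP> <query type> <query name>"
SAMPLE_DNS_LOG = """\
2017-08-28T10:13:02 10.1.1.20 A greatesthits.mygoldmusic.com.
2017-08-28T10:13:02 10.1.1.20 AAAA GreatestHits.MyGoldMusic.com
2017-08-28T10:13:40 10.1.1.31 A www.example.org
2017-08-28T10:14:11 10.1.1.45 A cdn.greatesthits.mygoldmusic.com
2017-08-28T10:14:55 10.1.1.52 A greatesthits.mygoldmusic.com.example.org
"""


def normalise(name):
    """Drop a trailing root dot and fold case so resolver quirks do not hide a match."""
    return name.rstrip(".").lower()


def matches_locky_domain(qname):
    """True for the domain itself or any label beneath it, never for a look-alike suffix."""
    q = normalise(qname)
    return any(q == d or q.endswith("." + d) for d in LOCKY_DOMAINS)


def suspicious_clients(log_text):
    """Return client IP -> sorted list of Locky-related names that client queried."""
    hits = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, _qtype, qname = line.split()
        if matches_locky_domain(qname):
            hits.setdefault(client, set()).add(normalise(qname))
    return {client: sorted(names) for client, names in hits.items()}


if __name__ == "__main__":
    for client, names in suspicious_clients(SAMPLE_DNS_LOG).items():
        print(f"isolate and check {client}: queried {', '.join(names)}")
```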

Watch out for Lukitus file extensions

Once this variant of Locky is active on a network, it will seek out local folders and network based file shares. Files are encrypted and a Lukitus file extension is appended to each file. Make sure you are monitoring all activity to your important network shares. One way to do this is to monitor network traffic to and from the file servers. 

The image below shows an example of what you need to watch out for. The client associated with this event would need to be removed from the network and checked for Ransomware infection.

A sudden increase in file renames is a sign of Ransomware

All variants of Ransomware which target end user data share the same basic behaviour: they take the user's data, encrypt it and then rename it with a new file extension. In some cases the files are encrypted under their original file names, but the rename action still occurs.

We recommend that you constantly monitor the rate of file renames on all of your network shares. A good starting point would be to alert on any instance where the number of file renames goes above 4 per second. Netfort's lab analysis shows that this is a good indicator of mass renaming, which is typically associated with Ransomware. Make sure your alerts also contain the client IP address associated with the renaming, as that client needs to be removed from the network immediately.
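The two file-share indicators above (the Lukitus extension and a rename rate above 4 per second) implemented together, as an added example that is not part of the original article or of LANGuardian: it reads a constructed file-server event log (the format is assumed), records any rename that writes a .lukitus name, tracks each client's renames in a sliding one-second window, and lists the clients that should be isolated.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

RENAME_THRESHOLD = 4            # renames per second; the article's starting point
WINDOW = timedelta(seconds=1)
LOCKY_EXTENSION = ".lukitus"

# Constructed sample file-server events in an assumed format (not LANGuardian output):
# "<ISO timestamp> <client IP> <operation> <path> [<new path>]"
SAMPLE_EVENTS = """\
2017-08-28T09:00:00.000 10.1.1.20 READ /shares/finance/budget.xlsx
2017-08-28T09:00:00.100 10.1.1.20 RENAME /shares/finance/budget.xlsx /shares/finance/budget.xlsx.lukitus
2017-08-28T09:00:00.250 10.1.1.20 RENAME /shares/finance/q3.docx /shares/finance/q3.docx.lukitus
2017-08-28T09:00:00.400 10.1.1.20 RENAME /shares/finance/plan.pptx /shares/finance/plan.pptx.lukitus
2017-08-28T09:00:00.550 10.1.1.20 RENAME /shares/finance/notes.txt /shares/finance/notes.txt.lukitus
2017-08-28T09:00:00.700 10.1.1.20 RENAME /shares/finance/old.pdf /shares/finance/old.pdf.lukitus
2017-08-28T09:00:00.300 10.1.1.31 RENAME /shares/hr/draft.docx /shares/hr/final.docx
2017-08-28T09:00:05.000 10.1.1.31 RENAME /shares/hr/final.docx /shares/hr/final_v2.docx
"""


def parse_event(line):
    fields = line.split()
    return datetime.fromisoformat(fields[0]), fields[1], fields[2], fields[3:]


def analyse(events_text):
    """Return client IP -> {"lukitus_files": [...], "peak_renames_per_sec": n}."""
    events = sorted(parse_event(l) for l in events_text.splitlines() if l.strip())
    recent = defaultdict(deque)   # client -> rename timestamps inside the window
    summary = defaultdict(lambda: {"lukitus_files": [], "peak_renames_per_sec": 0})
    for ts, client, op, paths in events:
        if op != "RENAME":
            continue
        stats = summary[client]
        new_path = paths[-1]
        # Direct Locky indicator: the new name carries the Lukitus extension.
        if new_path.lower().endswith(LOCKY_EXTENSION):
            stats["lukitus_files"].append(new_path)
        # Generic indicator: count renames within the last second for this client.
        window = recent[client]
        window.append(ts)
        while ts - window[0] > WINDOW:
            window.popleft()
        stats["peak_renames_per_sec"] = max(stats["peak_renames_per_sec"], len(window))
    return dict(summary)


def clients_to_isolate(events_text):
    """Clients showing the Lukitus extension or a rename burst above the threshold."""
    return sorted(client for client, s in analyse(events_text).items()
                  if s["lukitus_files"] or s["peak_renames_per_sec"] > RENAME_THRESHOLD)
```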

Get an inventory of what ZIP files are coming into your network

Compressed files (ZIP and others) are often used to deliver malware via email. Many email servers block attachments that have unusual file extensions. However, if the malware is embedded within a ZIP file, it can get through some filters. Almost every device is able to open ZIP files, which is why they are used.

If you host your own email servers, we recommend that you monitor all attachments that are inbound into your network. One way to do this is to monitor network traffic going to and from your email servers. A system such as LANGuardian can extract attachment names from this traffic and provide reports and alerts on suspicious activity.
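The two email checks in this article, the subject-line list and the inventory of archive attachments, implemented over the same metadata, as an added example that is not part of the original article or of LANGuardian: it parses constructed SMTP metadata records (the key=value format is assumed), matches subjects case-insensitively against the published list, and separately inventories every message that carried a compressed attachment.

```python
import shlex

# Subject lines published in the article; matched after trimming and lower-casing.
LOCKY_SUBJECTS = {"please print", "documents", "photo", "images", "scans", "pictures"}
# The article names ZIP; the other extensions are an assumption for "ZIP and others".
ARCHIVE_EXTENSIONS = (".zip", ".7z", ".rar")

# Constructed sample SMTP metadata, one record per inbound message (not LANGuardian output).
SAMPLE_MAIL_LOG = """\
ts=2017-08-28T10:12:01 src=203.0.113.7 to=alice@example.org subject="please print" attachment="scan_0045.zip"
ts=2017-08-28T10:12:09 src=203.0.113.7 to=bob@example.org subject="Photo" attachment="IMG_2211.zip"
ts=2017-08-28T10:15:44 src=198.51.100.20 to=carol@example.org subject="Q3 forecast" attachment="forecast.xlsx"
ts=2017-08-28T10:17:02 src=198.51.100.20 to=dave@example.org subject="Release notes" attachment="release.zip"
ts=2017-08-28T10:19:30 src=192.0.2.99 to=erin@example.org subject="Documents" attachment=""
"""


def parse_record(line):
    """Split a key=value record; shlex keeps quoted subjects with spaces intact."""
    return dict(token.split("=", 1) for token in shlex.split(line))


def classify(record):
    """Return the indicators a message matches (an empty list means nothing to flag)."""
    indicators = []
    if record.get("subject", "").strip().lower() in LOCKY_SUBJECTS:
        indicators.append("locky-subject")
    if record.get("attachment", "").lower().endswith(ARCHIVE_EXTENSIONS):
        indicators.append("archive-attachment")
    return indicators


def triage(log_text):
    """Return (alerts for Locky subject lines, inventory of archive attachments)."""
    alerts, archives = [], []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        tags = classify(rec)
        if "locky-subject" in tags:
            alerts.append((rec["src"], rec["to"], rec["subject"], rec["attachment"]))
        if "archive-attachment" in tags:
            archives.append((rec["src"], rec["attachment"]))
    return alerts, archives


if __name__ == "__main__":
    alerts, archives = triage(SAMPLE_MAIL_LOG)
    for src, to, subject, attachment in alerts:
        print(f"ALERT Locky subject {subject!r} from {src} to {to} (attachment: {attachment or 'none'})")
    print("archive attachments seen:", archives)
```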

If you need to put monitoring in place today, download a free 30 day trial of Netfort's LANGuardian product, which includes a Ransomware monitoring dashboard out of the box.



Thanks to Netfort and Darragh Delaney for this article

