20.02.2016
by Edgar Gierth

PROTECT YOUR MAIL SERVERS AGAINST LOCKY RANSOMWARE ATTACKS

A new ransomware called Locky has been discovered. It encrypts your data using AES encryption and then demands bitcoins to decrypt your files. It has definitely been hitting computers on a large scale over the past few days. While the majority of infected users are currently in Germany, the attack surface appears to be expanding rapidly. At this time, there is no known way to decrypt files encrypted by Locky.



SITUATION

Locky targets a large number of file extensions and, more importantly, can encrypt data not only on workstations but also on servers, if that data is stored on network shares the infected computer can reach. The Locky ransomware also completely changes the filenames of the encrypted files, which makes it harder to identify and restore the right data. In most cases Locky gets into your computer or network through emails carrying a malicious attachment. Most of these emails have a Microsoft Word attachment named like "invoice..." that contains macros which encrypt the data, but other filenames are possible as well.



[Figure: Locky, one hour of infection stats]



TEMPORARY SOLUTION

In addition to virus and malware scanning of incoming emails, and virus and malware scanning software on servers and client computers, you can refuse to accept external emails carrying the currently known attachment names and file types on your email servers. If company requirements oblige you to accept these attachments, you should first quarantine such attachments from external senders and release them only on explicit request.

These file names and file types are the following:

*.doc
*.docx
*.dot
*.mdb
*.accdb
*.xls
*.xlt
*.xlsx
*.xlsm
*.xltx
*.xltm
*.xlsb
*.xlam
*.pptx
*.pptm
*.potx
*.potm
*.ppam
*.ppsx
*.ppsm
*.docm
*.dotx
*.dotm
*.vsdx
*.vssx
*.vstx
*.vsdm
*.vssm
*.vstm
*.vss
*.shs
*.pps
*.ppt
*.mpp
*.rtf
*.wri
*invoice*

Furthermore, you can reject incoming emails from these IP addresses and domain names:

109.234.38.35
173.214.183.81
193.124.181.169
195.154.241.208
195.64.154.14
46.4.239.76
66.133.129.5
86.104.134.144
91.195.12.185
iynus.net
iglobali.com
jesusdenazaret.com.ve
southlife.church
villaggio.airwave.at
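To show how the two lists above turn into a concrete policy, here is a small Python script added as an illustration (example code, not part of the original post and not a particular mail server's configuration). It parses an inbound message with the standard library, rejects mail whose sending IP or From: domain is on the blocklist, quarantines (or, with a flag, rejects) mail from external senders that carries an attachment matching one of the listed names or types, and exempts internal senders. The internal domain `example.com`, the `build_sample` helper and the sample messages are constructed placeholders; in practice a function like `decide` would be called from a milter or content filter, which is an assumption, not something the post describes.

```python
import fnmatch
from email import message_from_string, policy
from email.utils import parseaddr

# Attachment names and types listed in the post (shell-style globs, matched case-insensitively)
BLOCKED_ATTACHMENT_PATTERNS = [
    "*.doc", "*.docx", "*.docm", "*.dot", "*.dotx", "*.dotm", "*.mdb", "*.accdb",
    "*.xls", "*.xlt", "*.xlsx", "*.xlsm", "*.xltx", "*.xltm", "*.xlsb", "*.xlam",
    "*.ppt", "*.pps", "*.pptx", "*.pptm", "*.potx", "*.potm", "*.ppam", "*.ppsx", "*.ppsm",
    "*.vss", "*.vsdx", "*.vssx", "*.vstx", "*.vsdm", "*.vssm", "*.vstm",
    "*.shs", "*.mpp", "*.rtf", "*.wri", "*invoice*",
]

# Sending IP addresses and domains listed in the post
BLOCKED_SENDER_IPS = {
    "109.234.38.35", "173.214.183.81", "193.124.181.169", "195.154.241.208",
    "195.64.154.14", "46.4.239.76", "66.133.129.5", "86.104.134.144", "91.195.12.185",
}
BLOCKED_SENDER_DOMAINS = {
    "iynus.net", "iglobali.com", "jesusdenazaret.com.ve", "southlife.church",
    "villaggio.airwave.at",
}

# Assumption: the organisation's own mail domain(s); only external senders get the attachment rules
INTERNAL_DOMAINS = {"example.com"}


def attachment_filenames(raw_message):
    """Filenames of every MIME part that declares one (Content-Disposition or Content-Type name=)."""
    msg = message_from_string(raw_message, policy=policy.default)
    return [part.get_filename() for part in msg.walk() if part.get_filename()]


def is_blocked_attachment(filename):
    """True if the filename matches any pattern on the block list, ignoring case."""
    name = filename.lower()
    return any(fnmatch.fnmatchcase(name, pattern) for pattern in BLOCKED_ATTACHMENT_PATTERNS)


def sender_domain(raw_message):
    """Domain part of the From: address, lower-cased ("" if absent)."""
    msg = message_from_string(raw_message, policy=policy.default)
    _, address = parseaddr(str(msg.get("From", "")))
    return address.rpartition("@")[2].lower()


def is_blocked_domain(domain):
    """Exact match against the blocklist, or a subdomain of a blocked domain."""
    return any(domain == d or domain.endswith("." + d) for d in BLOCKED_SENDER_DOMAINS)


def decide(raw_message, client_ip, quarantine_external=True):
    """
    Policy decision for one inbound message: ("reject" | "quarantine" | "accept", reason).
    Check order follows the post: blocklisted sender first, then attachment rules for external senders.
    """
    if client_ip in BLOCKED_SENDER_IPS:
        return "reject", "client IP on blocklist: " + client_ip
    domain = sender_domain(raw_message)
    if is_blocked_domain(domain):
        return "reject", "sender domain on blocklist: " + domain
    if domain in INTERNAL_DOMAINS:
        return "accept", "internal sender"
    hits = [f for f in attachment_filenames(raw_message) if is_blocked_attachment(f)]
    if hits:
        action = "quarantine" if quarantine_external else "reject"
        return action, "blocked attachment(s): " + ", ".join(hits)
    return "accept", "no blocked attachments"


def build_sample(from_addr, filename):
    """Construct a minimal multipart test message (synthetic placeholder, not a real Locky mail)."""
    return (
        f"From: {from_addr}\nTo: user@example.com\nSubject: Rechnung\n"
        'MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary="b1"\n\n'
        "--b1\nContent-Type: text/plain\n\nSee attachment.\n"
        f'--b1\nContent-Type: application/octet-stream; name="{filename}"\n'
        f'Content-Disposition: attachment; filename="{filename}"\n\nAAAA\n--b1--\n'
    )


if __name__ == "__main__":
    # Constructed cases: external sender with a macro document, blocklisted domain, internal sender
    for sender, ip, name in [
        ('"Accounting" <billing@mail-partner.example>', "198.51.100.7", "invoice_2016-02.docm"),
        ('"Accounting" <billing@iynus.net>', "198.51.100.8", "report.pdf"),
        ("colleague@example.com", "10.0.0.5", "budget.xlsm"),
    ]:
        print(name, decide(build_sample(sender, name), ip))
```

Note that the attachment rule matches only the declared filename, so a renamed or archived attachment would pass it; that is why the post frames this as an addition to, not a replacement for, virus and malware scanning.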

Of course, you should ensure that all anti-virus scanners, malware scanners, anti-spam scanners, servers, workstations and client software are at the latest patch level.
