Author
Wayne1
Gold Member
  • Total Posts : 175
  • Scores: 2
  • Reward points: 0
  • Joined: 2004/03/11 08:04:32
  • Location: Switzerland
  • Status: offline
2016/02/18 07:26:52 (permalink)
0

“Locky” ransomware

Hi guys
I'm definitely not paranoid, but I'm a bit scared of the new "Locky" ransomware. Fortinet published a blog post about Locky yesterday, but I can't find anything in the AV signature database or in the IPS for this Locky bastard. Does anyone know which scan engine is able to detect Locky or Dridex?
 
Thx
Wayne

 
FG-200D, FG-100D, FWF-60D, FWF-60E, FWF 40C, FAZVM64, Fortimail VM
#1
Selective
Expert Member
  • Total Posts : 2714
  • Scores: 104
  • Reward points: 0
  • Joined: 2007/07/03 10:44:56
  • Location: Gothenburg - Sweden
  • Status: offline
Re: “Locky” ransomware 2016/02/18 13:12:56 (permalink)
0
My old colleague is sitting with a customer as we speak; they got Locky in a Word document containing a macro, which encrypted 400000 files. He is going to be there all night....
I also want a signature now ;)
#2
Troubleshooter_73
Bronze Member
  • Total Posts : 22
  • Scores: 2
  • Reward points: 0
  • Joined: 2013/05/27 04:31:08
  • Status: offline
Re: “Locky” ransomware 2016/02/18 23:09:27 (permalink)

FCNSA 5, FCNSP 5
#3
Selective
Expert Member
  • Total Posts : 2714
  • Scores: 104
  • Reward points: 0
  • Joined: 2007/07/03 10:44:56
  • Location: Gothenburg - Sweden
  • Status: offline
Re: “Locky” ransomware 2016/02/18 23:34:54 (permalink)
0
Sweet, but cannot find it in my lists. Anyone found it ?
#4
Wayne1
Gold Member
  • Total Posts : 175
  • Scores: 2
  • Reward points: 0
  • Joined: 2004/03/11 08:04:32
  • Location: Switzerland
  • Status: offline
Re: “Locky” ransomware 2016/02/19 02:41:47 (permalink)
0
It's a bit annoying: Symantec and most other competitors detect it already, but Fortinet is still sleeping.
 
https://www.virustotal.com/de/file/976059c030c256db4a22d0fcbf2372cc3320877025154b5efeb3f7a1a26b1774/analysis/
 
 

 
FG-200D, FG-100D, FWF-60D, FWF-60E, FWF 40C, FAZVM64, Fortimail VM
#5
Selective
Expert Member
  • Total Posts : 2714
  • Scores: 104
  • Reward points: 0
  • Joined: 2007/07/03 10:44:56
  • Location: Gothenburg - Sweden
  • Status: offline
Re: “Locky” ransomware 2016/02/19 02:46:20 (permalink)
0
I got this from support an hour ago:
 
Thank you for contacting Fortinet IPS. We have developed a signature, Locky.Botnet, to address this ransomware. However, the signature has to go through "beta" testing first before it can be officially released. Barring any unforeseen circumstances, this signature should be released soon.
#6
Wayne1
Gold Member
  • Total Posts : 175
  • Scores: 2
  • Reward points: 0
  • Joined: 2004/03/11 08:04:32
  • Location: Switzerland
  • Status: offline
Re: “Locky” ransomware 2016/02/19 03:13:32 (permalink)
0
Thx for sharing!

 
FG-200D, FG-100D, FWF-60D, FWF-60E, FWF 40C, FAZVM64, Fortimail VM
#7
rwpatterson
Expert Member
  • Total Posts : 8040
  • Scores: 157
  • Reward points: 0
  • Joined: 2006/08/08 10:08:18
  • Location: Long Island, New York, USA
  • Status: online
Re: “Locky” ransomware 2016/02/19 05:51:11 (permalink)

-Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

-4.3.18-b0689
FGT60B
FWF60B
FWF80CM (2)
FWF81CM
 
#8
Wayne1
Gold Member
  • Total Posts : 175
  • Scores: 2
  • Reward points: 0
  • Joined: 2004/03/11 08:04:32
  • Location: Switzerland
  • Status: offline
Re: “Locky” ransomware 2016/02/19 05:56:56 (permalink)
0
Owh sh*t...... that's why Fortinet has to hurry up. They should definitely be quicker with new sigs for such disastrous malware.
Go go go IPS Team
 

 
FG-200D, FG-100D, FWF-60D, FWF-60E, FWF 40C, FAZVM64, Fortimail VM
#9
Wayne1
Gold Member
  • Total Posts : 175
  • Scores: 2
  • Reward points: 0
  • Joined: 2004/03/11 08:04:32
  • Location: Switzerland
  • Status: offline
Re: “Locky” ransomware 2016/02/22 01:21:12 (permalink)
0
Finally, since yesterday it's included in the current definitions.
 
http://www.fortiguard.com/encyclopedia/locky
 
 

 
FG-200D, FG-100D, FWF-60D, FWF-60E, FWF 40C, FAZVM64, Fortimail VM
#10
Selective
Expert Member
  • Total Posts : 2714
  • Scores: 104
  • Reward points: 0
  • Joined: 2007/07/03 10:44:56
  • Location: Gothenburg - Sweden
  • Status: offline
Re: “Locky” ransomware 2016/02/22 02:23:46 (permalink)
0
I have a custom IPS rule for Locky provided by the FortiGuard IPS Team.
 
If anyone is interested, please PM me.
 
But be aware, it's not a public signature yet; it could produce false positives.
#11
SecurityPlus
Silver Member
  • Total Posts : 118
  • Scores: 0
  • Reward points: 0
  • Joined: 2014/08/11 18:41:34
  • Status: offline
Re: “Locky” ransomware 2016/03/01 11:12:40 (permalink)
0
I too am curious. I also searched for Locky after reviewing this article:
https://blog.fortinet.com/post/a-closer-look-at-locky-ransomware-2
 
From the tone of the article I assumed that the protection was already in place, but I can't find that users are protected. Does anyone know more about this?
 
Thanks
#12
madunix
Bronze Member
  • Total Posts : 22
  • Scores: 0
  • Reward points: 0
  • Joined: 2015/11/16 22:52:20
  • Status: offline
Re: “Locky” ransomware 2016/03/12 07:21:14 (permalink)
0
Still I can't find Locky in my IPS.
#13
ede_pfau
Expert Member
  • Total Posts : 5255
  • Scores: 334
  • Reward points: 0
  • Joined: 2004/03/09 01:20:18
  • Location: Heidelberg, Germany
  • Status: offline
Re: “Locky” ransomware 2016/03/12 14:14:14 (permalink)
0
"Locky.botnet" is an AppControl signature in the Botnet category.
It's probably based on IPS signatures.

Ede

"Kernel panic: Aiee, killing interrupt handler!"
#14
madunix
Bronze Member
  • Total Posts : 22
  • Scores: 0
  • Reward points: 0
  • Joined: 2015/11/16 22:52:20
  • Status: offline
Re: “Locky” ransomware 2016/03/14 03:50:40 (permalink)
0
OK, got it.
#15
SecurityPlus
Silver Member
  • Total Posts : 118
  • Scores: 0
  • Reward points: 0
  • Joined: 2014/08/11 18:41:34
  • Status: offline
Re: “Locky” ransomware 2016/03/14 16:45:38 (permalink)
0
Thanks!
 
If using firmware version 5.4.0, it appears that Locky.Botnet will be blocked provided we do the following:
1. Security Profile / Application Control, select to block Botnet Category
2. Under the respective Policy & Objects / IPv4 Policy / Policy, activate Application Control Security Profile
 
Am I missing anything?
#16
MrSinners
Bronze Member
  • Total Posts : 46
  • Scores: 6
  • Reward points: 0
  • Joined: 2014/03/05 09:22:42
  • Status: offline
Re: “Locky” ransomware 2016/03/16 07:03:39 (permalink)
0
Yes, that would do the trick. However, adding Locky.Botnet as a signature override enables you to apply a specific action to this signature instead of blocking the whole Botnet category (although blocking the whole category isn't bad either).
#17
MattM
New Member
  • Total Posts : 5
  • Scores: 0
  • Reward points: 0
  • Joined: 2015/01/09 14:51:37
  • Status: offline
Re: “Locky” ransomware 2016/03/16 16:27:52 (permalink)
0
I saw a site get infected with Locky on Monday. They had the FortiGate Application Control set up to block the Botnet category just as SecurityPlus described in post #16. This blocked Locky from retrieving its encryption key, so it didn't encrypt any files.
 
#18
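Posts #16 and #17 together give the defender's check: once the Botnet category (or a Locky.Botnet override) is blocking, every blocked hit in the FortiGate app-control log is still an infected host that needs cleanup, and any hit with action pass is a policy that missed the profile. The script below is an added example, not code from this thread or from Fortinet; the log lines are constructed samples and the field names assume the usual FortiOS key=value UTM log layout.

```python
import re
from collections import defaultdict

# Constructed sample app-control log lines (not taken from the thread).
# Field names assume the usual FortiOS key=value UTM log layout.
SAMPLE_LOGS = """\
date=2016-03-14 time=09:12:01 devname=FG-100D type=utm subtype=app-ctrl level=warning srcip=10.1.20.37 dstip=203.0.113.10 service=HTTP app="Locky.Botnet" appcat="Botnet" action="block" msg="Botnet: Locky.Botnet"
date=2016-03-14 time=09:12:05 devname=FG-100D type=utm subtype=app-ctrl level=warning srcip=10.1.20.37 dstip=198.51.100.7 service=HTTP app="Locky.Botnet" appcat="Botnet" action="block" msg="Botnet: Locky.Botnet"
date=2016-03-14 time=09:13:44 devname=FG-100D type=utm subtype=app-ctrl level=information srcip=10.1.20.41 dstip=93.184.216.34 service=HTTPS app="YouTube" appcat="Video/Audio" action="pass" msg="Video/Audio: YouTube"
date=2016-03-14 time=09:15:02 devname=FG-100D type=utm subtype=app-ctrl level=warning srcip=10.1.20.52 dstip=203.0.113.10 service=HTTP app="Locky.Botnet" appcat="Botnet" action="pass" msg="Botnet: Locky.Botnet"
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line):
    """Parse one FortiGate key=value log line into a dict, stripping quotes from values."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(4))
            for m in KV_RE.finditer(line)}


def botnet_hits(log_text, app="Locky.Botnet"):
    """Count app-control events for the given signature per source host.

    Returns {srcip: {"block": n, "pass": n}}; hosts with no matching event are absent.
    """
    hits = defaultdict(lambda: {"block": 0, "pass": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("subtype") != "app-ctrl" or rec.get("app") != app:
            continue
        action = "block" if rec.get("action") == "block" else "pass"
        hits[rec["srcip"]][action] += 1
    return dict(hits)


def triage(hits):
    """Classify hosts: a blocked C2 attempt still means an infected host (post #17);
    an allowed one means the policy handling that host lacks the blocking profile."""
    out = []
    for ip in sorted(hits):
        if hits[ip]["pass"]:
            out.append((ip, "C2 allowed, files likely encrypted"))
        else:
            out.append((ip, "C2 blocked, host infected"))
    return out


if __name__ == "__main__":
    for ip, verdict in triage(botnet_hits(SAMPLE_LOGS)):
        print(f"{ip}: {verdict}")
```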
mm729p
New Member
  • Total Posts : 1
  • Scores: 0
  • Reward points: 0
  • Joined: 2016/03/28 17:13:25
  • Status: offline
Re: “Locky” ransomware 2016/03/28 17:17:43 (permalink)
0
Does anyone know the update version this was pushed out in? I am trying to narrow down in our manager the exact signature. I read somewhere that it was under Application Control, but I was not able to verify it there. Any help would be appreciated.
#19
hanmyoehtet
New Member
  • Total Posts : 3
  • Scores: 0
  • Reward points: 0
  • Joined: 2016/02/28 07:34:14
  • Status: offline
Re: “Locky” ransomware 2016/03/28 21:04:49 (permalink)
0
Hi all,
I can't find the Locky.Botnet IPS signature in my IPS signature list. The latest update for IPS is 29/3/2016. How can I verify whether that signature is installed or not? Thanks.
 
#20