Explorer

Solved

“Locky” ransomware

Forum|Forum|10 years ago
February 18, 2016
6 replies
40701 views

Hi guys

I'm definitely not paranoid, but I'm a bit scared of the new "Locky" ransomware. Fortinet has published yesterday a blog post about Locky, but I can't find anything in the AV signature database nor in the IPS for this Locky bastard. Does anyone know which scan engine is able to detect Locky or Dridex?

Thx

Wayne

Best answer by Carl_Wallmark

My old collegue is sitting with a customer as we speak, they got Locky in a word document containing a macro, encrypted 400000 files. He is going to be there all night.... I also want a signature now ;)

Carl_WallmarkAnswer

New Member

My old collegue is sitting with a customer as we speak, they got Locky in a word document containing a macro, encrypted 400000 files. He is going to be there all night.... I also want a signature now ;)

Troubleshooter_73

Explorer

http://blog.fortinet.com/post/a-closer-look-at-locky-ransomware-2

Carl_Wallmark

New Member

Sweet, but cannot find it in my lists. Anyone found it ?

Carl_Wallmark

New Member

I have a custom IPS rule for Locky provided by FortiGuard IPS Team,

If anyone is intressted, please PM me.

But be aware, it´s not a public signature yet, it could produce false positives.

SecurityPlus

Explorer III

I too am curious. I also search for Locky after reviewing this article:

https://blog.fortinet.com/post/a-closer-look-at-locky-ransomware-2

From the tone of the article I assumed that the protection was already in place but I can't find that users are protected. Does anyone know more about this.

Thanks

mm729p

New Member

Does anyone know the update version this was pushed out in? I am trying to narrow down in our manager the exact signature. I read somewhere that it was under Application Control, but I was not able to verify it there. Any help would be appreciated.

hanmyoehtet

New Member

Hi all,

I cant find locky.botnet IPS signature in my IPS signature list. The latest update for IPS is 29/3/2016. How can I verify if that signature is installed or not. Thanks.

MrSinners

New Member

hanmyoehtet wrote:
Hi all,
I cant find locky.botnet IPS signature in my IPS signature list. The latest update for IPS is 29/3/2016. How can I verify if that signature is installed or not. Thanks.

It's not available in the IPS list, it's listed under Application Control. Choose 'Application Override' within an AC profile and search for Locky.

Fahad

New Member

its under botnet check my screenshot attached

locky.jpg

finjoe

New Member

Might be an easier way of doing this but here's what worked for me:

[ol]

Install letsencrypt on a box with tcp/80, tcp/443 open.

Temporarily point the DNS A record of your SSL VPN at the box you're going to run letsencrypt on.

Run letsencrypt-auto -d vpn.yoursite.com and when prompted choose the standalone server option.

Undo step 2 by pointing your DNS A record back at your SSL VPN IP

Grab your pems from /etc/letsencrypt/live/vpn.yoursite.com

[/ol]

FortiGate:

[ol]

System -> Config -> Certificates -> Import -> Local Certificate. Set type to Certificate. For certificate choose cert.pem and for key choose privkey.pem

VPN -> SSL -> Settings. Change Server Certificate.

Repeat process every 90 days

[/ol]

Here is the VPN Encryption Guide if you need any other configuration.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded