- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
“Locky” ransomware
Hi guys
I'm definitely not paranoid, but I'm a bit scared of the new "Locky" ransomware. Fortinet has published yesterday a blog post about Locky, but I can't find anything in the AV signature database nor in the IPS for this Locky bastard. Does anyone know which scan engine is able to detect Locky or Dridex?
Thx
Wayne
Solved! Go to Solution.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a custom IPS rule for Locky provided by FortiGuard IPS Team,
If anyone is intressted, please PM me.
But be aware, it´s not a public signature yet, it could produce false positives.
FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I too am curious. I also search for Locky after reviewing this article:
https://blog.fortinet.com/post/a-closer-look-at-locky-ransomware-2
From the tone of the article I assumed that the protection was already in place but I can't find that users are protected. Does anyone know more about this.
Thanks
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
still I cant find locky at my IPS
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
"Locky.botnet" is an AppControl signature in the Botnet category.
It's probably based on IPS signatures.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok Got it
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks!
If using firmware version 5.4.0 it appears that Lockey.Botnet will be blocked provided we do the following:
1. Security Profile / Application Control, select to block Botnet Category
2. Under the respective Policy & Objects / IPv4 Policy / Policy, activate Application Control Security Profile
Am I missing anything?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes that would do the trick. However adding Locky.bonet as signature override enables you to perform a specific action to this signature instead of blocking the whole botnet category (altough blocking the whole category isn't bad either).
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I saw a site get infected with Locky on Monday. They had the Fortigate Application Control setup to block the Botnet category just as SecurityPlus described in post #16. This blocked Locky from retrieving it's encryption key so it didn't encrypt any files.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mmclaren@oneit.ca wrote:I have this rule set up also, but I've had several instances get through. Does this rule go on inbound or outbound traffic? (Running on an inherited config...)I saw a site get infected with Locky on Monday. They had the Fortigate Application Control setup to block the Botnet category just as SecurityPlus described in post #16. This blocked Locky from retrieving it's encryption key so it didn't encrypt any files.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
terry.miesse wrote:
mmclaren@oneit.ca wrote:I have this rule set up also, but I've had several instances get through. Does this rule go on inbound or outbound traffic? (Running on an inherited config...)I saw a site get infected with Locky on Monday. They had the Fortigate Application Control setup to block the Botnet category just as SecurityPlus described in post #16. This blocked Locky from retrieving it's encryption key so it didn't encrypt any files.
My coworker has experienced the same. App Control & AV Enabled on LAN to WAN with botnet blocked.