Hi guys
I'm definitely not paranoid, but I'm a bit scared of the new "Locky" ransomware. Fortinet has published yesterday a blog post about Locky, but I can't find anything in the AV signature database nor in the IPS for this Locky bastard. Does anyone know which scan engine is able to detect Locky or Dridex?
Thx
Wayne
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C
I have a custom IPS rule for Locky provided by FortiGuard IPS Team,
If anyone is intressted, please PM me.
But be aware, it´s not a public signature yet, it could produce false positives.
FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C
I too am curious. I also search for Locky after reviewing this article:
https://blog.fortinet.com/post/a-closer-look-at-locky-ransomware-2
From the tone of the article I assumed that the protection was already in place but I can't find that users are protected. Does anyone know more about this.
Thanks
still I cant find locky at my IPS
"Locky.botnet" is an AppControl signature in the Botnet category.
It's probably based on IPS signatures.
Ok Got it
Thanks!
If using firmware version 5.4.0 it appears that Lockey.Botnet will be blocked provided we do the following:
1. Security Profile / Application Control, select to block Botnet Category
2. Under the respective Policy & Objects / IPv4 Policy / Policy, activate Application Control Security Profile
Am I missing anything?
Yes that would do the trick. However adding Locky.bonet as signature override enables you to perform a specific action to this signature instead of blocking the whole botnet category (altough blocking the whole category isn't bad either).
I saw a site get infected with Locky on Monday. They had the Fortigate Application Control setup to block the Botnet category just as SecurityPlus described in post #16. This blocked Locky from retrieving it's encryption key so it didn't encrypt any files.
mmclaren@oneit.ca wrote:I have this rule set up also, but I've had several instances get through. Does this rule go on inbound or outbound traffic? (Running on an inherited config...)I saw a site get infected with Locky on Monday. They had the Fortigate Application Control setup to block the Botnet category just as SecurityPlus described in post #16. This blocked Locky from retrieving it's encryption key so it didn't encrypt any files.
terry.miesse wrote:
mmclaren@oneit.ca wrote:I have this rule set up also, but I've had several instances get through. Does this rule go on inbound or outbound traffic? (Running on an inherited config...)I saw a site get infected with Locky on Monday. They had the Fortigate Application Control setup to block the Botnet category just as SecurityPlus described in post #16. This blocked Locky from retrieving it's encryption key so it didn't encrypt any files.
My coworker has experienced the same. App Control & AV Enabled on LAN to WAN with botnet blocked.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1536 | |
1029 | |
749 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.