The rate at which new ransomware currently drops, and the fact that it is getting more aggressive, will turn IT security around completely in 2016.
People who refused to spend money on protection and new technology will suffer. CIOs and IT managers who are afraid of management will have to learn to stand up and defend their position.
Dridex: Tidal waves of spam pushing dangerous financial Trojan, Dick O'Brien, February 16, 2016
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/dridex-financial-trojan.pdf
Locky (crypto-ransomware)
https://medium.com/@networksecurity/locky-ransomware-virus-spreading-via-word-documents-51fcb75618d2#.a1el4mxd4
https://medium.com/@networksecurity/you-your-endpoints-and-the-locky-virus-b49ef8241bea#.cuh2e0i6m
Lock down Office against Locky with GPO
https://medium.com/@networksecurity/it-s-time-to-secure-microsoft-office-be50ec2797e3#.9rqk0ehho
Users will complain, but they will complain even more if it hits you.
http://www.heise.de/security/meldung/Krypto-Trojaner-Locky-wuetet-in-Deutschland-Ueber-5000-Infektionen-pro-Stunde-3111774.html
http://www.faz.net/aktuell/technik-motor/computer-internet/erpresser-virus-locky-verbreitet-sich-rasant-in-deutschland-14080201.html
http://www.microsoft.com/security/portal/threat/Encyclopedia/Entry.aspx?Name=Ransom:Win32/Locky.A
C&C communication is via h00p://195.64.154.14/main.php (deliberately defanged URL).
This threat can create files on your PC, including:
- _Locky_recover_instructions.txt
- _Locky_recover_instructions.bmp
- %temp%\svchost.exe (the Locky binary itself, named after the legitimate Windows service host process)
- [ID][identifier].locky (encrypted files)
It modifies the registry as part of its installation routine, including an entry so that it runs each time you start your PC. The values it stores under its own key, for example:
In subkey: HKEY_CURRENT_USER\Software\Locky
Sets value: "id"
With data: "8C05983C8B06FC65" --> ID of the victim
In subkey: HKEY_CURRENT_USER\Software\Locky
Sets value: "pubkey"
With data: hex:06,02,00,00,00,a4,00,00,52,53,41,31,00,08,00 … --> RSA public key (a CryptoAPI PUBLICKEYBLOB: 06 02 = public key blob, version 2; 00 a4 00 00 = CALG_RSA_KEYX; "RSA1" = RSAPUBKEY magic; 00 08 00 … begins the little-endian key length, 0x800 = 2048 bits)
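An added example (Python, not code from the Microsoft write-up or from this page) that decodes the "pubkey" value: the bytes quoted above are the start of a CryptoAPI PUBLICKEYBLOB, and the header alone already identifies a 2048-bit RSA key-exchange key. Only the public half is on the host, so this value confirms the infection and identifies the key but does not help decrypt anything. The 15 bytes shown on the page are used verbatim; everything the page elides after the "…" (last key-length byte, exponent and modulus) is constructed here so the parser has a complete blob to work on.

```python
# Added example (not from the Microsoft write-up): decode the "pubkey" value
# Locky stores under HKCU\Software\Locky.  The value is a Microsoft CryptoAPI
# PUBLICKEYBLOB: an 8-byte BLOBHEADER, then RSAPUBKEY ("RSA1" magic, key
# length in bits, public exponent) and the modulus in little-endian order.
import struct

# Constants from wincrypt.h
PUBLICKEYBLOB = 0x06
CUR_BLOB_VERSION = 0x02
CALG_RSA_KEYX = 0x0000A400          # stored little-endian as 00 a4 00 00
RSA1_MAGIC = b"RSA1"                # "RSA2" would mark a private-key blob

# The first 15 bytes are exactly the ones quoted above from the registry entry.
PAGE_PREFIX = "hex:06,02,00,00,00,a4,00,00,52,53,41,31,00,08,00"
# Everything the page elides after "..." is CONSTRUCTED here so that the
# parser has a complete blob: last key-length byte, exponent 65537 and a
# dummy 256-byte modulus (high byte 0xff so it really is 2048 bits wide).
CONSTRUCTED_TAIL = b"\x00" + struct.pack("<I", 65537) + bytes(range(256))


def parse_reg_hex(value):
    """Turn a reg-export style 'hex:06,02,...' string into bytes."""
    if value.lower().startswith("hex:"):
        value = value[4:]
    return bytes(int(b, 16) for b in value.replace("\\", "").split(",") if b.strip())


def parse_publickeyblob(blob):
    """Return algorithm, key length, exponent and modulus of a CryptoAPI
    RSA PUBLICKEYBLOB, or raise ValueError if the data is not one (or is
    truncated, as the registry excerpt on this page is)."""
    if len(blob) < 20:
        raise ValueError("only %d bytes: BLOBHEADER + RSAPUBKEY need 20" % len(blob))
    btype, bversion, _reserved, alg = struct.unpack_from("<BBHI", blob, 0)
    magic, bitlen, pubexp = struct.unpack_from("<4sII", blob, 8)
    if btype != PUBLICKEYBLOB or bversion != CUR_BLOB_VERSION:
        raise ValueError("not a CryptoAPI public key blob (type %#x, version %d)" % (btype, bversion))
    if alg != CALG_RSA_KEYX or magic != RSA1_MAGIC:
        raise ValueError("not an RSA key-exchange public key (alg %#x, magic %r)" % (alg, magic))
    modlen = bitlen // 8
    mod_le = blob[20:20 + modlen]
    if len(mod_le) != modlen:
        raise ValueError("modulus truncated: expected %d bytes, got %d" % (modlen, len(mod_le)))
    return {
        "algorithm": "RSA (CALG_RSA_KEYX)",
        "bits": bitlen,
        "exponent": pubexp,
        "modulus": int.from_bytes(mod_le, "little"),
    }


def decode_sample():
    """Parse the page's header bytes followed by the constructed tail."""
    return parse_publickeyblob(parse_reg_hex(PAGE_PREFIX) + CONSTRUCTED_TAIL)


def page_excerpt_is_complete():
    """The 15 bytes quoted on the page alone are not a parseable blob."""
    try:
        parse_publickeyblob(parse_reg_hex(PAGE_PREFIX))
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    info = decode_sample()
    print("%s, %d-bit, e=%d" % (info["algorithm"], info["bits"], info["exponent"]))
```

On a real host, feed the parser the full value exported with reg.exe (reg export "HKCU\Software\Locky" locky.reg) instead of the constructed tail; a blob whose magic is "RSA2" would contain a private key, which Locky does not leave behind.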
It encrypts files with the following extensions:
(alphabetical; the original five-column table is flattened into one list, and ".ms11 (Security copy)" and the file name "wallet.dat" appear exactly as the Microsoft entry lists them)
.123, .602, .3dm, .3ds, .3g2, .3gp, .7z, .aes, .ARC, .asc, .asf, .asm, .asp, .avi, .bak, .bat, .bmp,
.brd, .c, .cgm, .class, .cmd, .cpp, .crt, .cs, .csr, .CSV, .db, .dbf, .dch, .dif, .dip, .djv, .djvu,
.DOC, .docb, .docm, .docx, .DOT, .dotm, .dotx, .fla, .flv, .frm, .gif, .gpg, .gz, .h, .hwp, .ibd, .jar,
.java, .jpeg, .jpg, .js, .key, .lay, .lay6, .ldf, .m3u, .m4u, .max, .mdb, .mdf, .mid, .mkv, .mml, .mov,
.mp3, .mp4, .mpeg, .mpg, .ms11, .ms11 (Security copy), .MYD, .MYI, .NEF, .odb, .odg, .odp, .ods, .odt,
.otg, .otp, .ots, .ott, .p12, .PAQ, .pas, .pdf, .pem, .php, .pl, .png, .pot, .potm, .potx, .ppam, .pps,
.ppsm, .ppsx, .PPT, .pptm, .pptx, .psd, .qcow2, .rar, .raw, .rb, .RTF, .sch, .sh, .sldm, .sldx, .slk,
.sql, .SQLITE3, .SQLITEDB, .stc, .std, .sti, .stw, .svg, .swf, .sxc, .sxd, .sxi, .sxm, .sxw, .tar,
.tar.bz2, .tbk, .tgz, .tif, .tiff, .txt, .uop, .uot, .vb, .vbs, .vdi, .vmdk, .vmx, .vob, .wav, .wb2,
.wk1, .wks, .wma, .wmv, .xlc, .xlm, .XLS, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .zip,
wallet.dat
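An added example (Python, not code from the Microsoft write-up or from this page) that turns the indicators above into a triage script for a directory tree such as a mounted file share: it finds the two ransom notes, the [ID][identifier].locky files, and the not-yet-encrypted files whose extension is on the target list. Because every encrypted file name starts with the infected host's ID (the same value as the "id" registry entry), the set of distinct IDs on a share tells you how many infected hosts have written to it. Assumptions, not from the page: the ID is 16 hex digits (as the quoted "id" value is) and the identifier is another 16; only a subset of the extension list is embedded; the sample tree is constructed; the registry helper is only meaningful on the infected Windows host and returns None elsewhere.

```python
# Added example (not from the Microsoft write-up): triage a directory tree,
# e.g. a mounted file share, for the Locky artefacts listed above: the two
# ransom notes, the [ID][identifier].locky names, and files whose extension
# is on the target list (a SUBSET of the list above is embedded here).
import os
import re
import tempfile

RANSOM_NOTES = {"_Locky_recover_instructions.txt", "_Locky_recover_instructions.bmp"}
# ASSUMPTION: the victim ID is 16 hex digits, like the registry "id" value
# quoted above, and the per-file identifier is another 16 hex digits.
LOCKY_NAME = re.compile(r"^([0-9A-Fa-f]{16})([0-9A-Fa-f]{16})\.locky$")
# Subset of the extension list above (lower-cased); paste in the full list for real use.
TARGETED = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".txt",
            ".jpg", ".zip", ".rar", ".bak", ".sql", ".mdb", ".vmdk", ".pem", ".key"}
TARGETED_NAMES = {"wallet.dat"}


def triage(root):
    """Walk root and classify every file.  Returns the ransom notes found,
    the encrypted files, the distinct victim IDs seen in their names, and
    the not-yet-encrypted files Locky would go after."""
    found = {"ransom_notes": [], "encrypted": [], "victim_ids": set(), "at_risk": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name in RANSOM_NOTES:          # check first: the .txt note is not a target
                found["ransom_notes"].append(path)
                continue
            m = LOCKY_NAME.match(name)
            if m:
                found["encrypted"].append(path)
                found["victim_ids"].add(m.group(1).upper())
                continue
            ext = os.path.splitext(name)[1].lower()
            if ext in TARGETED or name.lower() in TARGETED_NAMES:
                found["at_risk"].append(path)
    return found


def registry_victim_id():
    """On the infected host itself: read HKCU\\Software\\Locky\\id.
    Returns None where there is no Windows registry or no such key."""
    try:
        import winreg
    except ImportError:
        return None
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, r"Software\Locky") as key:
            return winreg.QueryValueEx(key, "id")[0]
    except OSError:
        return None


def build_sample_tree(root):
    """CONSTRUCTED sample share: two folders hit by two different infected
    hosts (the first reuses the victim ID quoted above), one folder untouched."""
    layout = {
        "finance/2015-budget.xlsx": b"x",
        "finance/8C05983C8B06FC65A1B2C3D4E5F60718.locky": b"\x00" * 16,
        "finance/8C05983C8B06FC65FFEEDDCCBBAA9988.locky": b"\x00" * 16,
        "finance/_Locky_recover_instructions.txt": b"!!! IMPORTANT INFORMATION !!!",
        "hr/0123456789ABCDEF0123456789ABCDEF.locky": b"\x00" * 16,
        "hr/_Locky_recover_instructions.bmp": b"BM",
        "hr/readme.txt": b"not encrypted yet",
        "it/setup.exe": b"MZ",
    }
    for rel, data in layout.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)


def run_demo():
    """Build the sample tree in a temp dir, triage it and return a summary."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        found = triage(root)

        def rel(p):
            return os.path.relpath(p, root).replace(os.sep, "/")

        return {
            "ransom_notes": sorted(rel(p) for p in found["ransom_notes"]),
            "encrypted": len(found["encrypted"]),
            "victim_ids": sorted(found["victim_ids"]),
            "at_risk": sorted(rel(p) for p in found["at_risk"]),
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Run triage() against the share root from a clean workstation, not from a suspect host; folders that contain a ransom note have been fully processed, and each distinct victim ID is a host to isolate and check for the HKCU\Software\Locky key and %temp%\svchost.exe.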