Phishing Installs Locky Ransomware

The Network: A leading branded merchandise agency with several locations in the U.S. This problem was at a specific location on the U.S. East Coast.

The Expectation: Prevention defenses are working (Antivirus, Vipre) and monitoring is in place to catch anything that slips through the prevention layer.

The Catch: EventTracker identified a Locky Ransomware infection on a user machine, which could have potentially spread out to the file servers. It also could have spread across the network, leading to downtime on business critical systems and costing the company money.

The Find: The system was targeted with a phishing email containing an attached document. The document advised the recipient to enable macros, which allowed the ransomware to gain access and encrypt files (Infection). A code started to run the moment the user enabled the macros. The Vipre Antivirus package did not catch the infection. The SIEMPhonic analyst proactively checked for Ransomware file extensions at regular intervals and found 13 instances of files with the Locky infected extension (Osiris). The customer was impacted previously with the same variant of ransomware, which had encrypted a large number of files on his file server propagated from a user machine. Fortunately, the customer was able to avoid a similar impact which had previously cost him a lot of time and effort to get the systems back online.

The Fix: Quarantine the infected laptop with an anti-malware tool Rogue Killer. Also re-image the infected laptop before returning to service.

The Lesson: Phishing attacks as a means of installing dynamic ransomware variants remain extremely popular. Make sure your employees are aware and that your team is continuously monitoring for these types of attacks.