Educause Security Discussion mailing list archives
Re: Spam with malicious document attachments
From: Alex Keller <axkeller () STANFORD EDU>
Date: Wed, 24 Feb 2016 05:12:16 +0000
Hi Tony,

We too have observed an uptick in ransomware campaigns but haven't had the chance to study a documented case until recently. On 12-1-2015 we had an undetected Dridex style compromise of a Windows 7 x64 host via infected Word document INVOICE_34347320.doc*. On 2-19-2016 at 5:01AM the same host executed the Locky payload, dumping volume shadow copies, encrypting the vast majority of user files, and leaving behind only the Locky desktop background, decryption instructions, and a registry key. These could be two independent compromises, but we can find no vector for the latter, and are left to speculate that this victim host may have been part of a beta test for Locky, or was initially rooted with Dridex and then retro-fitted with the Locky payload. Unfortunately we have not been able to isolate any netflows to the CNCs that might shed further light on what happened, but suffice to say there is growing evidence to suggest the team behind Dridex unleashed Locky on Monday 2-15-2016 and has enjoyed impressive propagation success in the last week.

Kevin Beaumont with a timely analysis: https://medium.com/@networksecurity/you-your-endpoints-and-the-locky-virus-b49ef8241bea#.splkknxn4

Palo Alto Networks write-up: http://researchcenter.paloaltonetworks.com/2016/02/locky-new-ransomware-mimics-dridex-style-distribution/

Currently the best defense against ransomware is offline or indelible archive backups (a decidedly uncomfortable and de-leveraged position). Beaumont offers some additional defense tactics focused on disabling macros, application whitelisting, and EMET: https://medium.com/@networksecurity/it-s-time-to-secure-microsoft-office-be50ec2797e3#.ny89ikdyd

Best,
Alex

*https://www.virustotal.com/en/file/358f442f3d9b318ffcda1942e1e57b9f607a483400b26d91f7973dc753f61a08/analysis/

Alex Keller
Stanford | Engineering Information Technology
axkeller () stanford edu
(650)736-6421

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Lambert, Tony M
Sent: Tuesday, February 23, 2016 12:10 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Spam with malicious document attachments

Hi folks,

My institution has seen a sharp uptick of SPAM campaigns in the last three months with the intent to infect systems through MS Office document macros. In our case, we've seen many fake invoice documents with malicious macros triggering <5 alerts on VirusTotal.com. These attempts have been consistent with the infection vectors for Dridex and Locky malware variants.

How have other institutions tried mitigating this threat? Thus far we've looked at the following:

* Make MS Office Protected View enabled through GPO
* AppLocker configurations to limit execution of binaries from user security context

Thanks,
--Tony

Tony M Lambert Jr.
Systems Administrator, Information Technology
Volunteer State Community College
X4832, tony.lambert () volstate edu
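The two behaviours this thread describes, a Word document's macro launching a script host and Locky wiping volume shadow copies before encrypting, are both visible in endpoint process-creation telemetry and are cheap to alert on. Below is an added example (not code from either poster): a small triage routine over a constructed pipe-delimited process log; the log format, host names and sample lines are invented for the example, and the shadow-copy pattern covers the usual `vssadmin delete shadows` / `wmic shadowcopy delete` invocations.

```python
"""Flag process-creation events matching the macro-dropper and
shadow-copy-wipe patterns discussed in the thread.
Log format (constructed for this example): time|host|parent_image|image|command_line
"""
import re
from dataclasses import dataclass

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Ransomware families such as Locky destroy restore points this way.
SHADOW_WIPE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)


@dataclass
class Finding:
    rule: str
    host: str
    time: str
    detail: str


def _basename(path: str) -> str:
    """Return the lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def triage(lines):
    """Return one Finding per suspicious event, in log order."""
    findings = []
    for line in lines:
        if not line.strip():
            continue  # skip blank lines
        time, host, parent, image, cmdline = line.rstrip("\n").split("|", 4)
        parent, image = _basename(parent), _basename(image)
        if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
            findings.append(Finding("office-spawns-script-host", host, time,
                                    f"{parent} -> {image}: {cmdline}"))
        if SHADOW_WIPE.search(cmdline):
            findings.append(Finding("shadow-copy-wipe", host, time, cmdline))
    return findings


# Constructed sample log: a normal Word launch, the macro stage, and the wipe.
SAMPLE_LOG = r"""2015-12-01T09:13:40|WS-1187|C:\Windows\explorer.exe|C:\Program Files\Microsoft Office\Office14\WINWORD.EXE|"WINWORD.EXE" /n "C:\Users\jdoe\Downloads\INVOICE_34347320.doc"
2015-12-01T09:14:02|WS-1187|C:\Program Files\Microsoft Office\Office14\WINWORD.EXE|C:\Windows\System32\cmd.exe|cmd.exe /c "C:\Users\jdoe\AppData\Local\Temp\inv.vbs"
2016-02-19T05:01:12|WS-1187|C:\Users\jdoe\AppData\Local\Temp\svchost.exe|C:\Windows\System32\vssadmin.exe|vssadmin.exe Delete Shadows /Quiet /All
2016-02-19T08:30:00|WS-2201|C:\Windows\explorer.exe|C:\Program Files\Microsoft Office\Office14\WINWORD.EXE|"WINWORD.EXE" /n "C:\Users\asmith\Documents\notes.docx"
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"[{f.rule}] {f.host} {f.time}: {f.detail}")
```

Both rules fire for the first host only, which also shows why the parent-child relationship, not the child's name alone, is what separates a macro launch from an ordinary Word session.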