Educause Security Discussion mailing list archives

Re: Spam with malicious document attachments


From: Alex Keller <axkeller () STANFORD EDU>
Date: Wed, 24 Feb 2016 05:12:16 +0000

Hi Tony,

We too have observed an uptick in ransomware campaigns but haven't had the chance to study a documented case until 
recently.  On 12-1-2015 we had an undetected Dridex style compromise of a Windows 7 x64 host via infected Word document 
INVOICE_34347320.doc*. On 2-19-2016 at 5:01AM the same host executed the Locky payload, dumping volume shadow copies, 
encrypting the vast majority of user files, and leaving behind only the Locky desktop background, decryption 
instructions, and a registry key.

These could be two independent compromises, but we can find no vector for the latter, and are left to speculate that 
this victim host may have been part of a beta test for Locky, or was initially rooted with Dridex and then retro-fitted 
with the Locky payload. Unfortunately we have not been able to isolate any netflows to the CNCs that might shed further 
light on what happened, but suffice to say there is growing evidence to suggest the team behind Dridex unleashed Locky 
on Monday 2-15-2016 and has enjoyed impressive propagation success in the last week.

Kevin Beaumont with a timely analysis:
https://medium.com/@networksecurity/you-your-endpoints-and-the-locky-virus-b49ef8241bea#.splkknxn4

Palo Alto Networks write-up:
http://researchcenter.paloaltonetworks.com/2016/02/locky-new-ransomware-mimics-dridex-style-distribution/

Currently the best defense against ransomware is offline or indelible archive backups (a decidedly uncomfortable and 
de-leveraged position).

Beaumont offers some additional defense tactics focused on disabling macros, application whitelisting, and EMET: 
https://medium.com/@networksecurity/it-s-time-to-secure-microsoft-office-be50ec2797e3#.ny89ikdyd

Best,
Alex

*https://www.virustotal.com/en/file/358f442f3d9b318ffcda1942e1e57b9f607a483400b26d91f7973dc753f61a08/analysis/



Alex Keller
Stanford | Engineering
Information Technology
axkeller () stanford edu
(650)736-6421


From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Lambert, Tony M
Sent: Tuesday, February 23, 2016 12:10 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Spam with malicious document attachments

Hi folks,

My institution has seen a sharp uptick of SPAM campaigns in the last three months with the intent to infect systems 
through MS Office document macros. In our case, we've seen many fake invoice documents with malicious macros triggering 
<5 alerts on VirusTotal.com. These attempts have been consistent with the infection vectors for Dridex and Locky 
malware variants. How have other institutions tried mitigating this threat? Thus far we've looked at the following:

* Make MS Office Protected View enabled through GPO
* AppLocker configurations to limit execution of binaries from user security context

Thanks,

--Tony

Tony M Lambert
Jr. Systems Administrator, Information Technology
Volunteer State Community College
X4832, tony.lambert () volstate edu
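Both messages in this thread describe the same two observable behaviours: an invoice document's macro handing off to a script host or shell (the Dridex/Locky delivery pattern Tony asks about), and Locky deleting volume shadow copies before it encrypts (the step Alex saw on the compromised host). The following is an added example, not code from either poster or from any of the linked write-ups. It runs a small process-creation detector over a handful of constructed, Sysmon-style log lines; the `key="value"` layout, the host name `lab-win7` and the path `sample.exe` are assumptions made for the sample, not values from the thread. The shadow-copy rule also covers the `wmic shadowcopy delete` form, which the thread does not mention.

```python
"""Process-creation detector for two macro-ransomware behaviours.

Input lines are constructed, Sysmon-like key="value" records (Sysmon's real
Event ID 1 fields are Image, ParentImage and CommandLine; the keys here are
simplified). Nothing below is taken from a real host.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Office applications whose child processes deserve scrutiny: a document macro
# that launches a shell or script host is the Dridex/Locky invoice pattern.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Interpreters and signed system binaries a macro typically hands off to.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}

# Shadow-copy removal: Locky runs this before encrypting so Previous Versions
# and System Restore cannot recover the files. Matches vssadmin and wmic forms.
SHADOW_DELETE = re.compile(
    r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)",
    re.IGNORECASE,
)

# One key="value" pair; values may contain spaces (Windows paths do).
KV = re.compile(r'(\w+)="([^"]*)"')


@dataclass
class Finding:
    ts: str
    host: str
    rule: str
    detail: str


def parse_line(line: str) -> Dict[str, str]:
    """Split a key="value" record into a dict; unparseable lines give {}."""
    return dict(KV.findall(line))


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, so comparisons ignore case and directory."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: Dict[str, str]) -> List[Finding]:
    """Apply both rules to one parsed event and return every match."""
    findings: List[Finding] = []
    ts, host = ev.get("ts", "?"), ev.get("host", "?")
    image = basename(ev.get("image", ""))
    parent = basename(ev.get("parent", ""))
    cmdline = ev.get("cmdline", "")

    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        findings.append(Finding(ts, host, "office_spawns_script_host",
                                f"{parent} -> {image}: {cmdline}"))
    if SHADOW_DELETE.search(cmdline):
        findings.append(Finding(ts, host, "shadow_copy_deletion", cmdline))
    return findings


def scan(lines: List[str]) -> List[Finding]:
    """Run the detector over a list of log lines, in order."""
    out: List[Finding] = []
    for line in lines:
        ev = parse_line(line)
        if ev:
            out.extend(classify(ev))
    return out


# Constructed sample: Word opened from Explorer (benign), Word spawning its
# print helper (benign), Word spawning cmd.exe (macro hand-off), shadow copies
# deleted by a dropped executable (ransomware prep), and a harmless vssadmin
# listing that must not fire.
SAMPLE_LOG = [
    r'ts="2016-02-19T04:58:40Z" host="lab-win7" image="C:\Program Files\Microsoft Office\Office15\WINWORD.EXE" parent="C:\Windows\explorer.exe" cmdline="WINWORD.EXE /n INVOICE_34347320.doc"',
    r'ts="2016-02-19T04:59:02Z" host="lab-win7" image="C:\Windows\System32\splwow64.exe" parent="C:\Program Files\Microsoft Office\Office15\WINWORD.EXE" cmdline="splwow64.exe 12288"',
    r'ts="2016-02-19T04:59:05Z" host="lab-win7" image="C:\Windows\System32\cmd.exe" parent="C:\Program Files\Microsoft Office\Office15\WINWORD.EXE" cmdline="cmd.exe /c echo constructed-sample"',
    r'ts="2016-02-19T05:01:10Z" host="lab-win7" image="C:\Windows\System32\vssadmin.exe" parent="C:\Users\user\AppData\Local\Temp\sample.exe" cmdline="vssadmin.exe Delete Shadows /All /Quiet"',
    r'ts="2016-02-19T05:05:00Z" host="lab-win7" image="C:\Windows\System32\vssadmin.exe" parent="C:\Windows\System32\cmd.exe" cmdline="vssadmin.exe list shadows"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts} {f.host} [{f.rule}] {f.detail}")
```

The parent/child rule is the one that pays off earliest: it fires at the moment the macro runs, before any payload is fetched, which is why it pairs naturally with the Protected View and AppLocker controls listed above (those stop the hand-off; this tells you when a host got past them). The shadow-copy rule fires late, but on the host in Alex's message it would still have preceded the bulk of the encryption, and it is a near-zero false-positive signal on workstations where nobody legitimately deletes shadow copies.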

