Phishing Installs Locky Ransomware

The Network: A leading branded merchandise agency with several locations in the U.S. This problem was at a specific location on the U.S. East Coast.

The Expectation: Prevention defenses are working (Anti-Virus, Vipre) and monitoring is in place to catch anything that slips through the prevention layer.

The Catch: Netsurion’s SOC analyst identified a Locky ransomware infection on a user machine. Left unchecked, it could have spread to the file servers and across the network, causing downtime on business-critical systems and costing the company money.

The Find: The system was targeted with a phishing email carrying an attached document. The document advised the recipient to enable macros; the moment the user did so, the macro code began running, giving the ransomware a foothold to encrypt files (Infection). The Anti-Virus package did not catch the infection. Netsurion’s SOC analyst proactively checked for ransomware file extensions at regular intervals and found 13 instances of files carrying the Locky variant’s extension (Osiris). The customer had previously been hit by the same ransomware variant, which had propagated from a user machine to the file server and encrypted a large number of files there. This time the customer avoided a repeat of that impact, with its downtime and wasted IT resources.
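The periodic extension sweep described above, as an added example that is not Netsurion’s tooling: it walks a share, flags files carrying Locky extensions, and groups hits by extension and directory so responders know which host or share to isolate. The extensions other than .osiris and the sample share layout (13 encrypted files, matching the count on the page) are constructed for illustration.

```python
"""Sweep a file share for Locky-encrypted files, the check the SOC analyst ran.

Added example, not Netsurion's tooling. The extension list beyond .osiris and
the sample share built by build_sample_share() are constructed for illustration.
"""
import os
import tempfile
from collections import Counter
from pathlib import Path

# Extensions Locky appends to files it encrypts. ".osiris" is the variant named
# in the case study; the others are earlier Locky variants.
LOCKY_EXTENSIONS = {".osiris", ".locky", ".zepto", ".odin", ".thor", ".aesir", ".zzzzz"}

def find_encrypted_files(root, extensions=LOCKY_EXTENSIONS):
    """Walk `root` and return paths whose extension marks a Locky-encrypted file."""
    hits = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            if Path(name).suffix.lower() in extensions:  # case-insensitive match
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)

def sweep(root, extensions=LOCKY_EXTENSIONS):
    """Run one sweep and summarise it: total hits, hits per extension, and the
    directories affected, so responders know which share or host to quarantine."""
    hits = find_encrypted_files(root, extensions)
    by_ext = Counter(Path(h).suffix.lower() for h in hits)
    by_dir = Counter(os.path.relpath(os.path.dirname(h), root) for h in hits)
    return {"alert": bool(hits), "count": len(hits),
            "by_extension": dict(by_ext), "by_directory": dict(by_dir)}

def build_sample_share(root, encrypted=13):
    """Populate `root` with a constructed mix of clean documents and
    `encrypted` Locky-renamed files (13 by default, as found on the page)."""
    finance = Path(root, "finance"); finance.mkdir(parents=True)
    hr = Path(root, "hr"); hr.mkdir()
    for i in range(3):
        (finance / f"budget_{i}.xlsx").write_bytes(b"clean")
    (hr / "handbook.docx").write_bytes(b"clean")
    for i in range(encrypted):
        # Locky replaces the original name with a random-looking one plus its extension.
        (finance / f"{i:032x}.OSIRIS").write_bytes(b"\x00" * 16)
    (hr / "notes.txt.locky").write_bytes(b"\x00" * 16)  # an older variant, for grouping

def demo():
    """Build the sample share in a temporary directory and sweep it once."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_share(root)
        return sweep(root)

if __name__ == "__main__":
    print(demo())
```

In production the sweep would run on a schedule against the real shares and raise an alert whenever `alert` is true, rather than being driven by the constructed sample.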

The Fix: Quarantine the infected laptop using an Anti-Malware tool, then re-image it before returning it to service.

The Lesson: Phishing attacks as a means of installing dynamic ransomware variants remain extremely popular. Make sure employees are aware and continuously trained on social engineering techniques. Netsurion’s Managed Threat Protection provides comprehensive 24/7 monitoring by cybersecurity experts that add defense-in-depth protection.