Locky Virus – Blew Past Vipre – Malwarebytes Ransomware Detected it.

One of our clients got hit with the Locky trojan. It came in an email with a .zip file attached. A couple of employees opened the zip, and within an hour their systems were unresponsive. Below is what the email looked like.

[Screenshot of the suspicious email: the attachment on the left was a .zip, the one on the right a .rtf]

Vipre Premium antivirus is installed on all the machines, but it didn’t detect anything. We submitted the .zip file to Vipre so they could improve their definitions. Vipre’s page for submitting a missed threat:

http://www.vipreantivirus.com/support/submissions/missed-threat.aspx

The virus encrypted the files and left a ransom text file with instructions on who to pay to unlock them. The following page has good info on what to look for.

Locky Virus File Encryption Removal

We found that Malwarebytes Ransomware was able to detect it, but not stop it. Here are some things we learned.

  1. When a user opened the .zip file and the virus started, every file and directory that user had permission to had its contents encrypted.
  2. They had an intranet whose root directory’s permissions were set to “Everyone” so the applications would work, and that root directory had all of its contents infected/encrypted.
  3. OneDrive for Business: the virus encrypted the shared local folder, the encrypted files synced to the cloud storage, and from there the sync carried them to the employee’s home machine, which also synced with that OneDrive, infecting the home machine as well.
  4. Malwarebytes Ransomware detected it but did not stop it.

A few things saved them:

  1. In Active Directory, put users into groups and give those groups the permissions to the directories, instead of granting “Everyone”.
  2. Backups that ran twice a day. When the virus hit at 12:05pm we were able to recover the files from the 7:00am backup.
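The first lesson above (an intranet root granted to “Everyone”, so one infected user could encrypt everything) is the kind of thing you can find before an incident. The script below is an added example and not code from the original post or from any vendor named in it; it walks a share, lists every ACE that gives “Everyone” write, modify or full-control rights, and, only when run with -Remediate, replaces each explicit grant with an equivalent grant to an Active Directory group. The path `D:\Intranet` and the group `CORP\Intranet-Users` are placeholders, and it is assumed to run elevated on the file server.

```powershell
<#
  Added example, not from the original post.
  Audit a directory tree for ACEs granting "Everyone" write-capable rights and,
  with -Remediate, replace each explicit grant with a grant to an AD group.
  Assumptions (placeholders): $Root is the share root, $GroupName is an existing
  domain group, and the script runs in an elevated session on the file server.
#>
param(
    [string]$Root      = 'D:\Intranet',          # hypothetical share root
    [string]$GroupName = 'CORP\Intranet-Users',  # hypothetical AD group
    [switch]$Remediate                           # without it the script only reports
)

# Any of these rights lets a process running as the user change file contents,
# which is exactly what ransomware running under that user's token needs.
$writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl

function Get-EveryoneWriteAces {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.IdentityReference.Value -eq 'Everyone' -and
            $ace.AccessControlType -eq 'Allow' -and
            (($ace.FileSystemRights -band $writeMask) -ne 0)) {
            [pscustomobject]@{
                Path      = $Path
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
                Ace       = $ace
            }
        }
    }
}

# The root itself plus every subdirectory.
$targets = @($Root) + @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue |
                        ForEach-Object { $_.FullName })

$findings = @(foreach ($dir in $targets) { Get-EveryoneWriteAces -Path $dir })

if ($findings.Count -eq 0) {
    Write-Host "No 'Everyone' write grants found under $Root"
    return
}

# Report first; inherited ACEs point back to the parent that actually defines them.
$findings | Select-Object Path, Rights, Inherited | Format-Table -AutoSize

if (-not $Remediate) {
    Write-Host "Re-run with -Remediate to replace explicit grants with $GroupName"
    return
}

foreach ($f in ($findings | Where-Object { -not $_.Inherited })) {
    $acl = Get-Acl -LiteralPath $f.Path

    # Give the group Modify rights, inherited by subfolders and files.
    $groupRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $GroupName,
        [System.Security.AccessControl.FileSystemRights]::Modify,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($groupRule)

    # Drop the explicit Everyone grant. Inherited grants are skipped above; fix
    # those at the directory that defines them, or this Set-Acl would not remove them.
    [void]$acl.RemoveAccessRule($f.Ace)

    Set-Acl -LiteralPath $f.Path -AclObject $acl
    Write-Host "Replaced Everyone grant on $($f.Path) with $GroupName"
}
```

Run it once without -Remediate and read the report; an inherited “Everyone” entry deep in the tree is usually a symptom of a single grant at the share root, which is the one to change. Adding the group before removing “Everyone” keeps the applications that depended on the open permission working through the change, as long as the right users are members of that group.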

I hope this helps someone else out there…


This entry was posted in Security, Tech Support.
