A new variant of ransomware, known as "Locky", has been impacting environments. The resources below provide information on this new threat, as well as techniques for mitigation.
Ransomware-Locky Threat Advisory:
Mitigation techniques for other known ransomware variants:
For more resources, visit the McAfee Knowledge Base and search for VSE/Malware related KBs and visit the VSE Community at:
It's not serious to add it to the AP all the time. And if you think it's also good, why do you not create a package for it, so that we can add it automatically?
From my experience it does not detect the new one. Only the recovery message works, but this is too late.
3) Many false positives on HIPS rules 6010/6011, AP svchost and more...
You are right, the info is just okay for a specific Locky version and it also generates false positives. But if you do not have other security mechanisms which are not signature based, you will not be able to implement proactive protection.
- Access Protection can help - somewhat
- HIPS can help - somewhat
- Siteadvisor can help - somewhat
- Application control can really help.
And yes, all these mechanisms need manpower to implement and support.
We also noticed that many Locky/ransomware variants customers discovered used different files, and so on and so on.
There are other things you can do.
- removing macros with an e-mail gateway
- changing the macro security setting in Office products with GPO, or completely deactivating it.
And YES, it is often not easy and a big technical effort.
There are so many situations where signature-based technology is not able to protect. Signature-based technology is limited; this is a fact.
At the end of the day you can see this information as a hint about cryptolocker, but never as guidance to proactively block cryptolocker. Keep in mind, when cryptolocker is activated you have missed several infection steps, malicious e-mails and malicious downloads from the internet. :-)
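The reply above lists "removing macros with an e-mail gateway" as a non-signature control. As an added illustration (not code from the thread, from McAfee, or from any gateway product), the following Python shows the kind of structural check such a gateway can apply to an Office attachment: it flags OOXML documents that carry a `vbaProject.bin` part or declare a `macroEnabled` content type, and treats legacy OLE binary formats (which this simple check cannot parse) as needing quarantine or deeper inspection. The sample documents it builds are constructed in memory for the demonstration; the function names (`classify_attachment`, `gateway_decision`) and the quarantine policy are assumptions, not a documented product behaviour.

```python
"""Gateway-side structural check for macro-bearing Office attachments (illustrative)."""
import io
import zipfile

# Magic bytes of the legacy OLE compound file container used by .doc/.xls/.ppt
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def classify_attachment(data: bytes) -> str:
    """Return 'macro', 'clean', 'legacy-ole' or 'not-office' for an attachment body."""
    if data.startswith(OLE_MAGIC):
        # Legacy binary formats can hold VBA in an OLE stream; this check does not
        # parse OLE, so the policy below treats them as needing a dedicated parser.
        return "legacy-ole"
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "not-office"
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        # OOXML stores a VBA project as a binary part named vbaProject.bin
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            return "macro"
        # Macro-enabled formats (.docm/.xlsm/...) also declare a distinct content type
        if "[Content_Types].xml" in names:
            content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            if "macroEnabled" in content_types:
                return "macro"
    return "clean"


def gateway_decision(attachment: bytes) -> str:
    """Assumed policy: quarantine anything that carries, or may carry, macros."""
    verdict = classify_attachment(attachment)
    if verdict in ("macro", "legacy-ole"):
        return "quarantine"
    return "deliver"


def build_sample(macro: bool) -> bytes:
    """Constructed minimal OOXML-style zip for the demonstration (not a real document)."""
    main_ct = (
        "application/vnd.ms-word.document.macroEnabled.main+xml"
        if macro
        else "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(
            "[Content_Types].xml",
            f'<Types><Override PartName="/word/document.xml" ContentType="{main_ct}"/></Types>',
        )
        zf.writestr("word/document.xml", "<w:document/>")
        if macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder VBA part
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in [
        ("macro-enabled docx", build_sample(True)),
        ("plain docx", build_sample(False)),
        ("legacy ole", OLE_MAGIC + b"\x00" * 64),
        ("text file", b"hello"),
    ]:
        print(f"{label:20s} -> {classify_attachment(sample):11s} {gateway_decision(sample)}")
```

The check is deliberately structural rather than signature-based: it does not care which Locky variant is inside the macro, only that the attachment can run one, which is the point the reply makes about signature-limited protection.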