shaneh wrote:
Umm...W32/Locky.worm...Description Added 2004-04-20(?). I thought it was ransomware, and a lot more recent than 12 years ago
In addition to what I said earlier, if one reads the links provided in the thread...
From this page https://www.virustotal.com/en/file/17c3d74e3c0645edb4b5145335b342d2929c92dff856cca1a5e79fa5d935fec2/... at VirusTotal dated: 2016-03-17 I see:
Antivirus            Result                          Update
McAfee               Ransomware-Locky                20160317
McAfee-GW-Edition    BehavesLike.Win32.PWSZbot.ch    20160317
Meanwhile I suggest the OP responds to Safeboot's post.
If you have the appropriate admin rights, you could try the powershell Get-RegistryKey cmdlet and search for the existence of the key HKCU:\Software\Locky. It's what Locky does just after it has managed to make an internet connection. Interestingly, it creates this key even before any files get locked up or it gets its encryption key. No internet = no registry key, even though the binary has fired.
If your version of PS doesn't have that cmdlet, then the "Get-ChildItem HKCU:\software" will work as well. Since it's not doing a recursive search for files ending in .locky, rather looking for the specific registry key, it would run quicker across a collection of computers. You could set a variable $result=Get-ChildItem HKCU:\software | where {$_.name -match "locky"}, and if $result.Name = "HKEY_CURRENT_USER\software\Locky"...you have a hit. The lack of the key doesn't necessarily mean locky didn't fire (not in the case of the sample I have), it just hasn't been able to get an encryption key. It's also not proxy aware, so blocking non-proxy outbound http requests can be a saviour (just have to whitelist legit services that do) No key = no encrypt.
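The registry check described in the post above, written out as a reusable PowerShell function. This is an added example, not code from the thread or from McAfee. It goes one step further than the one-liner in the post: HKCU: only maps to the hive of the account running the script, so a remote admin session would never see a logged-on user's key; the function therefore walks HKEY_USERS, which exposes every loaded hive. It assumes PowerShell remoting is enabled and that the caller has local admin rights on each target (both are assumptions, not stated in the thread); the hostnames in the usage line are constructed placeholders.

```powershell
# Added example, not code from the thread. Looks for the HKCU\Software\Locky marker
# key described above in every loaded user hive, not only the hive of the account
# running the script. Assumes PowerShell remoting is enabled and the caller has
# local admin rights on each target (both are assumptions, not stated in the thread).

function Find-LockyMarkerKey {
    [CmdletBinding()]
    param(
        # Computers to check; defaults to the local machine.
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )

    # Runs on each target. HKCU: maps only to the hive of the account executing the
    # script, so a remote admin session would never see a logged-on user's key.
    # HKEY_USERS exposes every hive that is currently loaded, keyed by SID.
    $probe = {
        if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
            New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
        }

        Get-ChildItem -Path 'HKU:\' -ErrorAction SilentlyContinue |
            Where-Object {
                # Keep domain/local user SIDs, skip the *_Classes companion hives
                $_.PSChildName -match '^S-1-5-21-' -and $_.PSChildName -notmatch '_Classes$'
            } |
            ForEach-Object {
                $sid  = $_.PSChildName
                $path = "HKU:\$sid\Software\Locky"
                if (Test-Path -LiteralPath $path) {
                    # Resolve the SID to an account name where the target can do so.
                    try {
                        $account = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                                       [System.Security.Principal.NTAccount]).Value
                    } catch {
                        $account = $sid
                    }
                    [pscustomobject]@{
                        ComputerName = $env:COMPUTERNAME
                        User         = $account
                        KeyPath      = $path
                        # Value names only, to aid triage without assuming their contents.
                        ValueNames   = ((Get-Item -LiteralPath $path).GetValueNames() -join ',')
                    }
                }
            }
    }

    foreach ($target in $ComputerName) {
        try {
            if ($target -ieq $env:COMPUTERNAME) {
                & $probe
            } else {
                Invoke-Command -ComputerName $target -ScriptBlock $probe -ErrorAction Stop
            }
        } catch {
            Write-Warning ("{0}: {1}" -f $target, $_.Exception.Message)
        }
    }
}

# Usage (hostnames are constructed placeholders; no output means no key was found):
# Find-LockyMarkerKey -ComputerName 'WS01','WS02' | Format-Table -AutoSize
```

The function emits one object per hit and nothing when the key is absent, so it can be piped straight into Export-Csv for a fleet sweep. Two limits apply, and the poster's own caveat is the first: no key only means the sample has not reached the point where it creates it, not that it never ran. Second, HKEY_USERS only contains hives that are loaded at the time of the check, so a user who has logged off since the infection will not be visible until their hive is loaded again.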
You are calling the correct number for McAfee Business support in Singapore.
The http://service.mcafee.com/promise Link is indeed for consumer products - as it says at the top of the screen.
The main business customer support site can be found at https://support.mcafee.com
If you let me know your case number I will track it down for you.
4-13749695178 - Malware SR
I opened this case on the 23rd and no one replied.
I assume you mean submitting a malware sample to the labs? If submitted correctly, i.e., zipped and password-protected using the word infected an auto-response should be received almost immediately and then it can be up to 10 days for a final response, in my experience.
If it's the Corporate Support Portal you mean, then I would give them another call or post in your other thread:
I have tried to zip and password-protect it with the password "infected" and was unable to upload the virus file.
I do not know why, which is why I opened a case and posted a question.
But no one bothered to see or reply.
10 days? By the time the update is done my company data would be long gone; that's just one part.
I am having extreme difficulty contacting McAfee for tech support.
1) I can be on hold just to contact McAfee for like 1 hour and then the transfer call waits another 2 hours or more; most of the time I just give up.
2) I have like 2 open cases and McAfee tech don't even bother to follow up, and I have yet to get any call backs from them either.
Resulting in needing to format my users' PCs (for the first case) and restore my server using backups (current case).
Worst is some of my backups are infected, resulting in 1 month of data lost, and of course management isn't happy about it at all.
McAfee still picks up nothing and prevented nothing from happening.
I am using VSE 8.8 by the way and I have always kept it updated, at least on the server side.
The support provided is absolutely unacceptable for enterprise/corporate users.
Before it got merged with Intel I thought it was OK. Now it's totally worse than Symantec.
At least Symantec is slow in resolving the issue, but at least someone is there to listen to your problems and tries to help.
McAfee don't even bother picking up the phone.
And now they still don't bother picking up.
Anyone try to call?
I don't see that Support could do much for you anyway.
I'm not on the Corporate side so I have no knowledge of procedures but would assume, as Locky encrypted files can't be decrypted anyway, that you must format the drives of infected machines and reinstall.
Remind the users of said machines to be more careful in future as to what they click on. No amount of protection can stop infections being allowed in by careless users' deliberate actions.
As far as not being able to submit the file, you could try GetSusp and hopefully it would do it for you. That is listed in the link I gave in my post here:
That link also explains what to do when such a problem is first encountered: do NOT touch any keys or your mouse, power off immediately - at the power switch. Then power on and boot into Safe Mode and try to wind back the clock using System Restore.
If successful, then temporarily disable System Restore to delete the infected restore point.
But in your cases it is too late for that. Format and reinstall is the only way. Encrypted files will be lost.
thanks for posting that, it may protect machines in the future. But users should take care as I mentioned earlier.
hi andyng,
We have also faced this problem at some other customer sites. The McAfee people said there is no way to retrieve the encrypted files. There are some rules to protect against it further; I am attaching the file, which is the Access Protection rule.
PFA
Thanks & regards,
jagadeesh.
I'm sorry you've had such a roller coaster of an experience with this ransomware. If it's any consolation, you aren't alone, thousands of people are victims of this everyday.
The situation with this type of malware, as was pointed out above, is that you have to have prevention in place BEFORE you get the virus. And you can't do this with a DAT based scanner. Detecting it with a DAT happens AFTER we get a sample and add detection (for the most part). (I don't want to belittle the hard work that goes on behind the scenes to proactively detect unknown samples, but it's VERY difficult to do without creating false detections that can sometimes be worse than the virus.)
All that said, we do want you to submit any samples that aren't detected, but understand it will be after the effects of the malware in your environment.
To get ahead of it, you have to stay on top of any preventative measures you can take. There are many moving parts to this, including: Access Protection rules to prevent certain registry/file based actions from happening.
Blocking unknown network traffic with a firewall (both end point and network based firewall).
User education!! This one is one of the best ways, but least reliable. If your users don't click on random stuff they get via email, or web popups, you will drastically reduce your infection rates. You might consider our webprotect product (previously Siteadvisor), that can help dissuade users from clicking on stuff they shouldn't. (I'm sure there is a free version, as well as paid, but I'm no salesman.)
Remember, the malware authors test their viruses against current AV companies, to ENSURE they aren't detected before they try to "deploy" it to the world, so traditional DAT based AV, is limited in what it can do for these rapidly changing variants of ransomware.
Hope that helps, at least a little.
- David
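The firewall item in the list above, and the earlier remark that Locky is not proxy-aware so blocking non-proxy outbound HTTP stops it getting its key, can be put into practice with Windows Firewall egress rules. The following is an added example, not code from the thread or from McAfee. It assumes Windows 8 / Server 2012 or later (the NetSecurity module), an elevated session, and a corporate proxy at 10.0.0.10:8080; that address and port are constructed placeholders.

```powershell
# Added example, not code from the thread. Egress rules so that outbound HTTP/HTTPS
# is only permitted to the corporate proxy, not directly to the internet. Assumes
# Windows 8 / Server 2012 or later (NetSecurity module), an elevated session, and a
# proxy at 10.0.0.10:8080; the address and port are constructed placeholders.

function Set-ProxyOnlyWebEgress {
    [CmdletBinding()]
    param(
        [string]$ProxyAddress = '10.0.0.10',
        [int]$ProxyPort       = 8080
    )

    # Windows Firewall evaluates explicit Block rules ahead of Allow rules, so the
    # proxy must listen on a port other than the ones blocked below; otherwise the
    # block rule would also cut off the proxy itself.
    if ($ProxyPort -in @(80, 443)) {
        throw "Proxy port $ProxyPort overlaps the blocked ports; scope the block rule differently."
    }

    $allowName = 'Allow outbound web traffic to proxy'
    $blockName = 'Block direct outbound HTTP/HTTPS'

    # Allow: only the proxy is reachable, and only on its listening port.
    if (-not (Get-NetFirewallRule -DisplayName $allowName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $allowName -Direction Outbound -Action Allow `
            -Protocol TCP -RemoteAddress $ProxyAddress -RemotePort $ProxyPort `
            -Profile Domain,Private | Out-Null
    }

    # Block: direct HTTP/HTTPS to anything else. A process that ignores the proxy
    # settings (as described in the thread) gets no route out.
    if (-not (Get-NetFirewallRule -DisplayName $blockName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $blockName -Direction Outbound -Action Block `
            -Protocol TCP -RemotePort 80,443 -Profile Domain,Private | Out-Null
    }

    # Return the resulting rules so the caller can confirm both are present and enabled.
    Get-NetFirewallRule -DisplayName $allowName, $blockName |
        Select-Object DisplayName, Direction, Action, Enabled
}

# Usage (run elevated):
# Set-ProxyOnlyWebEgress -ProxyAddress '10.0.0.10' -ProxyPort 8080
```

The earlier poster's caveat about whitelisting legitimate services that talk directly still applies: each such program needs its own Allow rule scoped with the -Program parameter of New-NetFirewallRule, since the block rule above applies to every process. Rolling the same two rules out through Group Policy rather than per machine keeps them consistent across the fleet.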