Reliable Contributor exbrit
Reliable Contributor
Message 11 of 19

Re: Locky


shaneh wrote:

Umm...W32/Locky.worm...Description Added 2004-04-20(?). I thought it was ransomware, and a lot more recent than 12 years ago.

In addition to what I said earlier, if one reads the links provided in the thread...

From this page https://www.virustotal.com/en/file/17c3d74e3c0645edb4b5145335b342d2929c92dff856cca1a5e79fa5d935fec2/... at VirusTotal dated 2016-03-17 I see:

Antivirus            Result                          Update
McAfee               Ransomware-Locky                20160317
McAfee-GW-Edition    BehavesLike.Win32.PWSZbot.ch    20160317

Meanwhile I suggest the OP responds to Safeboot's post.

shaneh
Level 7
Message 12 of 19

Re: Locky

If you have the appropriate admin rights, you could try the PowerShell Get-RegistryKey cmdlet and search for the existence of the key HKCU:\Software\Locky. It's what Locky does just after it has managed to make an internet connection. Interestingly, it creates this key even before any files get locked up or it gets its encryption key. No internet = no registry key, even though the binary has fired.

If your version of PS doesn't have that cmdlet, then "Get-ChildItem HKCU:\software" will work as well. Since it's not doing a recursive search for files ending in .locky, but rather looking for the specific registry key, it would run quicker across a collection of computers. You could set a variable $result=Get-ChildItem HKCU:\software | where {$_.name -match "locky"}, and if $result.Name = "HKEY_CURRENT_USER\software\Locky"...you have a hit. The lack of the key doesn't necessarily mean Locky didn't fire (not in the case of the sample I have); it just hasn't been able to get an encryption key. It's also not proxy aware, so blocking non-proxy outbound HTTP requests can be a saviour (you just have to whitelist legit services that do). No key = no encrypt.
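The one-liner above checks only the hive of whoever runs it. The script below is an added example, not code posted by shaneh or shipped by McAfee; it sweeps a list of hosts over PowerShell Remoting and tests every loaded user hive under HKEY_USERS for the Software\Locky marker key. The host names are constructed placeholders, and it assumes WinRM is enabled and the scanning account is a local administrator on each target. It uses only standard cmdlets (Invoke-Command, Get-ChildItem, Test-Path, Get-ItemProperty); Get-RegistryKey is not one of them.

```powershell
# Added example: remote sweep for the HKU\<SID>\Software\Locky marker key.
# Assumes WinRM/PSRemoting is enabled and the caller is admin on each host.

$computers = @('WKS-001', 'WKS-002')   # constructed placeholders; replace with your inventory

$scanBlock = {
    # Inside a remote session HKCU: is the *scanning* account's hive, not the
    # logged-on victim's, so walk every loaded hive under HKEY_USERS instead.
    # Hives of users who are not logged on are not loaded and will not be seen.
    $systemSids = @('.DEFAULT', 'S-1-5-18', 'S-1-5-19', 'S-1-5-20')
    $hits = @()

    foreach ($hive in Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue) {
        $sid = $hive.PSChildName
        # Skip the *_Classes hives and the well-known service-account hives
        if ($sid -match '_Classes$' -or $sid -in $systemSids) { continue }

        $keyPath = "Registry::HKEY_USERS\$sid\Software\Locky"
        if (Test-Path -Path $keyPath) {
            # Capture the values under the key so the analyst has something to triage
            $values = Get-ItemProperty -Path $keyPath -ErrorAction SilentlyContinue |
                      Select-Object -Property * -ExcludeProperty PS*
            $hits += [pscustomobject]@{
                Computer = $env:COMPUTERNAME
                UserSid  = $sid
                Key      = $keyPath
                Values   = ($values | Out-String).Trim()
            }
        }
    }
    # Return the hit list (an empty array means no marker key on this host)
    $hits
}

$results = Invoke-Command -ComputerName $computers -ScriptBlock $scanBlock -ErrorAction Continue

if ($results) {
    $results | Format-Table -Property Computer, UserSid, Key -AutoSize
} else {
    Write-Output "No Locky marker key found on $($computers.Count) host(s)."
}
```

As shaneh notes, a missing key is not proof the host is clean: the sample writes the key only after it reaches the internet, so a machine that executed the binary behind a blocked egress path will show nothing here. Treat a hit as an immediate isolate-and-investigate signal, and treat a miss as "not confirmed", not "not infected".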

Reliable Contributor SafeBoot
Reliable Contributor
Message 13 of 19

Re: Locky

You are calling the correct number for McAfee Business support in Singapore.

The http://service.mcafee.com/promise link is indeed for consumer products, as it says at the top of the screen.

The main business customer support site can be found at https://support.mcafee.com

If you let me know your case number I will track it down for you.

andyng
Level 7
Message 14 of 19

Re: Locky

4-13749695178 - Malware SR

I opened this case on the 23rd and no one replied.

Reliable Contributor exbrit
Reliable Contributor
Message 15 of 19

Re: Locky

I assume you mean submitting a malware sample to the labs? If submitted correctly, i.e., zipped and password-protected using the word "infected", an auto-response should be received almost immediately, and then it can be up to 10 days for a final response, in my experience.

If it's the Corporate Support Portal you mean, then I would give them another call or post in your other thread: 

andyng
Level 7
Message 16 of 19

Re: Locky

I have tried to zip and password it with the password "infected" and was unable to upload the virus file.
I do not know why, which is why I opened a case and posted a question.
But no one bothered to see or reply.

10 days? By the time the update is done my company data would be long gone. That is just one part.

I am having extreme difficulty contacting McAfee for tech support:
1) I can be on hold just to get through to McAfee for like 1 hour and then the transferred call waits another 2 hours or more. Most of the time I just give up.

2) I have like 2 open cases and McAfee tech don't even bother to follow up, and I have yet to get any call backs from them either.

This resulted in needing to format my users' PCs (for the first case) and restore my server using backups (current case).
Worst is some of my backups are infected, resulting in 1 month of data lost, and of course the management isn't happy about it at all.

McAfee still picks up nothing and prevented nothing from happening.
I am using VSE 8.8 by the way, and I have always kept it updated, at least on the server side.

The support provided is absolutely unacceptable for enterprise/corporate users.

Before it got merged with Intel I thought it was OK. Now it's totally worse than Symantec.
At least Symantec is slow in resolving the issue, but at least someone is there to listen to your problems and tries to help.
McAfee don't even bother picking up the phone.

And now they still don't bother picking up.
Anyone try to call?

Reliable Contributor exbrit
Reliable Contributor
Message 17 of 19

Re: Locky

I don't see that Support could do much for you anyway.

I'm not on the Corporate side so I have no knowledge of procedures but would assume, as Locky encrypted files can't be decrypted anyway, that you must format the drives of infected machines and reinstall.

Remind the users of said machines to be more careful in future as to what they click on. No amount of protection can stop infections being allowed in by careless users' deliberate actions.

As far as not being able to submit the file, you could try GetSusp and hopefully it would do it for you. That is listed in the link I gave in my post here: 

That link also explains what to do when such a problem is first encountered: do NOT touch any keys or your mouse; power off immediately, at the power switch. Then power on and boot into Safe Mode and try to wind back the clock using System Restore.

If successful, then temporarily disable System Restore to delete the infected restore point.

But in your cases it is too late for that. Format and reinstall is the only way. Encrypted files will be lost.

Thanks for posting that; it may protect machines in the future. But users should take care, as I mentioned earlier.

Re: Locky

Hi andyng,

We are also facing this problem at some other customer sites. The McAfee people told us there is no way to retrieve the encrypted files. There are some rules to protect against it in future; I am attaching the file, that is, the Access Protection rule.

PFA

ransomeware.png

Thanks & regards,

jagadeesh.

McAfee Employee dmeier
McAfee Employee
Message 19 of 19

Re: Locky

I'm sorry you've had such a roller coaster of an experience with this ransomware. If it's any consolation, you aren't alone; thousands of people are victims of this every day.

The situation with this type of malware, as was pointed out above, is that you have to have prevention in place BEFORE you get the virus. And you can't do this with a DAT-based scanner. Detecting it with a DAT happens AFTER we get a sample and add detection (for the most part). (I don't want to belittle the hard work that goes on behind the scenes to proactively detect unknown samples, but it's VERY difficult to do without creating false detections that can sometimes be worse than the virus.)

All that said, we do want you to submit any samples that aren't detected, but understand it will be after the effects of the malware in your environment.

To get ahead of it, you have to stay on top of any preventative measures you can take. There are many moving parts to this, including: Access Protection rules to prevent certain registry/file-based actions from happening.

Blocking unknown network traffic with a firewall (both endpoint and network-based firewall).

User education!! This one is one of the best ways, but least reliable. If your users don't click on random stuff they get via email or web popups, you will drastically reduce your infection rates. You might consider our webprotect product (previously SiteAdvisor), which can help dissuade users from clicking on stuff they shouldn't. (I'm sure there is a free version as well as paid, but I'm no salesman.)

Remember, the malware authors test their viruses against current AV companies to ENSURE they aren't detected before they try to "deploy" it to the world, so traditional DAT-based AV is limited in what it can do for these rapidly changing variants of ransomware.

Hope that helps, at least a little.

- David
