18 Replies Latest reply on Apr 7, 2016 10:41 AM by dmeier Branched from an earlier discussion.

    Locky

    andyng

      I am very unlucky. One of my users opened a ransomware called Locky.
      I have been trying very hard to contact McAfee. The first time I called, 30 min first-level support opened a case,
      waited another 30 min, no engineer picking up, so I hung up and updated the case. What's worse is that after 4 hours no one actually bothered to reply.
      The person logged it as a SEV 3 case when my company data is almost gone *clap clap* well done, when I thought Symantec was worse.
      It is at least a SEV 2 case; that's why I called in, right?

      Then when I contacted the http://service.mcafee.com/promise team they said they support consumer products and not enterprise, which makes me wonder which is the more expensive and higher-end product.

      The number I called? 800 130 1587, and the useless promise team kept referring me to this number.

        • 1. Re: Locky
          Peter M

          Renamed your post "Locky" and moved it to Malware Discussion > Corporate User Assistance as that appears to be the best place for it.

           

          ---

          Peter

          Moderator

          • 2. Re: Locky
            Peter M

            If you call support for assistance with malware then they will naturally direct you to their Virus Removal Service which comes at a premium charge.

            All malware vendors have the same procedures.

            There are other sources if you Google Locky or do a search within this website.

            This for starters:  Intel ProTip for Malware: Combatting Ransomware Locky

            • 3. Re: Locky
              Peter M

              Here's a removal guide from Malwaretips which is a reputable website:  Remove Locky ransomware (Virus Removal Guide)

              • 4. Re: Locky
                catdaddy

                Thanks Mate, I had overlooked this one, I now have it in my arsenal!

                • 5. Re: Locky
                  andyng

                  I have tried Malwarebytes but it doesn't actually work, either because it's free or because the Locky is probably a mutated one.

                  I have found a way to quickly identify users who are infected with Locky, stop Locky from encrypting, and back up the files, but for servers it will be too late
                  as users might inform us after their files are gone.

                  Which is why I wish to request McAfee to update its virus
                  definitions, but it seems like I'm always being ignored.

                  My point of the above post is how slow it is to get any support from McAfee.

                  To stop Locky from encrypting, disconnect the PC from the internet (duh? since Locky gets its private key from the internet; reference: https://blog.malwarebytes.org/intelligence/2016/03/look-into-locky/)

                  Once disconnected, run this command on the root drive to check if the user has .locky files.
                  Use an administrator account to avoid missed detection of the virus due to folder permissions.
                  dir /a *locky* /s

                  Or you can save this as a .bat to search (it checks every drive letter that exists and lists .locky files recursively, including hidden ones, then waits so the output can be read):

                  @echo off
                  for %%d in (a b c d e f g h i j k l m n o p q r s t u v w x y z) do (
                      if exist "%%d:\" (
                          dir /a %%d:\*.locky /s
                      )
                  )
                  pause

                  It is faster than using the GUI search.

                  After that, back up the files that are not encrypted and format the PC, since we do not know where it might be hiding.

                  I do not know how well the above from Malwaretips does, but so far the method I'm using works.

                  Lucky for this case I have my backups, which were not encrypted, and was able to restore for the servers; for user local data, just save as much as possible.

                  Yes, half of the company data was encrypted within a few hours; if only McAfee worked faster maybe it could have prevented a few more users from getting the malware.

                  I emailed to open a case with FortiMail, as I am using that as my email firewall; within minutes they updated the virus definition and prevented further Locky and spam from coming in.

                  • 6. Re: Locky
                    Peter M

                    Malwarebytes can be installed, updated and run all in "Safe Mode with Networking", which should solve the above snag you hit whilst trying it.

                    See if anything here helps:

                    Anti-Spyware/Malware & Hijacker Tools

                    • 7. Re: Locky
                      Peter M

                      Regarding the labs covering it, they did ages ago:  W32/Locky.worm - Malware - McAfee Labs Threat Center

                       

                      See Locky Ransomware DAT?

                      • 8. Re: Locky
                        shaneh

                        If you have the appropriate admin rights, you could try the PowerShell Get-RegistryKey cmdlet and search for the existence of the key HKCU:\Software\Locky. It's what Locky does just after it has managed to make an internet connection. Interestingly, it creates this key even before any files get locked up or it gets its encryption key. No internet = no registry key, even though the binary has fired.

                        If your version of PS doesn't have that cmdlet, then "Get-ChildItem HKCU:\software" will work as well. Since it's not doing a recursive search for files ending in .locky, rather looking for the specific registry key, it would run quicker across a collection of computers. You could set a variable $result=Get-ChildItem HKCU:\software | where {$_.name -match "locky"}, and if $result.Name = "HKEY_CURRENT_USER\software\Locky"...you have a hit. The lack of the key doesn't necessarily mean Locky didn't fire (not in the case of the sample I have), it just hasn't been able to get an encryption key. It's also not proxy aware, so blocking non-proxy outbound HTTP requests can be a saviour (you just have to whitelist legit services that do). No key = no encrypt.
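                        The two indicators raised in this thread, the .locky file sweep from post 5 and the HKCU:\Software\Locky key from post 8, combined into one PowerShell triage function. This is an added example written for this page, not code posted by either participant or shipped by McAfee. It assumes an elevated PowerShell 3.0 or later session (for the -File switch on Get-ChildItem), uses only Test-Path and Get-ChildItem rather than the Get-RegistryKey cmdlet mentioned above, and does detection only: it reports, it does not delete or clean anything. The computer names in the fleet usage line are constructed placeholders.

```powershell
# Added example, not from the original thread. Assumptions: elevated session,
# PowerShell 3.0+, local run (or run on each host via Invoke-Command).
function Test-LockyIndicators {
    [CmdletBinding()]
    param(
        # Drive roots to sweep for *.locky; default is every filesystem drive,
        # mirroring the a..z loop in the batch file from post 5.
        [string[]]$ScanRoots = (Get-PSDrive -PSProvider FileSystem | ForEach-Object { $_.Root }),
        # Cap hits per root: a handful is enough to confirm, and a full sweep is slow.
        [int]$MaxFileHits = 20
    )

    # 1. Cheap check first: the exact key post 8 describes, for the user running this.
    #    Exact path rather than -match "locky", so an unrelated key containing the
    #    substring is not reported as a hit.
    $currentUserKey = Test-Path -LiteralPath 'HKCU:\Software\Locky'

    # 2. The same key under every loaded user hive. HKCU only covers the user running
    #    the script, and under remoting that is the admin, not the victim, so HKU is
    #    the hive to look at when this runs fleet-wide. (Assumption: hives of users
    #    who are not logged on are not loaded and are therefore not inspected.)
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    $hivesWithKey = @(
        Get-ChildItem -Path 'HKU:\' -ErrorAction SilentlyContinue |
            Where-Object { Test-Path -LiteralPath "HKU:\$($_.PSChildName)\Software\Locky" } |
            ForEach-Object { $_.PSChildName }
    )

    # 3. Slow check: encrypted files. -Force includes hidden/system entries, like
    #    "dir /a" in post 5; errors on unreadable folders are skipped, which is why
    #    the poster advises running as an administrator.
    $fileHits = @(
        foreach ($root in $ScanRoots) {
            Get-ChildItem -Path $root -Filter '*.locky' -Recurse -Force -File -ErrorAction SilentlyContinue |
                Select-Object -First $MaxFileHits -ExpandProperty FullName
        }
    )

    # A missing key does not prove the machine is clean (post 8's caveat), so the
    # verdict is only ever "suspicious", never "clean".
    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        CurrentUserKey      = $currentUserKey
        UserHivesWithKey    = $hivesWithKey
        EncryptedFileSample = $fileHits
        Suspicious          = ($currentUserKey -or $hivesWithKey.Count -gt 0 -or $fileHits.Count -gt 0)
    }
}

# Usage (single machine):  Test-LockyIndicators | Format-List
# Usage (fleet, constructed host names):
#   Invoke-Command -ComputerName PC01,PC02 -ScriptBlock ${function:Test-LockyIndicators}
```

                        The registry check runs in milliseconds and is the one to push across many hosts first; the file sweep confirms a hit and gives the list of encrypted paths for the restore-from-backup step. Because the key is written before encryption starts, a host with UserHivesWithKey populated but an empty EncryptedFileSample is exactly the one to pull off the network immediately.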

                        • 9. Re: Locky
                          shaneh

                          Umm...W32/Locky.worm...Description Added 2004-04-20(?).  I thought it was ransomware, and a lot more recent than 12 years ago
