Ran Combofix After Some Weird Behavior.
If you have decided to reinstall the programs you removed, let me know and don't run the script. That still provides good protection against Locky style attacks. I paid, after some hours and refreshing the page multiple times, I could download some file named lockyDecoder_F8DE44E44FE.... .exe.
The .doc file has a macro virus (surprise surprise) and a trojan downloader; later (after about 2 hours) the desktop background changes to a picture with payment instructions. Office 365's AV system did not catch it, nor did desktop AV. But today, when I check that PC's RegEdit, every hour or so .locky folders still pop up in there. By the time we discovered whose machine it was, it did a nice job of searching out all the file shares that had poor permission sets on them. :(
[–]winstonw0w:
[–]GantryZ, 11 months ago: Had a client get this yesterday, encrypted desktop/documents and a bunch of folders on a network share. We need to work on this together with confidence. Please copy and paste all logs into your post unless directed otherwise. Thanks
[–]Jessica721, 10 months ago: Like other types of ransomware, Locky ransomware is mainly spread via spam emails. No loss except some miscellaneous gibberish.lockys on the infected workstation (Must have been dog pictures, otherwise it would be on the home drive, right?).
The business owner launched the virus, so owner eats the blame and pays the bill. If you are not this user, do NOT follow these directions as they could damage the workings of your system.* Please open Notepad (Click Start -> Run -> type notepad in erase all temporary files.
[–]DeejayCa, 10 months ago: A client of mine got in via email as a ZIP attachment containing a .JS file.
I killed the process, shut down her session, and the infection stopped.
[–]beachbumz, 10 months ago: It would be nice if ransomware targeted companies that were deserving of this kind of karma. I'm digging through a shared mailbox she uses, which includes hundreds of legit attachments from people all over the world, so their English is often broken in the message body.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
- PS: the .doc file (the same invoice thing, perfect English in the email body) appears safe when scanned with antivirus or Malwarebytes.
- [–]disc0mbobulated, 11 months ago: Yeah, that's about how encrypting goes too: apparently random locations, no logic.
- [–]ratz12, 11 months ago: Good to know.
I'm trying to figure out how it got in.
[–]lawrenceabrams, 11 months ago: Put up an article on Locky here. McAfee knew nothing about it outside of hearsay... Users were not local administrators, not by a long shot :)
[–]disc0mbobulated, 11 months ago: Damn.. Go figure.
http://www.bleepingcomputer.com/news/security/the-locky-ransomware-encrypts-local-files-and-unmapped-network-shares/ I am pretty sure Fabian of Emsisoft is taking a look and seeing if it can be cracked. Thanks. The zipped file contained UUE1234567890.js (number sequence hidden).
This frustrates me. I don't know if it's because I have movies or music or I just use my computer a lot that keeps doing this, but I just cannot figure. Oddly, Microsoft Endpoint Protection shut it down while it was executing. I was outside much of the day as well as running errands. The purpose of the following ComboFix script is to clean up the leftovers after you ran the Adobe cleanup tool.
Instructions shown here.
Sophos is now detecting it, finally. I am therefore unable to create an AVP file as the program will not launch.
[–]Alexbeav, 11 months ago: I had to deal with a Locky infection today, so here is my report, hopefully this helps someone: At 08:28, I received an e-mail
No infection of the files. I know this is a stupid question, but should we consider paying that 1.00 bitcoin to those "hackers" or (if there is any) search for another option? Closed Word, and all of his documents were suddenly renamed to hex format file names. The odd thing was that it did not go over the whole C-drive at first.
grrrr! The Microsoft Malware Protection Center (MMPC) has investigated the following file(s) which we received on 2/16/2016 3:34:43 AM Pacific Time. The computer itself will be formatted and returned to User 2. Those shares can be encrypted by Locky also, even if they're not mapped to a drive letter (like H:\ or some such).
Exchange server malware scan - passed. Once the infected computer was removed from the network, the virus stopped encrypting any more files. Some people claim the virus deletes itself from the infected machine after the first reboot, I'm tempted to believe that since I found no trace of it and was suspecting the
WARNING: From what I gather, it comes disguised as an invoice, ours came with the subject Subject: ATTN: Invoice. It says there is a bill to pay... This is what I did. Although Sumatra is now my default PDF reader, the problem I referred to in a previous topic, with some images formatted in Word, makes me think that it should be good. It requested him to enable macros.
Attach it to your next post. Attach a ComboFix log, please review and follow these instructions carefully. Before saving ComboFix to Desktop, please rename ComboFix to something like 123.exe to stop malware from Please do not re-run any programs I suggest.
[–]Slvrwrx02, 11 months ago: My company got hit bad yesterday. I was more interested from an RE perspective on if there were other artifacts in the sample.
hjsetime at gmail
[–]kumarakhil1608, 11 months ago: Many computers are hit in the organization with this virus.