Wednesday, 17 February 2016 15:00

Dridex diversifies into Ransomware

By Ray Shaw

The operators of the virulent financial Trojan Dridex have branched out into Ransomware – they hope to get ‘Locky’.

Proofpoint, a next-generation security company, found the malware on 16 February. Its researchers found new ransomware named ‘Locky’ being distributed via MS Word documents containing malicious macros.

It stands out because it is being delivered by the same actor behind many of the Dridex campaigns (see the earlier iTWire report) that Proofpoint has tracked over the last year.

In this campaign, messages from random senders with the subject "ATTN: Invoice J-12345678" deliver an attachment "invoice_J-12345678.doc". The attachments are MS Word documents containing macros which download and install the Locky ransomware. The botnet (a group of infected machines running a spam bot) delivering the spam is the same botnet that distributes the vast majority of messages bearing the Dridex banking Trojan.

The ransomware encrypts files based on their extension and uses Notepad to display the ransom message. It also replaces the desktop background with the ransom message. If the user visits the .onion (or tor2web) links given in the ransom message, they are instructed to buy Bitcoins, send them to a specified Bitcoin address, and then refresh the page and wait for the decryptor download. There is no guarantee that the key will be provided if you pay.

At this stage antivirus coverage is limited, and once your files are encrypted you will lose them unless you have a recent backup.

It is mainly aimed at corporate targets. Sysadmins should check whether files with a .locky extension have appeared on network shares. If so, look at the file owner of the on_Locky_recover_instructions.txt file dropped in each folder: that is the account under which the ransomware ran. Lock the owner's Active Directory user and computer accounts immediately and take the machine off the network. The only cure is to rebuild the PC from scratch.
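The share check described above, written out as a PowerShell script. This is an added example, not code from the iTWire article or from Proofpoint; the UNC paths are placeholders, the ransom-note file name is taken as the article gives it, and it assumes it is run on the file server with the ActiveDirectory and SmbShare modules available.

```powershell
# Added example, not code from the article: scan shares for Locky artefacts,
# report which account owns them, and optionally disable those AD accounts.
# Assumptions: placeholder UNC paths; ActiveDirectory and SmbShare modules
# available; run on the file server so Get-SmbSession can map user to client.
param(
    [string[]]$Shares = @('\\FILESERVER01\Finance', '\\FILESERVER01\Shared'),  # placeholders
    [switch]$DisableOwners   # off by default: report only
)

$noteName = 'on_Locky_recover_instructions.txt'   # ransom-note name as given in the article

# Find encrypted files and ransom notes across the shares.
$hits = foreach ($share in $Shares) {
    Get-ChildItem -Path $share -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -eq '.locky' -or $_.Name -eq $noteName }
}
if (-not $hits) { Write-Host 'No Locky artefacts found on the scanned shares.'; return }

# The NTFS owner of a file the malware created is the account it ran under.
$byOwner = $hits | ForEach-Object {
    [pscustomobject]@{
        Owner   = (Get-Acl -LiteralPath $_.FullName).Owner
        Path    = $_.FullName
        Written = $_.LastWriteTime
    }
} | Group-Object Owner

foreach ($g in $byOwner) {
    $first = $g.Group | Sort-Object Written | Select-Object -First 1
    Write-Host ('{0}: {1} files, earliest {2}, e.g. {3}' -f $g.Name, $g.Count, $first.Written, $first.Path)
    # Map the owning user to the client machine(s) it is connected from (file server only).
    Get-SmbSession -ErrorAction SilentlyContinue |
        Where-Object ClientUserName -eq $g.Name |
        ForEach-Object { Write-Host ('  session from {0}' -f $_.ClientComputerName) }
}

if ($DisableOwners) {
    Import-Module ActiveDirectory
    foreach ($g in $byOwner) {
        if ($g.Name -like 'BUILTIN\*' -or $g.Name -like 'NT AUTHORITY\*') { continue }  # skip built-ins
        $sam  = ($g.Name -split '\\')[-1]                  # DOMAIN\user -> user
        $user = Get-ADUser -Filter "SamAccountName -eq '$sam'" -ErrorAction SilentlyContinue
        if ($user) { Disable-ADAccount -Identity $user; Write-Host "Disabled $($g.Name)" }
    }
}
```

Run it without -DisableOwners first to review the owner list; the session lines identify which client machine to pull off the network.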

Sysadmins should configure Microsoft Office so that macros are disabled by default. This will also protect against Dridex.


Ray Shaw

Ray Shaw has had a passion for IT ever since building his first computer in 1980. He is a qualified journalist, hosted a consumer IT radio program on ABC radio for 10 years, has developed world-leading software for the events industry and is smart enough to no longer own a retail computer store!
