Our Network Remediation Team Manager, Andrew Leiterman, flagged a suspicious email in the early afternoon on Wednesday, August 9th. We now know that this was part of a large malware campaign utilizing phishing emails to distribute a new variant of Locky Ransomware.
We immediately set about sandboxing the file to observe just what it was. Our initial review did not yield any matches in any signature database, so live detonation was needed.
The email included a compressed attachment containing a VBS script.
Included in the script were URLs from which the payload was downloaded:
Upon download, the file executed and encrypted files on our test machine, appending a .diablo6 extension to each encrypted file.
It also included an HTML file with instructions on how to pay the ransom and obtain a decryption key.
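A gateway-side check for this delivery mechanism (a compressed attachment wrapping a script), added here as an example rather than code from the original post or from either product discussed; the message it inspects is constructed inline, and the extension list and function names are this example's own assumptions:

```python
"""Mail-gateway check: flag a zip attachment that contains a Windows script.
Parses an RFC 822 message, opens each zip in memory and reports any member
whose extension the Windows Script Host would run. Message is constructed."""
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions Windows runs via the script host (or mshta) on double-click; assumed list.
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta"}


def scripts_in_zip(data: bytes) -> list[str]:
    """Return archive member names with a script extension ([] if not a zip)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist()
                    if os.path.splitext(n)[1].lower() in SCRIPT_EXTENSIONS]
    except zipfile.BadZipFile:
        return []


def flag_message(raw: bytes) -> list[tuple[str, str]]:
    """Return (attachment, member) pairs for every script inside a zip attachment."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(".zip"):
            for member in scripts_in_zip(part.get_payload(decode=True)):
                hits.append((name, member))
    return hits


def build_sample(member: str = "invoice_0809.vbs") -> bytes:
    """Construct a test message whose zip holds one harmless placeholder file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, "' placeholder content, not the campaign's script\r\n")
    msg = EmailMessage()
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="invoice_0809.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for attachment, script in flag_message(build_sample()):
        print(f"QUARANTINE: {attachment} contains script {script}")
```

A real gateway would also look inside nested archives and other container formats; this version covers only a single zip level.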
We first tested against Cylance running an older agent version:
It should be noted that CylancePROTECT Version 1400 was released in October of 2016. By comparison, Version 1450 is the latest and was released just last month. So the agent used for our testing is older and outdated (but still effective).
The policy on this machine was set for execution control, file watcher, and script control alerting. The initial attempt to open the script triggered a script control alert:
Had this policy been set to block malicious scripts, prevention would have occurred right here, before the script could execute at all.
We were interested to see if Cylance would detect this using the File Watcher service, and it did not disappoint:
Once again, Cylance prevented a zero-day threat, even with older AI models. The File Watcher service quarantined the malicious files before execution.
We next performed the same test behind a SonicWall with a Capture ATP subscription.
We were pleased to see that SonicWall Capture ATP also detected the file as malicious and prevented the download:
Before any signatures could be pushed by vendors, SonicWall was able to actively protect customers with a Capture ATP subscription.
At the time of this writing the only known way to decrypt these files is by paying the ransom. Otherwise, files will need to be restored from backup.
Our customers utilizing CylancePROTECT and Capture ATP with our best practice settings are protected from this new form of ransomware. In previous posts on this blog we have warned that ransomware distribution via zero-day threats will continue to increase and is the new normal. Please see our other posts that discuss best practices and countermeasures you can employ to protect your valuable assets.