Diablo6 Locky Ransomware In The Wild: Unable to Evade Next-Generation Security

Discovery

Our Network Remediation Team Manager, Andrew Leiterman, flagged a suspicious email in the early afternoon on Wednesday, August 9th. We now know that this was part of a large malware campaign utilizing phishing emails to distribute a new variant of Locky Ransomware.

Detection of Diablo6

We immediately sandboxed the attachment to see what it actually did. Hash and signature lookups returned nothing, so live detonation was needed.

The email included a compressed attachment containing a VBS script.

Phishing Email Containing Ransomware

The script contained the URLs from which it downloads its payload:

Script Links to Malicious Download
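When a zipped VBS lure like this lands, the first triage step is to pull the download URLs out of the script without running it. The following is an added example of that static triage and is not code from the original post; the zip member name, the script body, and the URLs it assembles are constructed for illustration and are not the campaign's real attachment or infrastructure. The sample script hides its URLs behind split string literals and Chr() calls, which is what the deobfuscation pass undoes.

```python
"""Static triage of a zipped VBS downloader: pull out its download URLs
without running it.

Added example; not code from the original post. The zip member name, the
script body and the URLs it builds are constructed for illustration and are
not the campaign's real attachment or infrastructure.
"""
from __future__ import annotations

import io
import re
import zipfile

# Constructed sample VBS that assembles its URLs from split string literals
# and Chr() calls, a common trick for hiding indicators from simple greps.
SAMPLE_VBS = r'''
Dim u1, u2
u1 = "http://" & "example" & Chr(46) & "invalid/load" & Chr(46) & "php"
u2 = "http://second.example.invalid/a" + "bc.exe"
Set x = CreateObject("MSXML2.XMLHTTP")
x.Open "GET", u1, False
x.Send
'''

CHR_RE = re.compile(r"Chr\(\s*(\d+)\s*\)", re.IGNORECASE)
JOIN_RE = re.compile(r'"([^"]*)"\s*[&+]\s*"([^"]*)"')
URL_RE = re.compile(r"""https?://[^\s"']+""", re.IGNORECASE)
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf")


def build_sample_zip() -> bytes:
    """Pack SAMPLE_VBS into an in-memory zip so the example runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice_12345.vbs", SAMPLE_VBS)
    return buf.getvalue()


def resolve_chr(src: str) -> str:
    """Turn Chr(n) into the equivalent quoted literal so it can be joined.
    Chr(34) (a double quote) and codes above 255 are left untouched to keep
    the literal grammar simple."""
    def repl(m: re.Match) -> str:
        code = int(m.group(1))
        if code > 255 or chr(code) == '"':
            return m.group(0)
        return f'"{chr(code)}"'
    return CHR_RE.sub(repl, src)


def join_literals(src: str) -> str:
    """Collapse "a" & "b" (or "a" + "b") into "ab" until nothing changes."""
    prev = None
    while prev != src:
        prev = src
        src = JOIN_RE.sub(lambda m: f'"{m.group(1)}{m.group(2)}"', src)
    return src


def extract_urls(script: str) -> list[str]:
    """Return the unique URLs present after string deobfuscation, in order."""
    cleaned = join_literals(resolve_chr(script))
    urls: list[str] = []
    for url in URL_RE.findall(cleaned):
        if url not in urls:
            urls.append(url)
    return urls


def defang(url: str) -> str:
    """Make an indicator safe to paste into a ticket or report."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


def triage_attachment(zip_bytes: bytes) -> dict[str, list[str]]:
    """Map each script-like member of the zip to the URLs it references.
    Nothing is executed; the members are only read as text."""
    found: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if name.lower().endswith(SCRIPT_EXTS):
                text = zf.read(name).decode("utf-8", errors="replace")
                found[name] = extract_urls(text)
    return found


if __name__ == "__main__":
    for member, urls in triage_attachment(build_sample_zip()).items():
        print(member)
        for url in urls:
            print("   ", defang(url))
```

The recovered, defanged URLs are what you block at the proxy or firewall and hand to the sandbox team; a script that builds URLs at runtime from Chr() or Mid() calls the regexes cannot reduce still needs a real detonation, as the post goes on to do.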

Once downloaded, the payload executed and encrypted the files on our test machine, giving each encrypted file a .diablo6 extension.

Desktop background for Diablo6 Locky Variant

It also dropped an HTML file with instructions on how to pay the ransom and obtain a decryption key.

HTML file with instructions on how to pay the ransom and obtain a decryption key
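The two artifacts described above, files carrying the .diablo6 extension and the HTML ransom note left beside them, are what you hunt for on file shares and endpoints once a detonation like this confirms the behavior. The following is an added example of that sweep and is not code from the original post. The .diablo6 extension and the HTML note come from the post; the ransom-note keywords, the entropy threshold, and the sample directory tree are assumptions made for this example. The entropy check separates files that were actually encrypted from ones that were merely renamed, so a triage count is not inflated by test files or partial runs.

```python
"""Hunt a file tree for Diablo6 artifacts: files with the .diablo6 extension
and the HTML ransom note dropped beside them.

Added example; not code from the original post. The .diablo6 extension and the
HTML note come from the post; the ransom-note keywords, the entropy threshold
and the sample directory tree are assumptions made for this example.
"""
from __future__ import annotations

import math
import os
import tempfile
from collections import Counter
from pathlib import Path

ENCRYPTED_EXT = ".diablo6"
NOTE_EXTS = (".htm", ".html", ".txt")
NOTE_KEYWORDS = ("decrypt", "private key")   # assumed; tune to the real note text
ENTROPY_THRESHOLD = 7.0                       # bits/byte; random-looking data sits near 8


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty or single-valued input, 8.0 max."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: Path, sample_bytes: int = 4096) -> bool:
    """Distinguish genuinely encrypted content from a merely renamed file."""
    with path.open("rb") as fh:
        return shannon_entropy(fh.read(sample_bytes)) >= ENTROPY_THRESHOLD


def is_ransom_note(path: Path) -> bool:
    """Heuristic match on the note's wording (keywords are an assumption)."""
    if path.suffix.lower() not in NOTE_EXTS:
        return False
    try:
        text = path.read_text(errors="ignore").lower()
    except OSError:
        return False
    return all(k in text for k in NOTE_KEYWORDS)


def hunt(root: Path) -> dict:
    """Walk root and bucket findings; the per-directory counter shows where
    the encryption ran, which is where the note gets dropped."""
    report: dict = {"encrypted": [], "renamed_only": [], "notes": [], "dirs": Counter()}
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        if p.suffix.lower() == ENCRYPTED_EXT:
            if looks_encrypted(p):
                report["encrypted"].append(p)
                report["dirs"][p.parent] += 1
            else:
                report["renamed_only"].append(p)
        elif is_ransom_note(p):
            report["notes"].append(p)
    return report


def build_sample_tree(base: Path) -> Path:
    """Constructed share layout: two hit directories, one benign HTML file,
    and one .diablo6 file that is only renamed (low entropy), not encrypted."""
    finance, hr = base / "share" / "finance", base / "share" / "hr"
    finance.mkdir(parents=True)
    hr.mkdir(parents=True)
    (finance / "a.diablo6").write_bytes(os.urandom(8192))
    (finance / "b.diablo6").write_bytes(os.urandom(8192))
    (finance / "readme.html").write_text(
        "<html>Your files are encrypted. To decrypt them buy the private key.</html>")
    (hr / "c.diablo6").write_bytes(os.urandom(8192))
    (hr / "index.html").write_text("<html>Welcome to HR</html>")
    (hr / "renamed.diablo6").write_bytes(b"plain text, not encrypted\n" * 400)
    return base / "share"


def demo() -> dict:
    """Run the hunt over the constructed tree and return a summary."""
    with tempfile.TemporaryDirectory() as tmp:
        r = hunt(build_sample_tree(Path(tmp)))
        worst = r["dirs"].most_common(1)
        return {
            "encrypted": len(r["encrypted"]),
            "renamed_only": len(r["renamed_only"]),
            "notes": len(r["notes"]),
            "worst_dir": worst[0][0].name if worst else None,
        }


if __name__ == "__main__":
    print(demo())
```

Point hunt() at a mounted share or a user profile; the directory with the highest count is usually where the infected account had write access, which narrows down which machine to isolate. Keep the note keywords as a tunable, since the exact wording varies between Locky variants.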

Prevention Testing

At this point we knew what we had and needed to test against the two defense controls we are currently recommending to our customers for zero-day prevention: Cylance and SonicWall Capture ATP.

We first tested against Cylance running an older agent version:

CylancePROTECT Version 1.2.1400.39

It should be noted that CylancePROTECT version 1400 was released in October of 2016. By comparison, version 1450 is the latest and was released just last month. So the agent used for our testing is older and outdated (but still effective).

The policy on this machine enabled execution control, File Watcher, and Script Control, with Script Control set to alert rather than block. The initial attempt to open the script was alerted on by Script Control:

Script Control

Had this policy been set to block malicious scripts, prevention would have occurred right here, before any execution could have been performed.

We were interested to see if Cylance would detect this using the File Watcher service, and it did not disappoint:

Cylance File Watcher Quarantine

Once again Cylance prevented a zero-day threat, even with these older AI models: the File Watcher service quarantined the malicious files before they could execute.

We next performed the same test behind a SonicWall with a Capture ATP subscription.

We were also pleased that SonicWall Capture ATP detected the file as malicious and prevented the download:

Capture ATP Malicious File Alert

Before any signatures could be pushed by vendors, SonicWall was able to actively protect customers with a Capture ATP subscription.

Conclusions

At the time of this writing, no free decryptor exists for these files; the only known way to decrypt them is to pay the ransom. Otherwise, files will need to be restored from backups the malware could not reach.

Our customers utilizing CylancePROTECT and Capture ATP with our best practice settings are protected from this new form of ransomware. In previous posts on this blog we have warned that ransomware distribution via zero-day threats will continue to increase and is the new normal. Please see our other posts that discuss best practices and countermeasures you can employ to protect your valuable assets.
