NetFort Tips & Tricks - Monitoring Locky Ransomware on your network

Towards the end of last week, a Locky Ransomware campaign sent more than
23 million messages out across the US in one of the largest attacks in
the second half of 2017, according to a post from AppRiver.

LANGuardian has a number of mechanisms that will help you identify possible Locky Ransomware activity on your network.
 
1. Use E-mail Monitor to quickly identify all users who received a message with any one of these subject lines:
  • please print
  • documents
  • photo
  • images
  • scans
  • pictures
Run the E-mail :: Emails by Subject report using the subject lines above.

2. Use Email Monitor/DPI decoder for SMTP messages to report on any .ZIP attachments.

To check for specific e-mail attachments, use the Attachment Name field of the E-mail :: SMTP Events (Emails with Attachments) report. By looking at the attachment fields you can quickly identify whether a .zip attachment was detected.
 
3. Monitor DNS traffic for queries relating to Ransomware domains.
 
Run the report Services :: Network Events (DNS Lookups) and customize the report further to filter the results by Domain greatesthits.mygoldmusic.com to show any clients trying to access this domain.
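The three checks above, applied to constructed log lines as an added Python illustration (not code from this post or from LANGuardian): the record layout, field names and client addresses are assumptions; the subject list and the domain are the indicators given above.

```python
import re

# Indicators taken from the tips above: lure subject lines (matched exactly,
# case-insensitively) and the DNS domain to watch for.
LOCKY_SUBJECTS = {"please print", "documents", "photo", "images", "scans", "pictures"}
LOCKY_DNS_DOMAINS = {"greatesthits.mygoldmusic.com"}

# Constructed sample records; the "key=value" layout is an assumption,
# not the real export format of the E-mail Monitor or DNS Lookups reports.
SMTP_EVENTS = [
    "2017-08-29T09:12:01 client=10.1.2.33 from=billing@example.net subject=Documents attachment=E_2017-08-29_0912.zip",
    "2017-08-29T09:15:44 client=10.1.2.40 from=hr@example.org subject=Quarterly report attachment=Q3.pdf",
    "2017-08-29T09:20:10 client=10.1.2.51 from=someone@example.com subject=please print attachment=",
]
DNS_EVENTS = [
    "2017-08-29T09:13:02 client=10.1.2.33 query=greatesthits.mygoldmusic.com",
    "2017-08-29T09:13:05 client=10.1.2.40 query=www.example.org",
]

# A value runs until the next " key=" token, so subjects may contain spaces.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")

def parse_event(line):
    ts, _, rest = line.partition(" ")
    fields = dict(FIELD_RE.findall(rest))
    fields["ts"] = ts
    return fields

def subject_matches(subject):
    return subject.strip().lower() in LOCKY_SUBJECTS

def is_zip(name):
    return name.lower().endswith(".zip")

def dns_hit(qname):
    q = qname.lower().rstrip(".")  # tolerate case and a trailing root dot
    return any(q == d or q.endswith("." + d) for d in LOCKY_DNS_DOMAINS)

def triage(smtp_lines, dns_lines):
    """Return {client_ip: [reasons]} for every client hitting at least one indicator."""
    findings = {}
    def flag(client, reason):
        findings.setdefault(client, []).append(reason)
    for ev in map(parse_event, smtp_lines):
        if subject_matches(ev.get("subject", "")):
            flag(ev.get("client", "?"), f"subject '{ev['subject']}' is on the Locky lure list")
        if is_zip(ev.get("attachment", "")):
            flag(ev.get("client", "?"), f"received .zip attachment {ev['attachment']}")
    for ev in map(parse_event, dns_lines):
        if dns_hit(ev.get("query", "")):
            flag(ev.get("client", "?"), f"DNS lookup for {ev['query']}")
    return findings
```

A client that trips more than one indicator (lure subject, .zip attachment and the DNS lookup) is the one to look at first.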

If you have any questions about Locky Ransomware, or indeed any aspect of LANGuardian, please contact us on support@netfort.com at any time.

To view all of our archived tips & tricks emails, visit our community forum here.

Aisling Brennan, Official Rep

Posted 10 months ago