NetFort Tips & Tricks - Monitoring Locky Ransomware on your network

Towards the end of last week, a Locky Ransomware campaign sent more than
23 million messages out across the US in one of the largest attacks in
the second half of 2017, according to a post from AppRiver.

LANGuardian has a number of mechanisms which will help you identify possible Locky Ransomware on your network. 
1. Use E-mail Monitor to quickly identify all users who received a message with any one of these subject lines:
  • please print
  • documents
  • photo
  • images
  • scans
  • pictures
Run the E-mail :: Emails by Subject report using the subject lines above.

2. Use the E-mail Monitor/DPI decoder for SMTP messages to report on any .ZIP attachments.

To check for specific e-mail attachments, use the Attachment Name field of the E-mail :: SMTP Events (Emails with Attachments) report. The attachment fields show quickly whether a .zip attachment was detected.

3. Monitor DNS traffic for queries relating to Ransomware domains.
Run the report Services :: Network Events (DNS Lookups) and customize the report further to filter the results by Domain to show any clients trying to access this domain.

If you have any questions about Locky Ransomware, or indeed any aspect of LANGuardian, please contact us on at any time.

To view all of our archived tips & tricks emails, visit our community forum here.

Aisling Brennan, Official Rep


Posted 2 years ago
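
Steps 1 and 2 of the post can be correlated offline once the e-mail report data is exported. The script below is an added example, not NetFort code: the CSV column names and the sample rows are assumptions constructed for illustration, and only the subject lines come from the post. Hosts of the "high" recipients are the ones to look up first in the DNS report from step 3.

```python
import csv
import io

# Subject lines listed in the post for this Locky campaign.
LURE_SUBJECTS = {"please print", "documents", "photo", "images", "scans", "pictures"}

# Constructed sample data. Column names are assumptions for this example,
# not LANGuardian's actual report export format.
SAMPLE_EXPORT = """recipient,subject,attachment_name
alice@example.com,Documents,IMG_4821.zip
bob@example.com,please print ,invoice.pdf
carol@example.com,Q3 documents for review,q3.zip
dave@example.com,Scans,scan_0091.ZIP;logo.png
erin@example.com,Lunch on Friday?,
"""


def has_zip(attachment_field):
    """True if any attachment name in a ';'-separated field ends in .zip."""
    names = (n.strip().lower() for n in attachment_field.split(";"))
    return any(n.endswith(".zip") for n in names)


def triage(export_text):
    """Return (recipient, priority, reasons) for every message worth a look.

    priority is "high" when a lure subject and a .zip attachment coincide,
    otherwise "review" when only one of the two indicators is present.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        reasons = []
        # Normalise case and stray whitespace before comparing subjects.
        if (row["subject"] or "").strip().lower() in LURE_SUBJECTS:
            reasons.append("lure subject")
        if has_zip(row["attachment_name"] or ""):
            reasons.append(".zip attachment")
        if reasons:
            priority = "high" if len(reasons) == 2 else "review"
            findings.append((row["recipient"], priority, reasons))
    # High-priority recipients first, so their hosts get checked first.
    return sorted(findings, key=lambda f: f[1] != "high")


if __name__ == "__main__":
    for recipient, priority, reasons in triage(SAMPLE_EXPORT):
        print(f"{priority:6} {recipient:20} {', '.join(reasons)}")
```

Subjects are matched exactly after normalisation, so an ordinary message such as "Q3 documents for review" is only listed for review because of its .zip attachment.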
