Lockdown Locky

October 20, 2017

Locky is the latest in an ever-increasing range of ransomware threats used by cyber criminals in an expanding and increasingly lucrative market. What makes Locky special is that it appears to have come from the same group behind several large Dridex campaigns, showing that they are possibly diversifying their range of attacks.

The Locky strain has been observed in the Avecto malware labs and by other researchers spreading via Word documents attached to phishing emails. These typically look like invoices and come from a variety of domains. So far, the campaign seems to be very successful and well-orchestrated with a global impact across all industries.

Figure 1: Locky Phishing Email

When the user enables the macros in the malicious document, the Locky executable is dropped in the user's temporary directory and executed. It then renames and encrypts all of the user's documents, changes the wallpaper to a ransom demand, and also attempts to silently delete backup shadow copies of the filesystem.

Figure 2: Locky Ransom Demand

The problem for traditional security solutions trying to prevent threats such as Locky is that they rely on detecting the threat in order to prevent it. Even if a detection solution could catch 99 out of 100 threats, it only takes one instance of Locky going unnoticed to inflict serious damage. In the case of Locky, it took most AV vendors days to catch up.

So how can Defendpoint help?

Defendpoint is designed to handle unknown, undetectable threats in a straightforward and proactive way. When the user downloads an unknown email attachment, clicks a malicious link or opens a document from the internet, the content is seamlessly isolated in a Sandbox. This ensures that the malicious document and any exploits are unable to access the user's private data, preventing it from being stolen or encrypted.

As well as the secure isolation provided by Defendpoint's Sandbox, it also provides a unique context for Application Control. We know that content originating from untrusted external sources should not be launching new applications or running Windows tools such as PowerShell. This makes it easy to block any payloads or scripts dropped to disk within the Sandbox, without limiting the user's ability to run applications or access these tools.

This is, of course, all made possible by the fact that Defendpoint provides a least-privilege environment with several secure anti-tamper features, which prevents the circumvention of security measures by both malware and rogue users.
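As an added example that is not part of the original post or Avecto's product, the following Python detection logic encodes the behaviour described above (a macro dropping an executable into the user's temp directory and running it, that payload deleting shadow copies, and a document launching a tool such as PowerShell) and runs it over constructed process-creation records. The record format, the sample events and the use of vssadmin/wmic for shadow-copy deletion are assumptions.

```python
"""Added example (not Avecto/BeyondTrust code): detection rules for the Locky
behaviour described in the post, run over constructed process-creation records.
Assumptions: the simplified 'key=value|key=value' log format, and vssadmin/wmic
as the shadow-copy deletion method (the post only says the copies are deleted)."""
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
TEMP_PATH = re.compile(r"\\appdata\\local\\temp\\", re.I)
SHADOW_DELETE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)

# Constructed sample events: a macro dropping and running an executable from
# %TEMP%, that executable wiping shadow copies, a benign Word launch, and a
# document spawning PowerShell.
SAMPLE_LOG = [
    "pid=4120|parent_image=C:\\Program Files\\Microsoft Office\\WINWORD.EXE"
    "|image=C:\\Users\\alice\\AppData\\Local\\Temp\\dropped.exe|command_line=dropped.exe",
    "pid=4188|parent_image=C:\\Users\\alice\\AppData\\Local\\Temp\\dropped.exe"
    "|image=C:\\Windows\\System32\\vssadmin.exe"
    "|command_line=vssadmin.exe Delete Shadows /All /Quiet",
    "pid=4200|parent_image=C:\\Windows\\explorer.exe"
    "|image=C:\\Program Files\\Microsoft Office\\WINWORD.EXE|command_line=WINWORD.EXE",
    "pid=4250|parent_image=C:\\Program Files\\Microsoft Office\\WINWORD.EXE"
    "|image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|command_line=powershell.exe",
]

def parse(line):
    """Split one record into a field dict (constructed key=value|... format)."""
    return dict(kv.split("=", 1) for kv in line.split("|"))

def classify(ev):
    """Return the names of every rule the event matches (empty list = benign)."""
    parent = ev.get("parent_image", "").rsplit("\\", 1)[-1].lower()
    image = ev.get("image", "")
    child = image.rsplit("\\", 1)[-1].lower()
    hits = []
    if parent in OFFICE_PARENTS and TEMP_PATH.search(image):
        hits.append("office_dropped_temp_exe")     # macro-dropped payload ran
    if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
        hits.append("office_spawned_script_host")  # document launching tools
    if SHADOW_DELETE.search(ev.get("command_line", "")):
        hits.append("shadow_copy_deletion")        # backup destruction
    return hits

def scan(lines):
    """Return (pid, matched rules) for every record that trips a rule."""
    events = (parse(line) for line in lines)
    return [(ev["pid"], h) for ev in events for h in [classify(ev)] if h]
```

The same three rules are the ones an application-control policy would enforce as blocks rather than alerts: nothing spawned by an Office process that is opening untrusted content should be allowed to launch from the temp directory or start a script host.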

What happens when Locky tries to run on a Defendpoint protected endpoint?

It’s stopped dead in its tracks: the payload is contained within the Sandbox and prevented from launching. When the user next logs off, the Sandbox is regenerated and all traces of the malware are wiped from the disk.

Figure 3: Application Control Blocks Payload in Sandbox

All of this occurs without detection or analysis, so it works just as well for present-day attacks as for future ones.

So if you want to start getting ahead of malware threats and safeguarding your endpoints, start thinking proactively and learn that prevention is possible.

James Maude

James Maude is the Lead Cyber Security Researcher at BeyondTrust’s Manchester, U.K., office. James has broad experience in security research, conducting in-depth analysis of malware and cyber threats to identify attack vectors and trends in the evolving security landscape. His background in forensic computing and active involvement in the security research community makes him an expert voice on cybersecurity. He regularly presents at international events and hosts webinars to discuss threats and defense strategies.
