An Israeli defence contractor using a combination of ReSec Technologies and IronScales has managed to spot and defeat an attempt to infect computers with the Locky ransomware. The story came to light when IronScales issued a press release detailing what had happened.
According to the release, cybercriminals launched a well-planned and sophisticated spear phishing attack against the domain administrators of one of Israel’s largest defence contractors. The attack was crafted to hit the files of a single individual and then use their network privileges and connections to find and encrypt as many machines and files as possible.
Dotan Bar Noy, CEO and Co-founder of ReSec said: “This attack was meticulously planned by professionals for some time now. However, once it was flagged by an IronScales user, we disarmed it. Our client’s preparation and internal security policies, as well as integration between ReSec and IronScales, kept the organization secure and prevented the potential encryption of extremely sensitive information.”
Locky success down to well crafted spear phishing
The success of Locky lies in its use of spear phishing with very believable attachments that persuade users to allow macros to run. In this case the security policies would have caught the request to enable macros, and as a network administrator the user would also have had a much higher awareness of the threat. Had the target been a user in accounts or someone in sales, the result may have been different.
The news that Locky was detected and blocked will be welcome to many companies. However, the devil is in the detail of this release. While the security companies concerned are busy high-fiving themselves, a careful reading shows that this is as much about the preparation and internal security policies as it is about the security products in use. It also relied on the user becoming suspicious of the email and activating IronScales.
In the press release Rami W., the organization’s CISO, made the point: “As one of Israel’s largest defence system manufacturers and developers, employee awareness training is a routine part of our cyber security procedures. The employee had a minor suspicion that caused him to act as required, activating the IronScales solution by using the built-in phishing report button.
“That action snatched the email and sent it to the ReSec platform that was able to send back a clean version of the file without the risk and identify the threat. The IronScales solution, in turn, initiated an immediate mitigation process to make sure the malicious attachment no longer resided in other employees’ mailboxes. This is a perfect example when a complete circle of protection worked.”
At the end of February Forcepoint published a list of domains that Locky would use during March and disclosed the Domain Generation Algorithm (DGA) that the authors were using. It would be interesting to know whether IronScales or ReSec Technologies were already tracking the DGA or whether they detected Locky through other mechanisms.
Is Locky ransomware infection rate hype?
The effectiveness of Locky is something that has everyone worried. This is why news of a successful mitigation will appeal to everyone. However, some of the numbers around the rate of Locky infections are being questioned.
Earlier this month there were claims that there could be as many as 3m Locky infections. This is based on numbers from McAfee and Fortinet. However, as this story shows, Locky attacks tend to be very well crafted, and that requires time and research rather than the shotgun approach the numbers suggest.
According to Steve Ward at iSIGHT partners: “While Locky ransomware infections have affected a significant number of devices, the estimate of three million is almost certainly not an accurate representation. This figure appears to be based on a beacon count rather than the actual number of Locky infections, potentially multiplying the infection count several times.
“We have observed the delivery methods reported, as well as deliveries by Neutrino Exploit kit. Locky is likely operated by the same actors managing Dridex botnets and, barring law enforcement intervention, will highly likely remain a significant threat for the long-term.”
What matters is that while security companies dispute the spread of Locky, those affected by it have no option but to pay up.
It is not often that security companies issue joint press releases, and this one shows the benefit of using solutions that are properly integrated. The fact that the two solutions were able to pass the infected email and document between them, clean it and then resolve the threat without requiring complex work by the customer is good news.