Firewall Block Will Not Stop Ransomware

We're blocking a new Zepto (Locky) campaign for our customers. This one gets around firewall blocking that some thought would be a silver bullet against ransomware. That technique is so last week.

Looks Like Previous Campaigns

This week's Locky / Zepto campaign looks, at least on the surface, much like previous ones we've blocked for our customers and blogged about. It's a new combination of subject, message, attachment type, file naming, etc. Here's a partially-redacted example:

From
voicemail@<yourdomain>
Subject
[Vigor2820 Series] New voice mail message from xxxxxxxxxxx on 2016/09/08 18:50:39
Message Body
Dear support : There is a message for you from xxxxxxxxxxx, on 2016/09/08 18:50:39 . You might want to check it when you get a chance. Thanks!
Attachment
Message_from_xxxxxxxxxxx.wav.zip

Obviously, the attachment is not a zipped WAV (audio) file. It is a zipped Windows Script File (WSF) that downloads a DLL which, in turn, runs the Zepto / Locky executable and encrypts files on your system, and possibly on other machines reachable from it on your network.

"xxxxxxxxxxx" is a series of random characters that changes with each email.

No Command & Control Server

What's different about this Locky / Zepto variant is that it no longer needs to communicate with a Command & Control (C&C) server to start the encryption process. It's all done on your local machine, so you can’t defeat it by using your firewall to block communication with known C&C servers.

Instead, the executable generates a random AES key that encrypts your files, and an RSA public key embedded in the executable encrypts that AES key. No network round trip is needed for any of this.

The server that receives your ransom payment supposedly has the matching RSA private key, which decrypts your unique AES key so you can recover your files.

Don't Whitelist Your Own Domain

Note the envelope FROM address uses the recipient's email domain. This is another example of why it is dangerous to whitelist entire domains, especially your own. Spammers know that's a common practice and take advantage of it. If the recipient had whitelisted their own domain, this dangerous email would have bypassed spam filtering entirely and been delivered.

For more on that topic, see our blog about Whitelisting Dangers.
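Two of the tells in this campaign can be checked mechanically at the mail gateway: a ".wav.zip" attachment whose archive actually contains a script file, and a sender address that claims the recipient's own domain. The following is an added example written for this post, not code from the original campaign or from our filtering product; the sample message it builds is constructed (the WSF inside it is an inert placeholder comment, not the real downloader), and it uses the header From as a stand-in for the SMTP envelope sender, which is what a real gateway would check.

```python
import io
import os
import zipfile
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Extensions that should never turn up inside an attachment claiming to be audio.
SCRIPT_EXTENSIONS = {".wsf", ".js", ".jse", ".vbs", ".vbe", ".hta", ".exe", ".scr", ".dll"}


def build_sample_message() -> bytes:
    """Constructed lookalike of the voicemail lure; the archive holds a harmless placeholder."""
    archive = io.BytesIO()
    with zipfile.ZipFile(archive, "w") as zf:
        zf.writestr("Message_from_xxxxxxxxxxx.wsf", "<!-- placeholder, not a real script -->")
    msg = EmailMessage()
    msg["From"] = "voicemail@example.com"   # spoofs the recipient's own domain
    msg["To"] = "support@example.com"
    msg["Subject"] = "[Vigor2820 Series] New voice mail message"
    msg.set_content("Dear support : There is a message for you.")
    msg.add_attachment(archive.getvalue(), maintype="application", subtype="zip",
                       filename="Message_from_xxxxxxxxxxx.wav.zip")
    return msg.as_bytes()


def scripts_inside_zip(data: bytes) -> list[str]:
    """Names inside the archive whose extension is a script or executable type."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [n for n in zf.namelist()
                if os.path.splitext(n)[1].lower() in SCRIPT_EXTENSIONS]


def sender_uses_recipient_domain(msg: EmailMessage) -> bool:
    """True when the sender domain equals the recipient domain (self-domain spoofing)."""
    from_domain = parseaddr(msg["From"] or "")[1].rpartition("@")[2].lower()
    to_domain = parseaddr(msg["To"] or "")[1].rpartition("@")[2].lower()
    return bool(from_domain) and from_domain == to_domain


def triage(raw: bytes) -> dict:
    """Run both checks over a raw message and report the findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {"self_domain_sender": sender_uses_recipient_domain(msg), "hidden_scripts": []}
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(".zip"):  # look past the ".wav" decoy into the real archive
            findings["hidden_scripts"] += scripts_inside_zip(part.get_payload(decode=True))
    findings["suspicious"] = findings["self_domain_sender"] or bool(findings["hidden_scripts"])
    return findings
```

A gateway that quarantines on `suspicious` would have stopped this lure even with the recipient's own domain on a whitelist, because the whitelist check should never run before these checks do.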