Hi all,
One of my clients just got hit with the latest and greatest crypto-locker variant, which has the very cute name of "Locky" and is very effective. It does the same thing as previous iterations and more. It attacks more file types, and it will attack network shares, even UNCs. Yes. Which it did, but luckily it didn't get too far; not sure why yet. It also will attempt to kill any shadow copies used by VSS in order to prevent a restore from shadow copy.
In this instance it arrived from "admin@clientsdomainname.com" with the typical "Your files are attached" nonsense as a zip file. The dummy opened and ran the JavaScript. However, the latest and greatest AV didn't stop it. This was ThreatTrack Vipre Business, which is generally excellent at catching things others don't. This one client had their own domain name on their trusted senders list, which must have contributed to the email bypassing certain filters, but that's just bad luck to some degree, as if it were from a legit account somewhere it would have passed.
I grabbed a copy of the malicious code from the message archive and have it sitting on my desktop. Avast doesn't consider it a virus either. Seems that until one executes the code, most AV has nothing to say about it.
So, at the server, I can't really block all zip attachments, but is there a way to have SmarterMail look inside the zip and, if a file extension which is on the block list is detected, block it? What security settings do other admins use at the mail server to keep these exploits from getting through?
Matt
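The check Matt asks for in the last paragraph, written out as an added example (this is not code from the original post and not a SmarterMail feature): parse a raw message, find each attachment, and if it is a zip, list its members and flag any whose final extension is on a blocklist, descending into nested zips. The blocklist, the depth limit, the function names and the sample "Your files are attached" message are all assumptions made for the demo; the zip inside the sample carries a harmless placeholder file, not real malware.

```python
"""
Added example: scan a raw RFC 5322 message for zip attachments whose members
have a blocked extension, so a .js inside a .zip is caught even though the
zip itself carries an innocuous content type. Blocklist, depth limit and the
constructed sample message are assumptions for the demo.
"""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Extensions that should never arrive inside an attachment (assumed policy).
BLOCKED_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta",
                      ".exe", ".scr", ".bat", ".cmd", ".ps1", ".jar"}
MAX_DEPTH = 2  # how many levels of nested zip to descend (assumed limit)


def blocked_members(zip_bytes: bytes, depth: int = 0) -> list[str]:
    """Return member paths inside zip_bytes whose extension is blocked.

    Descends into nested, unencrypted zips up to MAX_DEPTH. Encrypted zips
    still expose their member names, so listing works without a password.
    A payload that is not a readable zip is reported as a synthetic hit so
    the caller fails closed rather than waving it through.
    """
    try:
        zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return ["<unreadable zip>"]
    hits = []
    for info in zf.infolist():
        name = info.filename
        # Only the final extension matters: "invoice.pdf.js" still ends in .js.
        ext = PurePosixPath(name).suffix.lower()
        encrypted = bool(info.flag_bits & 0x1)
        if ext in BLOCKED_EXTENSIONS:
            hits.append(name)
        elif ext == ".zip" and depth < MAX_DEPTH and not encrypted:
            inner = zf.read(name)
            hits.extend(f"{name}/{m}" for m in blocked_members(inner, depth + 1))
    return hits


def scan_message(raw: bytes) -> list[str]:
    """Scan a raw message; return one description per blocked attachment or member."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        ext = PurePosixPath(filename).suffix.lower()
        if ext in BLOCKED_EXTENSIONS:
            findings.append(f"{filename}: blocked extension")
        # Inspect the bytes, not the declared type: a zip is often sent as octet-stream.
        if payload[:2] == b"PK" or ext == ".zip":
            for member in blocked_members(payload):
                findings.append(f"{filename} -> {member}")
    return findings


def build_sample_message() -> bytes:
    """Constructed sample: a lure message with a zip holding a double-extension .js."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice_2016.pdf.js", "// demo placeholder, not real malware\n")
        zf.writestr("readme.txt", "harmless\n")
    msg = EmailMessage()
    msg["From"] = "admin@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Your files are attached"
    msg.set_content("Please see attached.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="octet-stream", filename="files.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in scan_message(build_sample_message()):
        print("BLOCK:", finding)
```

Run as a script it prints `BLOCK: files.zip -> invoice_2016.pdf.js`. Two design points worth carrying into whatever the real mail server does: the decision is made on the attachment's bytes (the `PK` signature) rather than its declared MIME type, because senders of this kind of mail control both the content type and the filename; and a zip that cannot be parsed is treated as a hit rather than passed, since an unreadable archive at the gateway is still readable by the desktop unzip tool that the victim will use.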