A reminder that follow-up discussion of this security vulnerability - or any other - should only be carried out on the following (private to UCB IT staff) mailing list:
https://security.berkeley.edu/resources/mailing-lists-workgroups/ucb-security-mailing-list Thanks! Aron Roberts Research IT On Thu, Apr 28, 2016 at 5:01 PM, Josh Kwan <jkwan...@berkeley.edu> wrote: > SUMMARY > === > Information Security and Policy has received confirmed reports of recent > attempts to deliver the "Locky" family of Ransomware via malicious email > attachments. [1] [2] > > The most recent attempts come from forged @berkeley.edu email addresses > (such as from the recipient's own email address) with Subject lines like > (note that they vary greatly): > > * Document80 > * Scan381 > * Document5 > * Doc242 > * Scan0 > > Accompanying these emails are .ZIP file attachments (e.g. Document80.zip) > containing malicious JavaScript, Office documents with macros, or other > payloads. > > The bConnected team is working closely with ProofPoint and Google to > quarantine these malicious emails before they reach campus email accounts. > However, there are many Locky variants and delivery methods used by > attackers, and sometimes these malicious emails will inevitably reach their > target. > > Campus users are advised to be vigilant as Ransomware like Locky can be > extremely destructive. See the Recommendations section for guidance. > > Supervisors are encouraged to circulate this Security Alert to their > departments. > > > IMPACT > === > Locky and other similar Ransomware will rename and scramble (encrypt) > files including videos, images, documents, and Office files rendering them > unreadable by their owner. > > Only the criminal attackers that delivered the Ransomware will have the > decryption key necessary to unscramble your data, demanding payment > ("ransom") in exchange for unlocking and returning your data to you. > > These families of Ransomware can be particularly destructive if you do not > have secure and recent backups of your important files. Locky will also > crawl mounted network file shares and scramble any files it finds. > > > VULNERABLE > === > * Locky Ransomware can be delivered in a variety of different ways. > * Users that have enabled auto-execution of macros in Microsoft Office > documents are at significant risk as malicious Office documents is a > primary delivery method used by attackers dropping Locky. > * Systems that have unpatched software such as out-of-date web browsers or > Adobe Flash can also be susceptible to compromise as unpatched > vulnerabilities can be exploited to deliver the Ransomware. > > > RECOMMENDATIONS > === > Per the Sophos security article on Locky referenced below, here is what to > do to protect yourself against Locky and other Ransomware threats: > > * Backup regularly and keep a recent backup copy encrypted on a separate > system. There are dozens of ways other than Ransomware that files can > suddenly vanish, such as fire, flood, theft, a dropped laptop or even an > accidental delete. Encrypt your backup and you won’t have to worry about > the backup device falling into the wrong hands. > * Don’t enable macros in document attachments received via email. > Microsoft deliberately turned off auto-execution of macros by default many > years ago as a security measure. A lot of malware infections rely on > persuading you to turn macros back on, so don’t do it! > * Be cautious about unsolicited attachments. The crooks are relying on the > dilemma that you shouldn’t open a document until you are sure it’s one you > want, but you can’t tell if it’s one you want until you open it. If in > doubt, leave it out. > * Don’t give yourself more login power than you need. Most importantly, > don’t stay logged in as an administrator any longer than is strictly > necessary, and avoid browsing, opening documents or other “regular work” > activities while you have administrator rights. > * Review network file share permissions. System administrators should use > this as an opportunity to review file share permissions for users and > groups, using the principle of least privilege. Damage to network file > shares (e.g. departmental share) can sometimes be limited using strict > permissions. [3] > * Consider installing the Microsoft Office viewers. These viewer > applications let you see what documents look like without opening them in > Word or Excel itself. In particular, the viewer software doesn’t support > macros at all, so you can’t enable macros by mistake! > * Patch early, patch often. Malware that doesn’t come in via document > macros often relies on security bugs in popular applications, including > Office, your browser, Adobe Flash and more. The sooner you patch, the fewer > open holes remain for the crooks to exploit. > * Learn how to spot suspicious emails by visiting our Phishing resources > page. [4] > > REFERENCES > === > [1] https://en.wikipedia.org/wiki/Ransomware > [2] > https://nakedsecurity.sophos.com/2016/02/17/locky-ransomware-what-you-need-to-know/ > [3] https://en.wikipedia.org/wiki/Principle_of_least_privilege > [4] https://security.berkeley.edu/resources/phishing > > A web version of this Security Alert is available at: > > > https://security.berkeley.edu/news/locky-ransomware-delivered-email-attachments > > Regards, > > Josh > == > Josh Kwan <jkwan...@berkeley.edu> > Security Analyst > Information Security and Policy > University of California, Berkeley > https://security.berkeley.edu > > > ------------------------------------------------------------------------- > The following was automatically added to this message by the list server: > > To learn more about Micronet, including how to subscribe to or unsubscribe > from its mailing list and how to find out about upcoming meetings, please > visit the Micronet Web site: > > http://micronet.berkeley.edu > > Messages you send to this mailing list are public and world-viewable, and > the list's archives can be browsed and searched on the Internet. This > means these messages can be viewed by (among others) your bosses, > prospective employers, and people who have known you in the past. > > ANNOUNCEMENTS: To send announcements to the Micronet list, please use the > micronet-annou...@lists.berkeley.edu list. > >
------------------------------------------------------------------------- The following was automatically added to this message by the list server: To learn more about Micronet, including how to subscribe to or unsubscribe from its mailing list and how to find out about upcoming meetings, please visit the Micronet Web site: http://micronet.berkeley.edu Messages you send to this mailing list are public and world-viewable, and the list's archives can be browsed and searched on the Internet. This means these messages can be viewed by (among others) your bosses, prospective employers, and people who have known you in the past. ANNOUNCEMENTS: To send announcements to the Micronet list, please use the micronet-annou...@lists.berkeley.edu list.
