Endpoint Protection

  • 1.  .zepto encrypts excels. SEP did not detect

    Posted Jul 24, 2016 06:56 PM

    One of our computers has been hit with ransomware. It encrypts only Excel files and changed the extension to .zepto. It spread to some shares, which I was able to restore. The computer is off the network and shut down awaiting a reformat. Our SEPM and clients are up to date. Nothing in the reports, notifications, or client logs showed any infection that I saw.

    It happened when a user accessed Yahoo email (personal) and clicked on something. Now, clearly it's better for a workplace not to be able to access external email, I know, but I can't change that (even though I'd love to). Anyway, as I was saying, we've had a lot of ransomware/CryptoLocker come through via email, and SEP has done a fantastic job on all of them except this particular one.

    Does anyone have any ideas, thoughts, or tips for something like this? I realize no AV is perfect and cannot possibly know every single thing out there right away, so I just wanted to share this.

    Thank you

    Zero Cheese



  • 2.  RE: .zepto encrypts excels. SEP did not detect

    Posted Jul 24, 2016 07:05 PM

    Since Symantec didn't have a signature for it, you can submit the file here:

    https://www.symantec.com/security_response/submitsamples.jsp

    Now with that, do you have all the SEP components enabled? AV itself is pretty much useless against this stuff. In addition, you need SONAR, IPS, and Download Insight enabled. Have you looked into software whitelisting? SEP offers System Lockdown which is a great help. You can also apply application control policies.

    There are really great articles here for ransomware prevention with SEP:

    https://www.symantec.com/connect/articles/detecting-cryptolocker-activity-symantec-endpoint-protection

    https://www.symantec.com/connect/articles/strengthening-anti-virus-security-prevent-ransom-ware-derivative-trojancryptolocker-family-

    https://www.symantec.com/connect/articles/how-harden-cryptolocker-file-encoding-attempts-sepm-application-control



  • 3.  RE: .zepto encrypts excels. SEP did not detect

    Posted Jul 24, 2016 08:12 PM

    Hi Brian,

    I didn't have a sample to obtain because I couldn't see the first file (if it was downloaded as a file). The user said she clicked on something in her email, so it might have been an attachment. Would a sample of the .zepto file that encrypted the Excel file have been enough? I was worried about leaving the computer on for long after discovering it in the morning. We have full features enabled for all clients.

    I'll check those links out.

    Thanks



  • 4.  RE: .zepto encrypts excels. SEP did not detect

    Posted Jul 24, 2016 08:20 PM

    You would need either the original file that was executed or what it likely downloaded after the initial execution. Either way, it's best to get the machine off the network and nuke it or restore from backup.



  • 5.  RE: .zepto encrypts excels. SEP did not detect

    Posted Jul 24, 2016 11:32 PM

    Brian,


    Thanks for your links and your last piece.  It is nuked.

    I guess the logging should help now.


    Thanks again.



  • 6.  RE: .zepto encrypts excels. SEP did not detect

    Posted Jul 25, 2016 03:54 AM

    Hello Mr. Cheese,

    Zepto is the new version of Locky.  This has been distributed very aggressively via malicious spam emails in recent weeks.  Known samples are detected by Symantec AV signatures as Trojan.Cryptolocker.AF as well as Trojan.Gen and similar broad signatures.

    The best defense, really, is user education.  Users need to open the unexpected, oddly-named attachment (a .wsf script file, recently) for the threat to work.  The second best method of stopping it is to secure the mail gateway.  Webmail seems to have avoided those defenses, here.... Signatures for SEP are constantly updated, but using technology to combat the threat at the endpoint is the last line of defense. 

    Anyway, here are some articles and resources that have further info:

    Support Perspective: W97M.Downloader Battle Plan
    https://www-secure.symantec.com/connect/articles/support-perspective-w97mdownloader-battle-plan

    A new white paper:

    Special Report: Ransomware and Businesses 2016
    https://www.symantec.com/connect/blogs/report-organizations-must-respond-increasing-threat-ransomware

    A good article:

    Ransomware protection and removal with Symantec Endpoint Protection
    http://www.symantec.com/docs/HOWTO124710

    Planning for recovery against ransomware or any other business disaster is crucial. With recent, accessible backups in place getting sabotaged equipment back into use is little more than an inconvenience. 

    Please do keep this thread up to date with your progress, or mark it solved if you have received your answer!

    With thanks and best regards,

    Mick



  • 7.  RE: .zepto encrypts excels. SEP did not detect

    Posted Jul 28, 2016 01:30 PM

    We were just affected with this virus. One file server is already showing the effects of encrypted files. Symantec said that they are already aware of this and working on a rapid release, if possible.



  • 8.  RE: .zepto encrypts excels. SEP did not detect

    Posted Jul 29, 2016 04:43 AM

    Hi Zero Cheese,

    Just a ping to see if you have received your answer or if you have any additional questions?  The thread is still marked "needs solution."

    With thanks and best regards,

    Mick




  • 9.  RE: .zepto encrypts excels. SEP did not detect

    Posted Aug 04, 2016 06:26 AM

    We were infected around the 20th of July with the Zepto variant, which Symantec finally identified as W97M.Downloader once we submitted the source files.

    For anyone looking to identify the source, we did this by looking at the instructions.html (aka the ransom note) found in all the directories with .zepto files, right-clicking > Properties > Details tab, and looking at the Owner field.  In our case the user identified was the source and had received an email with a Word attachment that asked them to enable macros, which ran the script that caused the infection.

    Once we identified the source files we submitted them to Symantec, and they released RR defs around the 22nd of July to deal with the threat W97M.Downloader.

    ftp://ftp.symantec.com/public/english_us_canada/antivirus_definitions
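The Owner-field method from the post above scales badly when the ransom note sits in thousands of directories. The PowerShell below is an added example, not code from this thread or from Symantec: it walks a share, finds every directory that holds a .zepto file, reads the NTFS owner of the instructions.html in that directory with Get-Acl, and tallies owners so the account (and the earliest note timestamp) that started the encryption stands out. The share path \\fileserver\share and the ransom-note name instructions.html are assumptions taken from the post; adjust both for your environment.

```powershell
# Added example (not from the thread): find which account wrote the Zepto ransom notes.
# Assumes the affected share is reachable at \\fileserver\share (hypothetical path) and
# that the note is named instructions.html, as reported in the post above.
param(
    [string]$Root = '\\fileserver\share'
)

# Every directory that contains at least one encrypted (.zepto) file is a candidate.
$hitDirs = Get-ChildItem -Path $Root -Recurse -Filter '*.zepto' -File -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty DirectoryName -Unique

$notes = foreach ($dir in $hitDirs) {
    $note = Join-Path -Path $dir -ChildPath 'instructions.html'
    if (Test-Path -LiteralPath $note) {
        # NTFS records the creating security principal as the file's owner, so the note's
        # owner is the session that ran the malware against this directory.
        $acl = Get-Acl -LiteralPath $note
        [pscustomobject]@{
            Directory = $dir
            Owner     = $acl.Owner
            Written   = (Get-Item -LiteralPath $note).LastWriteTime
        }
    }
}

# One dominant owner means a single patient zero; several owners mean several infected sessions.
$summary = $notes | Group-Object -Property Owner | Sort-Object -Property Count -Descending |
    Select-Object @{ n = 'Owner';     e = { $_.Name } },
                  @{ n = 'Notes';     e = { $_.Count } },
                  @{ n = 'FirstNote'; e = { ($_.Group | Sort-Object Written | Select-Object -First 1).Written } }

$summary | Format-Table -AutoSize

# The earliest-written note per owner points at the directory where encryption began,
# which is usually the share the infected user had mapped or open at the time.
$notes | Sort-Object Written | Select-Object -First 5 | Format-Table -AutoSize
```

Two caveats when reading the output: if the infected user is a member of the local Administrators group, Windows may record the owner as BUILTIN\Administrators rather than the user (depending on the "System objects: Default owner" policy), and a note whose owner has been changed by a restore or a cleanup script no longer identifies the source. Run this against a read-only snapshot or before restoring from backup, since the restore overwrites the evidence.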