Posted to users@tomcat.apache.org by Thess Bermudez <th...@gmail.com> on 2016/05/02 15:18:32 UTC

Locky Attack

Hi,

Has anyone been attacked by a ransomware named Locky? Our company was hit
with the encryption of the js files running in our Apache Tomcat 7.0. Good
thing that we have daily app backups that made us not give in to the
"ransom" requirement. We also reinstalled everything in our server.
Databases are intact but the corrupted/encrypted webapp files were replaced
by files with .locky extension.

Would appreciate it if anyone can share a similar experience and how you've
dealt with it.

Thank you,

Thess

Re: Locky Attack

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Johan,

On 5/2/16 9:50 AM, Johan Compagner wrote:
> How did they get in? what security hole was used there?

Most likely the usual: a raw meat vulnerability.

Someone opened a document they shouldn't have trusted and enabled
macros and let it do whatever dastardly thing it wanted to do.

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Locky Attack

Posted by Johan Compagner <jc...@servoy.com>.
How did they get in? What security hole was used there?





-- 
Johan Compagner
Servoy

Re: Locky Attack

Posted by Olaf Kock <to...@olafkock.de>.
I can't say how I "have dealt" with it. Only how I plan to in case it
hits: Restore backups, educate colleagues. If it hasn't hit yet, there's
an argument to have watchdogs that watch out for suspicious massive file
changes on file servers. But I'm not sure if they already exist, and if
they're able to signal the infected client to shut down immediately.

The time when people could be ignorant about attacks - "What
would they want from me?" - is over. The answer nowadays is: "Your money". And
it's real.

As I like to state when I'm giving system administration trainings: you are
only allowed to call something a backup if you've *recently*
*demonstrated* that you're able to *restore* to a totally new system
with what you intend to call a backup. Otherwise it's a random set of
data copied from your live system, not a backup.

Olaf

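A minimal version of the watchdog Olaf suggests, as an added example (not code from the thread, from Tomcat, or from any existing tool): it hashes a webapp tree, compares two snapshots, and alerts when a large share of files change or vanish within one interval or when new files carry the .locky extension the original post mentions. The directory layout, the 20% change threshold and the .locky file names are constructed assumptions for the demo.

```python
import hashlib
import os
import tempfile

# Extension the original poster saw; extend with others you track (constructed, not exhaustive).
SUSPICIOUS_EXTS = {".locky"}

def snapshot(root):
    """Map each file under root (relative path) to a SHA-256 of its contents."""
    snap = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                snap[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return snap

def compare(prev, curr, max_change_ratio=0.2):
    """Compare two snapshots; alert on mass modification/removal within one
    interval (ratio above max_change_ratio) or on any new suspicious-extension file."""
    changed = sum(1 for p, h in prev.items() if p in curr and curr[p] != h)
    removed = sum(1 for p in prev if p not in curr)
    suspicious = sum(1 for p in curr if p not in prev
                     and os.path.splitext(p)[1].lower() in SUSPICIOUS_EXTS)
    ratio = (changed + removed) / len(prev) if prev else 0.0
    return {"changed": changed, "removed": removed, "suspicious": suspicious,
            "total": len(prev), "ratio": ratio,
            "alert": suspicious > 0 or ratio > max_change_ratio}

def demo(attack):
    """Constructed webapp tree of ten .js files, then either a simulated mass rename
    to .locky (attack=True) or one routine edit (attack=False); returns the report."""
    with tempfile.TemporaryDirectory() as root:
        js_dir = os.path.join(root, "ROOT", "js")
        os.makedirs(js_dir)
        for i in range(10):
            with open(os.path.join(js_dir, f"app{i}.js"), "w") as fh:
                fh.write(f"console.log({i});\n")
        before = snapshot(root)
        if attack:
            for i in range(8):  # constructed .locky names, not Locky's real naming scheme
                os.replace(os.path.join(js_dir, f"app{i}.js"),
                           os.path.join(js_dir, f"{i:016x}.locky"))
        else:
            with open(os.path.join(js_dir, "app0.js"), "a") as fh:
                fh.write("// routine deploy\n")
        return compare(before, snapshot(root))

if __name__ == "__main__":
    print(demo(True), demo(False))
```

In production the two snapshots would come from consecutive scheduled scans of the real webapps directory, and an alert would feed whatever paging or host-isolation step you already have.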
