“Locky” Ransomware virus / Importance: HIGH

A new ransomware named “Locky” has been spreading to users around the globe. Because this virus relies on downloading and installing the Tor browser, we recommend proactively blacklisting the following URL if you have not done so already: https://www.torproject.org/download/download-easy.html

We also recommend backing up regularly, minimizing the use of administrator privileges, patching early and often, and advising your clients/users to be cautious about unsolicited attachments/emails.

Learn more about the “Locky” virus here

Here are some additional steps for proactively protecting your devices against this dangerous malware.

According to recent reports, massive volumes of JavaScript attachments are being spammed out that contain dangerous ransomware. We recommend taking the following additional precautions to protect your install base:

  • Make sure your mail protection solution is blocking macro-enabled documents and .js scripts
  • Ensure that you have blocked user access to downloading Tor by blacklisting the following URL:https://www.torproject.org/download/download-easy.html (the Locky virus in particular relies on downloading and installing the Tor browser and some versions may use Tor to contact the command and control servers)
  • Block any items falling under the category of “proxy avoidance” or “anonymizers.” If you use Web Protection, this can be done by going to “Settings > Web Protection > Protection Policy > [select applicable policy] Edit > Web Security > Proxy Avoidance and Anonymizers > Block”
  • Disable Java in client browsers (for more information, see the following links)
  • And we suggest that access to the following IPs be completely blocked at the firewall:
    • 5.34.183.195
    • 51.254.19.227
    • 185.14.29.188
    • 31.184.197.119
    • 91.219.29.55

Add your review

Your email address will not be published. Required fields are marked *