nigelbeatson
asked on
.locky files appeared in our server
we have a single sbs2011 server running exchange with around 25 users.
all seems to be well, but I have noticed some files which have appeared in various folders.
these are usually a long hex string with the .locky extension
I have avg and malwarebytes installed on our clients and had avg installed on our server too.
I have just installed malwarebytes on the server and carried out a full scan, which found nothing.
obviously I am concerned about the possibility of our server being encrypted and held to ransom, so what can I do?
do I just identify and remove the .locky files?
none of our protection software seems to identify a threat, but with dozens of the .locky files appearing I need to do something.
can anyone advise what I should do?
thanks
How many PCs have access to the folders on the server where the .locky files were found? Most likely you had an infected PC that caused that, and since then the malware may have been removed. If you have backups of your data, you may want to check and see what got encrypted and then restore it.
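As an added example (not from anyone in this thread), a PowerShell check for the server itself that counts the .locky files, shows which account wrote them (the NTFS owner, which normally points to the user of the infected PC), bounds when the run happened, and records the count so a later re-run shows whether new files are still appearing. `$ShareRoot` and `$log` are placeholders; it is written for PowerShell 2.0, which is what SBS 2011 ships with.

```powershell
# Added example, not part of the original thread. Run in an elevated PowerShell
# prompt on the SBS server. $ShareRoot is a placeholder for the folder where the
# .locky files appeared. Kept to PowerShell 2.0 syntax (no -File, no [PSCustomObject]).
$ShareRoot = 'D:\Shares\Downloads'   # placeholder path

# 1. Find every .locky file under the share.
$lockyFiles = @(Get-ChildItem -Path $ShareRoot -Recurse -Force -Filter '*.locky' -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer })
Write-Output ("Total .locky files: {0}" -f $lockyFiles.Count)

# 2. Which account wrote them? Locky runs in the context of the logged-on user on the
#    infected PC and encrypts files on network shares over SMB, so the NTFS owner of the
#    .locky files on the server is normally that user's domain account. (If that user is
#    in the local Administrators group the owner can show as BUILTIN\Administrators;
#    then fall back to the Security event log, if object-access auditing is enabled.)
$lockyFiles |
    ForEach-Object {
        New-Object PSObject -Property @{
            Owner   = $_.GetAccessControl().Owner
            Created = $_.CreationTime
        }
    } |
    Group-Object -Property Owner |
    Sort-Object -Property Count -Descending |
    Format-Table -Property Count, Name -AutoSize

# 3. When did it run? First and last creation times bound the encryption burst.
$sorted = @($lockyFiles | Sort-Object -Property CreationTime)
if ($sorted.Count -gt 0) {
    Write-Output ("First .locky file: {0}" -f $sorted[0].CreationTime)
    Write-Output ("Last  .locky file: {0}" -f $sorted[-1].CreationTime)
}

# 4. Is it still active? Append the count with a timestamp; re-run later and compare.
#    A count that stays flat across runs means nothing is still writing to this share.
$log = 'C:\locky-count.log'   # placeholder log path
"{0}`t{1}" -f (Get-Date -Format s), $lockyFiles.Count | Add-Content -Path $log
Get-Content -Path $log | Select-Object -Last 5
```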
ASKER
do I delete the .locky files?
how can I verify that it's still not active?
thanks
ASKER
fortunately, I can see that we have 1176 .locky files on our server, and they are all in the downloads folder which is not important.
all of this data can be deleted.
what concerns me is, how can I confirm that it has been removed, and why our defences did not identify it?
it seems so easy, for this horrific extortion to take place, so is there anything else we can do to protect from this in the future.
any help much appreciated
thanks
The best way to protect against this is user education. You can have all the latest software, but guess what? So do the people sending this stuff out. They write code to work around the current scanners until an update goes out.
Locky is spread mainly by email attachments that entice users into opening them. Teach your people not to open anything that looks suspicious and how to identify junk senders and it'll keep you much safer than relying on some app to do it for you.
ASKER
ok William thanks and noted.
because the number of .locky files seems to be static, can we assume the agent that was running this is removed?
I'm worried that this seems to have happened totally undetected, other than my noticing the .locky files.
what is also strange is that it seems to have stopped, before it hit the payload. have we just been lucky?
if this is the case, something must have stopped it? any ideas?
thanks
ASKER
all very helpful. many thanks to all
ASKER
I'm really worried and confused.