Sunday, May 1, 2016

Locky Ransomware Analysis - Will my AV help?

Considering how much ransomware, and Locky in particular, has been in the news, I thought I should take the opportunity to take a closer look at it and see whether there is anything beyond the obvious that someone can do to mitigate the effects of being successfully targeted by ransomware.

For the purpose of this post, I am using a virtual machine running Windows 10 with all the latest updates.

Additionally, I have some sample documents (.pdf, .txt, .xls, etc.) and images in the VM to act as the victim's files.
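Before detonating a sample it is worth baselining that corpus of sample files so you can tell afterwards exactly which ones were touched. The following is an added example, not code from the original post: it hashes every file under a directory and diffs two snapshots. The `demo()` function simulates an infection with ordinary file operations; the file names, contents, the `.enc` extension and the ransom-note name are all constructed for illustration and are not Locky's actual behaviour.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Hash every file under root; returns {relative posix path: sha256 hex}."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def diff_snapshots(before, after):
    """Classify what changed between two snapshots of the same directory.

    Files encrypted in place show up as 'modified'; files replaced by a
    renamed ciphertext show up as 'removed' plus 'added'; a dropped ransom
    note shows up as 'added' only.
    """
    return {
        "modified": sorted(k for k in before if k in after and before[k] != after[k]),
        "removed": sorted(k for k in before if k not in after),
        "added": sorted(k for k in after if k not in before),
        "unchanged": sorted(k for k in before if after.get(k) == before[k]),
    }


def demo():
    """Constructed demonstration: the 'infection' is simulated with plain
    file operations, no real malware is involved."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed sample corpus standing in for the post's .txt/.xls/images.
        (root / "report.txt").write_bytes(b"quarterly figures, draft 3")
        (root / "budget.xls").write_bytes(b"\xd0\xcf\x11\xe0" + b"\x00" * 32)
        (root / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 32)
        before = snapshot(root)

        # Simulated ransomware activity (constructed, not Locky's real behaviour):
        # one file overwritten in place, one replaced by a renamed blob,
        # one ransom note dropped. budget.xls is left alone.
        (root / "report.txt").write_bytes(b"\x8f\x2a\x11\xd3\x4c\x90")
        (root / "photo.jpg").unlink()
        (root / "photo.jpg.enc").write_bytes(b"\x01\x02\x03\x04")
        (root / "_RECOVER_FILES.txt").write_bytes(b"your files are encrypted")
        after = snapshot(root)

        return diff_snapshots(before, after)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

In practice you would call `snapshot()` on the sample folder before disabling the antivirus, save the result (for example as JSON) somewhere the VM cannot reach, run it again after detonation and feed both into `diff_snapshots()`. Hashing rather than comparing timestamps matters because a file that was encrypted in place keeps its name and may keep its size.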

One of the things I would like to know first is whether my antivirus, Comodo, is able to detect the first stage of the ransomware.

First step: ensure my antivirus is up to date.

Next, I copied the ransomware from a USB drive into my Windows 10 VM. Nothing was flagged as malicious during the copy. It is quite possible that nothing was detected because Locky was contained in a password-protected archive.

Once I extracted the file, Comodo appears to have detected it as a virus: I saw the file being extracted and then it disappeared. When I looked in the Comodo console, the file was listed there as shown below.

Oh, and the question in my subject line is "Will my AV help?". The immediate takeaway is that an up-to-date antivirus can help with detecting this Locky sample.

No need for me to do anything else here; time to disable the antivirus to see Locky in action.

See you in the next post.

