Ransomware-Locky

Virus Type: Ransomware

Ransomware-Locky is ransomware that scrambles the contents of a computer or server, including associated network shares (both mapped and unmapped) and removable media, and demands payment to unlock it, usually in the anonymous, decentralised virtual currency Bitcoin.

Locky features:

  • Domain Generation Algorithm (DGA)
  • Mapped / Unmapped Network share discovery
  • Restore point deletion

The contents of the original files are encrypted and the files renamed with a .locky extension. The ransom note describes the scheme as "RSA-2048 and AES-1024"; AES has no 1024-bit key size (only 128, 192 and 256 bits). What the malware does is encrypt file contents with AES and protect the AES key material with a 2048-bit RSA public key, so the files cannot be recovered without the attacker's private RSA key. The compromised user has to pay the attacker to get the files decrypted.

Propagation Methods

Locky's primary modus operandi is spam e-mail carrying a MACRO-ENABLED Microsoft Office document as an attachment, with attention-grabbing subjects and file names such as "ATTN: Invoice J-98223146", "invoice_J-12345678.doc" or "Rechnung-54-110090.xls".


Once the user is tricked into enabling macros, the embedded macro downloads Locky, stores it in the Temp folder and executes it. Once running, Locky scans the file system (including unmapped network shares) for files with particular extensions (.pptx, .pptm, .dotm, .dotx, .docm, .docx, .rtf, .doc, .pem, .crt, .key, wallet.dat, .pdf, .xls, .ppt, .tar.bz2, .bak, .tar, .tgz, .rar, .zip, .bmp, .png, .gif, .jpeg, .jpg, .tif, .tiff, .bat, .class, .jar, .java, .asp, .vbs, .cpp, .php, .sql, etc.), encrypts them and renames each one to [unique_id][identifier].locky. Note that the target list covers private keys and certificates (.pem, .crt, .key) and cryptocurrency wallets (wallet.dat), not only documents and backups.

As part of the initial infection, Locky also deletes the volume shadow copies with "vssadmin.exe Delete Shadows /All /Quiet", which prevents the system from being restored to an earlier known-good state.

Major File System Changes

Files created:
  • %temp%.exe (the executable downloaded by the macro)
  • %UserProfile%\Desktop\_Locky_recover_instructions.bmp
  • %UserProfile%\Desktop\_Locky_recover_instructions.txt

Presence of registry keys:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run "Locky" = "<path to the Locky executable>" (persistence across reboots)
  • HKCU\Software\Locky\id – the unique ID assigned to the victim
  • HKCU\Software\Locky\pubkey – the RSA public key
  • HKCU\Software\Locky\paytext – the text that is stored in the ransom notes
  • HKCU\Software\Locky\completed – whether the ransomware has finished encrypting the computer
  • HKCU\Control Panel\Desktop\Wallpaper = "%UserProfile%\Desktop\_Locky_recover_instructions.bmp" (the ransom note set as the desktop wallpaper)
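
The file, registry and process artefacts above can be turned into detection logic. The following is an added example written for this advisory, not CERT-In's or any vendor's code: it triages a constructed batch of host events (shaped like Sysmon/Windows process-creation, registry and file events after normalisation into dicts; the field names are an assumption about the log pipeline) and reports which Locky indicators each host matched.

```python
"""Triage host telemetry for the Locky artefacts listed in the advisory.

Added example, not part of the CERT-In advisory. The events below are
constructed; field names (type, host, image, parent, cmdline, key, path)
are an assumption about how the log pipeline normalises events.
"""
import re
from typing import Dict, List

# Registry artefacts from the advisory. Hive prefixes vary between log sources
# (HKCU vs HKU\<SID>), so anchor on the path below the hive only.
LOCKY_VALUES = re.compile(r"\\Software\\Locky\\(id|pubkey|paytext|completed)$", re.I)
LOCKY_RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Locky$", re.I)

# "vssadmin.exe Delete Shadows /All /Quiet": match verb and object rather than
# the exact switches, so a reordered command line is still caught.
VSSADMIN_DELETE = re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)

# An Office application spawning an executable out of %TEMP% is the macro
# dropper behaviour described in the propagation section.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
TEMP_EXE = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.exe$", re.I)

# Encrypted files are renamed to [unique_id][identifier].locky; assumption:
# both parts are hexadecimal, 32 characters in total.
LOCKY_FILE = re.compile(r"^[0-9a-f]{32}\.locky$", re.I)
RANSOM_NOTES = {"_locky_recover_instructions.txt", "_locky_recover_instructions.bmp"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def triage(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Return, per host, the advisory indicators matched by the supplied events."""
    findings: Dict[str, List[str]] = {}

    def hit(host: str, what: str) -> None:
        findings.setdefault(host, []).append(what)

    for ev in events:
        host = ev["host"]
        if ev["type"] == "process":
            if basename(ev["parent"]).lower() in OFFICE_APPS and TEMP_EXE.search(ev["image"]):
                hit(host, f"Office spawned executable from %TEMP%: {ev['image']}")
            if VSSADMIN_DELETE.search(ev["cmdline"]):
                hit(host, f"shadow copy deletion by {basename(ev['parent'])}: {ev['cmdline']}")
        elif ev["type"] == "registry":
            if LOCKY_VALUES.search(ev["key"]) or LOCKY_RUN_KEY.search(ev["key"]):
                hit(host, f"Locky registry artefact: {ev['key']}")
        elif ev["type"] == "file":
            name = basename(ev["path"]).lower()
            if LOCKY_FILE.match(name) or name in RANSOM_NOTES:
                hit(host, f"Locky file artefact: {ev['path']}")
    return findings


# Constructed sample: ws01 shows the full infection chain, ws02 is benign admin activity.
SAMPLE_EVENTS = [
    {"type": "process", "host": "ws01", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE",
     "cmdline": "WINWORD.EXE invoice_J-12345678.doc"},
    {"type": "process", "host": "ws01",
     "parent": r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE",
     "image": r"C:\Users\alice\AppData\Local\Temp\fvcmxhl.exe", "cmdline": "fvcmxhl.exe"},
    {"type": "process", "host": "ws01",
     "parent": r"C:\Users\alice\AppData\Local\Temp\fvcmxhl.exe",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"type": "registry", "host": "ws01", "key": r"HKCU\Software\Locky\id"},
    {"type": "registry", "host": "ws01",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Locky"},
    {"type": "file", "host": "ws01",
     "path": r"\\fileserver\finance\F67091F1D24A922B1A7FC27E19A9D9BC.locky"},
    {"type": "file", "host": "ws01",
     "path": r"C:\Users\alice\Desktop\_Locky_recover_instructions.txt"},
    {"type": "process", "host": "ws02", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\vssadmin.exe", "cmdline": "vssadmin.exe list shadows"},
    {"type": "file", "host": "ws02", "path": r"\\fileserver\finance\Q1-report.xlsx"},
]

if __name__ == "__main__":
    for host, items in triage(SAMPLE_EVENTS).items():
        print(host)
        for item in items:
            print("  ", item)
```

The shadow-copy rule fires on any host that deletes shadows, whatever the parent; a benign "vssadmin list shadows" from an administrator's shell, as on ws02, is not flagged. The Office-parent rule is the earliest of these signals and is worth alerting on by itself, since it fires before any file is encrypted.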


Locky uses a Domain Generation Algorithm (DGA) to locate its command-and-control servers and is reported to make network connections to the following:

185.14.30.97, 195.154.241.208, 195.22.28.196, 195.22.28.198, 31.41.47.37, 95.181.171.58, avp-mech.ru, bebikiask.bc00.info, cgavqeodnop.it, cms.insviluppo.net, dltvwp.it, kqlxtqptsmys.in, neways-eurasia.com.ua, premium34.tmweb.ru, pvwinlrmwvccuo.eu, sso.anbtr.com, test.rinzo.biz, tramviet.vn, uponor.otistores.com, uxvvm.us, wblejsfob.pw
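
Because the domain list above is a snapshot of a DGA, matching it is only part of the job. The following is an added example, not part of the CERT-In advisory: it scans constructed DNS query log lines against the indicators listed above and additionally flags names that look machine-generated. The randomness test is a generic heuristic for triage (it will produce some false positives on legitimate vowel-poor names) and is not an implementation of Locky's own DGA; the answer addresses in the sample are from the RFC 5737 test ranges except where an advisory IP is intended.

```python
"""Scan DNS query logs for the Locky network indicators in the advisory.

Added example, not part of the CERT-In advisory. SAMPLE_DNS_LOG is constructed.
looks_generated() is a generic randomness heuristic, not Locky's DGA.
"""
from typing import List, Tuple

IOC_DOMAINS = {
    "avp-mech.ru", "bebikiask.bc00.info", "cgavqeodnop.it", "cms.insviluppo.net",
    "dltvwp.it", "kqlxtqptsmys.in", "neways-eurasia.com.ua", "premium34.tmweb.ru",
    "pvwinlrmwvccuo.eu", "sso.anbtr.com", "test.rinzo.biz", "tramviet.vn",
    "uponor.otistores.com", "uxvvm.us", "wblejsfob.pw",
}
IOC_IPS = {
    "185.14.30.97", "195.154.241.208", "195.22.28.196", "195.22.28.198",
    "31.41.47.37", "95.181.171.58",
}

VOWELS = set("aeiou")


def looks_generated(fqdn: str) -> bool:
    """True when the longest non-TLD label has almost no vowels or a long consonant run."""
    labels = fqdn.lower().rstrip(".").split(".")[:-1]   # drop the TLD
    if not labels:
        return False
    letters = "".join(ch for ch in max(labels, key=len) if ch.isalpha())
    if len(letters) < 8:                                 # too short to judge
        return False
    vowel_ratio = sum(ch in VOWELS for ch in letters) / len(letters)
    run = longest = 0
    for ch in letters:
        run = 0 if ch in VOWELS else run + 1
        longest = max(longest, run)
    return vowel_ratio < 0.25 or longest >= 5


def scan_dns_log(log: str) -> List[Tuple[str, str, List[str]]]:
    """Return (client, qname, reasons) for every query that matches an indicator.

    Each line is "<timestamp> <client> <qname> <answer>", answer being an
    address or NXDOMAIN (a constructed format, not any particular resolver's).
    """
    hits = []
    for line in log.splitlines():
        if not line.strip():
            continue
        _ts, client, qname, answer = line.split()
        qname = qname.lower().rstrip(".")
        reasons = []
        if qname in IOC_DOMAINS:
            reasons.append("ioc-domain")
        if answer in IOC_IPS:
            reasons.append("ioc-ip")
        if looks_generated(qname):
            reasons.append("dga-like")
        if reasons:
            hits.append((client, qname, reasons))
    return hits


# Constructed sample log: one workstation beaconing, one doing ordinary lookups.
SAMPLE_DNS_LOG = """\
2016-02-17T09:12:01Z 10.0.5.23 www.google.com 192.0.2.10
2016-02-17T09:12:03Z 10.0.5.23 kqlxtqptsmys.in 195.22.28.196
2016-02-17T09:12:04Z 10.0.5.23 cgavqeodnop.it 195.22.28.198
2016-02-17T09:12:05Z 10.0.5.23 qzxkvtwplmrs.pw NXDOMAIN
2016-02-17T09:13:10Z 10.0.5.41 update.microsoft.com 198.51.100.7
2016-02-17T09:13:12Z 10.0.5.41 cdn.example.org 95.181.171.58
"""

if __name__ == "__main__":
    for client, qname, reasons in scan_dns_log(SAMPLE_DNS_LOG):
        print(client, qname, ",".join(reasons))
```

Three of the signals are independent: the fourth sample line is an unlisted, NXDOMAIN-answered name that only the heuristic catches (typical of a DGA cycling through unregistered candidates), while the last line is a name not on the list that nevertheless resolves to a listed IP. A client producing several such hits in a short window is worth isolating before its shares are touched.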

A detailed list of indicators of compromise (domains, IP addresses and malware hashes) is given in the referenced IOC list.

Recommendations

  • Block connections to the IP addresses and domains listed above.

Note:

  • Blocking IP addresses should always be carefully considered and done only when business needs permit.
  • Connections to unexpected domains should be monitored and blocked as a matter of course: because Locky employs a DGA, the domain list above cannot be exhaustive.
  • Create SRP rules to block execution of the executables listed in the IOC section.
  • Perform regular backups of all critical information to limit the impact of data or system loss and to expedite recovery. Keep this data on a separate device and store backups offline: Locky encrypts mapped and unmapped network shares, so a backup that is reachable as a writable share from an infected workstation will be encrypted along with everything else.
  • Disable macros in Microsoft Office applications. Macros can run in Office applications only if Macro Settings is set to "Enable all macros" or if the user manually enables a macro; by default macros are disabled. The recommended setting is "Disable all macros with notification" in Macro Settings. Bear in mind that this setting still lets the user enable macros with one click on the security bar, which is exactly what the Locky lure asks them to do; where the business does not depend on unsigned macros, "Disable all macros except digitally signed macros" enforced through Group Policy is the stronger choice.
  • Don't open attachments in unsolicited e-mails, even if they come from people in your contact list, and never click a URL contained in an unsolicited e-mail, even if it looks safe. Instead, close the e-mail and go to the organisation's website directly.
  • Practise and enforce a least-privilege policy. Lock down all open network shares to the lowest permissions required; Locky encrypts every share the infected user can write to.
  • Follow safe practices when browsing the web and harden web browsers according to best practice.
  • Network segmentation and segregation into security zones help protect sensitive information and critical services. Separate the administrative network from business processes with physical controls and Virtual Local Area Networks.
  • Application whitelisting / strict implementation of Software Restriction Policies (SRP) to block binaries running from %APPDATA% and %TEMP%, %TEMP% being where the macro drops the Locky executable (see above).
  • Disable ActiveX content in Microsoft Office applications such as Word and Excel.
  • Disable Remote Desktop connections where they are not required and use least-privileged accounts.
  • Restrict users' ability (permissions) to install and run unwanted software applications.
  • Enable personal firewalls on workstations.
  • Enforce a strict external device (USB drive) usage policy.
  • Employ data-at-rest and data-in-transit encryption.
  • Consider installing the Enhanced Mitigation Experience Toolkit (EMET), which Microsoft has since retired in favour of the exploit protection built into Windows 10, or similar host-level anti-exploitation tools.
  • Keep your operating system, browsers, browser plugins and antivirus software up to date with the latest patches.

 

Reference by cert-in.org.in

Getting rid of spoofers: Digitally sign your Gmail messages with 2048-bit DKIM keys

Back in 2011, we launched the ability for any Google Apps administrator to set up DomainKeys Identified Mail (DKIM). DKIM is a way to digitally sign messages so that recipient servers can verify that a message really comes from your domain and hasn't been changed along the way. Additionally, when you sign your messages with DKIM, they become less likely to get caught in recipients' spam filters.

The fight against spoofers continues today, and as spoofers' tools have become more powerful, 1024-bit DKIM keys are no longer as secure. For that reason, we're pleased to announce that Google Apps customers can now digitally sign their messages with 2048-bit DKIM keys, and we strongly recommend making this the standard for all email messages sent from your domain going forward.

Recommendations

  • If you are currently not using DKIM to protect your Gmail messages, set up 2048-bit DKIM in the Admin console. See the Help Center articles below for instructions.
  • If you are already using DKIM with 1024-bit keys, check with your DNS provider to see if they support 2048-bit keys. If so, update your domain keys to 2048-bit for the best protection.

Important: Some DNS providers and registrars do not yet support 2048-bit DKIM keys. The reason is practical: the base64-encoded 2048-bit public key is longer than the 255-byte limit of a single TXT string, so the record has to be published as several strings, and not every DNS management interface supports that. For those domains, we still offer the ability to sign messages with 1024-bit keys from a drop-down.
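
Whether a domain has actually moved to 2048-bit signing is visible in the published record, not in the Admin console. The following is an added example, not Google's code: it parses the `p=` tag of a DKIM TXT record (a base64 DER SubjectPublicKeyInfo) down to the RSA modulus and reports its bit length. Because a real key cannot be embedded here, the example also contains a small DER encoder that builds a record around a synthetic modulus (a number of the right size, not a real key) so the parser has something to run on offline and so the TXT-string splitting mentioned above can be seen; with real data you would pass the TXT strings your resolver returns for `<selector>._domainkey.<domain>` straight to `dkim_key_bits()`.

```python
"""Report the RSA key length published in a DKIM TXT record.

Added example, not Google's code. The modulus used for the demonstration is
synthetic (2^(bits-1) + 12345): it has the right size but is not a real key.
"""
import base64
from typing import List, Tuple

RSA_OID = bytes.fromhex("06092a864886f70d010101")   # OID 1.2.840.113549.1.1.1 (rsaEncryption)


# --- minimal DER encoder, only used to build the synthetic record ---------------
def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def _der_int(value: int) -> bytes:
    body = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if body[0] & 0x80:                      # DER INTEGER is signed: keep it positive
        body = b"\x00" + body
    return _der(0x02, body)


def spki_from_rsa(n: int, e: int) -> bytes:
    """SubjectPublicKeyInfo DER, the structure a DKIM p= tag carries."""
    rsa_public_key = _der(0x30, _der_int(n) + _der_int(e))
    algorithm = _der(0x30, RSA_OID + b"\x05\x00")          # rsaEncryption, NULL params
    return _der(0x30, algorithm + _der(0x03, b"\x00" + rsa_public_key))


def dkim_record(n: int, e: int, chunk: int = 255) -> List[str]:
    """DKIM TXT record split into <=255-byte strings, as DNS requires."""
    txt = "v=DKIM1; k=rsa; p=" + base64.b64encode(spki_from_rsa(n, e)).decode()
    return [txt[i:i + chunk] for i in range(0, len(txt), chunk)]


# --- the part you would run against a real record -----------------------------
def _read_tlv(buf: bytes, pos: int, expect: int) -> Tuple[bytes, int]:
    """Read one DER tag-length-value at pos; return (value, position after it)."""
    tag, pos = buf[pos], pos + 1
    if tag != expect:
        raise ValueError(f"expected DER tag {expect:#x}, got {tag:#x}")
    length, pos = buf[pos], pos + 1
    if length & 0x80:                       # long form: next N bytes hold the length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return buf[pos:pos + length], pos + length


def rsa_modulus_bits(spki: bytes) -> int:
    body, _ = _read_tlv(spki, 0, 0x30)                      # SubjectPublicKeyInfo
    algorithm, pos = _read_tlv(body, 0, 0x30)               # AlgorithmIdentifier
    if not algorithm.startswith(RSA_OID):
        raise ValueError("not an RSA key")
    bit_string, _ = _read_tlv(body, pos, 0x03)              # subjectPublicKey
    rsa_public_key, _ = _read_tlv(bit_string[1:], 0, 0x30)  # skip unused-bits octet
    modulus, _ = _read_tlv(rsa_public_key, 0, 0x02)         # first INTEGER is n
    return int.from_bytes(modulus, "big").bit_length()


def dkim_key_bits(txt_strings: List[str]) -> int:
    """Join the TXT strings, parse the tag=value list and return the RSA modulus size."""
    record = "".join(txt_strings)
    tags = dict(part.strip().split("=", 1) for part in record.split(";") if "=" in part)
    if tags.get("k", "rsa") != "rsa":
        raise ValueError("unsupported key type " + tags["k"])
    return rsa_modulus_bits(base64.b64decode(tags["p"]))


if __name__ == "__main__":
    for bits in (1024, 2048):
        strings = dkim_record((1 << (bits - 1)) + 12345, 65537)   # synthetic modulus
        print(bits, "->", len(strings), "TXT string(s),", dkim_key_bits(strings), "bits")
```

The 2048-bit record comes out as two strings and the 1024-bit one as a single string, which is the difference some DNS interfaces cannot handle. A result below 2048 after you have switched the Admin console setting means the DNS change has not actually been published, and mail is still being signed with the old key until the record and the console agree.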
Launch Details
Release track:
Launching to both Rapid release and Scheduled release

Rollout pace:
Gradual rollout (potentially longer than 3 days for feature visibility)

Impact:
Admins only

Action:
Admin action suggested/FYI

Reference by  Google.com

 

Dial in with ease using the latest Google Calendar app for Android

An update to the Google Calendar app for Android is coming to Google Play. When you dial in to a conference call, Google Calendar can now automatically add the passcode. Simply tap the call-in number in the calendar event and you'll be prompted to select the passcode that applies to you, host or participant.

Note: Google Calendar detects the passcode or meeting ID from the location or notes field of the calendar event. If this information is not found, dialling in works as before, with the passcode or meeting ID entered manually.

Launch Details
Release track:
Launching to both Rapid release and Scheduled release

Rollout pace:
Full rollout (1-3 days for feature visibility)

Impact:
All end users

Action: 
Change management suggested/FYI

Reference by Google.com

Contact importing now available in the new Google Contacts preview

We recently announced that the new Google Contacts is available for preview from the Admin console. By enabling the preview, administrators can allow their users access to the new Google Contacts, along with the many benefits that come with it, like a new fresh look and improved contact merge features.

One popular request from Google Apps users was the ability to easily import their contacts into Google Contacts. We’re happy to announce that starting today, the ability to import contacts, powered by ShuttleCloud, is now available for Google Apps users.

Getting started for administrators

  • Administrators must first enable the "Contacts Preview" for their users via Apps > Google Apps > Settings for Contacts > Advanced Settings.
  • Administrators must also enable "User email uploads" in the Gmail User Settings by going to Apps > Google Apps > Settings for Gmail > Advanced Settings.

Getting started for users

  • Users can now import contacts from a wide variety of supported mail and contact sources.
  • From the new Google Contacts preview, simply click More > Import > and choose the account that you’d like to migrate from.
  • You will be prompted for that account’s username and password, and your contacts will start transferring once you have successfully granted authorization.
  • If you need to import your contacts from a CSV file instead, click CSV file in the import dialog, then click Go to Old Contacts to be taken to Contacts Manager.

Launch Details

Release track:
Launching to both Rapid release and Scheduled release

Rollout pace:
Full rollout (1-3 days for feature visibility)

Impact:
All end users

Action:
Admin action suggested/FYI, OR
Change management suggested/FYI

 

Reference by Google.com

Enhanced support for images in the Google Sheets mobile apps

Images—for instance, business logos—can make or break a spreadsheet. With that in mind, we’re launching improved image and drawing functionality in the Google Sheets mobile apps. Starting today, you can:

  • View images and drawings in the Sheets app on your iPhone or iPad.


  • View images and drawings—even in frozen sections!—in the Sheets app on your Android device (previously these images would not render in frozen cells on Android).

Launch Details
Release track:
Launching to both Rapid release and Scheduled release

Rollout pace:
Gradual rollout (potentially longer than 3 days for feature visibility)

Impact:
All end users

Action:
Change management suggested/FYI

Reference by Google.com

Accept questions from your audience when presenting in Google Slides

Any skilled presenter knows that an interactive presentation is often an effective presentation. Starting today, you can better engage your audience by allowing them to submit questions and vote on them during Google Slides presentations.

To see the feature in action, check out this video in which Google Science Fair winner Shree Bose fields questions from a group of 200 middle school students.


A few things to note:

  • The Slides Q&A feature works on desktop computers, Android mobile devices, and iOS mobile devices.
  • You can only use Slides Q&A if you have edit or comment access to that Slides presentation.
  • By default, any user in your domain can submit a question. If your organization permits external sharing, you can allow external users to submit questions as well.

For more information on how to accept, submit, and view audience questions in Google Slides, check out the Help Center.

Bonus! Allowing your audience to ask questions isn’t the only way we’re improving the presentation experience on Slides today. We’re also making the following possible:

  • Use your mouse as a laser pointer in Slides on the web. Just choose the laser pointer option from the toolbar and move your mouse, and a red laser-like dot will appear in the same place on screen, helping your audience know where to look and when.
  • In the Slides iOS app, present to a new Hangout or to a Hangout selected from a meeting on your Google Calendar. For more information, check out the Help Center.

Launch Details
Release track:
Launching to both Rapid release and Scheduled release:

  • All mobile features
  • All audience features on mobile and desktop

Launching to Rapid release, with the Scheduled release coming in two weeks:

  • Ability for a presenter to enable Q&A on desktop

Rollout pace:
Gradual rollout (potentially longer than 3 days for feature visibility)

Impact:
All end users

Action:
Change management suggested/FYI

Reference by Google.com

 

Google Calendar for Android: Find a time for my meeting

Smartphones have made productivity portable. You no longer have to be at your desk to catch up on meeting notes, dial into a conference call, or send an email. But scheduling meetings on the go is still difficult, as you have to open your laptop to check everyone’s calendar and find a time that works.

Starting today, if you use Google Apps for Work or Edu, you can schedule meetings from anywhere with “Find a time” in Google Calendar for Android.

With a single tap, “Find a time” helps you find meeting times that work for everyone—even if they’re in different time zones—based on their availability and the times they usually have meetings. If there are no times that work, Calendar will look at which conflicting meetings can most easily be rescheduled. Designed specifically for organizations where sharing your calendar with colleagues is the norm, here’s how it works:

 


“Find a time” makes suggestions, but you’re still in control. You can tap to see everyone’s schedule at a glance—perfect for making sure the timing works for all. And if you manage someone else’s calendar, you can use the feature to schedule meetings on their behalf as well.

Download Google Calendar for Android to get easy, on-the-go scheduling. And yes, we’re also working on bringing “Find a time” to iPhone, as well as easier ways to schedule on the web.

Launch Details
Release track:  
Launching to both Rapid release and Scheduled release
Rollout pace: 
Full rollout (1-3 days for feature visibility)
Impact: 
All end users
Action:
Change management suggested/FYI
Reference by Google.com

Configure Your Email Address On Your Email Client Microsoft Outlook 2010

Steps to Configure Your Email Address On Your Email Client Microsoft Outlook 2010

Adding a new account:

  • Select the File menu
  • Select Info
  • Click the Add Account button


  • Choose "Manually configure server settings or additional server types"


  • Click Next
  • Choose Internet E-mail


  • Click Next

Account Settings


 

  1. Enter your name as you want it to appear on your outbound email messages
  2. Enter your full email address
  3. Enter your full email address also as the User Name
  4. Enter your email password.
  5. Your mail server is mail.yourdomainname.com (where yourdomainname.com is your own domain name)

The Outgoing Mail Server is the same as your incoming mail server.

More settings:

Click  on More setting button


Click the Outgoing Server tab


  1. Tick the "My outgoing server (SMTP) requires authentication" checkbox
  2. Select "Use same settings as my incoming mail server"
  3. Click the Advanced tab


  • If you are using POP3 with SSL, tick the checkbox and enter 995 as the port. Otherwise leave the default port at 110.
  • If you are using POP3, you may choose when messages are removed from the server.
  • If you are using IMAP with SSL, tick the checkbox and enter 993 as the port. Otherwise leave the default port at 143.
  • If you are using SMTP with SSL, tick the checkbox and enter 465 as the port. Otherwise change the port from the default 25 to 26.

Use the SSL variants wherever the mail server supports them: without SSL/TLS, the password entered above and every message travel across the network in clear text.

Click the OK button.

Testing Settings

  • While on the E-mail Accounts screen, click the Test Account Settings button


  • This both checks your settings and sends a test message to yourself to confirm that everything is working. If you receive any errors, check your configuration.
  • Click the Close button on the Test Account Settings window
  • Click Next on the E-mail Accounts window
  • Click the Finish button

 

Outlook 2010 is now configured to send and receive e-mail.

Navigate documents quickly and easily with the outline tool in Google Docs

It can be difficult, not to mention time-consuming, to navigate lengthy, complex documents. To make that process easier, today we’re launching an outline tool in Google Docs on the web and Android. Displayed in a pane to the left of the page, this outline features headers for each section of your document, making it simple to quickly jump from section to section. If you haven’t manually applied headers, no worries—we’ll do it for you, intelligently detecting the logical divisions within your work. You can then edit or remove these headers as necessary.


This launch also lets you move through documents on your Android phone or tablet much faster. When you begin scrolling on your mobile device, a small navigation handle appears automatically. Touching that handle displays the entire document's structure, allowing you to jump from section to section instead of slowly swiping up and down.


To surface an outline in your document, simply click Tools > Document outline in Docs on your computer or select Document outline from the overflow menu on your Android device. Check out the Help Center article below for more details.

Launch Details
Release track:
Mobile features: Launching to both Rapid release and Scheduled release
Desktop features: Launching to Rapid release, with Scheduled release coming in two weeks

Rollout pace:
Full rollout (1–3 days for feature visibility)

Impact:
All end users

Action:
Change management suggested/FYI

Reference by Google.com

Important change in behavior of Google Calendar events with public visibility

On May 16, 2016, the Google Calendar team will change the behavior of calendar events that users have intentionally marked as public to strictly follow a domain’s external sharing options setting for both primary and secondary calendars, set from the Admin console. This change gives domain administrators more control over how users are sharing their calendar events with people outside of the domain.

Note: If your domain external sharing setting is set to Share all information, then there’s no behavior change.

The change takes effect immediately on the web. Calendars and events synced on mobile may remain visible until the device re-syncs. All events created after May 16, 2016, will appear to people outside the domain as free/busy on all platforms, subject to the domain's external sharing setting.

If users want to share calendar events with external users, but keep their primary work calendars private or free/busy, they can still create separate secondary calendars for that purpose.

We recommend the following actions:

  • If you want to continue sharing calendar events with external users but keep primary calendars private, set the access for primary calendars to Only free/busy information, while setting the access for secondary calendars to Share all information. Then, encourage your users to create public events on secondary calendars.
  • Confirm your current Google Calendar External sharing options in the Admin console (Apps > Google Apps > Calendar > Sharing settings). Learn more about how to Set calendar sharing options.

If you have additional questions or need assistance, contact Google Apps Support.

Reference by Google.com