In the context of a customer project, we examined a new variant of the Locky ransomware. As in the meantime stated by a law enforcement agency, this has been part of a large wave of attacks hitting various enterprises in the night from Tuesday (2016-07-26) to Wednesday.
As an initial attack vector, the attackers use emails with an attachment that probably even uses a 0day exploit, that enables the payload to be executed already when displayed in the MS Outlook preview.
The ransomware encrypts accessible documents and threatens victims to pay a ransom in order to be able decrypt the files. Further, the malware uses accessible network shares/drives for further spreading.
Further information is following in the next section.
It might help to create filtering rules based on the mentioned file names, hash values, URLs, and IP addresses that are named in the rest of this report.
In this article, I want to provide a concise sum-up of the (to me) most interesting talks of this year’s DFRWS EU (http://www.dfrws.org/2016eu/).
Eoghan Casey, one of most famous pioneers in digital forensics, and David-Olivier Jaquet-Chiffelle, professor in police science at University of Lausanne, gave a keynote that emphasized the need for theoretical fundamental basis research in the field of digital forensics, which I fully agreed on, as this was exactly what I addressed in some of my former research.
We just presented our Paper “Generic RAID Reassembly using Block-Level Entropy” at the DFRWS EU 2016 digital forensics conference (http://www.dfrws.org/). The article is about a new approach that we developed for forensic RAID recovery. Our technique calculates block-wise entropy all over the disks and uses generic heuristics on those to detect all the relevant RAID parameters such as stripe size, stripe map, disk order, and RAID type, that are needed to reassemble the RAID and make the data accessible again for forensic investigations (or just for data recovery).
We developed an open source implementation of our approach that is freely available at https://www1.cs.fau.de/content/forensic-raid-recovery/. The tool is able to recover RAID 0, RAID 1 and RAID 5 volumes from the single disks or disk images.
It is also able to recover a missing or failed disk in case of RAID 5 systems from the RAID redundancy information.