How to Block Today's Locky Ransomware Email Virus

There is a massive wave of emails this morning that will download the Locky virus ransomware. We are seeing unprecedented volumes, like 150 times more than other malware.

As a global hosted antispam provider, we have a sophisticated staff of threat analysts and programmers who work 24/7 doing most of the blocking and filter tuning for our customers - including our zero-hour protection against threats like Locky, Cryptowall, Cryptolocker and other malware. Given the danger this threat poses globally, we're sharing how we are blocking it.

How to Block Today's Locky

The vast majority of ransomware emails so far today match a special anti-virus filter we wrote to handle these massive campaigns for our global customers. It is very fast and efficient, and blocks malicious email before hitting out sequential spam filters. Most we believe were Locky, with maybe some Dridex (not ransomware) or Teslacrypt (we see them a lot).

Here are the expressions that have been blocking many of the messages. You'll probably have to make changes for it to work with your spam-filtering, if you can add custom filters at all (see the caution, below, before attempting to use these).

There was a short campaign this morning of .rar/.zip files. The filename started with FC_ and had 7 to 9 digits before the .zip/.rar extension. Here is the filter expression:

$filename =/^FC_\d{7,9}\.zip$/

This one was active for while. File attachments were zip or rar files. Sometimes the extensions were just .jpg, .doc, etc, and other times ended with .jpg.zip, .docx.rar, etc:

$filename =~ /^(?:doc|docu?ment|file|image|img|list|scan|sheet|pdf)[-_ ]?\d+\.(?:docx?|gif|jpe?g|pdf|rar|tiff|xlsx?)\.(?:rar|zip)$/i

The following two patterns were matching earlier in the week, and we've kept up with them almost daily::

$filename =~ /^(account|bill|copy|deposite|details|document|e-bill|invoicecopy|invoices|pdf|receipt)[-_][-a-zA-Z\d\.]+_[A-F\d]{6}\.(?:rar|zip)$/
$filename =~ /^[-_a-zA-Z\d\.]+[-_](account|bill|condition|copy|deposite|details|document|e-bill|invoicecopy|invoices|payment|pdf|receipt|request)_[A-F\d]{6}\.(?:rar|zip)$/

This expression is matching most recently, now that the big wave has died down:

$filename =~ /^[-_a-zA-Z\d\.]+[-_](account|bill|condition|copy|deposite|details|document|e-bill|invoicecopy|invoices|payment|pdf|receipt|request)_[A-F\d]{6}\.(?:rar|zip)$/

This expression also matches some of the most recent traffic:

$filename =~ /^[A-F\d]{5}_[-_a-zA-Z\d\.]+_[A-F\d]{6}\.(?:rar|zip)$/ 

Blocking Spam and Malware Yourself

Today's traffic, sometimes hundreds of times beyond normal, illustrates why it's so difficult for individual IT admins to maintain their own spam filtering. Not only is it time and labor intensive, you're liable to make mistakes. Even the best IT admins have trouble keeping up with campaigns like this.

Given the serious danger posed by today's ransomware, phishing, harvesting and other threats, aren't you better off spending around $1-2/user/month to have trained professional, like our threat analysts, blocking new spam and viruses 24/7/365?

Transform your Working Day - Try SpamStopsHere FREE

Try SpamStopsHere FREE for 30 days and see just how amazing and inexpensive premium hosted spam filtering with zero-hour threat protection can be. 24/7/365 live support and many other features are included with every edition.