Sandstorm does not recognize Locky?

I'm wondering, why Sandstorm does not recognize and block Locky.

Yesterday a E-Mail passed the UTM, with attached payment_document_659857.zip, containing *.js scripts.

The ZIP was not encrypted and for my unterstanding Sandstorm should have analyzed this file and blocked it, as the *.js are very suspicious, as the arey downloading the Locky payload.

On our Exchange Server, the E-Mail was detected by Trendmicro Scanmail for Exchange as JS_LOCKY.KF

Parents

0 PeterM over 8 years ago

Hi rsc,

Do you still have the zip? can you send a copy of it to samples@sophos.com and CC in support@sophos.com and we can take a look for you.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 rsc over 8 years ago in reply to PeterM

Peter,

just sent 2 samples, which are not recognized by UTM 9.4 Sandstorm. Case # is #5809716.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 rsc over 8 years ago in reply to rsc

Mail Security with Sandstorm on UTM 9.400-9 still does not recognize Locky JS-Downloaders, although the behavior is obvious.

https://www.virustotal.com/de/file/76609f82340106c12d42fe176c632d5153a1a6a1e4b75f80cf4b0c1579efdc66/analysis/1458600681/

https://www.virustotal.com/de/file/554b28a723610b61544f58369df6bcb62416796b904516af53a6c147f420f94f/analysis/1458602994/

I submitted the 2 files under the same case #5809716

BTW: The submission form https://secure2.sophos.com/en-us/support/contact-support/sample-submission.aspx misses UTM series in selection list:
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Ben over 8 years ago in reply to rsc

really not what we are looking for than if sandstorm doesn't even detect locky ...

to be fair, alot of scan engines and sandboxes do not detect it, but all you heard on the cebit was locky talk and how sandstorm will detect it etc. - guess not

---

Sophos UTM 9.3 Certified Engineer
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 NewImage over 8 years ago in reply to Ben

Strange, yeah thought that is what it is specifically made to do. I wonder if Sandstorm has a MS office framework to check office macros, or if Locky has some logic to act differently in virtualized environments.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 PeterM over 8 years ago in reply to NewImage

Hi everyone,

We just wanted to let you know that we are working with this customer at the moment to understand exactly what happened. This is still an ongoing investigation and could have been caused by many reasons. We do know that Sandstorm can and has stopped variants of ransomware including Locky in the past. Once we have more information regarding this issue we will post an update.

Thanks
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Reply

0 PeterM over 8 years ago in reply to NewImage

Hi everyone,

We just wanted to let you know that we are working with this customer at the moment to understand exactly what happened. This is still an ongoing investigation and could have been caused by many reasons. We do know that Sandstorm can and has stopped variants of ransomware including Locky in the past. Once we have more information regarding this issue we will post an update.

Thanks
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Children

0 lferrara over 8 years ago in reply to PeterM

Peter,

do you have any update on that?

Thanks.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel