Sandstorm does not recognize Locky?

I'm wondering why Sandstorm does not recognize and block Locky.

Yesterday an e-mail passed the UTM with the attachment payment_document_659857.zip, containing *.js scripts.

The ZIP was not encrypted and, to my understanding, Sandstorm should have analyzed this file and blocked it, as the *.js files are very suspicious: they download the Locky payload.

On our Exchange server, the e-mail was detected by Trend Micro ScanMail for Exchange as JS_LOCKY.KF.
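A gateway-side check for the attachment pattern described above, as an added example that is not part of the original post and not code from Sophos Sandstorm or the UTM: it opens a ZIP attachment, lists members whose final extension is one Windows Script Host or the shell will execute, and notes whether any member is encrypted, since an encrypted archive is exactly the case a sandbox cannot inspect. The extension list, the verdict policy and the sample archive (a made-up JS body standing in for a downloader, not real malware) are all assumptions for this example.

```python
"""
Added example, not from the original post or from Sophos: flag e-mail
attachments that are ZIP archives holding script files, the pattern in
the thread (payment_document_*.zip containing *.js downloaders).
"""
import io
import zipfile

# Extensions that run when double-clicked on Windows (WSH, cmd, PowerShell).
# This list is an assumption for the example, not a Sophos/UTM setting.
SCRIPT_EXTENSIONS = {
    ".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh",
    ".hta", ".cmd", ".bat", ".ps1",
}

# General purpose bit 0 in the ZIP local/central header: entry is encrypted.
_ZIP_FLAG_ENCRYPTED = 0x1


def _extension(member_name):
    """Final suffix of a member name, lower-cased, so that a double
    extension such as 'invoice.pdf.js' is classified by '.js'."""
    base = member_name.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return base[base.rfind("."):] if "." in base else ""


def inspect_zip_attachment(data):
    """Inspect a ZIP attachment given its raw bytes.

    Returns a dict with:
      is_zip          - False if the bytes are not a ZIP archive
      script_members  - member names with a script extension
      encrypted       - True if any member has the encryption flag set
      verdict         - 'block' (script inside), 'hold' (encrypted, so
                        content scanning cannot see inside; release only
                        after manual review), 'allow', or 'not_zip'
    The verdict policy is an assumption made for this example.
    """
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return {"is_zip": False, "script_members": [],
                "encrypted": False, "verdict": "not_zip"}

    script_members = []
    encrypted = False
    for info in zf.infolist():
        if info.flag_bits & _ZIP_FLAG_ENCRYPTED:
            encrypted = True
        if _extension(info.filename) in SCRIPT_EXTENSIONS:
            script_members.append(info.filename)

    if script_members:
        verdict = "block"
    elif encrypted:
        verdict = "hold"
    else:
        verdict = "allow"
    return {"is_zip": True, "script_members": script_members,
            "encrypted": encrypted, "verdict": verdict}


def build_sample_attachment(members=None):
    """Construct an unencrypted ZIP in memory. The default member mimics the
    attachment in the thread; the JS body is made up and harmless."""
    if members is None:
        members = {
            "payment_document_659857.js":
                "/* constructed stand-in for a downloader script */\n"
                "var req = new ActiveXObject('MSXML2.XMLHTTP');\n",
        }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()


if __name__ == "__main__":
    print(inspect_zip_attachment(build_sample_attachment()))
```

This is a static pre-filter, not a replacement for sandboxing: it catches the unencrypted-archive-with-script case regardless of the sandbox verdict, and it separates out encrypted archives, which no content scanner can evaluate and which therefore deserve a quarantine-and-review policy rather than a pass.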

  • Hi everyone,

    We just wanted to let you know that we are working with this customer at the moment to understand exactly what happened. This is still an ongoing investigation and could have many causes. We do know that Sandstorm can stop and has stopped variants of ransomware including Locky in the past. Once we have more information regarding this issue we will post an update.

    Thanks
