
TeslaCrypt Variant MP3

Hey Guys,

Today a very important customer of ours was infected by ransomware of the MP3 variant. We were able to identify it very quickly and restored everything. It's a server/client network with a UTM, and the internal IT formatted the infected PC directly and deleted the server profile, so that I wasn't able to check it.

Now I am analyzing how the infection was able to get into the network. I checked the UTM; everything looks fine with IPS, Web Protection (transparent), FW rules and Mail Protection. Mail Protection is only the POP proxy (internal IT specification), so I looked in the mailbox and the Exchange explorer too. Everything looked fine there as well, nothing shady.

The good thing is that I have already convinced the IT that we are going to change the mail system to our own MX with a configured SMTP proxy, and implement Sandstorm when it is released ;)

So I could eliminate mail and removable media (policy), so the only remaining concern is the web.

Maybe someone has any advice for me on what I could check to identify how the infection got into the system...
Thanks in anticipation, and regards from Germany



  • I get lots of spam email with malware attachments. Whenever I check them at VirusTotal.com (recommended!) immediately upon receipt, very few antivirus products detect them as malware. Sad to say, Sophos is never on the list that detects the malware when I first receive it in email. It takes time for antivirus vendors to update their signatures to detect the new malware, and malware authors have learned how to take advantage of this inherent delay.

    In previous research that I did for an antivirus vendor many years ago, I found that it took 1-3 days for a typical antivirus signature update to detect malware in broad distribution email phishing attacks. I suspect that the delays are shorter now, but they still exist and malware authors depend on them.

    My guess is that the malware in your case got through undetected because it was fresh and new, and the Sophos protections had not caught up with it yet. 
