Views:

TREND MICRO PRODUCT SOLUTIONS

Below are the available Trend Micro product solutions for Lukitus/Locky Ransomware:

Email Solution

All related samples are detected by AS Full Pattern 3300.

Messaging products such as IMSVA and SMEX can block spam mails related to this ransomware. It checks for email reputation and web reputation of the embedded links, file attachments, as well as macros in MS Office documents.

Enabling the Ransomware Protection feature in InterScan Messaging Security Suite (IMSS) or InterScan Messaging Security Virtual Appliance (IMSVA)

Smart Scan and Conventional Scan

Files related to this ransomware are detected as the following:

Downloaders (detected using OPR 13.603.00)
- Mal_Cerber-JS03d
- TROJ_FRS.0NA004I117
- JS_NEMUCOD.TH822
- JS_NEMUCOD.ELDSAUJM
Lukitus Ransomware (All samples are now detected using OPR 13.637.00)
- Ransom_LOCKY.DLDTATN
- Ransom_LOCKY.AJA
- Ransom_LOCKY.TH817
Detections were renamed from Ransom_CERBER.SMALY0.

Predictive Machine Learning

Predictive Machine Learning is a powerful tool that helps protect your environment from unidentified threats and zero-day attacks. It performs a behavioral analysis on unknown or low-prevalence processes to determine if an emerging or unknown threat is attempting to infect your network.

Predictive Machine Learning detects Lukitus ransomware related files as the following:

Downloader.JS.TRX.XXJS447FF006K0001
Troj.Win32.TRX.XXPE002FF018

Web Reputation Service

Web Reputation Services evaluates the potential security risk of all requested URLs at the time of each HTTP request. Depending on the rating returned by the database and the security level configured, web reputation either blocks or approves the request.

Web Reputation service already blocks all of the known URLs associated with Lukitus ransomware.

Behavior Monitoring

Behavior Monitoring can detect a specific sequence of events that may indicate a ransomware attack. Thus, Behavior monitoring detects and blocks the file encryption routine of Lukitus ransomware.

Deep Discovery Inspector

DDI is helpful in identifying the impacted machines on the network because it has the following detection rules for this ransomware:

Trend Micro URL Filtering Engine (TMUFE)
- C&C Server URL in Web Reputation Services database - HTTP (Request)
- Dangerous URL in Web Reputation Services database - HTTP (Request)
- Ransomware URL in Web Reputation Services database - HTTP (Request)
Threat Detection Rules
- LOCKY - Ransomware - HTTP (Request) - Variant 2 - Rule ID: 2116
It was previously detected by the following rules:
- CERBER – Ransomware - HTTP (Response or Request) - Rule ID: 2359 and 2338
- CERBER - Ransomware - UDP - Rule ID 2071

Deep Security IPS

Deep Security has an IPS solution that can help detect and block Locky Ransomware-associated network traffic.

Instructions on how to enable this feature can be viewed from this link: Ransomware Detection and Prevention in Deep Security.

Tipping Point

Tipping point has the following ThreatDV to block and prevent threat activity related to Lukitus Ransomware:

26222: HTTP: Locky CnC checkin Nov 21
26223: HTTP: Locky CnC checkin Nov 21 M2
26227: HTTP: Locky CnC Checkin HTTP Pattern

BEST PRACTICES FOR IT ADMIN

Optimize email security. Blocking malicious emails at the gateway level before they can even reach the users will help prevent malware infections.
Review the need for VBS and JS scripting in the machine. If it is not needed, you can disable it to reduce the risk of malware infection.
- Officecan Behavior Monitoring can block wscript/cscript on the machine: Blocking .vbs malware by disabling the Windows Script Host (WSH) in OfficeScan (OSCE)
- Microsoft also provides a guide on how to disable wscript in the computer: Disabling Windows Script Host
Enable file extension in Windows. The default Windows setting has file extensions disabled. This means that you have to rely on the file thumbnail to identify it. Enabling extensions makes it much easier to identify file types that are not commonly sent, such as JavaScript or VBScript.
Don’t enable macros in MS Office file attachments received via email.
Restrict write permissions on the file server if possible. Ransomware encrypts files for both local and network shares with write permissions.
Back up files. Cybercriminals use the potential loss of important and personal data as a fear-mongering tactic to coerce victims into paying the ransom. Organizations and end users can back up files to remove their leverage. Keep at least three copies, with two stored in different devices, and another in an offsite or safe location.
Do Patch Management. It is highly recommended to keep application patch levels up-to-date as a lot of malware use these vulnerabilities to compromise your machine. Examples of critical applications are Java, Adobe, and your Internet Browser.
Educate users about social engineering attacks. Getting infected by Ransomware is an indication that the user is not security aware. The user may receive spam mail and open the attachment without knowing the risks involved.

Keywords: Lukitus,Lukitus Ransomware,[.]lukitus,Lukitus Ransomware infection chain,Encrypted files by Lukitus Ransomware,Lukitus Ransomware Encrypted files ,Lukitus Ransomware Ransom Notes,Email Solution,Smart Scan and Conventional Scan,Predictive Machine Learning,

Lukitus Ransomware Information

Product / Version includes:

Deep Discovery InspectorAll , Deep SecurityAll , Interscan Messaging Security Virtual ApplianceAll , ScanMail for ExchangeAll

Last updated: 2021/10/10

Solution ID: KA-0007763

Category: Troubleshoot , Remove a Malware / Virus

Summary

THREAT INFORMATION

Lukitus Ransomware is a new variant of Locky Ransomware that encrypts user’s data and appends the [.]lukitus file extension. Lukitus Ransomware encrypts personal photos, videos, and documents of the victim and changes the names of the files into random characters and numbers, followed by the [.]lukitus file extension.

ARRIVAL AND INSTALLATION

Lukitus Ransomware infection chain

The infection chain of Lukitus Ransomware begins with a socially-engineered email that contains a malicious MS Office file or a ZIP/RAR attachment with embedded malicious JS/VBS scripts. It may also arrive as a spoof drop box notification email.

When the malicious file is executed, it connects to a URL hosting the main ransomware file (Lukitus) and downloads it. Then, it encrypts the files as well as the network shares on the machine. The main binary of the ransomware then self-destructs after executing its payload.

Encrypted files by Lukitus Ransomware

Lukitus Ransomware Ransom Notes

TREND MICRO PRODUCT SOLUTIONS

Below are the available Trend Micro product solutions for Lukitus/Locky Ransomware:

EXPAND ALL

Email Solution

All related samples are detected by AS Full Pattern 3300.

Enabling the Ransomware Protection feature in InterScan Messaging Security Suite (IMSS) or InterScan Messaging Security Virtual Appliance (IMSVA)

Smart Scan and Conventional Scan

Files related to this ransomware are detected as the following:

Downloaders (detected using OPR 13.603.00)
- Mal_Cerber-JS03d
- TROJ_FRS.0NA004I117
- JS_NEMUCOD.TH822
- JS_NEMUCOD.ELDSAUJM
Lukitus Ransomware (All samples are now detected using OPR 13.637.00)
- Ransom_LOCKY.DLDTATN
- Ransom_LOCKY.AJA
- Ransom_LOCKY.TH817
Detections were renamed from Ransom_CERBER.SMALY0.

Predictive Machine Learning

Predictive Machine Learning detects Lukitus ransomware related files as the following:

Downloader.JS.TRX.XXJS447FF006K0001
Troj.Win32.TRX.XXPE002FF018

Web Reputation Service

Web Reputation service already blocks all of the known URLs associated with Lukitus ransomware.

Behavior Monitoring

Behavior Monitoring can detect a specific sequence of events that may indicate a ransomware attack. Thus, Behavior monitoring detects and blocks the file encryption routine of Lukitus ransomware.

Deep Discovery Inspector

DDI is helpful in identifying the impacted machines on the network because it has the following detection rules for this ransomware:

Trend Micro URL Filtering Engine (TMUFE)
- C&C Server URL in Web Reputation Services database - HTTP (Request)
- Dangerous URL in Web Reputation Services database - HTTP (Request)
- Ransomware URL in Web Reputation Services database - HTTP (Request)
Threat Detection Rules
- LOCKY - Ransomware - HTTP (Request) - Variant 2 - Rule ID: 2116
It was previously detected by the following rules:
- CERBER – Ransomware - HTTP (Response or Request) - Rule ID: 2359 and 2338
- CERBER - Ransomware - UDP - Rule ID 2071

Deep Security IPS

Deep Security has an IPS solution that can help detect and block Locky Ransomware-associated network traffic.

Instructions on how to enable this feature can be viewed from this link: Ransomware Detection and Prevention in Deep Security.

Tipping Point

Tipping point has the following ThreatDV to block and prevent threat activity related to Lukitus Ransomware:

26222: HTTP: Locky CnC checkin Nov 21
26223: HTTP: Locky CnC checkin Nov 21 M2
26227: HTTP: Locky CnC Checkin HTTP Pattern

BEST PRACTICES FOR IT ADMIN

Optimize email security. Blocking malicious emails at the gateway level before they can even reach the users will help prevent malware infections.
Review the need for VBS and JS scripting in the machine. If it is not needed, you can disable it to reduce the risk of malware infection.
- Officecan Behavior Monitoring can block wscript/cscript on the machine: Blocking .vbs malware by disabling the Windows Script Host (WSH) in OfficeScan (OSCE)
- Microsoft also provides a guide on how to disable wscript in the computer: Disabling Windows Script Host
Enable file extension in Windows. The default Windows setting has file extensions disabled. This means that you have to rely on the file thumbnail to identify it. Enabling extensions makes it much easier to identify file types that are not commonly sent, such as JavaScript or VBScript.
Don’t enable macros in MS Office file attachments received via email.
Restrict write permissions on the file server if possible. Ransomware encrypts files for both local and network shares with write permissions.
Back up files. Cybercriminals use the potential loss of important and personal data as a fear-mongering tactic to coerce victims into paying the ransom. Organizations and end users can back up files to remove their leverage. Keep at least three copies, with two stored in different devices, and another in an offsite or safe location.
Do Patch Management. It is highly recommended to keep application patch levels up-to-date as a lot of malware use these vulnerabilities to compromise your machine. Examples of critical applications are Java, Adobe, and your Internet Browser.
Educate users about social engineering attacks. Getting infected by Ransomware is an indication that the user is not security aware. The user may receive spam mail and open the attachment without knowing the risks involved.

Was this article helpful?

Featured

Automation Center

Education Portal

Online Help Center

Service Status

TrendConnect

Lukitus Ransomware Information

TREND MICRO PRODUCT SOLUTIONS

Email Solution

Smart Scan and Conventional Scan

Predictive Machine Learning

Web Reputation Service

Behavior Monitoring

Deep Discovery Inspector

Deep Security IPS

Tipping Point

BEST PRACTICES FOR IT ADMIN

Lukitus Ransomware Information

Product / Version includes:

Summary

THREAT INFORMATION

ARRIVAL AND INSTALLATION

TREND MICRO PRODUCT SOLUTIONS

Email Solution

Smart Scan and Conventional Scan

Predictive Machine Learning

Web Reputation Service

Behavior Monitoring

Deep Discovery Inspector

Deep Security IPS

Tipping Point

BEST PRACTICES FOR IT ADMIN