Last Updated: 2016-10-27 15:13:04 UTC
by Johannes Ullrich (Version: 1)
Just as little as yesterday's order that "proceeded." It Look like today's ransomware subject is "Your Bill is Overdue." But then again, don't bother blocking it. Block ZIP'ed visual basic scripts. This round of Locky makes blocking a tad harder by using "application/octet-stream" as a Content-Type instead of "application/zip."
(and about 2 hrs after publishing this diary, another small update: the Content-Type now changed to application/x-compressed . Makes you wonder if they are reading this ;-) )
It may be safe to strip everything with an "application/octet-stream" attachment.
For the last 30 minutes, I received just about 1,000 attachments like that, and about 4000 total. The first one I received arrived just after 8 am UTC.
Anti-Virus coverage is spotty as usual. Kaspersky and Sophos seem to be doing a rather good job lately detecting the initial downloaders
As usual, Xavier's mime-zip-trojan script does a beautiful job of keeping these attachments out of your inbox: