Hello, welcome to the Friday, October 28th, 2016 edition of the Sandtonet Storm Center's

Stormcast. My name is Johannes Orich, and I'm recording from Jacksonville, Florida.

The Locky Ransomware is making continuous changes to the emails that deliver its downloader today I actually saw two

different changes first of all they changed the content type to application

octet stream not the usual application sip and then actually a few hours

later they went with application X compressed.

All of this will have the same effect on the user that they'll be offered a compressed file to download.

And then when they run it, of course, the ransomware will be downloaded next.

But I think the goal here is to bypass some of the mail filters

that will look for specific content types

and then not filter some of these less common content types.

So make sure that you cover them all in.

If you see some of these downloaders make it

past your mail filter, then it's probably because of these new content types. Overall,

the basic scheme here still remains the same, where what you will be offered is a compressed

visual basic script or JavaScript or something along these lines

that will then download additional parts.

Now on the plus side here for the defenders, it looks like antivirus is getting a little bit better

in detecting these compressed downloaders.

Softos, for example, today got every single one of them as soon as I received them.

Symantec and Megafi still seem to have a little bit issues with the downloaders,

but I didn't do a complete run to see what happens when I actually ran these downloaders.

...