Hello, welcome to the Friday, September 16th, 2016 edition of the Sands and its Storm Center's

Stormcast. My name is Johannes Ulrich and today I'm recording from Las Vegas, Nevada.

Let's start with a couple of updates regarding the old favorite Lockhears Ransomware.

Apparently it no longer now connects back to a command and control server in order

to retrieve an encryption key and register the infected system. That's now all done on the system itself.

Of course with that there's less infrastructure to maintain for the bad guys and also detection becomes slightly more

difficult. Now there are also some reports that Locky may be moving to a different

downloader but so far I'm really still just seeing the SIPT office documents with

some kind of visual basic or other script that then does the download.

Anti-malware detection is still pretty mixed here. In particular, anti-malver has a hard time

with the downloader. Often it misses the downloader, but then later does detect the actual malware being downloaded.

The problem with this is like yesterday I was playing with some malware,

it just keeps trying different versions of the malware until it finds one

that actually then slips past the detection and I've seen it try like about a dozen different versions here.

One of the problems here of course is that the user may actually believe then that

the anti-mal resolution is effective and the exploit got stopped but the user will

still end up with an encrypted system in this case because one of the ransomware samples does make it past the check.

And Cisco released a critical patch for its WebEx meeting server.

So this only affects the server component if you're just run declined.

You don't have to worry about it or if you're

using Cisco's own servers in order to hold your meetings.

The problems here is that the meetings server suffers from an unauthenticated remote code

...