Hello, welcome to the Tuesday, September 5th, 2017 edition of the Sansanet Storm Center's Stormcast.

My name is Johannes Ulrich, and I am recording from New York, New York.

We've got a couple of diaries to catch up here from this long weekend.

The first one actually is from Friday about a new variant of Locky. Now, Locky has been back the last

couple of weeks. The latest variant is in particular tricky in the way it sort of tricks

users into installing the ransomware. It arrives as a fake Dropbox message that's actually

done quite well. If you click on it, you're then asked

to open an update notification, which then instructs you to install what it calls a Heffler font.

So essentially, the user here believes that in order to read the message, they have to install

this font. Fonds, of course, are usually not considered to be executable or malicious, but what you

are actually downloading is an executable that will then download additional malware, including

the actual ransomware.

So nothing really fundamentally new as far as exploits go, but really sort of a new social

component to this particular version of Locky.

Now, Brad tried to run it in different browsers, and it appears to adjust itself to

different browsers, but he had some mixed results here.

It didn't actually always run all the way to install the ransomware.

But again, then this may be just the fact of one or two of the domains that are being involved here

being already shut down by the time that he ran this particular sample.

Now, one of the most difficult parts in security is to figure out if a particular system is not infected or a particular file is not malicious.

Didier is taking a stab at this task and he is now two parts into his, I believe, three-part diary.

First two parts, he hasn't really found anything yet in this particular PDF.

...