MALWARE-CNC Win.Ransomware.Lockergoga binary download attempt

KhesarW
Conversationalist

MALWARE-CNC Win.Ransomware.Lockergoga binary download attempt

Hi everyone, 

New to Meraki and the community forum 😊

 

We've been seeing this malware-cnc (MALWARE-CNC Win.Ransomware.Lockergoga binary download attempt) for a few weeks with the snort-rule Sid 1-4967. The MX Events show IDS Alert with the actions "blocked". When checking the source IP's they all appear to be affiliated with Microsoft. Events also transpired around the same time we pushed out Win 11 upgrades. 

 

I was wondering if anyone else has been seeing these security events in their security center/affected by this and what actions were done to resolve this issue. 

 

Any help greatly appreciated. 

 

Sincerely, 

Khesar

5 REPLIES 5
alemabrahao
Kind of a big deal
Kind of a big deal

Have you opened a case with support?

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

Hi @alemabrahao Yes we haveand awaiting response currently. 

 

Thanks, 

Khesar

BlakeRichardson
Kind of a big deal
Kind of a big deal

I'd consider MS Windows malware as well 😂  Were you successful in your windows upgrades because if the log is reporting that the traffic was blocked I would assume that you had issues upgrading. 

 

 

It's a good reminder to make sure your client devices run some form of antivirus software as well. 

KhesarW
Conversationalist

Hi @BlakeRichardson- Thanks for your response. Yes, when we blocked the IP addresses the Win 11 upgrade stopped. Are you guys running Win 11 as well?

 

Thanks, 

Khesar

 

Only because MS are forcing it. Yes you can stop the upgrades by editing GP or registry but 98% of the devices on my network are Mac so it's not a big issue for me. 

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels