So one of your users got an email from a supposed vendor with an attached invoice. The invoice wasn't a PDF, a Word doc, or even an Excel sheet. It was a zip file, and the user opened it and then double-clicked the ".js" file inside. Now she has called you explaining that she can no longer open any files on her computer or on the network share. The files have all been renamed and she has no idea what happened. You already have a good idea that she ran some type of crypto ransomware. But how did it get through? You thought you had adequate protection with antivirus as well as web and email filtering. After chatting with the user you were able to obtain the original email she opened; unfortunately there wasn't much you could get from it. The address it came from was most likely a compromised legitimate account, so you added it to your anti-spam blacklist, knowing that the next campaign will come from a different one. You noticed a bunch of files in the zip, but when you tried to look at them in Notepad each was just a big blob of obfuscated code that didn't make sense.
At this point you can examine other systems for possible infection by looking for the dropped executable in the user's temp directory (the .js script downloads the actual ransomware executable from a URL and runs it from there), and for the same file on any other machine that received the message. Take that download URL and add it to your web filter block list. Then check that your email service can actually stop such files before they reach your users, including when they are wrapped in a zip. Google Apps does a pretty good job at blocking these types of messages. Microsoft Exchange requires a bit of magic with transport rules, since its default Exchange Online Protection service does not block .js attachments, nor does it look inside zip files. When you write that rule, block the whole family of Windows script types (.js, .jse, .vbs, .vbe, .wsf, .wsh, .hta), not just .js, and test it by mailing yourself a zipped .js before you trust it. If you have some form of anti-spam or email gateway security solution in place, it should prevent these as well. But if you are a small business, you may not have the budget for such things. Good luck and happy hunting!
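What "looking inside the zip" means in practice, as an added example that is not from the original post or from any mail product: a small Python scanner that opens an attachment held in memory, lists every entry, recurses into nested archives, and flags Windows script-host file types. The sample invoice zip (file names and contents are invented for the example) is constructed inline so the script runs offline.

```python
"""Inspect a mail attachment for script files hidden inside zip archives.

Added example for this post, not the author's or any vendor's code. It does
the check an email gateway should do but, per the post, Exchange Online
Protection does not by default: open the zip, look at every entry (recursing
into nested zips), and flag Windows script-host file types.
"""
import io
import zipfile
from typing import List, Optional

# Extensions Windows will run via WScript/CScript/mshta when a user
# double-clicks them; the post's invoice was a .js. (Assumed list.)
SCRIPT_EXTENSIONS = {"js", "jse", "vbs", "vbe", "wsf", "wsh", "hta", "ps1"}
MAX_DEPTH = 3  # stop recursing into zips-in-zips-in-zips (zip bombs)


def risky_extension(name: str) -> Optional[str]:
    """Return the offending extension if the file name ends in one.

    Only the last extension counts, so "invoice.pdf.js" is flagged as js,
    which is the double-extension trick these invoices rely on.
    """
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return ext if ext in SCRIPT_EXTENSIONS else None


def scan_zip_bytes(data: bytes, path: str = "", depth: int = 0) -> List[dict]:
    """Walk a zip held in memory and list every script-type entry.

    Each finding records the entry's path inside the archive (nested zips
    appear as "inner.zip/file.js"), its extension, size and a reason.
    """
    findings: List[dict] = []
    if depth > MAX_DEPTH:
        findings.append({"path": path, "ext": "zip", "size": len(data),
                         "reason": "nested archives deeper than MAX_DEPTH"})
        return findings
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a zip; nothing to inspect here
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            entry_path = f"{path}/{info.filename}" if path else info.filename
            ext = risky_extension(info.filename)
            if ext:
                findings.append({"path": entry_path, "ext": ext,
                                 "size": info.file_size, "reason": "script file"})
            # Nested archive: descend so "zip inside a zip" does not bypass us.
            if info.filename.lower().endswith(".zip"):
                findings.extend(scan_zip_bytes(zf.read(info), entry_path, depth + 1))
    return findings


def should_block(data: bytes) -> bool:
    """Gateway decision: block the attachment if anything was flagged."""
    return bool(scan_zip_bytes(data))


def wrap_in_zip(payload: bytes, name: str) -> bytes:
    """Wrap raw bytes as a single entry in a new zip (helper for samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(name, payload)
    return buf.getvalue()


def build_sample_attachment() -> bytes:
    """Construct a zip resembling the post's fake invoice (constructed sample).

    It carries a double-extension JavaScript downloader, a harmless text
    file, and a nested zip hiding a .wsf, so all three code paths run.
    """
    inner = wrap_in_zip(b"<job><script language='JScript'>/*...*/</script></job>",
                        "details.wsf")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("Invoice_2016-03.pdf.js", "var a='obfuscated';/* downloader */")
        z.writestr("README.txt", "Please find your invoice attached.")
        z.writestr("attachments.zip", inner)
    return outer.getvalue()


if __name__ == "__main__":
    sample = build_sample_attachment()
    for f in scan_zip_bytes(sample):
        print(f"FLAG {f['path']} ({f['ext']}, {f['size']} bytes): {f['reason']}")
    print("verdict:", "BLOCK" if should_block(sample) else "allow")
```

On Exchange Online the equivalent is a mail flow (transport) rule using the "any attachment's file extension matches these words" condition (the -AttachmentExtensionMatchesWords parameter of New-TransportRule in PowerShell) with a reject or quarantine action; whether that condition descends into archives on your tenant is exactly what the zipped-.js test mail is for.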