JCry ransomware is designed to encrypt data and append filenames with a ".jcry" extension. Once data is encrypted, JCry opens a pop-up window and generates the HTML file, "JCRY_Note.html", then drops a copy in every existing folder. The HTML file delivers a message informing victims about the encryption and ransom demand. This activity was observed in the Information Technology Sector.

*******************************IOC*****************************
Analysis:

Host
IPv4: 172.81.182[.]63
Sighted: 2019-03-08 [only single sightings used]
Kill chain Phase: Command and Control
Characterization: IP Watchlist

Host
URL: http://185.163.47[.]134/flashplayer_install.exe
Sighted: 2019-03-08 [only single sightings used]
Kill chain Phase: Delivery
Characterization: URL Watchlist
[MD5:C86C75804435EFC380D7FC436E344898].

Host
URL: http://76.74.177[.]236/flashplayer_install.exe
Sighted: 2019-03-08 [only single sightings used]
Kill chain Phase: Delivery
Characterization: URL Watchlist
MD5: C86C75804435EFC380D7FC436E344898].

Host
FQDN: kpx5wgcda7ezqjty[.]onion
Sighted: 2019-03-08 [only single sightings used]
Kill chain Phase: Actions on Objectives
Characterization: Domain Watchlist

Host
FQDN: weserenawilliams[.]online
Sighted: 2019-03-08 [only single sightings used]
Kill chain Phase: Command and Control
Characterization: Domain Watchlist

File
Filename: flashplayer_install.exe
Size: 1782579
MD5: C86C75804435EFC380D7FC436E344898
SHA1: 9AAB879DB9AA96683FEB1BE7F741AFAF7099C665
SHA256: D7E118A3753A132FBEDD262FDF4809A76CE121F758EB6C829D9C5DE1FFAB5A3B
SSDEEP: 49152:GIgXEThdDy39yKPSvXfatTt4opKw28qPtH7zPjuO3NF:GIsQ1KavXit3pn2VzPjuy
Sighted: 2019-03-08 [only single sightings used]
Kill chain Phase: Installation
Characterization: File Hash Watchlist

File
Filename: dec.exe
MD5: 6B4ED5D3FDFEFA2A14635C177EA2C30D
SHA1: 50B8940981D51CEA6BAC3A6849F7DF3008A43ACE
SHA256: F2F4323DF1A065CDE9269B1C801FA912B296E36D08452E038778BA16B05DCBA9
Sighted: 2019-03-08 [only single sightings used]
Kill chain Phase: Installation
Characterization: File Hash Watchlist

File
Filename: enc.exe
MD5: 5B640BE895C03F0D7F4E8AB7A1D82947
SHA1: 3F2B30D3E72DF24632FDF505A194E3027723240F
SHA256: 22488ABDDBD4A61BB32BB7C2883B56E2F97541F85125F8D4C1593F65853A1D48
Sighted: 2019-03-08 [only single sightings used]
Kill chain Phase: Installation
Characterization: File Hash Watchlist

File
Filename: msg.vbs
MD5: EAE8D08312FBBB511EFFA07E71EBF73E
SHA1: F55B9028098BBA49FA87DFA7412B52869CFDFB79
SHA256: AE3E856A3A707E9ED600A988A3855CDB5375DE93C2C54619741225404D2EDAD1
Sighted: 2019-03-08 [only single sightings used]
Kill chain Phase: Installation
Characterization: File Hash Watchlist

*****************************END***************************

CERT-IN General recommends:
• Users are advised to disable their RDP if not in use, if required it should be placed behind the firewall and users are to bind with proper policies while using the RDP.
• Restrict execution of Power shell /WSCRIPT in enterprise environment Ensure installation and use of the latest version (currently v5.0) of PowerShell, with enhanced logging enabled. Script block logging, and transcription enabled. Send the associated logs to a centralized log repository for monitoring and analysis.
• Establish a Sender Policy Framework (SPF) for your domain, which is an email validation system designed to prevent spam by detecting email spoofing by which most of the ransomware samples successfully reaches the corporate email boxes.
• Don't open attachments in unsolicited e-mails, even if they come from people in your contact list, and never click on a URL contained in an unsolicited e-mail, even if the link seems benign. In cases of genuine URLs close out the e-mail and go to the organization’s website directly
through browser.
• Block the attachments of file types, exe|pif|tmp|url|vb|vbe|scr|reg|cer|pst|cmd|com|bat|dll|dat|hlp|hta|js|wsf.

I'd like to have the possibility to overwrite the whole configuration of a firewall with the content of an SFM template. Currently when applying a template from SFM the firewall rules merge with the ones configured locally.
I´d like to have the possibility of replacing, instead of merging and have full control of the firewall from SFM, like others vendors have from their management server.
This is to avoid human errors by a local administrators. For example someone can log locally on the firewall and configure an any any permit, then you apply your template and that any any remains.
Having the option to overwrite will give you full control from SFM and will make sure the firewall has the exact rules that you want to have. Instead of having to review the rules firewall by firewall later.

With the integration started with Sophos Central, it would be great if the last x number backups could be pushing into Sophos Central. This would provide a few capabilities. One - It could be backed centrally up without the required MR4 password affix to it, so no prior knowledge would be required to restore that backup if hardware failed. Two, it would create snapshots of the configs in time for audit / discover purposes, hopefully eventually leading into a change log of all UTM config changes. Three, in DR scenarios it exists outside of all company systems and people, so it could be recovered and used to facilitate recovery both internally or with Sophos partners brought in to assist.

YouTube uses categories for the videos and it would be quite valuable to block/allow based on those.

Sample categories for the US:

1 - Film & Animation
2 - Autos & Vehicles
10 - Music
15 - Pets & Animals
17 - Sports
19 - Travel & Events
20 - Gaming
21 - Videoblogging
22 - People & Blogs
25 - News & Politics
26 - Howto & Style
27 - Education
28 - Science & Technology
29 - Nonprofits & Activism
30 - Movies
33 - Classics
34 - Comedy
35 - Documentary
36 - Drama
39 - Horror
43 - Shows
44 - Trailers

The category of a video can be queried via the YouTube API, or perhaps also via a content filter as the details are embedded in the HTML.