Since 25 August 2017 our SonicWall Gateway Anti-Virus has blocked the "Ransomware.FIN_3 (Trojan)" about 15 times. Trying to figure out if these are genuine or some kind of false positive.
Only seen on ~5 clients (up to now). Detection is of the format:
UTC 08/29/2017 08:49:41 - 809 - Security Services - Alert - 2.21.75.67, 80, X2 - xxx,xxx,xxx,xxx, 58763, X0 - tcp - Gateway Anti-Virus Alert: Ransomware.FIN_3 (Trojan) blocked.
(I've obfuscated our internal client IP.)
I've seen several different source IPs, some of which don't have any reverse DNS lookup, but those that do are all of the form:
nnn-nnn-nnn-nnn.deploy.static.akamaitechnologies.com
...Where the "nnn" are the digits of the source IP address.
I've not been able to find any other references to this online, nor can I see any correlation with something obvious like anti-virus client...
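For triaging alerts like the one quoted above, the following added example (not part of the original post) parses lines in that layout, tallies blocks per client and per remote server, and checks whether a reverse-DNS name embeds the source IP in the form the post describes. The client addresses and the second server address are constructed documentation-range values, the PTR name is passed in rather than looked up, and the optional leading "a" in the host label is an assumption.

```python
import re
from collections import Counter

# Field layout follows the alert line quoted in the post.
ALERT_RE = re.compile(
    r"^UTC (?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) - (?P<id>\d+) - "
    r"(?P<category>[^-]+?) - (?P<level>\w+) - "
    r"(?P<src>[\d.]+), (?P<sport>\d+), (?P<src_if>\w+) - "
    r"(?P<dst>[\w.,]+), (?P<dport>\d+), (?P<dst_if>\w+) - (?P<proto>\w+) - "
    r"Gateway Anti-Virus Alert: (?P<sig>.+?) blocked\.$"
)

_ALERT = ("UTC 08/29/2017 {t} - 809 - Security Services - Alert - {s}, 80, X2 - "
          "{d}, {p}, X0 - tcp - Gateway Anti-Virus Alert: Ransomware.FIN_3 (Trojan) blocked.")
# Constructed sample lines; only 2.21.75.67 and the signature come from the post.
SAMPLE = [
    _ALERT.format(t="08:49:41", s="2.21.75.67", d="192.0.2.10", p=58763),
    _ALERT.format(t="09:02:13", s="2.21.75.67", d="192.0.2.11", p=49811),
    _ALERT.format(t="09:15:02", s="198.51.100.7", d="192.0.2.10", p=50122),
    "UTC 08/29/2017 09:16:40 - constructed line for an unrelated event",
]

def parse_alerts(lines):
    """Return one dict per line that matches the Gateway Anti-Virus alert layout."""
    return [m.groupdict() for m in map(ALERT_RE.match, lines) if m]

def summarize(alerts):
    """Count blocks per (signature, client) and per remote server."""
    by_client = Counter((a["sig"], a["dst"]) for a in alerts)
    by_server = Counter(a["src"] for a in alerts)
    return by_client, by_server

def ptr_matches_ip(ip, ptr_name):
    """True if the PTR name is <octets joined by '-'>.deploy.static.akamaitechnologies.com."""
    label = re.escape("-".join(ip.split(".")))
    # The optional leading "a" is an assumption, not something the post states.
    pattern = rf"^a?{label}\.deploy\.static\.akamaitechnologies\.com$"
    return re.match(pattern, ptr_name.lower().rstrip(".")) is not None

if __name__ == "__main__":
    by_client, by_server = summarize(parse_alerts(SAMPLE))
    for (sig, client), n in by_client.most_common():
        print(f"{n:3d}  {client:15s}  {sig}")
    for server, n in by_server.most_common():
        print(f"{n:3d}  from {server}")
```

A PTR record is set by whoever controls the address block, so confirm a match with a forward lookup of the returned name before treating the source as that provider.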