Locky ransomware is a new threat believed to emanate from the hacking team behind Dridex malware. The new threat is being delivered via spam email and is disguised as a Microsoft Word invoice. If macros are enabled, or if the user runs the macro contained in the infected Word file, a script downloads Locky ransomware: a 32-bit executable file containing a dropper. The dropped malware runs from the %TEMP% folder and disguises itself as svchost.exe.
Locky ransomware searches for files stored on the infected device, renames them and adds the extension .locky. The renamed files cannot be identified by the user: each is given a unique file ID along with a unique ID for each user. Files are locked using RSA-2048 and AES-128 ciphers, and all communication between Locky and its command and control server is encrypted.
Once files have been encrypted, a text file will be saved to the desktop detailing the actions that must be taken by the victim in order to restore their files. A bitmap containing the instructions is also set as the user’s wallpaper.
Links are supplied which the user must access via the Tor network, and further instructions unique to that user are detailed on a webpage created for each victim. Users are instructed how to buy Bitcoin and how to send the ransom of 0.5 to 1.0 Bitcoin (around $200-$400) to the attackers. Upon paying the ransom, the victim will receive a security key which will enable them to unlock their files. Locky ransomware encrypts data stored on local drives, removable media, and RAM disks, and it is also capable of encrypting data on network resources.
Locky ransomware can only be installed if a malicious macro contained in the Word file is run. Opening the infected Word document will not infect the device or network until macros have been enabled. If this happens, the Word document macro saves a file to the device (Troj/Ransom-CGX) which acts as a downloader and installs the ransomware payload.
Once downloaded, the payload starts to encrypt a wide range of files, including documents, multimedia files, images, office files, and source code. Shadow copies (VSS files) on the device are also removed. Even the wallet.dat file is encrypted, leaving Bitcoin users no alternative but to pay the ransom. The ransomware encrypts files on any connected or mounted drive, and locks files regardless of the operating system used.
Any user logged in with administrator privileges when Locky ransomware strikes will see a considerable amount of damage, leaving them no alternative but to pay the ransom to unlock files. Bear in mind that the above ransom amounts have been seen for individual users. There is no telling what ransom will be demanded if a business user is infected.
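As an added example (not from the original article), the following Python script shows how a defender might hunt for the behaviours described above in endpoint telemetry: svchost.exe launched from outside the Windows system directories, a burst of files being renamed to the .locky extension by one user, and deletion of shadow copies. The event records, their field names and the 16-hex-digit .locky file names are constructed for the demo, and the vssadmin check is a generic shadow-copy-deletion detection assumed here, since the article does not say how Locky removes them.

```python
"""Hunt for Locky-style behaviour in constructed endpoint telemetry.

Added example, not code from the original article. The event records,
field names and thresholds below are assumptions made for this demo; a
real deployment would feed Sysmon / EDR process and file events instead.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Directories a genuine svchost.exe is expected to run from.
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
RANSOM_EXT = ".locky"
RENAME_BURST = 5                   # this many .locky renames ...
BURST_WINDOW = timedelta(seconds=60)  # ... inside this window trips an alert


@dataclass
class ProcEvent:
    ts: datetime
    user: str
    proc_name: str
    image_path: str
    cmdline: str


@dataclass
class RenameEvent:
    ts: datetime
    user: str
    old_path: str
    new_path: str


def masquerading_svchost(ev: ProcEvent) -> bool:
    """svchost.exe started from anywhere but the Windows system directories
    (the article describes the dropper running from %TEMP% under that name)."""
    if ev.proc_name.lower() != "svchost.exe":
        return False
    parent = str(PureWindowsPath(ev.image_path).parent).lower()
    return parent not in LEGIT_SVCHOST_DIRS


def shadow_copy_deletion(ev: ProcEvent) -> bool:
    """vssadmin used to delete shadow copies (generic detection assumed here;
    the article only says the shadow copies are removed)."""
    cmd = ev.cmdline.lower()
    return ev.proc_name.lower() == "vssadmin.exe" and "delete" in cmd and "shadows" in cmd


def locky_rename_bursts(events) -> set:
    """Return the users who renamed >= RENAME_BURST files to .locky within BURST_WINDOW."""
    per_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        if PureWindowsPath(ev.new_path).suffix.lower() == RANSOM_EXT:
            per_user[ev.user].append(ev.ts)
    flagged = set()
    for user, stamps in per_user.items():
        start = 0
        for end, ts in enumerate(stamps):       # sliding window over sorted timestamps
            while ts - stamps[start] > BURST_WINDOW:
                start += 1
            if end - start + 1 >= RENAME_BURST:
                flagged.add(user)
                break
    return flagged


def analyse(proc_events, rename_events):
    """Run all three checks and return (rule, user, detail) tuples."""
    alerts = []
    for ev in proc_events:
        if masquerading_svchost(ev):
            alerts.append(("svchost_outside_system32", ev.user, ev.image_path))
        if shadow_copy_deletion(ev):
            alerts.append(("shadow_copy_deletion", ev.user, ev.cmdline))
    for user in sorted(locky_rename_bursts(rename_events)):
        alerts.append(("locky_rename_burst", user, RANSOM_EXT))
    return alerts


# Constructed sample telemetry: one legitimate svchost, one from %TEMP%,
# a shadow-copy wipe, six .locky renames by alice and a benign rename by bob.
T0 = datetime(2016, 2, 17, 9, 0, 0)
SAMPLE_PROCS = [
    ProcEvent(T0, "alice", "svchost.exe", r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
    ProcEvent(T0 + timedelta(seconds=30), "alice", "svchost.exe",
              r"C:\Users\alice\AppData\Local\Temp\svchost.exe", "svchost.exe"),
    ProcEvent(T0 + timedelta(seconds=45), "alice", "vssadmin.exe",
              r"C:\Windows\System32\vssadmin.exe", "vssadmin.exe Delete Shadows /All /Quiet"),
]
SAMPLE_RENAMES = [
    RenameEvent(T0 + timedelta(seconds=50 + i), "alice",
                "C:\\Users\\alice\\Documents\\" + f"invoice_{i}.docx",
                "C:\\Users\\alice\\Documents\\" + f"{i:016X}{RANSOM_EXT}")
    for i in range(6)
] + [RenameEvent(T0, "bob", r"C:\Users\bob\draft.txt", r"C:\Users\bob\draft.bak")]

if __name__ == "__main__":
    for alert in analyse(SAMPLE_PROCS, SAMPLE_RENAMES):
        print(*alert)
```

Run on the sample data the script reports three alerts for alice (svchost.exe from %TEMP%, the shadow-copy deletion, and the rename burst) and nothing for bob. The rename-burst threshold is deliberately a rate rather than a single event so that one user legitimately renaming a file does not page anyone.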
How to Protect Against Locky Ransomware Attacks
There are a number of ways that businesses can protect their networks from a Locky ransomware attack. The first is to prevent the malicious Word document from being delivered.
- A robust anti-spam filter can filter out malicious emails and quarantine them, preventing phishing and malicious spam emails from being delivered to end users’ inboxes.
- Staff training is essential in case malicious emails find their way into end users’ inboxes. Employees must be warned of the risks of ransomware and other malware, told how the malicious software is delivered, and how to identify potentially malicious emails. End users must be told never to open a file attachment sent from someone they do not know.
- All devices with Word installed should have macros disabled. If users need macros, they should enable them only while working on the files that require them and disable the macro function once the task is complete. If macros are set to run automatically, opening an infected Word document will allow the malicious code to run without any further action.
- Portable drives should not remain connected when they are not in use.
- Users should never log in as an administrator unless it is strictly necessary. Always log in without administrator rights unless they are required for a particular task, and log out afterwards.
- Regularly back up important files (daily) and store backups off site.
- Not all malware is delivered via spam email. Hackers are increasingly using FTP sites, file sharing websites, and compromised websites to deliver malware. Blocking these sites using a web filtering solution such as WebTitan is strongly advisable. WebTitan can also block files commonly used to deliver malware (BAT, SCR, and EXE files).
- Patches should be installed promptly, and browsers and plugins updated as soon as patches and updates are released. Security vulnerabilities can be exploited via malicious websites, and malware and ransomware downloaded without any user action.