Locky, the new Ransomware on the Block

Awe, Locky….doesn’t that name sound so cute and unassuming?

Before you go and decide to change your dog’s name from Ginger to Locky, maybe we should tell you what Locky is first. Locky is a brand spankin’ new ransomware that locks all your files with the file extension .locky at the end. It scrambles your files, it goes after any external hard drives attached to your PC and demands payment in .0-1.0 Bitcoin, which is roughly between 200-400 USD. And at the rate it’s going, it’s locking over 90,000 PCs. A DAY.

Not so cute any more, huh?

Security firms KnowBe4, Palo Alto Networks and ProofPoint have all disclosed that it seems that the creators of Russian banking trojan Dridex are behind Locky. The ransomware strain is distributed via Word Doc email attachments. The recipient has to open the attachment, which, if they take the bait and open, appears to be encoded. Then a “helpful” message pops up that lets the recipient know that he or she should enable the macros to read the message. If the user chooses to enable the macros, the malware begins to download to their computer.

Macros Malware, major problem

Malware that comes via macros is one of the oldest malware-infecting schemes in the book. You might remember macros for the role it played in the infamous Melissa Virus back in 1999 which ended up infecting more than 20% of computers worldwide at the time. Macro viruses typically use applications like Microsoft Word and Excel to spread. It infects the application and then when the user clicks a link or downloads a file, it triggers a chain reaction which makes the malware pass the infection from the link to the computer or device.

After their heyday in the late 90’s and early 2000’s, macros malware took a back seat to meaner, more complex malware, a la Stuxnet and stealthy banking trojans. Its fall was also in no small part due to precautions taken in Office 2007 when macros were disabled by default. Macros infections mostly dropped of the cyber security radar until 2014 when cyber criminals started using the method again to distribute various banking trojans like the aforementioned Dridex and Vawtrak trojans.

Hackers favorite tool – You!

Why have criminals resorted to using an execution method that’s just so 1999?

The reason is simple – it’s because people don’t use their brains. Macro viruses as they are used today, are a brilliant example of Social Engineering 101. As we have mentioned right here on this very blog, Social Engineering is the act of using psychological means to manipulate people. This means that rotten, corrupted code is just one part of the equation – the other part is human-based. According to IBM, 95% of data breaches involve human error – which includes opening attachments and links that shouldn’t have been opened, revealing passwords that shouldn’t have been revealed and losing devices that shouldn’t have been lost.

Security experts, your techie friends and almost every article here on the RCS blog IMPLORE you to stay away from shady attachments and links. But do people listen?…. .No sir-ee, they don’t. And this is why things like macro viruses are still effective, even after all these years.

And now, back to Locky.

Clicking on that rotten attachment will trigger a domino effect that will set the Locky-ball ‘a rolling. Then the victim will get a popup that says that their victim’s files have been locked and tells them how to pay the unlock fee. Once the victim has paid up, their files are restored.

One interesting aspect of note is that there is actually a chance to stop the virus from installing itself – according to security guru Graham Cluley, if the computer gets disconnected from the internet as the encryption process is taking place, that will stop the malware in its tracks. Still and all, not something you want to do lunch with.

Meanwhile here are a few things you can do to keep safe from Locky and other ransomware:

Backup, Backup, Backup!
Backing up to an external hard drive or to a cloud backup service is probably the only 100 percent definitive way to make sure you don’t end up paying hackers to unhack you. It’s also a good idea as you never know when your computer might crash or experience some other cataclysmic event. So just back up already, okay?

Stay away from shady attachments…

If we had a penny for every time we begged you to stay away from weirdo attachments and links… If you aren’t expecting something or something else about an attachment or link appears “off”, even if seems legit overall, do yourself a favor and stay away.

Install strong antivirus and antimalware software
Antivirus keeps you protected from legacy (ie, older, more widely known) threats like macro viruses. Antimalware like RCS keeps you secure from zero-day exploits and unknown threats. Together, along with a nice dose of education and behavior modification, you can create a multi-layered security set up – which is by far the most effective means to achieving real security.

Ransomware is stinky. What’s worse is making yourself the perfect victim. So be proactive and use your brain. Your PC and your wallet will thank you.

Leave a Reply