Locky ransomware was discovered in early February and is very similar to other ransomware available in that it encrypts victims’ files and demands a payment through bitcoins. The malware depends on a rather low-tech installation method to encrypt files, and it arrives through a malicious macro in a Word document.
Locky arrives via email, claiming to be a random invoice; apparently starting with the letter J. If you open the Word document and have your Office macros turned on, the malware installation begins immediately. Should your macros be turned off, your document will consist of random text shown below with, “Enable macro if the data encoding is incorrect.” If you follow the instructions, Locky will then be installed as well.
Once installed, Locky starts scanning for attached drives, including computers connected to the same network, and encrypts documents, music, videos, images, archives, databases, and Web application-related files. Like all other ransomware available, once it has encrypted your files, it will demand payment in order for you to recover your data.
As of late February, Locky has been picked up by most malware scanners. However, this malware depends on victims who are using older versions of Microsoft Office and individuals who neglect to update their anti-virus software.
“The old Office macros from the nineties have not gone away, and the bad guys are combining this old technology with clever social engineering,” said Stu Sjouwerman, the CEO of security awareness training company KnowBe4. “If you trust anti-virus software and your users not clicking ‘Enable macros’ you are going to have a problem. You can’t just disable all macros across the whole company because a lot of legacy code relies on macros. Telling all users to sign their macros will also take months.”
As soon as the IT staff at Methodist Hospital caught the attack, they shut down desktop computers as well as Web-based systems in an effort to stop the ransomware from spreading. Locky arrived as an attachment to a spam email and attempted to spread across the network after it had infected the trigger computer. Once the ransomware was installed, a message appeared demanding four bitcoins or about $1,600.
It appears that the Methodist Hospital got extremely lucky as the cybercriminal who sent out the ransomware did not do their research. Hollywood Presbyterian had a similar attack where the hackers demanded 9,000 bitcoins (about $3.6 million). However, they ended up only paying about $17,000 to recover their files.
WatchPoint can help keep your company safe from ransomware. WatchPoint uses an early warning system to detect any potential ransomware threats to your system. The collective intelligence of millions of endpoints, captured through the Carbon Black surveillance and intelligence security system, stops ransomware in its path before it hits your system. Should you be unlucky enough to still get hit by ransomware, WatchPoint’s SWAT team of security experts is on hand, instantly reacting to the attack, quarantining the infected system to protect your extended network. The SWAT team can deal with the security breach, contain the problem and remove the malicious software.