Businesses beware: "Locky" is the next evolution in ransomware and it just keeps getting worse. Make sure you're protected!


There's a new ransomware called Locky that was first detected only a couple of weeks ago, but it's already spreading like wildfire. It joins the ranks of other ransomware viruses like Cryptolocker and Cryptowall that work by encrypting all of your important data and then demanding you pay a ransom in order to get the key that unlocks the encryption. If you end up catching the infection, in the best case you're down for a few hours; in the worst case you're out thousands of dollars and hoping that the money will actually turn into a valid key that gets you access to your files again. With current infection rates being reported at around 100,000 new infections per day, it's important to know how it works and what you can do to protect yourself.

What is Locky?

Locky is the latest in a string of ransomware viruses. It uses two stages of social engineering to get itself installed, then encrypts files, scrambles filenames and reaches into unmapped network shares. While these viruses have become extremely common over the last couple of years, this is the first one we've seen that can actually encrypt unmapped network shares, which means that any and all folders that a user or computer has access to can and will be encrypted.

How Does Locky Get Installed?

Like most viruses these days, Locky relies mostly on email phishing, taking advantage of social engineering tricks that inexperienced or untrained users will not be aware of. Infected websites are another common vector of attack, especially when using vulnerable applications like Adobe Flash and Java or unsupported browsers like Internet Explorer 8, 9 and 10. Experts are reporting that the current form of attack is mainly coming from hackers emailing victims a fake invoice and then counting on a user to download a malicious attachment. Bleeping Computer has put together a good article about what to watch out for, mainly emails with subjects similar to ATTN: Invoice J-98223146. Fortunately, for now, Locky can't be successfully launched without getting the victim to comply. The following screenshot of the email message, taken from Lawrence Abrams's incredibly helpful article, shows how legitimate an email from such a scheme can look:

[Screenshot: the Locky phishing email, taken from Bleeping Computer]

The email represents just the first part of the attack. Locky must get past another security layer before it's actually installed on a system. If a user downloads the attached document and opens it, the text appears illegible, and the reader is prompted to enable macros "if the data encoding is incorrect." Here again, the criminals are depending on user error to carry out their mission. This extra step shows why it's so important that users understand that enabling macros can lead to serious issues, and that they fully understand what they're doing and where the document came from before ever taking such a step. This virus also further highlights why it's so important that employees are trained in security awareness and understand the part they play in protecting their systems. You can have layer upon layer of security in place, but all it takes is one such socially engineered attack, and the impact can be devastating.

So What Actually Happens When Locky is Installed?

Essentially, by enabling macros, users run code that saves the ransomware file to their computer and executes it. Once that happens, Locky encrypts data and changes filenames to be indecipherable. It's worth noting that a wide array of file extensions are compromised in the process, including videos, images, documents and source code. Not only that, but as a Naked Security by Sophos article explains, Locky "scrambles any files in any directory on any mounted drive that it can access, including removable drives that are plugged in at the time, or network shares that are accessible, including servers and other people's computers, whether they are running Windows, OS X or Linux." The takeaway here is that it's important to limit access to your files based upon the true need to access them. If you have the ability to write to a file, then the virus running under your account has the ability to encrypt it. So if an entire company works out of a single shared drive and no specific folder permissions are in place, then one person getting infected will bring everyone else down.

Of course, Locky wouldn't be classified as ransomware if it didn't demand some form of Bitcoin payment to decrypt the affected files. Once infected, victims' desktop wallpapers are changed, displaying the following ransom payment instructions:

[Image: the Locky ransom wallpaper with payment instructions]

image source: https://nakedsecurity.sophos.com/2016/02/17/locky-ransomware-what-you-need-to-know/
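Because Locky encrypts whatever the infected user's account can write to, the earliest practical signal on a file server is a burst of renames to indecipherable names coming from a single account. The following is an added example (not code from the original post or from Bellingham IT) that runs that detection logic over a handful of constructed audit-log lines: it parses "RENAME old -> new" events, treats a rename as suspicious when the new name is a long hex string with a different extension, and flags any user who produces five or more such renames within sixty seconds, along with the folders they touched. The log format, the user names, the paths and the ".xxx" placeholder extension are all assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample file-server audit lines (not real Locky telemetry).
# Assumed format: "<ISO timestamp> <user> RENAME <old path> -> <new path>".
# ".xxx" is a placeholder extension for the scrambled files, not Locky's real one.
SAMPLE_LOG = [
    "2016-02-18T09:01:02 alice RENAME /shared/finance/q1.xlsx -> /shared/finance/q1-final.xlsx",
    "2016-02-18T09:14:10 bob RENAME /shared/hr/policy.docx -> /shared/hr/policy-v2.docx",
    "2016-02-18T09:30:00 carol RENAME /shared/eng/build.py -> /shared/eng/F67091F1D24A922B1A7FC27E19A9D9BC.xxx",
    "2016-02-18T09:30:00 carol RENAME /shared/eng/readme.md -> /shared/eng/2D9A3C9B0E7F4A1B8C6D5E4F3A2B1C0D.xxx",
    "2016-02-18T09:30:01 carol RENAME /shared/finance/budget.xlsx -> /shared/finance/9B1C2D3E4F5A6B7C8D9E0F1A2B3C4D5E.xxx",
    "2016-02-18T09:30:01 carol RENAME /shared/hr/handbook.docx -> /shared/hr/0A1B2C3D4E5F6A7B8C9D0E1F2A3B4C5D.xxx",
    "2016-02-18T09:30:02 carol RENAME /shared/eng/photo.jpg -> /shared/eng/AAAABBBBCCCCDDDDEEEEFFFF00001111.xxx",
    "2016-02-18T09:30:02 carol RENAME /shared/eng/demo.mp4 -> /shared/eng/1234567890ABCDEF1234567890ABCDEF.xxx",
    "2016-02-18T10:05:45 dave RENAME /shared/eng/notes.txt -> /shared/eng/notes-old.txt",
    "this line is malformed and is skipped by the parser",
]

LINE_RE = re.compile(r"^(\S+) (\S+) RENAME (\S+) -> (\S+)$")
# A "scrambled" name: at least 16 hex characters followed by a single extension.
SCRAMBLED_RE = re.compile(r"^[0-9A-Fa-f]{16,}\.[A-Za-z0-9]+$")


def parse_line(line):
    """Return (timestamp, user, old_path, new_path) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, user, old, new = m.groups()
    return datetime.fromisoformat(ts), user, old, new


def _ext(name):
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def looks_scrambled(old_path, new_path):
    """True when the file was renamed to a hex-looking name and its extension changed."""
    old_name = old_path.rsplit("/", 1)[-1]
    new_name = new_path.rsplit("/", 1)[-1]
    return bool(SCRAMBLED_RE.match(new_name)) and _ext(old_name) != _ext(new_name)


def detect_mass_scramble(lines, threshold=5, window=timedelta(seconds=60)):
    """Sliding-window count of suspicious renames per user.

    Returns {user: {"first_seen", "renames", "folders"}} for every user whose
    suspicious renames reach `threshold` within `window`. "folders" lists the
    top-level share folders hit, which is what you need to know when deciding
    whose access to cut and which folders to restore.
    """
    recent = defaultdict(deque)   # user -> deque of (timestamp, old_path)
    alerts = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, user, old, new = parsed
        if not looks_scrambled(old, new):
            continue
        q = recent[user]
        q.append((ts, old))
        while q and ts - q[0][0] > window:   # drop events older than the window
            q.popleft()
        if len(q) >= threshold:
            folders = sorted({p.split("/")[2] for _, p in q})  # "/shared/eng/x" -> "eng"
            alerts.setdefault(user, {"first_seen": q[0][0].isoformat()})
            alerts[user]["renames"] = len(q)
            alerts[user]["folders"] = folders
    return alerts


if __name__ == "__main__":
    for user, info in detect_mass_scramble(SAMPLE_LOG).items():
        print(f"ALERT user={user} first_seen={info['first_seen']} "
              f"renames={info['renames']} folders={info['folders']}")
```

The threshold and window are deliberately parameters: a busy designer may legitimately rename a few files a minute, but nobody hand-renames five documents to 32-character hex strings in two seconds. Note that the alert is keyed on the account, not the machine, which matches the page's point that the share permissions of the infected user, not the infected PC, decide how far the damage spreads.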

What Preventative Steps Can be Taken?

1. A good antivirus and anti-malware solution is important so that you can hopefully catch Locky and other ransomware early. No solution is perfect, but any solution is an additional layer that a virus must penetrate.

2. Restrict access to and use of your domain administrator login, and be stringent about making sure end users do not have administrator rights on their local machines. Many users will feel limited by such action, but when they realize it's meant to protect, not limit, it becomes easier to enforce.

3. Update systems and patch regularly. This is incredibly important. Any and all software should be updated regularly, and obsolete software like Internet Explorer 8, 9 and 10 should not be used! Hackers routinely use vulnerabilities in unpatched software to gain access to and exploit systems.

4. Another incredibly important step is to educate your users. A little training now can go a long way towards protecting your systems and data in the future.

5. All of the above steps are important, but the single most important step you can take is to implement a solid backup program that is secure and multi-layered. If you are infected with any kind of ransomware, this is your only hope of recovery without paying the ransom.

What Role Does Backup Play in Locky Risk Mitigation?

This last preventative step is a point we can't emphasize enough! The only way to get encrypted data back without paying the ransom is from your most recent backup. If you don't already recognize the absolute necessity of backup to protect and restore your data from all kinds of data breaches and data loss, then this should serve as one more stepping stone to that realization. A good backup and recovery solution involves more than just taking backups. It means knowing your recovery times, testing your backups and securing them, so that when disaster strikes you'll be well positioned to respond.
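Step 5 of the list above and the backup section both say the same thing: a backup only counts if you have proven you can restore from it and that the copy itself was not scrambled. The following added example (not code from the original post or from Bellingham IT) rehearses exactly that in a temporary directory: it backs up a small constructed file share with a SHA-256 manifest, stands in for the ransomware by overwriting and renaming every live file, verifies the backup copy against the manifest before trusting it, restores, times the restore, and checks the restored files hash-for-hash. A `tamper_backup` switch shows the failure mode where the backup target was itself reachable and got corrupted, in which case the drill refuses to restore and reports which entries are bad. The directory layout, sample files and manifest format are all assumptions made for the example.

```python
import hashlib
import os
import shutil
import tempfile
import time
from pathlib import Path

MANIFEST = "MANIFEST.sha256"  # assumed name; one "<sha256>  <relative path>" line per file


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_backup(live, backup):
    """Copy the live tree into `backup` and record a hash manifest. Returns {rel path: sha256}."""
    manifest = {}
    for p in sorted(live.rglob("*")):
        if p.is_file():
            rel = p.relative_to(live).as_posix()
            dest = backup / rel
            dest.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(p, dest)
            manifest[rel] = sha256_of(dest)
    (backup / MANIFEST).write_text("\n".join(f"{h}  {r}" for r, h in manifest.items()))
    return manifest


def read_manifest(backup):
    return [line.split("  ", 1) for line in (backup / MANIFEST).read_text().splitlines()]


def verify_backup(backup):
    """Return the manifest entries that are missing or whose hash no longer matches."""
    return [rel for h, rel in read_manifest(backup)
            if not (backup / rel).is_file() or sha256_of(backup / rel) != h]


def simulate_scramble(live):
    """Constructed stand-in for ransomware: overwrite every file with junk and rename it."""
    for p in list(live.rglob("*")):
        if p.is_file():
            p.write_bytes(os.urandom(len(p.read_bytes()) + 16))
            p.rename(p.with_name(os.urandom(16).hex() + ".scrambled"))


def restore(backup, live):
    """Replace the live tree with the backup copy; returns seconds taken (your measured recovery time)."""
    start = time.perf_counter()
    shutil.rmtree(live)
    live.mkdir()
    for _, rel in read_manifest(backup):
        dest = live / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(backup / rel, dest)
    return time.perf_counter() - start


def live_matches(live, manifest):
    return all((live / rel).is_file() and sha256_of(live / rel) == h for rel, h in manifest.items())


def restore_drill(tamper_backup=False):
    """Run the whole rehearsal in a temp dir and report what a recovery plan needs to know."""
    with tempfile.TemporaryDirectory() as tmp:
        live, backup = Path(tmp) / "shared", Path(tmp) / "backup"
        # Constructed sample data standing in for a company file share.
        sample = {"finance/q1.xlsx": b"revenue,cost\n100,80\n",
                  "eng/build.py": b"print('hello')\n",
                  "hr/handbook.docx": b"PK\x03\x04 pretend docx\n"}
        for rel, body in sample.items():
            (live / rel).parent.mkdir(parents=True, exist_ok=True)
            (live / rel).write_bytes(body)
        manifest = take_backup(live, backup)
        simulate_scramble(live)
        if tamper_backup:  # the backup target was writable by the infected account
            (backup / "eng/build.py").write_bytes(b"garbage")
        bad = verify_backup(backup)
        if bad:  # never restore from a copy you have not verified
            return {"backup_intact": False, "bad_entries": bad, "restored_ok": False}
        seconds = restore(backup, live)
        return {"backup_intact": True, "bad_entries": [],
                "restored_ok": live_matches(live, manifest), "restore_seconds": seconds}


if __name__ == "__main__":
    print(restore_drill())
    print(restore_drill(tamper_backup=True))
```

The important design choice is that the drill trusts the manifest, not the presence of files: a backup share that the infected user could write to will still "exist" after Locky has been through it, and only a hash check reveals that it is worthless. The measured `restore_seconds` is the number that belongs in your recovery-time planning, and running the drill on a schedule is what "testing your backups" means in practice.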
