RANSOMWARE – “Locky” ransomware – where are my files?
Note: If you have experienced any ransomware attack, please contact us as soon as possible – the longer you wait, the more damage is done to your data.
Locky ransomware on aggressive hunt for victims
Millions of spam emails spread new ransomware variant on the day it first appeared.
Of course, it doesn’t just rename your files, it scrambles them first, and – as you probably know about ransomware – only the crooks have the decryption key.
Locky has been spreading quickly since it first appeared on Tuesday (February 16). The attackers behind Locky have pushed the malware aggressively, using massive spam campaigns and compromised websites.
The attackers behind Locky are continuing to spread the ransomware through major spam campaigns. One of the most recent spam runs observed occurred on Friday (March 11, 2016) and the emails were disguised as coming from an address on the recipient’s network. The subject line of all emails seen was “Scanned Image” while the sender address was in the format of lands[RANDOM NUMBER]@[VICTIM DOMAIN], e.g. “lands371@[VICTIM DOMAIN].com” or “lands4022@[VICTIM DOMAIN].co.uk”.
While spam emails purporting to come from network-connected devices such as scanners and printers are frequently seen, by far the most common tactic is to disguise spam emails as financial statements, particularly invoices. For example, one recent Locky spam campaign to adopt this approach was observed on March 9, 2016. The emails bore the subject line “FW: Invoice 2016-M#[RANDOM SIX DIGIT NUMBER]”, e.g. “FW: Invoice 2016-M#708006”. A wide variety of sender names and addresses were used in the campaign. Most sender addresses were spoofed to make them appear to come from domains registered to real companies.
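The two lures described above (a “Scanned Image” from lands<number>@<your own domain>, and “FW: Invoice 2016-M#<six digits>”) are concrete enough to turn into a mail-gateway check. The script below is an added example, not code from the original article or from Universal Information Technologies; it assumes your domain is example.com and that your gateway stamps Internet-originated mail with an X-Origin: external header (both are assumptions, not facts from the article), and the sample messages are constructed, not captured spam.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: the organisation's own mail domain (the "[VICTIM DOMAIN]" in the text).
OUR_DOMAIN = "example.com"

# Indicators taken from the two campaigns described in the text.
SCANNER_LOCAL_PART = re.compile(r"^lands\d+$", re.IGNORECASE)
INVOICE_SUBJECT = re.compile(r"^FW: Invoice 2016-M#\d{6}$")


def check_message(raw: str, our_domain: str = OUR_DOMAIN) -> list[str]:
    """Return the reasons a raw RFC 822 message matches the Locky spam patterns (empty if none)."""
    msg = message_from_string(raw)
    subject = (msg.get("Subject") or "").strip()
    _, sender = parseaddr(msg.get("From") or "")
    local_part, _, domain = sender.rpartition("@")

    # Assumption: the mail gateway stamps Internet-originated mail with "X-Origin: external".
    # A message from outside whose From: claims our own domain is spoofed, whatever it says.
    from_outside = (msg.get("X-Origin") or "").strip().lower() == "external"

    reasons = []
    if from_outside and domain.lower() == our_domain.lower():
        reasons.append("external mail with From: on our own domain (spoofed internal sender)")
    if (subject.lower() == "scanned image"
            and SCANNER_LOCAL_PART.match(local_part)
            and domain.lower() == our_domain.lower()):
        reasons.append("scanner-themed Locky lure: 'Scanned Image' from lands<N>@<our domain>")
    if INVOICE_SUBJECT.match(subject):
        reasons.append("invoice-themed Locky lure: 'FW: Invoice 2016-M#<six digits>'")
    return reasons


# Constructed sample messages (not captured mail) modelled on the campaigns in the text.
SAMPLES = {
    "scanner": (
        "From: lands371@example.com\n"
        "To: alice@example.com\n"
        "Subject: Scanned Image\n"
        "X-Origin: external\n"
        "\n"
        "Please see the attached scanned document.\n"
    ),
    "invoice": (
        'From: "Accounts Dept" <billing@partner-company.example>\n'
        "To: alice@example.com\n"
        "Subject: FW: Invoice 2016-M#708006\n"
        "X-Origin: external\n"
        "\n"
        "Invoice attached.\n"
    ),
    "benign": (
        "From: bob@example.com\n"
        "To: alice@example.com\n"
        "Subject: Lunch on Thursday?\n"
        "X-Origin: internal\n"
        "\n"
        "Same place as last week?\n"
    ),
}


def scan_samples() -> dict[str, list[str]]:
    """Run the checks over the constructed samples; any name with a non-empty list should be held."""
    return {name: check_message(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, reasons in scan_samples().items():
        print(f"{name}: {'HOLD - ' + '; '.join(reasons) if reasons else 'deliver'}")
```

The subject and sender patterns will age quickly (the crooks change lures between runs), but the first rule is durable: mail that arrives from the Internet claiming to be From: your own domain is spoofed regardless of what it says, and that is what both campaigns rely on.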
Example of spam email used to distribute Locky
You receive an email containing an attached document (Troj/DocDl-BCF).
The document looks like gobbledegook.
If you enable macros, you don’t actually correct the text encoding (that’s a subterfuge); instead, you run code inside the document that saves a file to disk and runs it.
The saved file (Troj/Ransom-CGX) serves as a downloader, which fetches the final malware payload from the crooks.
The final payload could be anything, but in this case is usually the Locky Ransomware (Troj/Ransom-CGW).
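Since the whole chain above hinges on a document that carries a macro, the useful control at the gateway is to spot macro-bearing attachments before anyone is asked to “enable content”. The following is an added example, not code from the article or its authors: it checks an Office Open XML attachment for an embedded VBA project (stored as vbaProject.bin inside the zip container). It assumes the inbound file is OOXML; the legacy binary .doc/.xls formats are OLE compound files and are simply reported as needing other checks. The sample documents are built in memory and are constructed, not real attachments.

```python
import io
import zipfile
from typing import Optional

# Office Open XML files (.docx/.docm/.xlsx/...) are zip containers; an embedded VBA
# project is stored as a binary stream at one of these paths. Legacy binary formats
# (.doc/.xls, OLE compound files) are outside this check and are reported as unknown.
VBA_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")


def has_vba_project(data: bytes) -> Optional[bool]:
    """True/False for an OOXML container with/without a VBA project; None if not OOXML."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return None
    if "[Content_Types].xml" not in names:
        return None
    return any(part in names for part in VBA_PARTS)


def triage_attachment(filename: str, data: bytes) -> str:
    """Policy decision for an inbound attachment: hold anything carrying macros."""
    verdict = has_vba_project(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if verdict is None:
        return "hold: not OOXML (legacy binary Office file or unknown type), needs other checks"
    if verdict:
        # A macro project inside an extension that is supposed to be macro-free is doubly suspicious.
        if ext in ("docx", "xlsx", "pptx"):
            return "hold: macro project inside a file claiming to be macro-free (" + ext + ")"
        return "hold: macro-enabled document, do not deliver"
    return "deliver: no VBA project present"


def build_sample(with_macro: bool) -> bytes:
    """Constructed minimal OOXML container used only to exercise the check."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"placeholder VBA stream")
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in [("scan.docm", build_sample(True)),
                       ("scan.docx", build_sample(True)),
                       ("report.docx", build_sample(False)),
                       ("old.doc", b"\xd0\xcf\x11\xe0 not a zip container")]:
        print(f"{name}: {triage_attachment(name, blob)}")
```

Holding rather than deleting lets a human release the rare legitimate macro document, while the default outcome for an unsolicited “scanned image” or “invoice” with a VBA project is that nobody ever sees the enable-macros prompt.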
Locky scrambles all files that match a long list of extensions, including videos, images, source code, and Office files.
Locky even scrambles wallet.dat, your Bitcoin wallet file, if you have one.
In other words, if you have more BTCs in your wallet than the cost of the ransom, and no backup, you are very likely to pay up. (And you’ll already know how to buy new bitcoins, and how to pay with them.)
Locky also removes any Volume Snapshot Service (VSS) files, also known as shadow copies, that you may have made.
Shadow copies are the Windows way of making live backup snapshots without having to stop working – you don’t need to logout or even close your applications first – so they are a quick and popular alternative to a proper backup procedure.
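Because Locky scrambles file contents rather than merely renaming them, and removes the shadow copies you might have relied on, the earliest warning a defender can get is a file whose contents have changed into something that looks like random bytes. The script below is an added example, not code from the article or from Universal Information Technologies: it records a SHA-256 baseline of a directory, then re-checks it and flags files whose contents changed and now have near-maximum byte entropy. The 7.5 bits/byte threshold is an assumption (plain documents and source code sit far lower), and the directory, file names and the “scrambling” step are all constructed inside a temporary folder for the demonstration.

```python
import hashlib
import math
import os
import tempfile
from pathlib import Path

# Assumption: entropy above this (the maximum is 8.0 bits/byte) means the content looks
# encrypted or compressed; plain documents and source code sit well below it.
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def snapshot(root: Path) -> dict[str, str]:
    """Baseline: SHA-256 of every regular file under `root`, keyed by relative path."""
    return {
        str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def assess(root: Path, baseline: dict[str, str]) -> dict[str, str]:
    """Compare the tree against the baseline and label each file."""
    report = {}
    for rel, digest in baseline.items():
        p = root / rel
        if not p.exists():
            report[rel] = "missing"
            continue
        data = p.read_bytes()
        if hashlib.sha256(data).hexdigest() == digest:
            report[rel] = "ok"
        elif shannon_entropy(data) > ENTROPY_THRESHOLD:
            report[rel] = "modified, high entropy (likely scrambled)"
        else:
            report[rel] = "modified"
    for rel in snapshot(root):
        if rel not in baseline:
            report[rel] = "new file (not in baseline)"
    return report


def demo() -> dict[str, str]:
    """Constructed scenario in a temp dir: take a baseline, then simulate one file being scrambled."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "notes.txt").write_text("quarterly planning notes\n" * 50)
        (root / "wallet.dat").write_bytes(b"\x00" * 4096)  # stands in for the Bitcoin wallet file
        base = snapshot(root)
        # Simulate the damage: the wallet is replaced by random bytes, which is what an
        # encrypted file looks like from the outside.
        (root / "wallet.dat").write_bytes(os.urandom(8192))
        return assess(root, base)


if __name__ == "__main__":
    for rel, status in demo().items():
        print(f"{rel}: {status}")
```

In practice you would point snapshot() at a few decoy files on each share that nobody legitimately edits and run assess() from a scheduled task; a decoy reported as “modified, high entropy” is a signal to disconnect the share and start from backup, and it arrives before the wallpaper changes.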
Once Locky is ready to hit you up for the ransom, it makes sure you see the following message by changing your desktop wallpaper:
If you visit the dark web page given in the warning message, then you receive the instructions for payment that we showed above.
Unfortunately, so far as we can tell, there are no easy shortcuts to get your data back if you don’t have a recent backup.
Remember, also, that like most ransomware, Locky doesn’t just scramble your C: drive.
It scrambles any files in any directory on any mounted drive that it can access, including removable drives that are plugged in at the time, or network shares that are accessible, including servers and other people’s computers, whether they are running Windows, OS X or Linux.
If you are logged in as a domain administrator and you get hit by ransomware, you could do very widespread damage indeed.
Giving yourself up front all the login power you might ever need is very convenient, but please don’t do it.
Only log in (or use Run As…) with admin powers when you really need them, and relinquish those powers as soon as you don’t.
WHAT TO DO?
Backup regularly and keep a recent backup copy off-site. There are dozens of ways other than ransomware that files can suddenly vanish, such as fire, flood, theft, a dropped laptop or even an accidental delete.
Always keep your security software up to date to protect yourself against any new variants of malware.
Don’t enable macros in document attachments received via email. Microsoft deliberately turned off auto-execution of macros by default many years ago as a security measure. A lot of malware infections rely on persuading you to turn macros back on, so don’t do it!
Be cautious about unsolicited attachments. The crooks are relying on the dilemma that you shouldn’t open a document until you are sure it’s one you want, but you can’t tell if it’s one you want until you open it. If in doubt, leave it out.
Don’t give yourself more login power than you need. Most importantly, don’t stay logged in as an administrator any longer than is strictly necessary, and avoid browsing, opening documents or other “regular work” activities while you have administrator rights.
Consider installing the Microsoft Office viewers. These viewer applications let you see what documents look like without opening them in Word or Excel itself. In particular, the viewer software doesn’t support macros at all, so you can’t enable macros by mistake!
Patch early, patch often. Malware that doesn’t come in via document macros often relies on security bugs in popular applications, including Office, your browser, Flash and more. The sooner you patch, the fewer open holes remain for the crooks to exploit.
Keep your operating system and other software updated. Software updates will frequently include patches for newly discovered security vulnerabilities that could be exploited by attackers.
Delete any suspicious-looking emails you receive, especially if they contain links or attachments.
If you have been a victim of a ransomware attack or need any assistance in removing or preventing ransomware, please contact Universal Information Technologies. We have a team of experts that can assist you with a full system audit to help prevent attacks, or can assist in recovering your data.
Tel: +27 12 345 6172