In the latter part of 2015 and throughout the beginning of this year the rise of ransomware has been both phenomenal and alarming. This malicious software takes over a user’s computer, effectively locking them out until a ransom is paid – usually in the form of a Bitcoin payment. Over the last few months one piece of ransomware in particular has become very prominent. It is called Locky and has apparently been developed by the same criminals behind the notorious Dridex.
Locky arrives as a malicious macro in a Word document that is usually delivered as an email attachment. Because Word disables macros by default, the document displays a short note explaining that macros need to be turned on in order to read it. Since most Word users have no idea what a macro is, many will turn them on without realising the harm this can cause. It is a low-tech delivery method, but it has been very effective.
Once macros have been enabled, Locky sets to work encrypting every file on the computer; there are very few file types it cannot encrypt. It also replaces the file extension of each encrypted file with ‘.locky’, which is where the name comes from. It then opens Notepad to display a ransom message, which is also shown on the desktop, instructing the victim on how to get their files decrypted.
Victims are directed to a Tor site that shows a Bitcoin wallet address. From there they are expected to pay a ransom of either 0.5 or 1 Bitcoin before being given the decryption key and the software to decrypt their files. There are no easy shortcuts to decrypting this data, but there are ways that a Locky attack can be prevented and its damage limited.
While the files cannot be easily decrypted, there are several ways in which the effectiveness of Locky can be dramatically limited. These may mean some extra time spent preparing systems, but that will pay off in both time and money if the systems are attacked.
Back up everything on a regular basis and store a copy securely off site. Encrypting these backups reduces the harm caused if they were to fall into malicious hands.
Don’t turn macros on in documents. Microsoft deliberately disables them by default and prompts for permission before running them because most malware relies on them.
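Relying on users to leave macros off is fragile, since Locky’s lure is built entirely around getting them to click “Enable Content”. The following PowerShell, an added example that is not part of the original article, enforces “disable all macros without notification” through the Office policy registry keys for the current user and then reads the settings back. It assumes Office 2016 (registry version 16.0) and the VBAWarnings / blockcontentexecutionfrominternet policy values; adjust $OfficeVersion for other releases.

```powershell
# Added example: enforce and verify an Office macro policy for the current user.
# VBAWarnings = 4 disables all macros with no "Enable Content" prompt at all.
# blockcontentexecutionfrominternet = 1 blocks macros in files that carry the
# Mark-of-the-Web (downloaded files and email attachments), even if the user
# has a looser setting. Assumes Office 2016 ("16.0"); change for other versions.
$OfficeVersion = '16.0'
$Apps = 'Word', 'Excel', 'PowerPoint'

function Set-MacroPolicy {
    param([string]$Version, [string[]]$Applications)
    foreach ($app in $Applications) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$Version\$app\Security"
        if (-not (Test-Path $key)) {
            New-Item -Path $key -Force | Out-Null
        }
        New-ItemProperty -Path $key -Name 'VBAWarnings' `
            -PropertyType DWord -Value 4 -Force | Out-Null
        New-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' `
            -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

function Get-MacroPolicy {
    param([string]$Version, [string[]]$Applications)
    foreach ($app in $Applications) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$Version\$app\Security"
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        # A missing key means no policy is applied, which is reported as non-compliant.
        [pscustomobject]@{
            Application         = $app
            VBAWarnings         = $props.VBAWarnings
            BlockInternetMacros = $props.blockcontentexecutionfrominternet
            Compliant           = ($props.VBAWarnings -eq 4 -and
                                   $props.blockcontentexecutionfrominternet -eq 1)
        }
    }
}

Set-MacroPolicy -Version $OfficeVersion -Applications $Apps
Get-MacroPolicy -Version $OfficeVersion -Applications $Apps | Format-Table -AutoSize
```

In a managed environment push the same values through Group Policy (the Office ADMX templates expose them under User Configuration) so that users cannot simply re-enable macros themselves; the Get-MacroPolicy function is then useful as a compliance check on endpoints.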
Scrutinise every attachment before downloading it, and certainly before opening it. Using a viewer application, which does not run macros, lets you check the body of the document before opening it in Word.
Avoid logging in as an administrator: an administrator account gives any malware that runs far more access than a regular user account would.
Patch early and often. Malware that doesn’t arrive through document macros relies heavily on security flaws in software, and patching closes that back door.