As Trend Micro predicted, hackers are increasingly using ransomware to encrypt businesses’ files and hold them for ransom. As a result, headlines about these attacks abound in print and electronic media, making them seem almost routine.

However, the ransomware known as Locky warrants attention. It encrypts just about every commonly used file type, including PDF, text, image (e.g., JPG, PNG, TIFF), and Microsoft Office (e.g., DOCX, XLSX, PPTX) files. Equally important, Locky encrypts files not only on local drives but also on any network shares it can find, including shares that are not mapped to a drive letter. Rather than relying on the user’s existing drive mappings, it enumerates the shares the logged-in user can reach, so every share that user can write to (backup targets included) is within its reach.

The Locky assault started on February 16, 2016. On that day alone, Palo Alto Networks observed more than 440,000 instances of this threat, 54 percent of which targeted the United States. Canada and Australia were the next most-targeted countries, accounting for 9 percent combined.

Security experts believe that Locky is being distributed by the group behind the Dridex banking malware because of the similarities between the two campaigns. Like Dridex, Locky uses phishing emails and malicious Microsoft Word macros to infect systems.

How Locky Works

The phishing emails being used to distribute Locky usually have the subject line “ATTN: Invoice J-xxxxxxxx” (where “xxxxxxxx” is a string of numbers) and a message that tells you to see the attached invoice and remit payment according to the terms listed in the invoice. The attachment is a Word document that is fittingly named “invoice_J-xxxxxxxx.doc” (where “xxxxxxxx” is the same string of numbers used in the subject line).

If users open the document and Word macros are disabled with notification (the default), the security warning “Macros have been disabled” accompanied by the “Enable Content” option appears. As long as users do not click the “Enable Content” option, their computers will not be infected with the Locky ransomware. However, if someone clicks that option, the macro’s malicious commands will run. The commands will also run, without any security warning, if Word is configured to enable all macros and a user simply opens the document.

The macro’s commands download an executable from a remote server onto the computer and then execute it. This executable is the Locky ransomware.
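The lure described above is regular enough to be matched at the mail gateway or in a mailbox search. The following PowerShell is an added example, not code from the original article: it checks a message’s subject and attachment names against the Locky invoice pattern and flags any macro-capable Office attachment. The sample messages, the invoice number and the set of flagged extensions are constructed for illustration.

```powershell
# Added example (not from the original article). The digit string after "J-"
# is assumed to be purely numeric, as the article describes.
$subjectPattern    = '^ATTN:\s*Invoice\s+J-(\d+)$'
$attachmentPattern = '^invoice_J-(\d+)\.doc$'

function Test-LockyLure {
    param(
        [Parameter(Mandatory)][string]$Subject,
        [string[]]$Attachments = @()
    )
    $reasons   = @()
    $subjectId = $null

    if ($Subject -match $subjectPattern) {
        $subjectId = $Matches[1]
        $reasons  += 'subject matches the Locky invoice lure'
    }

    foreach ($name in $Attachments) {
        if ($name -match $attachmentPattern) {
            $reasons += "attachment name matches the Locky invoice lure: $name"
            # The real campaign reuses the subject's number in the attachment name.
            if ($subjectId -and $Matches[1] -eq $subjectId) {
                $reasons += 'attachment number repeats the subject number'
            }
        }
        elseif ($name -match '\.(doc|dot|docm|xls|xlsm|pptm)$') {
            # Legacy and macro-enabled Office formats can carry VBA; worth a
            # second look even when the name does not match the lure.
            $reasons += "macro-capable Office attachment: $name"
        }
    }

    [pscustomobject]@{
        Subject    = $Subject
        Suspicious = ($reasons.Count -gt 0)
        Reasons    = $reasons
    }
}

# Constructed sample messages, not real captures.
$samples = @(
    @{ Subject = 'ATTN: Invoice J-98223146'; Attachments = @('invoice_J-98223146.doc') },
    @{ Subject = 'Re: lunch on Friday';      Attachments = @() },
    @{ Subject = 'Q1 figures';               Attachments = @('q1_figures.xlsm') }
)

foreach ($m in $samples) {
    Test-LockyLure -Subject $m.Subject -Attachments $m.Attachments |
        Format-List Subject, Suspicious, Reasons
}
```

The first sample trips all three checks, the second none, and the third only the generic macro-capable-attachment check, which is the kind of message a gateway should quarantine for review rather than block outright.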

The ransomware scans the local drives and network shares (both mapped and unmapped), looking for files with any of more than 130 extensions to encrypt. After it encrypts each file, it renames the file, replacing both the original name and the extension. The new extension is “.locky”.

Locky deletes the snapshots made by Windows’ Volume Shadow Copy Service (it runs vssadmin.exe Delete Shadows /All /Quiet) so that victims cannot restore earlier versions of their files with the Previous Versions feature. It also writes to the registry, where it stores its state, such as the victim ID and the public key it uses for encryption.

Finally, Locky creates a ransom note on the Windows desktop and in each folder where a file was encrypted. The ransom note tells victims that their files have been encrypted and the only way to decrypt them is to get the private key. To obtain it, the victims need to click one of the links provided. The links lead to the Locky Decrypter Page, which specifies the ransom and where to send it. The ransom is typically 0.5 or 1 bitcoin. (The exchange rate varies, but at the time of writing a bitcoin was worth over $400 USD.) After victims send the ransom, the Locky Decrypter Page provides the private key.
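The artifacts just described (renamed files, ransom notes in every touched folder, missing shadow copies) are what a responder looks for first. This PowerShell triage script is an added example, not part of the original article: it counts .locky files per folder across the paths you give it, looks for the ransom note, and reports how many shadow copies remain. The paths are placeholders; the note filename is the one used by the February 2016 samples and is a parameter in case a variant changes it.

```powershell
# Added example (not from the original article). Paths are placeholders.
function Find-LockyArtifacts {
    param(
        [Parameter(Mandatory)][string[]]$Path,
        [string]$NoteName = '_Locky_recover_instructions.txt'
    )
    $encrypted = @(Get-ChildItem -Path $Path -Recurse -File -Filter '*.locky' -ErrorAction SilentlyContinue)
    $notes     = @(Get-ChildItem -Path $Path -Recurse -File -Filter $NoteName -ErrorAction SilentlyContinue)

    # Group by directory so a responder can see which folders, and therefore
    # which shares, the process reached before it was stopped.
    $perDir = $encrypted | Group-Object DirectoryName | Sort-Object Count -Descending |
        Select-Object @{ n = 'Directory'; e = { $_.Name } }, Count

    # The earliest rename bounds the start of the encryption run.
    $first = $encrypted | Sort-Object LastWriteTime | Select-Object -First 1

    [pscustomobject]@{
        EncryptedFiles   = $encrypted.Count
        RansomNotes      = $notes.Count
        FirstEncryptedAt = $(if ($first) { $first.LastWriteTime } else { $null })
        FoldersAffected  = $perDir
    }
}

# Locky deletes shadow copies before encrypting, so an empty list on a machine
# that had System Protection enabled is itself an indicator. Needs an elevated shell.
function Get-ShadowCopySummary {
    $copies = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)
    $newest = $copies | Sort-Object InstallDate -Descending | Select-Object -First 1
    [pscustomobject]@{
        ShadowCopies = $copies.Count
        Newest       = $(if ($newest) { $newest.InstallDate } else { $null })
    }
}

Find-LockyArtifacts -Path 'C:\Users', '\\fileserver\finance' | Format-List
Get-ShadowCopySummary
```

Run it from a clean admin workstation against the affected host and its shares rather than on the infected machine itself, and treat the per-folder counts as the scope of the restore job.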

How to Avoid Giving in to Hackers’ Demands

To avoid having to pay a ransom, you need a defense strategy that addresses the different facets of the Locky attack. By implementing multiple security measures, you improve the odds that your business will not be extorted by hackers.

For starters, you need to educate users on how to spot phishing emails. While email spam filters and anti-malware software can catch a lot of phishing emails, some can still get through. When telling users about the Locky phishing emails, emphasize the importance of not opening unexpected email attachments. Even if the email is from someone they know, have them check with that person first before opening the attachment.

Hackers are getting quite skilled at creating phishing emails, so users might fall for one, despite phishing training. The next line of defense is to make sure that Word macros are disabled on any computer running that application. By default, the macro setting is configured to “Disable all macros with notification”. If desired, you can change this setting to “Disable all macros without notification”. That way, users will not be given the option to enable a macro if a document includes one. Set it through Group Policy rather than in each user’s Trust Center so that users cannot change it back.
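As an added example (not code from the original article), the following PowerShell enforces “Disable all macros without notification” for Word, Excel and PowerPoint through the Policies hive, which is what Group Policy writes and which users cannot override in the Trust Center. The Office version numbers and application names are assumptions to adjust for your estate; the VBAWarnings values are Microsoft’s documented ones.

```powershell
# Added example (not from the original article).
# VBAWarnings: 1 = enable all, 2 = disable with notification (the default),
# 3 = disable except digitally signed, 4 = disable all without notification.
$officeVersions = @('14.0', '15.0', '16.0')           # Office 2010, 2013, 2016
$officeApps     = @('Word', 'Excel', 'PowerPoint')    # Locky uses Word; Dridex also used Excel

function Set-OfficeMacroPolicy {
    param([int]$VBAWarnings = 4)
    foreach ($v in $officeVersions) {
        foreach ($app in $officeApps) {
            # Per-user policy; use HKLM: instead of HKCU: for a machine-wide setting.
            $key = "HKCU:\Software\Policies\Microsoft\Office\$v\$app\Security"
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            Set-ItemProperty -Path $key -Name 'VBAWarnings' -Value $VBAWarnings -Type DWord
            if ($v -eq '16.0') {
                # Office 2016 only: also block macros in files that carry the
                # Mark-of-the-Web, i.e. anything saved from email or a browser.
                Set-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -Value 1 -Type DWord
            }
        }
    }
}

function Get-OfficeMacroPolicy {
    foreach ($v in $officeVersions) {
        foreach ($app in $officeApps) {
            $key = "HKCU:\Software\Policies\Microsoft\Office\$v\$app\Security"
            $val = (Get-ItemProperty -Path $key -Name 'VBAWarnings' -ErrorAction SilentlyContinue).VBAWarnings
            [pscustomobject]@{
                Office      = $v
                Application = $app
                VBAWarnings = $val
                Enforced    = ($val -eq 4)
            }
        }
    }
}

Set-OfficeMacroPolicy
Get-OfficeMacroPolicy | Format-Table
```

Get-OfficeMacroPolicy doubles as a compliance check: a row with an empty VBAWarnings column means no policy is applied for that version and application, and the user’s own Trust Center setting (notification by default) is what governs.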

If you keep the default setting of “Disable all macros with notification”, you need to educate users about the dangers of enabling macros. Let them know that if the “Enable Content” option appears when they open a document that was emailed to them, it is best to close and delete the file since it is probably part of a macro-based attack. Unless macros are regularly used in work files, receiving a legitimate file that contains a macro is rare, according to security experts.

Finally, you should be prepared in case the Locky ransomware somehow makes it onto one of your computers. You need to regularly back up your files and make sure they can be successfully restored. Because Locky encrypts every share it can write to, keep at least one copy of your backups offline or otherwise unreachable from user workstations, for example on removable media that is disconnected after the backup runs or on storage that users have no write access to. If you have good backup and restore processes, you will not have to pay the ransom to get your files back.
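A backup that has never been restored is an assumption, not a safeguard. This PowerShell restore test is an added example, not part of the original article: it restores a backup into a scratch folder, compares every file’s SHA-256 hash with the live copy, and also checks whether the backup itself already contains .locky files, which would mean the job ran after the encryption started. The source and backup paths are placeholders, and the Copy-Item step stands in for whatever your backup product’s restore command is.

```powershell
# Added example (not from the original article). Paths are placeholders.
function Test-BackupRestore {
    param(
        [Parameter(Mandatory)][string]$Source,   # live data the backup should match
        [Parameter(Mandatory)][string]$Backup    # most recent backup set
    )
    $scratch = Join-Path $env:TEMP ('restore-test-' + [guid]::NewGuid())
    New-Item -ItemType Directory -Path $scratch | Out-Null
    try {
        # Stand-in for the real restore step (backup agent, snapshot, tape).
        Copy-Item -Path (Join-Path $Backup '*') -Destination $scratch -Recurse -Force

        $sourceRoot = $Source.TrimEnd('\')
        $expected   = @(Get-ChildItem -Path $sourceRoot -Recurse -File)
        $mismatch   = @()
        foreach ($f in $expected) {
            $rel      = $f.FullName.Substring($sourceRoot.Length + 1)
            $restored = Join-Path $scratch $rel
            if (-not (Test-Path $restored)) {
                $mismatch += $rel
                continue
            }
            $liveHash     = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
            $restoredHash = (Get-FileHash -Path $restored   -Algorithm SHA256).Hash
            if ($liveHash -ne $restoredHash) { $mismatch += $rel }
        }

        # Encrypted files inside the backup mean the backup captured Locky's
        # output; an older backup set is needed for those files.
        $encryptedInBackup = @(Get-ChildItem -Path $scratch -Recurse -File -Filter '*.locky').Count

        [pscustomobject]@{
            FilesChecked      = $expected.Count
            Mismatched        = $mismatch
            EncryptedInBackup = $encryptedInBackup
            Passed            = ($mismatch.Count -eq 0 -and $encryptedInBackup -eq 0)
        }
    }
    finally {
        Remove-Item -Path $scratch -Recurse -Force -ErrorAction SilentlyContinue
    }
}

Test-BackupRestore -Source 'D:\Shares\Finance' -Backup 'E:\Backups\Finance\latest' | Format-List
```

Schedule it after each backup job and alert on Passed being false; a growing Mismatched list on a share that users are actively editing is normal, but a non-zero EncryptedInBackup never is.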

A Dangerous Threat

Locky is not to be taken lightly. Like all ransomware, it can paralyze your business. It can also be costly. Contact us for more advice on how to protect your business from Locky and other types of ransomware.