Locky is the latest ransomware to surface in a string of attacks on businesses. As the title says, it goes beyond the typical encryption of files on the user's mapped drives and also encrypts data on network shares that are not mapped to a drive letter. Like many other ransomware families, Locky completely renames the files it encrypts, which makes it much harder to pick out and restore a select set of files to their pre-attack state. At this time there is no known method to decrypt files encrypted by Locky.
How is this distributed?
Most victims received an email with a Word document attached that contained a malicious macro. The subject line is similar to ATTN: Invoice ##### and the body reads something like “Please see the attached invoice (Microsoft Word Document) and remit payment according to the terms listed at the bottom of the invoice”. Here is an example:
FIG. 1 Locky ransomware is often disguised in an email carrying a Word document attachment.
When the Word document is opened, its text appears scrambled and the document displays a message telling the reader to enable macros if the text is unreadable. In Word this means clicking through the security bar (Enable Editing, then Enable Content), which is exactly the step the attacker needs the victim to take.
FIG. 2 The document's request to enable macros. DO NOT ENABLE.
Once the victim enables macros, the macro downloads an executable from a remote server and runs it.
FIG. 3 Visible evidence that the executable is being downloaded.
The downloaded file is saved to the %Temp% folder and executed. If the user has gone through all of these steps, Locky begins encrypting files on the local computer and on the network.
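The delivery chain above (a Word attachment whose macro fetches and runs an executable) is the point where a mail gateway can stop Locky before any user sees an Enable button. The following is an added example, not code from the original article or from any vendor: it triages a Word attachment by its container format. Modern .docx/.docm files are zip archives, and a document that carries VBA contains a word/vbaProject.bin part and declares the macroEnabled content type in [Content_Types].xml; legacy binary .doc files (the OLE2 compound format, which is what many Locky invoices used) cannot be inspected this way with the standard library alone, so the code routes them to a full macro analyser instead of guessing. The sample documents are constructed in memory for illustration and are not real Locky samples.

```python
"""Gateway-style triage of a Word attachment for the macro-delivery pattern.

Added example, not from the original article. Verdicts:
  block   - OOXML container that carries a VBA project
  inspect - legacy OLE2 binary (.doc) or unknown container; hand to a macro
            analyser such as oletools/olevba, which this code does not replace
  allow   - OOXML container with no VBA project
"""
import io
import zipfile
from typing import Dict, List

OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"   # legacy binary Office (.doc/.xls)
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML (.docx/.docm) is a zip
MACRO_MAIN_PART = b"application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_MAIN_PART = (b"application/vnd.openxmlformats-officedocument."
                   b"wordprocessingml.document.main+xml")


def triage_word_attachment(filename: str, data: bytes) -> Dict[str, object]:
    """Classify an attachment by container format and macro indicators."""
    reasons: List[str] = []
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
                # The VBA project is stored as a binary part inside the zip.
                if any(n.lower().endswith("vbaproject.bin") for n in names):
                    reasons.append("contains VBA project (word/vbaProject.bin)")
                # The package also has to declare the macro-enabled main part.
                if "[Content_Types].xml" in names and \
                        MACRO_MAIN_PART in zf.read("[Content_Types].xml"):
                    reasons.append("declares macroEnabled main document part")
        except zipfile.BadZipFile:
            reasons.append("zip container is malformed")
        if reasons:
            # A macro-bearing package named .docx is misrepresenting itself.
            if filename.lower().endswith(".docx"):
                reasons.append("extension is .docx but package carries macros")
            return {"verdict": "block", "reasons": reasons}
        return {"verdict": "allow", "reasons": ["OOXML package without VBA project"]}
    if data.startswith(OLE2_MAGIC):
        # Legacy .doc can hold macros in VBA storage streams; parsing the
        # compound file is out of scope here, so escalate rather than allow.
        return {"verdict": "inspect",
                "reasons": ["legacy OLE2 binary; check VBA streams with a macro analyser"]}
    return {"verdict": "inspect", "reasons": ["not a recognised Word container"]}


def build_ooxml(with_macro: bool) -> bytes:
    """Constructed minimal OOXML package for demonstration (not a real document)."""
    main_part = MACRO_MAIN_PART if with_macro else PLAIN_MAIN_PART
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    b'<Types><Override PartName="/word/document.xml" ContentType="'
                    + main_part + b'"/></Types>')
        zf.writestr("word/document.xml", b"<w:document/>")
        if with_macro:
            # Placeholder bytes stand in for a real VBA project stream.
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    samples = {
        "invoice.docm": build_ooxml(with_macro=True),
        "invoice.docx": build_ooxml(with_macro=True),   # macros hiding behind .docx
        "quote.docx": build_ooxml(with_macro=False),
        "invoice.doc": OLE2_MAGIC + b"\x00" * 504,       # constructed OLE2 header only
    }
    for name, blob in samples.items():
        print(name, triage_word_attachment(name, blob))
```

In practice the "inspect" path is where most Locky-era invoices would land, because they were legacy .doc files; the value of the pre-filter is that it never lets a macro-bearing OOXML package through on the strength of its extension.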
As part of the destructive encryption process, Locky will:
- Encrypt files on network shares even when they are not mapped to a local drive
- Delete all Shadow Volume Copies on the machine so that these local snapshots cannot be used to restore the victim’s files.
- Create .txt ransom notes throughout the folder structures (Fig. 4)
- Change the desktop wallpaper to a .bmp image carrying the same ransom instructions (Fig. 5)
FIG. 4 Text file with ransom instructions. Paying as instructed does not guarantee recovery.
FIG. 5 Desktop wallpaper with ransom instructions. Again, paying as instructed does not guarantee recovery.
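Two steps in the chain described above leave host-level traces that a SOC can alert on: Word spawning an executable out of %Temp%, and the deletion of Shadow Volume Copies. The following is an added example, not code from the original article: detection logic run over a handful of constructed process-creation events (Sysmon event 1 style, flattened to one pipe-separated line each; not real Locky telemetry). The article does not say which mechanism Locky uses to remove shadow copies, so the rule covers the two built-in ways of doing it, vssadmin.exe and the WMI shadowcopy class; the file name payload.exe and the hosts WS01 and SRV02 are invented for the sample.

```python
"""Detect the Locky-style host behaviours over process-creation events.

Added example, not from the original article. Two rules:
  office-spawned-temp-executable - an Office process launched an executable
                                   that lives under a Temp directory
  shadow-copy-deletion           - vssadmin or wmic invoked to delete shadow copies
"""
import re
from typing import Dict, Iterable, List

# Constructed sample telemetry (pipe-separated key=value pairs). Not real data.
SAMPLE_EVENTS = r"""
time=2016-02-17T09:11:40|host=WS01|parent=C:\Windows\explorer.exe|image=C:\Program Files\Microsoft Office\Office15\WINWORD.EXE|cmd="C:\Program Files\Microsoft Office\Office15\WINWORD.EXE" /n "C:\Users\jdoe\Downloads\invoice.doc"
time=2016-02-17T09:12:01|host=WS01|parent=C:\Program Files\Microsoft Office\Office15\WINWORD.EXE|image=C:\Users\jdoe\AppData\Local\Temp\payload.exe|cmd="C:\Users\jdoe\AppData\Local\Temp\payload.exe"
time=2016-02-17T09:12:03|host=WS01|parent=C:\Users\jdoe\AppData\Local\Temp\payload.exe|image=C:\Windows\System32\vssadmin.exe|cmd=vssadmin.exe Delete Shadows /All /Quiet
time=2016-02-17T09:15:22|host=WS01|parent=C:\Program Files\Microsoft Office\Office15\WINWORD.EXE|image=C:\Windows\splwow64.exe|cmd=C:\Windows\splwow64.exe 12288
time=2016-02-17T10:02:09|host=SRV02|parent=C:\Windows\System32\cmd.exe|image=C:\Windows\System32\wbem\WMIC.exe|cmd=wmic shadowcopy delete
"""

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Per-user and system Temp directories; extend for your environment.
TEMP_DIR = re.compile(r"\\(?:AppData\\Local\\Temp|Windows\\Temp)\\", re.IGNORECASE)
SHADOW_DELETE = [
    re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.IGNORECASE),
    re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.IGNORECASE),
]


def parse_event(line: str) -> Dict[str, str]:
    """Split 'k=v|k=v' into a dict; the command line is the last field."""
    return dict(field.split("=", 1) for field in line.split("|"))


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: Dict[str, str]) -> List[str]:
    """Return the names of every rule the event matches."""
    hits: List[str] = []
    if basename(event["parent"]) in OFFICE_IMAGES and TEMP_DIR.search(event["image"]):
        hits.append("office-spawned-temp-executable")
    if any(rule.search(event["cmd"]) for rule in SHADOW_DELETE):
        hits.append("shadow-copy-deletion")
    return hits


def detect(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Run the rules over raw event lines and return one alert per matching event."""
    alerts: List[Dict[str, object]] = []
    for line in lines:
        if not line.strip():
            continue
        event = parse_event(line)
        hits = classify(event)
        if hits:
            alerts.append({"time": event["time"], "host": event["host"],
                           "image": event["image"], "hits": hits})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS.strip().splitlines()):
        print(alert["time"], alert["host"], alert["image"], ", ".join(alert["hits"]))
```

Of the five constructed events, three alert: the executable Word launched from Temp, the vssadmin call that follows it, and the wmic call on the server. The fourth event (Word spawning the print helper splwow64.exe from the Windows directory) shows why the Temp-path condition matters; the last one shows that shadow-copy deletion also has legitimate administrative uses, so that rule is best paired with the parent process or a change-ticket check before it pages anyone.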
As a first line of defense, it is highly recommended that all System Administrators lock down open network shares to the lowest permissions that still let people do their jobs: an account that can only read a share cannot be used by Locky to encrypt it, and since Locky reaches shares that are not even mapped, every writable share the infected account can see is at risk. Because Locky also deletes Shadow Volume Copies, backups must be kept offline or on storage that ordinary user accounts cannot modify. Additional steps, such as blocking macros in documents received by email or from the internet, further reduce the exposure your organization faces from ransomware like Locky. Ask your System Administrator which defenses best suit your network.
Already attacked? Contact us for help working toward restoring your network.