The New Crimeware Mafia Wants You to Get ‘Locky’

Like in a Francis Ford Coppola film, three major crimeware families are at the forefront of technological crime. Like the mafia, the families shake down their victims for ransom money, operate through a sinister black market, and pose a threat to businesses worldwide. They are the ransomware families: CryptoWall, CryptoLocker and TorrentLocker. Now, a new family is clawing its way to the top, and has already affected close to half a million victims: Locky Ransomware.

What is ransomware?

Using exploit kits and fake emails to target victims, ransomware renames files so they cannot be accessed unless a ransom is paid to the hackers via the ‘dark web’, the Internet’s black market. The ransom money, which must be paid in bitcoins (the dark web’s currency), effectively purchases a decryption key to unscramble and retrieve the files.

Locky: a frightening new frontier

As if the existing ransomware families weren’t bad enough, Locky employs new techniques to expand its target base and hone ransomware technology.

Locky victims are typically targeted through a fake email containing an attached document (Troj/DocDl-BCF). The document’s contents appear to be gibberish, so the victim is invited to enable macros to correct the text encoding. Once macros are enabled, the code inside the document saves a file to disk and runs it, allowing the Locky malware to be downloaded to your computer.

Locky then does the following:

• Scrambles all files matching a long list of file extensions (including images, videos, Office files, bitcoin wallet files, and source code), and replaces the extensions with ‘.locky’.
• Removes all Volume Snapshot Service (VSS) files or ‘shadow copies’ from your PC.
• Scrambles files on your C: drive, along with files on any removable drives plugged into your computer.
• Scrambles any accessible network shares, including servers and other people’s computers.

Your desktop wallpaper is then transformed into a ransom note, giving instructions on how to pay the ransom.

Ransomware protection

Ransomware can wreak havoc on businesses – particularly if domain administrators are hit – putting operations on hold and costing a considerable amount of money to rectify. To stay protected, we recommend the following measures:

• Back up frequently and store your files in a secure offsite data backup centre. Visit our Backup and Data Recovery page to learn more.
• Never enable macros for documents received as email attachments, as this can facilitate endless malware infections.
• To ensure a file is safe, use a viewer application to see a document’s contents without having to download it or enable macros.
• Engage a reliable IT security service provider to patch your system when needed and deliver layered preventive security controls.
• As a domain administrator, only give yourself the admin powers you need, and make sure to log out before browsing the web or opening unknown documents.

For more information on how to protect your personal and business files, contact us at LSA Systems—we’ve got the IT muscle to keep you safe from even the most notorious crimeware families.