
What is Locky Ransomware? Everything you need to know 2022

Locky ransomware: Key information

Locky is ransomware that encrypts files on Windows systems. Once encrypted, the files are inaccessible and unusable, and the attackers demand a ransom for their return.

Cyber security experts discovered Locky in February 2016. At that time, Locky was the most significant malware threat in the wild, with more than 50,000 attack attempts observed within a single day. Today, however, Locky no longer represents an outsized threat.

How does Locky ransomware spread?

Locky spreads through social engineering. Targets typically receive fraudulent emails disguised as payment invoices; past subject lines have included “Upcoming Payment—1 Month Notice.” This fear-based tactic prompts users to click.

In addition, Locky emails commonly arrive with attachments. Opening the attached document prompts the user to enable Word macros: a window informs them that enabling macros will allow the content to display correctly. Once enabled, the macros run a malicious script that downloads the Locky ransomware.

Immediately afterwards, files become inaccessible. A key reason Locky is considered dangerous is the variety of files and code it can damage: files are renamed without permission, and source code can be scrambled.

How does an infection with Locky manifest?

Firms exposed to Locky ransomware typically observed a ransom note on an affected computer’s screen. Victims of Locky primarily conducted business in the US. As the Locky campaign took off, victims also emerged in other geographic locales, but these trailed far behind the US in number of attacks.

[Figure: Locky Ransomware Chart by Country]

Encrypted files carried extensions such as .aesir, .asain, .diablo6, .locky, .zzzzz and others.

Some Locky-infected systems also contained the following files:

  • _HELP_instructions.html
  • asasin-{random characters}.htm
  • DesktopOSIRIS.htm
  • diablo6-{random characters}.htm
  • HELP_Recover_Files_.html
  • ykcol-{random characters}.htm
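As an added example (not code from the original article), a small Python triage script that checks a file listing against the indicators named above: the encrypted-file extensions and the ransom-note file names. The “{random characters}” part of the note names is assumed here to be a run of letters and digits, and the sample listing is constructed, not taken from a real incident.

```python
import re

# Indicators taken from this page: extensions Locky appended to encrypted
# files, and the ransom-note file names dropped alongside them.
LOCKY_EXTENSIONS = {".aesir", ".asain", ".diablo6", ".locky", ".zzzzz"}

# The page writes "{random characters}" for part of some note names; it is
# modelled here as a run of letters and digits (an assumption).
LOCKY_NOTE_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"^_HELP_instructions\.html$",
    r"^asasin-[a-z0-9]+\.htm$",
    r"^DesktopOSIRIS\.htm$",
    r"^diablo6-[a-z0-9]+\.htm$",
    r"^HELP_Recover_Files_\.html$",
    r"^ykcol-[a-z0-9]+\.htm$",
)]

def split_path(path):
    """Split a Windows or POSIX path into (directory, file name)."""
    m = re.match(r"^(.*)[\\/]([^\\/]+)$", path)
    return (m.group(1), m.group(2)) if m else ("", path)

def classify_path(path):
    """Return 'encrypted', 'ransom_note' or None for one file path."""
    _, name = split_path(path)
    ext = name[name.rfind("."):].lower() if "." in name else ""
    if ext in LOCKY_EXTENSIONS:
        return "encrypted"
    if any(p.match(name) for p in LOCKY_NOTE_PATTERNS):
        return "ransom_note"
    return None

def scan(paths):
    """Triage a listing: encrypted files, ransom notes, and the directories
    touched by either (useful for scoping an incident response)."""
    result = {"encrypted": [], "ransom_notes": [], "affected_dirs": set()}
    for path in paths:
        kind = classify_path(path)
        if kind == "encrypted":
            result["encrypted"].append(path)
        elif kind == "ransom_note":
            result["ransom_notes"].append(path)
        else:
            continue
        result["affected_dirs"].add(split_path(path)[0])
    result["affected_dirs"] = sorted(result["affected_dirs"])
    return result

# Constructed sample listing (not from a real incident).
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\Q3-budget.xlsx",
    r"C:\Users\alice\Documents\Q3-budget.xlsx.locky",
    r"C:\Users\alice\Documents\_HELP_instructions.html",
    r"C:\Users\alice\Desktop\DesktopOSIRIS.htm",
    r"C:\Shares\finance\invoice-2291.pdf.diablo6",
    r"C:\Shares\finance\diablo6-a1b2c3d4.htm",
    r"C:\Shares\finance\notes.txt",
]

if __name__ == "__main__":
    for key, value in scan(SAMPLE_LISTING).items():
        print(key, value)
```

A listing like this can be produced with `dir /s /b` on the affected host or a file-share audit log; the script only matches names and does not open files.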

How has Locky ransomware been distributed?

Past Locky distribution has relied on exploit kits and malspam. Much of the malspam was sent by the Necurs botnet.

Locky ransomware encryption

Locky encrypts entire networks. Networks hit by ransomware are commonly left inoperable; files may be inaccessible and, in some cases, permanently lost.

Organizations that have paid threat actors for file restoration may find themselves targets of future ransomware campaigns. Payments to the threat actors remain largely untraceable because they are made in Bitcoin.

Ransomed data may also be used for nefarious purposes: attackers may sell it on the black market or use it to commit fraud.

Locky downloader variants

All in all, Check Point Research observed over 10 different Locky downloader variants.

Threat detection technologies and Locky ransomware

Appropriate threat prevention technologies can block Locky-infected documents before they reach users:

  • Sandboxing can identify Locky ransomware based on behavior.
  • Threat extraction technologies can block suspicious attachments.
  • Anti-virus technologies can help.
  • Anti-bot technologies can also be of assistance.

Threat prevention and Locky ransomware

In conclusion, several measures help prevent this form of ransomware:

  • Back up files regularly; this is a cyber security best practice. Ensure that the stored backups are not connected to your network.
  • Avoid unverified attachments. Senders often pose as a known company.
  • In the same vein, encourage employees to ask your IT team for guidance if they receive an unsolicited email asking them to open an attachment.
  • Keep software up to date. Regular patching helps ensure that attacks do not slip through.
  • Have employees disable macros by default. They should only enable macros when 100% confident that the document does not contain a threat.

For more on Locky ransomware, ransom malware, ransomware attacks 2020 or ransomware attacks in 2021, visit Cyber Talk.