LOCKY Ransomware

LOCKY Ransomware: Everything you want to know

After WannaCry and PETYA, another ransomware appears to be spreading like wildfire and taking hold of systems all over the globe. This time it is called LOCKY Ransomware, and it arrives through spam emails.

It scrambles the contents of a computer and of servers (both mapped and unmapped) and demands payment to unlock them.

The most important precaution is to stop opening attachments that you do not need.

It strikes when the system least expects it: it locks your computer and unlocks it only when the ransom demand is met.

Propagation methods:

The primary way Locky spreads is via spam emails. The emails carry common subjects such as ‘documents’, ‘please print’, ‘photo’, ‘images’, ‘pictures’ and ‘scans’, which may change depending on the target audience. Once you open such an email and click on the attachment, variants of the ransomware are automatically downloaded to your computer.

As soon as the variants are downloaded, your desktop background is replaced with instructions to follow, and a ‘.htm’ file named “Lukitus[dot]htm” is displayed.
Once the system is infected by Locky, all files are encrypted and renamed to a string of random numbers with the extension “[.]lukitus” or “[.]diablo6” appended. Lukitus is French for ‘locking’.

The instructions direct the victim to install the TOR browser (The Onion Router network) and visit “.onion” sites. Users are then asked to pay 0.5 Bitcoin for the decryption service, which is equivalent to almost Rs. 1.5 lakh (INR).

Furthermore, a spam campaign with links to fake Dropbox pages has been reported to be spreading Locky variants. When the pages are viewed in Chrome or Firefox, they show a fake notification stating “you don’t have the HoeflerText font”. The fake notification has an “update” button that delivers a malicious JavaScript (.js) file. [1]

In a nutshell, what it does is this:

  1. You receive an email with an attachment that, when opened, shows a scrambled mess of words.
  2. At the top are the words ‘Enable Macros if the data encoding is incorrect.’
  3. The moment you enable macros, instead of correcting the document, your system is encrypted, the Locky ransomware is activated, and Windows’ ability to take live backups (Shadow Copies) is also compromised.
  4. Your wallpaper changes to an image displaying a ‘How to decrypt’ message.
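The description above gives two host-side indicators a defender can look for: encrypted files carrying the “.lukitus” or “.diablo6” extension and the “Lukitus.htm” note. The following is an added example, not code from the advisory, that builds a throwaway directory tree with constructed sample files and scans it for exactly those two indicators; the file names in the sample tree are invented placeholders.

```python
"""Host-side check for the Locky indicators named in the text.

Added example, not from the original advisory.  It creates a temporary
directory tree with constructed sample files and scans it for the two
indicators the advisory describes: encrypted files carrying the .lukitus
or .diablo6 extension, and the Lukitus.htm ransom note.
"""
import os
import tempfile
from pathlib import Path

# Extensions the advisory reports Locky appending to encrypted files.
LOCKY_EXTENSIONS = {".lukitus", ".diablo6"}
# Ransom note file name reported in the advisory (matched case-insensitively).
LOCKY_NOTE_NAME = "lukitus.htm"


def scan_for_locky(root):
    """Walk `root` and return a report of Locky indicators found.

    The report is a dict with three keys:
      encrypted: paths whose suffix is a known Locky extension
      notes:     paths whose file name is the ransom note
      hit:       True if either list is non-empty
    """
    encrypted, notes = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if path.suffix.lower() in LOCKY_EXTENSIONS:
                encrypted.append(str(path))
            if name.lower() == LOCKY_NOTE_NAME:
                notes.append(str(path))
    return {"encrypted": encrypted, "notes": notes,
            "hit": bool(encrypted or notes)}


def build_sample_tree(infected=True):
    """Create a constructed sample tree of clean files and, when `infected`
    is True, Locky-style artefacts.  Returns the root path.  Sample data
    only: the stems are invented and the contents are inert placeholders."""
    root = Path(tempfile.mkdtemp(prefix="locky_demo_"))
    (root / "reports").mkdir()
    (root / "reports" / "q3.xlsx").write_text("clean")
    (root / "notes.txt").write_text("clean")
    if infected:
        # Random-looking stem plus the extensions named in the advisory.
        (root / "reports" / "A1B2C3D4-E5F6-0001.lukitus").write_bytes(b"\x00" * 16)
        (root / "F00DBABE-1234-0002.diablo6").write_bytes(b"\x00" * 16)
        (root / "Lukitus.htm").write_text("<html>placeholder note</html>")
    return str(root)


if __name__ == "__main__":
    report = scan_for_locky(build_sample_tree())
    print("Locky indicators found:" if report["hit"] else "No Locky indicators.")
    for p in report["encrypted"]:
        print("  encrypted file:", p)
    for p in report["notes"]:
        print("  ransom note:   ", p)
```

Pointing `scan_for_locky` at a user profile or a file share gives a quick triage signal; the extension match is deliberately case-insensitive because the text only states the extension, not its casing.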

Recommendations against Locky:

Here is a list of recommendations to help users prevent Locky from compromising their computers.

  • The foremost recommendation is not to open spam emails or their attachments, and to keep anti-spam and block lists updated.
  • Block malicious IP addresses.
  • Do not download or open attachments that contain ZIP files.
  • Perform regular backups of your data and store them on other devices, preferably offline.
  • Disable macros in Microsoft Office applications by selecting ‘Disable all macros with notification’. Macros can run in MS Office applications only if the macro setting is ‘Enable all macros’ or if the user manually enables them. This matters because the email attachment arrives in macro-enabled form.
  • Keep an updated antivirus installed on your personal as well as office systems.
  • Don’t click on unnecessary pop-ups while visiting websites; they may carry an embedded JavaScript (.js) file that downloads the ransomware.
  • Don’t use administrative accounts for business-as-usual activities, which limits what can be installed. Also disable Remote Desktop connections.
  • Don’t visit malicious websites, or at least the blocked websites listed in the advisory.
  • Update your operating system and third-party applications such as browsers, browser plugins and antivirus software with the latest security patches.
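Three of the recommendations above (no spam attachments, no ZIP attachments, no embedded .js files) translate directly into a mail-gateway screening rule, and the “Enable Macros” lure in the walkthrough adds macro-enabled Office files to the list. The following is an added example, not code from the advisory, that parses a constructed message with Python’s standard library and flags attachments matching those criteria; the subject line reuses one the text lists, while the sender, recipient and file names are invented placeholders and the payloads are inert.

```python
"""Attachment screening for the mail-borne Locky lure described above.

Added example, not part of the advisory.  It parses a constructed .eml
message with the standard library and flags attachments that match the
delivery methods the text names: ZIP archives (looking inside them for
scripts or macro-enabled Office files), stand-alone JavaScript files,
and macro-enabled Office documents.  The extension lists are assumptions
for illustration.
"""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Script droppers (the .js file from the text plus common relatives) and
# macro-enabled Office formats (the "Enable Macros" document).
SCRIPT_EXTENSIONS = {".js", ".jse", ".wsf", ".vbs"}
MACRO_EXTENSIONS = {".docm", ".xlsm", ".pptm", ".dotm"}
ARCHIVE_EXTENSIONS = {".zip"}


def _ext(name):
    """Lower-cased extension of a file name, '' if there is none."""
    name = (name or "").lower()
    return name[name.rfind("."):] if "." in name else ""


def screen_attachment(filename, payload):
    """Return the reasons this attachment should be blocked (empty list
    means no Locky-style indicator was found)."""
    reasons = []
    ext = _ext(filename)
    if ext in SCRIPT_EXTENSIONS:
        reasons.append(f"script attachment {filename}")
    if ext in MACRO_EXTENSIONS:
        reasons.append(f"macro-enabled Office attachment {filename}")
    if ext in ARCHIVE_EXTENSIONS:
        # The advisory says not to open ZIP attachments at all; we still
        # look inside so the log says what the archive carried.
        reasons.append(f"ZIP attachment {filename}")
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                for member in zf.namelist():
                    inner = _ext(member)
                    if inner in SCRIPT_EXTENSIONS or inner in MACRO_EXTENSIONS:
                        reasons.append(f"{filename} contains {member}")
        except zipfile.BadZipFile:
            reasons.append(f"{filename} is not a valid ZIP archive")
    return reasons


def screen_message(raw_bytes):
    """Parse a raw RFC 5322 message and screen every attachment.
    Returns {filename: [reasons]} for attachments that should be blocked."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    blocked = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        reasons = screen_attachment(name, part.get_payload(decode=True) or b"")
        if reasons:
            blocked[name] = reasons
    return blocked


def build_sample_message():
    """Construct a sample lure: a subject from the text, a ZIP holding a
    placeholder .js file, a placeholder macro-enabled document, and one
    harmless text file.  Sample data only; nothing here is executable."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("scan_0001.js", "// placeholder, not a real dropper")
    msg = EmailMessage()
    msg["Subject"] = "please print"
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg.set_content("Please see the attached documents.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="scans.zip")
    msg.add_attachment(b"placeholder macro document", maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12",
                       filename="invoice.docm")
    msg.add_attachment("plain text", filename="readme.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, why in screen_message(build_sample_message()).items():
        print(f"BLOCK {name}: " + "; ".join(why))
```

The check is by file name and archive listing only, which is what a gateway can do cheaply; it complements rather than replaces the antivirus and the Office macro setting the list recommends.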

Reference:
http://www.cyberswachhtakendra.gov.in/alerts/locky_ransomware.html