
Locky is a new encryption ransomware that uses macro scripts in malicious attachments (initially Word documents) to deliver the malware payload [1][2]. The payload proceeds to encrypt almost all local files as well as files on network shares. Instructions for purchasing the decryption key using bitcoins are then presented (originally 0.5 – 1 bitcoin(s) [~R3000-R6500 (03/16)]) [3]. Paying the “ransom” seems to result in successful recovery of files, though this reportedly isn’t always the case.

See references and further reading for more information including samples.

Means of infection

Macros in malicious email attachments, particularly Word files [4]. The emails are sent in the guise of invoices, but other variants have been seen. Various email addresses are used including spoofed ones.

Detection

“If you see .locky extension files appearing on your network shares, look up the file owner on _Locky_recover_instructions.txt file in each folder. This will tell you the infected user. Lock their AD user and computer account immediately and boot them off the network — you will likely have to rebuild their PC from scratch.” [2]
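The owner lookup described in the quote can be scripted across a whole share. The following is an added example, not code from this page or from the quoted author; `$SharePath` is a hypothetical placeholder and the script assumes an account that can read file ACLs on the share.

```powershell
# Added example: find Locky artifacts on a share and attribute them to a file owner.
param(
    [string]$SharePath = '\\fileserver\share'   # hypothetical path, replace with your own
)

$noteName = '_Locky_recover_instructions.txt'   # ransom note name from the quote above

# Collect ransom notes and .locky files; unreadable folders are skipped, not fatal.
$hits = Get-ChildItem -LiteralPath $SharePath -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -eq $noteName -or $_.Extension -eq '.locky' }

# Resolve the NTFS owner of every artifact found.
$records = foreach ($f in $hits) {
    $owner = try {
        (Get-Acl -LiteralPath $f.FullName -ErrorAction Stop).Owner
    } catch {
        'UNKNOWN (ACL unreadable)'
    }
    [pscustomobject]@{
        Owner   = $owner
        Kind    = if ($f.Name -eq $noteName) { 'note' } else { 'encrypted' }
        Created = $f.CreationTimeUtc
        Path    = $f.FullName
    }
}

# One row per owner: how much was touched and when activity started and stopped.
$summary = $records | Group-Object Owner | ForEach-Object {
    $byTime = $_.Group | Sort-Object Created
    [pscustomobject]@{
        Owner          = $_.Name
        Notes          = @($_.Group | Where-Object Kind -eq 'note').Count
        EncryptedFiles = @($_.Group | Where-Object Kind -eq 'encrypted').Count
        FirstSeenUtc   = ($byTime | Select-Object -First 1).Created
        LastSeenUtc    = ($byTime | Select-Object -Last 1).Created
    }
}

$summary | Sort-Object FirstSeenUtc | Format-Table -AutoSize
```

The account with the earliest `FirstSeenUtc` and the largest counts is the first candidate for the lock-out described above; the per-file `$records` list doubles as the inventory of what needs restoring from backup.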

Recovery

Disconnect the infected PC from the network immediately. Unfortunately, apart from paying the ransom (which we don’t advocate), there is no known (to us) method of recovering encrypted files. Clean the malware and restore from backups. Where no backups are available (or the backups, whether local or on a network share, appear infected), some alternative approaches may work [5].

Recommendations

  1. Back up local and shared drives regularly (daily/weekly?) and store backups off-line/off-net
  2. Educate users on spam and particularly not opening suspicious attachments
  3. Flag emails using spoofed addresses (inconsistent “source” and “from”)
  4. Disable macros by default. Only enable on trusted documents if required
  5. Make sure anti-virus and email security (if applicable) product definitions are constantly updated
  6. Verify that backups can be restored (i.e. are usable and working correctly)

Further reading

References

[1] PhishMe: Locky – New Malware Borrowing Ideas From Dridex and Other Ransomware

[2] Medium: Locky ransomware virus spreading via Word documents [Kevin Beaumont]

[3] Bleeping Computer: The Locky Ransomware Encrypts Local Files and Unmapped Network Shares [Lawrence Abrams]

[4] Symantec: Locky ransomware on aggressive hunt for victims

[5] Comments @ Bleeping Computer: The Locky Ransomware Encrypts Local Files and Unmapped Network Shares [Lawrence Abrams]