Locky is new encryption ransomware utilising macro scripts in malicious attachments (initially Word documents) to deliver the malware payload1
See references and further reading for more information including samples.
Means of infection
Macros in malicious email attachments, particularly Word files4. The emails are sent in the guise of invoices, but other variants have been seen. Various email addresses are used including spoofed ones.
“If you see .locky extension files appearing on your network shares, look up the file owner on _Locky_recover_instructions.txt file in each folder. This will tell you the infected user. Lock their AD user and computer account immediately and boot them off the network — you will likely have to rebuild their PC from scratch.”2
Disconnect the infected PC immediately from the network. Unfortunately, besides from paying the ransom (which we don’t advocate), there is no known (to us) method of recovering encrypted files. Clean the malware and restore from backups. In the case where no backups are available (or backups appear infected – local/network share) some alternative approaches may work5.
- Backup local and shared drives regularly (daily/weekly?) and store backups off-line/off-net
- Educate users on spam and particularly not opening suspicious attachments
- Flag emails using spoofed addresses (inconsistent “source” and “from”)
- Disable macros by default. Only enable on trusted documents if required
- Make sure anti-virus and email security (if applicable) product definitions are constantly updated
- Verify that backups can be restored (i.e. are usable and working correctly)
- Medium: You, your endpoints and the Locky virus [Kevin Beaumont]
- IOCs @ Palo Alto Networks: Locky: New Ransomware Mimics Dridex-Style Distribution
- What to do? @ Naked Security by Sophos: ‘Locky’ ransomware – what you need to know
- Malwarebytes: Look Into Locky Ransomware
- Avast: A closer look at the Locky ransomware