Locky Ransomware

Locky is new encryption ransomware utilising macro scripts in malicious attachments (initially Word documents) to deliver the malware payload^1 2. The payload proceeds to encrypt almost all local files as well as files on network shares. Instructions for purchasing the decryption key using bitcoins are then presented (originally 0.5 – 1 bitcoin(s) [~R3000-R6500 (03/16)])³. Paying the “ransom” seems to result in successful recovery of files though this reportedly isn’t always the case.

See references and further reading for more information including samples.

Means of infection

Macros in malicious email attachments, particularly Word files⁴. The emails are sent in the guise of invoices, but other variants have been seen. Various email addresses are used including spoofed ones.

Detection

“If you see .locky extension files appearing on your network shares, look up the file owner on _Locky_recover_instructions.txt file in each folder. This will tell you the infected user. Lock their AD user and computer account immediately and boot them off the network — you will likely have to rebuild their PC from scratch.”²

Recovery

Disconnect the infected PC immediately from the network. Unfortunately, besides from paying the ransom (which we don’t advocate), there is no known (to us) method of recovering encrypted files. Clean the malware and restore from backups. In the case where no backups are available (or backups appear infected – local/network share) some alternative approaches may work⁵.

Recommendations

1. Backup local and shared drives regularly (daily/weekly?) and store backups off-line/off-net
2. Educate users on spam and particularly not opening suspicious attachments
3. Flag emails using spoofed addresses (inconsistent “source” and “from”)
4. Disable macros by default. Only enable on trusted documents if required
5. Make sure anti-virus and email security (if applicable) product definitions are constantly updated
6. Verify that backups can be restored (i.e. are usable and working correctly)

Further reading

• Medium: You, your endpoints and the Locky virus [Kevin Beaumont]
• IOCs @ Palo Alto Networks: Locky: New Ransomware Mimics Dridex-Style Distribution
• What to do? @ Naked Security by Sophos: ‘Locky’ ransomware – what you need to know
• Malwarebytes: Look Into Locky Ransomware
• Avast: A closer look at the Locky ransomware

References

¹PhishMe: Locky – New Malware Borrowing Ideas From Dridex and Other Ransomware

²Medium: Locky ransomware virus spreading via Word documents [Kevin Beaumont]

³Bleeping Computer: The Locky Ransomware Encrypts Local Files and Unmapped Network Shares [Lawrence Abrams]

⁴Symantec: Locky ransomware on aggressive hunt for victims

⁵Comments @ Bleeping Computer: The Locky Ransomware Encrypts Local Files and Unmapped Network Shares [Lawrence Abrams]