In our last post we discussed the evolution of ransomware, and we covered some of the reasons why ransomware was spreading so quickly right now. In this post we'll go into more detail on that, with emphasis on what makes Locky so dangerous to potential victims.
Locky was identified in mid-February, and within 2 weeks had become the second most prevalent version of ransomware around the world. Locky has been spread primarily through spam email with Word attachments. The attachment contains a malicious macro and is usually presented as an invoice. When the user opens the Word document, the text appears scrambled and the user is instructed to enable macros. Enabling the macros allows the malware to contact a remote server, download an executable, and run the file. This executable is the Locky ransomware, which executes immediately and begins encrypting files on the computer and on network shares, including shares that are not mapped to a drive letter.
Locky has also used .js and .zip file attachments to infect PCs.
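The delivery chain above relies on the attachment reaching the user at all. As an added illustration (not Barracuda's code or any product's implementation), the following Python filter applies a gateway-style attachment policy to a constructed "invoice" message: macro-enabled Office files and script files are blocked outright, zip archives are opened in memory and their members are judged by the same rules, and legacy binary Office formats such as .doc, which cannot be told apart from macro-free documents by name alone, are routed to sandbox analysis. The extension lists, the three verdicts, and the sample message are assumptions made for this example.

```python
"""Attachment policy filter for an inbound mail gateway (added example).

Assumptions (not from the original post): quarantine macro-enabled Office
files, script files, and archives containing either; legacy binary Office
formats cannot be classified by name alone, so they go to a sandbox instead.
"""
import email
import io
import zipfile
from email.message import EmailMessage
from pathlib import PurePosixPath

MACRO_ENABLED = {".docm", ".dotm", ".xlsm", ".xlam", ".pptm"}
SCRIPT_FILES = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".ps1"}
LEGACY_OFFICE = {".doc", ".dot", ".xls", ".rtf"}   # may or may not carry VBA
ARCHIVES = {".zip"}


def suffix(name):
    return PurePosixPath(name.lower()).suffix


def classify_name(name):
    """Verdict from the file name alone: block, sandbox, or allow."""
    ext = suffix(name)
    if ext in MACRO_ENABLED or ext in SCRIPT_FILES:
        return "block"
    if ext in LEGACY_OFFICE:
        return "sandbox"
    return "allow"


def classify_zip(data):
    """Open the archive in memory and apply the same rules to each member."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            verdicts = [classify_name(i.filename) for i in zf.infolist() if not i.is_dir()]
    except zipfile.BadZipFile:
        return "block"  # malformed archive: never pass it through unexamined
    if "block" in verdicts:
        return "block"
    if "sandbox" in verdicts:
        return "sandbox"
    return "allow"


def classify_attachment(name, data):
    if suffix(name) in ARCHIVES:
        return classify_zip(data)
    return classify_name(name)


def evaluate_message(raw):
    """Return (overall verdict, [(filename, verdict), ...]) for a raw RFC 822 message."""
    msg = email.message_from_bytes(raw)
    results = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue  # body text and multipart containers have no filename
        results.append((name, classify_attachment(name, part.get_payload(decode=True))))
    order = {"block": 2, "sandbox": 1, "allow": 0}
    overall = max((v for _, v in results), key=order.get, default="allow")
    return overall, results


def build_sample():
    """Constructed sample: an 'invoice' mail with a .doc and a zip holding a .js."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice_scan.js", "// constructed placeholder content\n")
    m = EmailMessage()
    m["From"] = "billing@example.invalid"
    m["To"] = "user@example.invalid"
    m["Subject"] = "Invoice J-98223"
    m.set_content("Please see the attached invoice.")
    m.add_attachment(b"\xd0\xcf\x11\xe0placeholder", maintype="application",
                     subtype="msword", filename="invoice_J-98223.doc")
    m.add_attachment(buf.getvalue(), maintype="application",
                     subtype="zip", filename="invoice.zip")
    return m.as_bytes()


if __name__ == "__main__":
    verdict, details = evaluate_message(build_sample())
    for n, v in details:
        print(f"{n}: {v}")
    print("overall:", verdict)
```

The point of the "sandbox" verdict is the caveat a name-based policy has to live with: Locky's lures arrived as plain .doc invoices, so a rule that only blocks .docm would have let them through; legacy formats need content inspection or detonation rather than an allow.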
Locky uses the AES encryption algorithm to encrypt files. It will not encrypt certain types of system files, but it will encrypt all user data, which it identifies based on file extension. It also renames the files it encrypts, making it more difficult to restore data. Locky deletes all Volume Shadow Copies so that the victim cannot restore from them instead of paying the ransom. Finally, Locky creates a ransom note and copies it to every directory where files have been encrypted. The ransom note includes links to a decrypter page, which provides instructions on “how to buy Locky decrypter.”
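Two of the behaviours just described, mass renaming of user files to a new extension and the same ransom note appearing in directory after directory, are visible on the endpoint before the ransom note is ever read. The following Python detector, added here as an example and not taken from Barracuda or from any product, consumes a constructed stream of file-activity events of the kind an EDR or file-auditing agent emits and raises an alert when one process renames many files to a single new extension across several directories within a short window, or writes an identically named file into several directories. The event field names, the thresholds, the ".encrypted" extension and the note filename are all assumptions made for this example.

```python
"""Behavioural detection for the ransomware file-system pattern (added example).

Event fields (assumed): ts (seconds), pid, op in {"rename", "create"},
src/dst for renames, path for creates. Thresholds are illustrative.
"""
from collections import defaultdict, deque
from pathlib import PureWindowsPath

RENAME_THRESHOLD = 20   # renames to one new extension by one process ...
RENAME_WINDOW = 60.0    # ... within this many seconds
MIN_DIRS = 3            # ... spread over at least this many directories
NOTE_DIR_THRESHOLD = 5  # same filename written into this many directories


class RansomwareDetector:
    def __init__(self):
        self.renames = defaultdict(deque)  # (pid, new_ext) -> deque of (ts, dir)
        self.created = defaultdict(set)    # (pid, filename) -> set of dirs
        self.alerts = []                   # (pid, kind, detail), one per pid/kind

    def feed(self, ev):
        pid = ev["pid"]
        if ev["op"] == "rename":
            src, dst = PureWindowsPath(ev["src"]), PureWindowsPath(ev["dst"])
            if src.suffix.lower() == dst.suffix.lower():
                return  # ordinary rename, extension unchanged: ignore
            key = (pid, dst.suffix.lower())
            q = self.renames[key]
            q.append((ev["ts"], str(dst.parent)))
            while q and ev["ts"] - q[0][0] > RENAME_WINDOW:
                q.popleft()  # slide the window
            dirs = {d for _, d in q}
            if len(q) >= RENAME_THRESHOLD and len(dirs) >= MIN_DIRS:
                self._alert(pid, "mass-rename",
                            f"{len(q)} files renamed to {key[1]} across {len(dirs)} dirs")
        elif ev["op"] == "create":
            p = PureWindowsPath(ev["path"])
            dirs = self.created[(pid, p.name.lower())]
            dirs.add(str(p.parent))
            if len(dirs) == NOTE_DIR_THRESHOLD:
                self._alert(pid, "note-drop", f"{p.name} written to {len(dirs)} dirs")

    def _alert(self, pid, kind, detail):
        if not any(a[0] == pid and a[1] == kind for a in self.alerts):
            self.alerts.append((pid, kind, detail))


def build_sample():
    """Constructed events: pid 4242 renames files across four folders (two of
    them network shares) and drops a note; pid 7 does a few normal renames."""
    events, t = [], 0.0
    folders = [r"C:\Users\alice\Documents", r"C:\Users\alice\Pictures",
               r"\\fileserver\shared\finance", r"\\fileserver\shared\hr"]
    for i in range(24):
        d = folders[i % len(folders)]
        events.append({"ts": t, "pid": 4242, "op": "rename",
                       "src": f"{d}\\file{i}.docx",
                       "dst": f"{d}\\{i:032x}.encrypted"})  # placeholder extension
        t += 0.5
    for d in folders + [r"C:\Users\alice\Desktop", r"C:\Users\alice\Music"]:
        events.append({"ts": t, "pid": 4242, "op": "create",
                       "path": f"{d}\\_RECOVER_INSTRUCTIONS.txt"})  # placeholder name
        t += 0.1
    for i in range(5):  # benign: a build tool renaming temp files in one folder
        events.append({"ts": t, "pid": 7, "op": "rename",
                       "src": f"C:\\temp\\draft{i}.tmp", "dst": f"C:\\temp\\draft{i}.txt"})
        t += 1.0
    return events


def run(events):
    det = RansomwareDetector()
    for ev in events:
        det.feed(ev)
    return det.alerts


if __name__ == "__main__":
    for pid, kind, detail in run(build_sample()):
        print(f"ALERT pid={pid} {kind}: {detail}")
```

The directory-spread condition is what keeps a bulk export or a build tool renaming files in one folder from tripping the rule; the ransom-note rule keys on the same filename landing in many directories rather than on any particular name, so it does not depend on knowing the note's name in advance.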
Security experts say there are several reasons why Locky is spreading so quickly:
- Information gleaned from social media research has been used to customize the email, making it easier to gain the victim's trust. This research is automated with advanced scraping software that scans profiles and then delivers the malicious email messages to victims.
- It appears that Locky is being distributed by the criminals associated with the Dridex banking trojan, which has been a dominant threat for over a year. This means the criminals are experienced with malware and have an established botnet infrastructure and spam operation to manage and distribute the Locky attacks.
- Locky uses both AES-128 and RSA encryption. There is currently no way to decrypt Locky-encrypted files without the attackers' decryption key.
- Locky's operators are able to change domains every day. This means that organizations cannot block Locky simply by blocking the domains used to host the software.
- Rather than targeting a single enterprise for a large ransom, the Locky attacks have pursued smaller ransoms on a global basis. Organizations of all sizes are targets.
As with all ransomware, protection from Locky requires a comprehensive security and storage strategy. Network firewalls, email security, and web filtering can prevent spam from reaching users and can block downloads of malicious attachments. A good backup system and disaster recovery plan will help you restore your data in the event that you are compromised.
For more information on ransomware, follow our blog series here. For more on Barracuda solutions that can help protect you from attacks like Locky, visit these product sites:
Barracuda Email Security Gateway and Barracuda Email Security Service: Barracuda email security products feature comprehensive spam and virus protection, link protection, Advanced Threat Detection, and more. These solutions are designed to stop email borne threats before they arrive at the network. In the event that the threat is already inside the network, these solutions include outbound protection, to prevent corporate resources from sending data to an attacker or being used as part of a botnet.
Barracuda Web Security Gateway and Barracuda Web Security Service: Barracuda web security solutions protect users from drive-by downloads and 'phone home' activity. Both of these techniques are used in successful ransomware attacks.
Barracuda NextGen Firewall: Barracuda network security solutions are suitable for networks of any size. These next-generation solutions feature advanced security capabilities, including integrated Intrusion Prevention (IPS), URL filtering and antivirus to identify and block evasion attempts that would trick traditional systems. Barracuda’s security extends beyond your network to Barracuda’s Advanced Threat Detection (ATD) cloud for both statistical and sandboxing analysis of zero-day and targeted threats that routinely bypass signature-based IPS and antivirus engines.
Barracuda Essentials for Office 365: Barracuda offers a complete suite of security for Office 365 customers. Barracuda Essentials provides multi-layer security, archiving, and backup for Microsoft Office 365. This allows organizations to prepare, migrate, and operate faster, safer, and more efficiently in Office 365.
Barracuda Backup and Barracuda Message Archiver: In the event of data loss due to ransomware or another incident, Barracuda data protection solutions can help you restore data quickly and securely. Barracuda Backup is a unified, cost-effective data protection solution for protecting physical, virtual, SaaS, and cloud-hosted environments. The Barracuda Message Archiver is a powerful yet simple platform for archiving, storage, eDiscovery, and compliance.
Barracuda Web Application Firewall: Barracuda website security solutions are designed to protect your web applications from data breaches and defacement. Because Locky and other ransomware are being spread through drive-by downloads and other web-borne attacks, servers without application firewall protection are potentially part of the ransomware infrastructure. The Barracuda Web Application Firewall provides application attack and DDoS protection, URL tamper prevention, data loss prevention, and more.
We offer a risk-free, 30-day evaluation of our security and storage products. Visit our corporate site here to learn more.