Have you opened any invoice attachments lately? Now, there's a new ransomware called Locky that's joined the ranks of viruses like CryptoLocker and CryptoWall. This latest malware threat was detected just last week and already, IT service providers and MSPs have discovered that it's spread at an alarming rate, employing sophisticated social engineering tactics and bypassing antivirus (AV), spam filtering and web filtering solutions. According to Dark Reading, Kevin Beaumont, one of the first security researchers to unearth Locky, revealed he had seen "around 4,000 new infections per hour, or roughly 100,000 per day."
How does Locky work? What does it reveal about the state of ransomware and next generation cyber threats? What do you need to know to protect clients? Answers to all this and more!
What is Locky?
Locky is the latest strain of ransomware that uses two forms of social engineering to encrypt files, filenames and unmapped network shares.
How is Locky Installed?
Like its ransomware predecessors, Locky relies on email phishing to successfully install. So far, experts report that hackers email victims a fake invoice, hoping they'll download the malicious attachment. Bleeping Computer has already warned readers to watch out for emails with subjects similar to ATTN: Invoice J-98223146. As we know, hackers use social engineering to convince targets they're trustworthy by appearing legitimate when communicating online or over the phone. For now, Locky can't be successfully launched without getting the victim to comply. After examining the sophistication of the text in the body of the Locky email, it's easy to see how attackers are able to gain buy-in. See the following screenshot of the email message taken from Lawrence Abrams's incredibly helpful article:
The attack doesn't end there, however. Locky must get past another security layer. Once the attached document is opened, the text appears illegible, and the reader is prompted to enable macros "if the data encoding is incorrect." Yet again, the criminal mastermind(s) depend on user error to carry out their mission. Be sure to instruct end users never to enable macros without first consulting you. Remember that when it comes to security awareness training and preventing malware, they don't know what they don't know. In other words, the only way they'll learn not to click malicious links, open false files or enable ransomware-downloading macros is if you teach them how and why it is dangerous to do so.
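As an added illustration (not code from the original post), here is a simple mail-gateway triage check a defender could run against the two lure components described above: a subject matching the fake-invoice pattern and an Office attachment capable of carrying macros. The subject regex is generalised from the single quoted subject "ATTN: Invoice J-98223146" and is an assumption, not a published rule; the sample attachments are constructed in-memory.

```python
import io
import re
import zipfile
from dataclasses import dataclass

# Generalised from the lure subject quoted above; the letter-dash-digits shape is an assumption.
INVOICE_SUBJECT = re.compile(r"^ATTN:\s*Invoice\s+[A-Z]-\d{6,}\s*$", re.IGNORECASE)
# Legacy binary Office formats are not zip containers, so treat them as macro-capable.
LEGACY_OFFICE = (".doc", ".xls", ".ppt")
OOXML = (".docx", ".docm", ".dotm", ".xlsx", ".xlsm", ".pptx", ".pptm")


@dataclass
class Attachment:
    filename: str
    data: bytes


def has_vba_project(data: bytes) -> bool:
    """True if a zip-based Office document carries a VBA project part (vbaProject.bin)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def attachment_is_macro_risk(att: Attachment) -> bool:
    name = att.filename.lower()
    if name.endswith(LEGACY_OFFICE):
        return True
    return name.endswith(OOXML) and has_vba_project(att.data)


def triage(subject: str, attachments: list) -> list:
    """Return the reasons to hold a message for review; an empty list means clean."""
    reasons = []
    if INVOICE_SUBJECT.match(subject):
        reasons.append("subject matches fake-invoice lure")
    for att in attachments:
        if attachment_is_macro_risk(att):
            reasons.append(f"macro-capable attachment: {att.filename}")
    return reasons


def make_docx(with_macro: bool) -> bytes:
    """Build a minimal constructed OOXML container for testing, not a real document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"constructed placeholder")
    return buf.getvalue()
```

A held message should be routed to the MSP for review rather than silently dropped, so users learn what a lure looks like.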
What Happens When Locky is Installed?
I encourage you to check out the references linked at the bottom of the post for full technical details on Locky, but consider the following summary. Essentially, by enabling macros, users run code that saves the ransomware file to their disk and executes it. Once they do so, Locky then encrypts data and changes filenames to be indecipherable. It's worth noting that a wide array of file extensions is compromised in the process, including videos, images, documents and source code. Not only that, but as a Naked Security by Sophos article explains, Locky "scrambles any files in any directory on any mounted drive that it can access, including removable drives that are plugged in at the time, or network shares that are accessible, including servers and other people's computers, whether they are running Windows, OS X or Linux." The takeaway here is that you should only log in as a domain administrator when it's absolutely necessary. Otherwise, you give attackers more power, should you get hit with ransomware while logged in.
Locky wouldn't be classified as ransomware if it didn't demand some form of Bitcoin payment to decrypt the affected files. Once infected, victims' desktop wallpapers are changed, displaying the following ransom payment process instructions:
How Does Locky Behave Like Previous Ransomware?
In reviewing the details of this malware attack, it should be evident that you're not dealing with an entirely new cybercrime creation. Hackers don't reinvent the wheel every time they deploy a new threat, but rather find new ways to conceal their attack and extend its impact. Besides using email phishing as an attack vector, certain aspects of Locky should already be familiar to you. Recall when we first reported on CryptoWall 4.0. Unlike previous versions that just encrypt files, CryptoWall 4.0 also encrypts filenames, making it impossible to know which files are locked. We suggested that perhaps attackers did this to make victims even more frustrated and desperate to pay the ransom. Well, it seems that the creators of Locky pursued the same strategy because, as we learned above, the ransomware picks up where CryptoWall left off by also scrambling filenames.
One of the more disquieting features of Locky is that it encrypts data on network shares even when they aren't mapped to a local drive. As Bleeping Computer reports, Locky takes its cue from DMA Locker in this regard. Because we've seen this occur more than once, encrypting data on unmapped network shares may be a new trend in ransomware that IT solutions providers, system administrators and MSPs need to watch out for.
How Many Security Layers Must Locky Get Past?
We've already addressed the human error component of a successful attack, but let's not forget that the email has to make it to recipients' inboxes for Locky to be installed (at least in its current version). For a clearer picture of the various security layers the ransomware must penetrate, refer to the following attack flow diagram taken from a blog post by security awareness authority, KnowBe4:
What Preventative Steps Must All MSPs Take?
1. Work with the right AV and antimalware vendor for endpoint security so that you can catch Locky and other ransomware early.
2. Restrict access and use of your domain administrator login. Avoid risky actions such as browsing the Internet and opening files while logged in.
3. Update systems and patch regularly. While this may not directly stop Locky, it's a best practice for malware prevention in general because it corrects vulnerabilities in desktop applications that hackers can exploit.
4. Use your client communication channels to warn users about Locky and what to look for. Remind them not to trust or open any emails that appear suspicious or are unexpected. Instruct them to alert you if they believe they've been targeted and never to pay any ransom demanded of them. Remind them of the various social engineering tactics hackers employ in an attempt to get them to click links and open attachments. Additionally, inform them never to enable macros without first checking with you.
5. Think about installing Microsoft Office viewer applications to let clients preview documents before opening them. This step isn't mandatory, but it is a useful suggestion from the same Naked Security by Sophos article referenced above, since the viewer software doesn't support macros.
6. Most importantly, leverage the right backup and disaster recovery (BDR) solution and back up regularly.
What Role Does Backup Play in Locky Risk Mitigation?
This last preventative step is a point we can't emphasize enough! The only way to get corrupted data back without paying the ransom, which currently ranges from 0.5 to 2 Bitcoins ($208 to $800), is through your most recent backup. If you don't already recognize the absolute necessity of backup to protect and restore client data from all instances of data breaches and data loss, consider the fact that Locky deletes any existing Volume Snapshot Service (VSS) files and encrypts network-based backup files. Evade this trap, and choose a business-grade BDR solution that lets you efficiently back up encrypted data offsite to a secure, trusted public cloud. It's your only fail-safe when ransomware like Locky strikes.
For more information, check out: