As an IT professional, you know how relentless ransomware attacks have become. Recently, a variant of the notorious Locky ransomware has been distributed in a large-scale email campaign that managed to slip past the defenses of some unsuspecting companies.
On August 9, the first wave of a massive, worldwide ransomware campaign was detected, and 62,000 phishing emails tied to it had been identified as of last week. The campaign is still unfolding, with messages sent from more than 11,625 distinct IP addresses in 133 countries (the top five being Vietnam, India, Mexico, Turkey and Indonesia). As an MSP, here is what you need to know about this new Locky variant and how you can keep yourself and your clients protected against it.
Looking Out for Locky
Locky is a widespread ransomware family that emerged in 2016 and has since been used in a wide range of cyber attacks. This new variant, however, is one we have not seen before. So how exactly does it work, and what should MSPs be aware of from a cybersecurity standpoint?
This Locky variant spreads mainly through social engineering. Phishing emails trick or induce users into opening a docx, pdf, jpg, zip or other attachment carrying the ransomware, which has been dubbed "IKARUSdilapidated" after a string that appears in its code. Once the user opens the attachment, the ransomware takes over.
From there, every file matching a list of targeted extensions is encrypted and renamed to a unique 16-character string of letters and digits with the .locky file extension. Once encryption completes, the victim is given instructions for downloading the Tor browser and directed to a dark web site where the criminals demand a ransom of up to one bitcoin (over $4,000 at the time of writing).
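The renaming behaviour described above is the most visible artifact Locky leaves on disk, and it is something an MSP can sweep for across client file shares after an infection is suspected. The following scanner is an added example written for this post; it is not code from the original article, from Continuum or from Webroot. It takes the naming rule from the text (a 16-character alphanumeric stem plus the .locky extension), groups hits by directory, and flags directories where the count reaches a threshold so that a lone lookalike file does not trigger a page. The threshold value and the sample Windows paths are constructed assumptions for this example.

```python
"""Sweep a list of file paths (or a real directory tree) for Locky-style encrypted files.

Added example for this post, not code from the original article or any vendor.
The naming rule (16 letters/digits + ".locky") is taken from the post; the
threshold and the sample paths below are assumptions made for the example.
"""
import os
import re
from collections import defaultdict

# Locky renames each victim file to a 16-character string of letters and digits
# followed by the ".locky" extension. Anchors keep "notes.locky" or
# "ABC...locky.bak" from matching.
LOCKY_NAME = re.compile(r"^[A-Za-z0-9]{16}\.locky$")


def is_locky_artifact(filename: str) -> bool:
    """True when a bare filename matches the Locky naming pattern."""
    return bool(LOCKY_NAME.match(filename))


def scan_paths(paths, threshold=3):
    """Count Locky-style names per directory.

    Returns (flagged, summary): `summary` maps each directory to
    {"locky": hits, "total": files seen}; `flagged` holds only the
    directories whose hit count reached `threshold`.
    Backslashes are normalised so Windows and POSIX paths group the same way.
    """
    per_dir = defaultdict(lambda: {"locky": 0, "total": 0})
    for path in paths:
        directory, _, name = path.replace("\\", "/").rpartition("/")
        entry = per_dir[directory or "."]
        entry["total"] += 1
        if is_locky_artifact(name):
            entry["locky"] += 1
    flagged = {d: v for d, v in per_dir.items() if v["locky"] >= threshold}
    return flagged, dict(per_dir)


def scan_tree(root, threshold=3):
    """Walk a real directory tree and apply the same heuristic to every file."""
    paths = [os.path.join(dirpath, f)
             for dirpath, _, files in os.walk(root) for f in files]
    return scan_paths(paths, threshold)


# Constructed sample: a user profile after a partial infection (assumption).
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\budget.xlsx",
    r"C:\Users\alice\Documents\A1B2C3D4E5F60718.locky",
    r"C:\Users\alice\Documents\0F9E8D7C6B5A4321.locky",
    r"C:\Users\alice\Documents\ZZZZ9999AAAA0000.locky",
    r"C:\Users\alice\Documents\notes.locky",          # wrong stem length: not Locky naming
    r"C:\Users\alice\Desktop\7A7A7A7A7A7A7A7A.locky",
    r"C:\Users\alice\Desktop\photo.jpg",
    r"C:\Users\alice\Desktop\readme.txt",
]

if __name__ == "__main__":
    flagged, summary = scan_paths(SAMPLE_PATHS)
    for directory, counts in summary.items():
        marker = "ALERT" if directory in flagged else "ok   "
        print(f"{marker} {directory}: {counts['locky']}/{counts['total']} Locky-style files")
```

Run `scan_tree(r"\\fileserver\share")` (or any mounted path) for a real sweep. This is an after-the-fact indicator, not prevention: by the time .locky files appear, encryption is already under way, so a hit should trigger isolation of the host and a restore from backup rather than further investigation on the live system.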
Many endpoint protection products have been updated to detect Locky, but this variant slips past some of them simply because it is so new. A tool that has never seen the file treats it as an "unknown file" and lets it in unless the organization enforces a "default-deny" posture, which blocks every unknown file from the IT infrastructure until it has been verified safe. That is what makes this variant harder to detect and remediate.
On the Pulse of Ransomware as an MSP or MSSP
For MSPs offering security services to small- and medium-sized businesses (SMBs), or those looking to make the transition to MSSP, it is vital to educate your clients and to provide the right tools to minimize this serious risk. Antivirus and firewalls are effective at reducing risk, but your clients need a more robust security solution to defend against an increasingly dangerous threat landscape. For this particular type of ransomware, an effective posture must both detect and respond to threats and block all unknown files from the IT infrastructure until they are verified as safe.
Unfortunately, no matter how strong the security solutions, some attacks will continue to slip through the cracks. MSPs and MSSPs who want to fully protect their clients must therefore implement a proper, reliable backup and disaster recovery (BDR) solution, with both online and offline backups, as the ultimate failsafe against a successful attack. An offline copy matters because ransomware that reaches a mapped backup share will encrypt it along with everything else.
Continuum Partners: Webroot already protects against these attacks, and its real-time anti-phishing capabilities also protect against the initial phishing emails and phishing sites. Should you have any further questions about protection against this new variant, you can get in touch with us here.
By Lily Teplow