Security Trends/Attacks
Arctic Wolf Networks

Locky Is Back With a Vengeance

There are few strains of ransomware that have the name recognition of Locky. In its heyday back in 2016, the prolific strain of encryption malware was infecting up to 90,000 computers every day, according to Forbes, many of which were inside health care institutions.

However, the strain seemed to be waning in early March, or, as BleepingComputer put it, “slowly fading away.” In reality, Locky was just setting the stage for its dramatic, if not entirely disconcerting, encore.

Like a cockroach that refuses to die, Locky returned in mid-August, this time using the encryption extension .lukitus, which means “locked” in Finnish. The strain resurfaced in a series of spam email campaigns. Recipients received a message that appeared to be sent from their organization’s printer or scanner. These messages were crafted using the model numbers of some of the most commonly used printers, adding an additional layer of authenticity to the scam.

Setting the stage for round two

“More than 23 million malicious emails were dispersed within 24 hours.”

Unfortunately, the mid-August campaign was just round one of Locky’s resurgence. The second wave arrived on Aug. 28. According to ZDNet, more than 23 million emails containing the malware were dispersed within a 24-hour time period, making this “one of the largest malware campaigns of this half of the year.”

Many of the subject lines were left intentionally vague, and included phrases like “please print,” “documents,” “photos,” “images,” “scans,” and “pictures,” according to TechRepublic. A ZIP attachment was included with each message, and within that was a second ZIP file containing a Visual Basic Script (VBS) file. Once the user clicks on that file, a downloader reaches out to “greatesthits[dot]mygoldmusic[dotcom].” At this point, the malware is delivered, and the encryption begins.

Any infected user will subsequently receive a ransom message demanding 0.5 bitcoin, which equates to $2,150.

According to BankInfoSecurity, other users received a different variant of the phishing campaign that mimicked a message from Dropbox, and used the email address “no-reply@dropbox.com.” The message included a link asking users to verify their email address. When selected, that link leads to any number of legitimate websites that have been compromised by hackers, and altered to look like the Dropbox site. Visiting that site can result in infection either through a zipped attack file or through a malicious JavaScript file that attempts to download the payload.

As of this writing, there is no available estimation for how many people were affected.

Prevention is the only protection against Locky

Also as of this writing, there are no known public decryption methods for this strain of Locky ransomware. Once a computer is locked down, there is no way to salvage the data short of paying the ransom.

This means that the only true defense against Locky’s newest iteration (called IKARUSdilapidated) is prevention. First and foremost, know what to look for. Any emails with the aforementioned subject headers (vague file references, print documents or Dropbox email verifications) should immediately be brought to the attention of IT personnel.

Further, because there is no public decryption method available, it’s almost a guarantee that there will be more waves to come. Therefore, it is extraordinarily important to instruct all lines of business not to open any file attachments that do not have context in the body of the email – even if those attachments were sent from a known contact. There is always a possibility that a contact’s email address has been compromised, and is being used to disseminate Locky. And, given what we know about this new strain of Locky, it is much better to be safe than sorry.

Other crucial steps to defend against Locky include:

  • Back up all critical data files, and air-gap those backups.
  • Use strong anti-malware or anti-virus software on your mission-critical endpoints.
  • Keep Macros disabled, and do not enable them upon request unless you are absolutely certain that the sender is trustworthy, and is in fact who they claim to be.
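The delivery chain described earlier (a ZIP inside a ZIP, with a VBS file at the bottom) and the vague subject lines to watch for can both be turned into a mail-gateway check. The script below is an added example, not code from Arctic Wolf or from the campaign; the script extensions beyond .vbs, the recursion limit, and the sample attachment it builds are all assumptions for illustration.

```python
import io
import zipfile

# Subject-line fragments the post reports the campaign using.
SUSPICIOUS_SUBJECTS = ("please print", "documents", "photos", "images", "scans", "pictures")
# .vbs is what the post describes; the other script types are assumed siblings worth catching.
SCRIPT_EXTENSIONS = (".vbs", ".js", ".jse", ".wsf")
MAX_DEPTH = 3  # assumed bound so a zip bomb of nested archives cannot stall the scanner


def find_scripts_in_zip(data: bytes, depth: int = 0, prefix: str = "") -> list:
    """Walk a ZIP and any ZIPs nested inside it; return paths of script files found."""
    hits = []
    if depth > MAX_DEPTH:
        return hits
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                path = prefix + info.filename
                lower = info.filename.lower()
                if lower.endswith(SCRIPT_EXTENSIONS):
                    hits.append(path)
                elif lower.endswith(".zip"):
                    hits.extend(find_scripts_in_zip(zf.read(info), depth + 1, path + "/"))
    except zipfile.BadZipFile:
        pass  # not an archive (or corrupt): nothing nested to inspect
    return hits


def assess_message(subject: str, attachment: bytes) -> dict:
    """Combine the subject-line heuristic with nested-archive inspection."""
    vague_subject = any(frag in subject.lower() for frag in SUSPICIOUS_SUBJECTS)
    scripts = find_scripts_in_zip(attachment)
    return {
        "vague_subject": vague_subject,
        "nested_scripts": scripts,
        "quarantine": bool(scripts),  # a script inside an archive is enough on its own
        "flag_for_review": vague_subject or bool(scripts),
    }


def build_sample_attachment() -> bytes:
    """Constructed sample (not a real campaign artifact): outer ZIP -> inner ZIP -> .vbs file."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("scan_0042.vbs", "' constructed placeholder, not a real script\r\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("scan_0042.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    print(assess_message("Please print", build_sample_attachment()))
```

A message whose archive holds a script is quarantined outright; a vague subject alone only routes the message to IT for review, matching the advice above.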

For the time being, do all of these things and you’ll have a strong chance of avoiding infection and recovering quickly should you become one of Locky’s victims.
