Yes, Locky is back. It was one of the most prolific ransomware families of our time and all but cornered the ransomware market in the first half of 2016. Then Locky suddenly dropped off the face of the earth in June 2016, and the thought was that it was gone.
Recently a few thousand spam emails carrying a new version of Locky, dubbed the “Double Zipped Locky,” have begun to circulate. The payload is hidden in a zip file in the hope that an unknowing victim will think they have a document and open it.
The email itself is a basic format with an attachment; it is thought that these few thousand are just a test run before a full-blown campaign is hammered out.
When users enable macros in the document inside the zip file, an executable file (the ransomware) is downloaded.
Various files are then encrypted. Note that Locky renames every encrypted file to a unique 16-character combination of letters and digits with a .aesir, .shit, .thor, .locky, .zepto or .odin extension, so it becomes virtually impossible to identify the original files from their names. All are encrypted using the RSA-2048 and AES-1024 algorithms, so a private key (stored on remote servers controlled by the cyber criminals) is required for decryption. To decrypt the files, victims must pay a ransom.
After the files are encrypted, Locky creates an additional .txt file and a _HELP_instructions.html (or _WHAT_is.html) file in each folder containing encrypted files. Furthermore, this ransomware changes the desktop wallpaper. Both the text files and the wallpaper carry the same message informing users of the encryption. It states that files can only be decrypted using a decrypter developed by the cyber criminals and costing 0.5 BitCoin (at the time of research, 0.5 BTC was equivalent to $207.63). To proceed, the victim must install the Tor browser and follow a link provided in the text files/wallpaper. The website contains step-by-step payment instructions. Locky also deletes all file shadow volume copies. Currently, there are no tools capable of decrypting files affected by Locky; the only solution is to restore your files from a backup.
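The renaming pattern and the ransom-note file names described above are the host-side indicators a responder can check for when triaging a machine. The following script is an added example, not code from the original post: it walks a file listing, flags files whose names match a 16-character letters-and-digits name with one of the listed extensions, flags folders that also contain _HELP_instructions.html or _WHAT_is.html, and classifies the host. The exact name pattern (exactly 16 alphanumerics, no separators) is assumed from the post's description; the .txt note is not matched because the post does not give its file name; the sample listing is constructed for the demonstration.

```python
import os
import posixpath
import re
from collections import defaultdict

# File extensions the post lists for Locky-renamed files.
LOCKY_EXTENSIONS = ("aesir", "shit", "thor", "locky", "zepto", "odin")

# Ransom-note file names the post lists (the .txt note is unnamed on the page, so it is not matched).
RANSOM_NOTES = {"_HELP_instructions.html", "_WHAT_is.html"}

# Assumption: renamed files are exactly 16 letters/digits plus one of the extensions above.
RENAMED_RE = re.compile(
    r"^[A-Za-z0-9]{16}\.(" + "|".join(LOCKY_EXTENSIONS) + r")$", re.IGNORECASE
)

# Constructed sample listing (POSIX-style relative paths) for the demonstration.
SAMPLE_LISTING = [
    "Users/alice/Documents/report.docx",               # untouched file
    "Users/alice/Documents/A1B2C3D4E5F6A7B8.locky",    # renamed by Locky
    "Users/alice/Documents/0F1E2D3C4B5A6978.zepto",    # renamed by Locky
    "Users/alice/Documents/_HELP_instructions.html",   # ransom note in the same folder
    "Users/alice/Pictures/holiday.jpg",
    "Users/alice/Pictures/_WHAT_is.html",              # note without renamed files alongside
    "Users/alice/Desktop/readme.txt",
    "Users/alice/Desktop/shortname.locky",             # Locky extension but not a 16-char name
]


def scan_listing(paths):
    """Group indicators per folder: {folder: {"renamed": [...], "notes": [...]}}.

    Only folders with at least one indicator appear in the result.
    """
    folders = defaultdict(lambda: {"renamed": [], "notes": []})
    for path in paths:
        folder, name = posixpath.split(path)
        if RENAMED_RE.match(name):
            folders[folder]["renamed"].append(name)
        elif name in RANSOM_NOTES:
            folders[folder]["notes"].append(name)
    return dict(folders)


def assess(paths):
    """Classify a host from its file listing.

    'infected'   : some folder holds both renamed files and a ransom note.
    'suspicious' : only one of the two indicators was seen anywhere.
    'clean'      : no indicator at all.
    Returns (verdict, sorted list of folders that drove the verdict).
    """
    found = scan_listing(paths)
    infected = [f for f, v in found.items() if v["renamed"] and v["notes"]]
    if infected:
        return "infected", sorted(infected)
    if found:
        return "suspicious", sorted(found)
    return "clean", []


def list_tree(root):
    """Yield POSIX-style relative paths for a real directory tree, for use with assess()."""
    for dirpath, _, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root).replace(os.sep, "/")
        for filename in filenames:
            yield filename if rel == "." else f"{rel}/{filename}"


if __name__ == "__main__":
    verdict, folders = assess(SAMPLE_LISTING)
    print(f"{verdict}: {folders}")
    # To check a real mount, e.g. an image of the affected volume:
    # print(assess(list_tree("/mnt/evidence")))
```

Because there is no decrypter, the output is used for scoping (which folders and shares were hit, so the right backups are restored) rather than recovery; a folder that shows only a note or only renamed files is reported as suspicious so the responder looks at it instead of the script silently ignoring it.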
So how do you protect yourself against Locky?
First of all, education: train your staff to recognize unidentified files and to understand the consequences of clicking on one.
Back up, and keep your backups current.
Use good endpoint software that recognizes malicious code before it gets in.
Keep your OS updated, always.