Written by Rob Young, Group Managing Director – 17th August 2017
What is Locky ransomware?
Locky ransomware is a powerful virus, similar in many ways to Petya, Rapid and WannaCry. It’s called Locky because this type of ransomware renames all of a user’s important files, giving them the extension .Locky.
However, Locky does more than just change a victim’s file extensions. It encrypts the files first so you can’t use them, then demands a fixed fee (set by the cyber criminals) to decrypt them. Paying is often the only option to get your files back, but there is no guarantee that after the fee has been paid they will be restored to their original state.
Who is at risk from the Locky virus?
Computers without sufficient anti-virus software that also provides malware protection could be susceptible to Locky attacks.
How do you get the Locky virus?
- The Locky virus is delivered in an email containing an attached document (Troj/DocDl-BCF).
- If you open the document, the text inside looks scrambled (see below).
- The document advises you to enable macros “if the data encoding is incorrect.”
- If you enable macros, you don’t actually correct the text encoding (that’s a subterfuge); instead, you run code inside the document that saves a file to disk and runs it.
- The saved file (Troj/Ransom-CGX) serves as a downloader, which fetches the final malware payload from the cyber criminals.
- The final payload could be anything, but in this case is usually the Locky Ransomware (Troj/Ransom-CGW).
Locky then corrupts all files that match a long list of extensions, including videos, images, source code, and Microsoft Office files on your machine.
What does the Locky virus file actually look like?
Once Locky has performed its task, it demands the ransom by automatically changing your desktop wallpaper.
What types of files does Locky encrypt?
Your C: drive will probably be the first thing that’s encrypted, but Locky also corrupts files in any directory on any mounted drive it can access. This includes removable drives plugged in at the time and network shares that are accessible, including servers and other people’s computers, and it spreads easily across Windows, OS X and Linux platforms.
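As an added example (not part of the original article or of any Sophos product), the following Python script looks for the pattern described above on a file server: one user writing many .locky files across shares in a short window. The audit log format, user names, hosts and share paths are constructed for illustration and are not real telemetry.

```python
"""Flag users that write many ".locky" files to network shares within a short window."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines (not real telemetry): "<ISO timestamp> <user> <host> <path>".
# alice writes six renamed files within 30 seconds; bob writes one ordinary file.
SAMPLE_LOG = """\
2017-08-17T09:00:01 alice pc-07 //fs01/finance/q2/budget.xlsx.locky
2017-08-17T09:00:02 alice pc-07 //fs01/finance/q2/forecast.docx.locky
2017-08-17T09:00:03 bob pc-12 //fs01/shared/notes.txt
2017-08-17T09:00:04 alice pc-07 //fs01/finance/q2/todo.txt
2017-08-17T09:00:05 alice pc-07 //fs02/hr/contracts.pdf.locky
2017-08-17T09:00:09 alice pc-07 //fs02/hr/payroll.xlsx.locky
2017-08-17T09:00:20 alice pc-07 //fs01/finance/q1/report.pptx.locky
2017-08-17T09:00:30 alice pc-07 //fs01/finance/q1/photos.jpg.locky
"""

# The extension the article describes; later variants used others, so keep this configurable.
RANSOM_EXTENSIONS = (".locky",)

def parse_line(line):
    ts, user, host, path = line.split(" ", 3)
    return {"ts": datetime.fromisoformat(ts), "user": user, "host": host, "path": path}

def share_of(path):
    """'//fs01/finance/q2/x' -> '//fs01/finance' (server + top-level share)."""
    return "//" + "/".join(path.lstrip("/").split("/")[:2])

def find_encryption_bursts(log_text, threshold=5, window_seconds=60):
    """Return {user: {host, count, shares}} for every user who wrote at least
    `threshold` ransom-extension files inside some `window_seconds` span."""
    per_user = defaultdict(list)
    for line in filter(str.strip, log_text.splitlines()):
        ev = parse_line(line)
        if ev["path"].lower().endswith(RANSOM_EXTENSIONS):
            per_user[ev["user"]].append(ev)
    alerts, window = {}, timedelta(seconds=window_seconds)
    for user, evs in per_user.items():
        evs.sort(key=lambda e: e["ts"])
        start = best = 0
        for end in range(len(evs)):  # sliding window over the sorted timestamps
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            size = end - start + 1
            if size >= threshold and size > best:  # keep the densest burst seen
                best = size
                alerts[user] = {"host": evs[end]["host"], "count": size,
                                "shares": sorted({share_of(e["path"]) for e in evs[start:end + 1]})}
    return alerts
```

Feed it your own file-server write audit in the same four-field form; the host and share list tell you which workstation to isolate and which shares to restore from backup.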
Can Locky spread from one computer to another?
Yes. If you are logged in as an administrator and you get hit by Locky, it can easily spread to other users, causing serious disruption to your business.
How to prevent the Locky virus
- Install specialist endpoint protection such as Intercept X by Sophos that protects against all major strains of ransomware.
- Automate regular backups across your network and ensure there is a regular off site backup.
- Educate employees never to enable macros in document attachments received via email. Microsoft deliberately turned off auto-execution of macros by default many years ago as a security measure. This is the main delivery method of a wide range of viruses.
- Patch early and regularly – Malware that doesn’t come in via document macros often relies on security bugs in popular applications, including Office, your browser, Flash and more. The sooner you patch, the fewer open holes remain for the cyber criminals to exploit.
What to do if you get the Locky Virus
We do not advise paying the ransom set by the cyber criminals; instead, get in touch with us to see if we can restore your files from backups. This is not easily done, as your machine(s) will be infected, but our IT Security consultants are familiar with several methods of undertaking this procedure. Sometimes file retrieval is not possible because of the type of backup that was set up initially.
If you are worried about the level of virus protection your business has, or would like to improve your disaster recovery plan and backup process, please get in touch with one of our IT security specialists.
Infinity Group are Sophos partners and supply Intercept X which protects against malware attacks to many clients. You may also wish to consider the Cyber Essentials certification to safeguard your business against cyber threats. Please get in touch for more information.