Locky is the latest in an ever-increasing range of ransomware threats used by cyber criminals in an expanding and increasingly lucrative market. What makes Locky notable is that it appears to come from the same group behind several large Dridex campaigns, suggesting that they are diversifying their range of attacks.
The Locky strain has been observed in the Avecto malware labs and by other researchers spreading via Word documents attached to phishing emails. These typically pose as invoices and are sent from a variety of domains. So far the campaign appears to be very successful and well orchestrated, with a global impact across all industries.
Figure 1: Locky Phishing Email
When the user enables macros in the malicious document, the Locky executable is dropped into the user's temporary directory and run. It then renames and encrypts the user's documents, replaces the desktop wallpaper with a ransom demand, and also attempts to silently delete the Volume Shadow Copies that Windows keeps as backups, so that the encrypted files cannot simply be restored from them.
Figure 2: Locky Ransom Demand
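The infection chain above (Office macro dropping an executable into the user's temp directory, which then tries to remove shadow copies) is exactly the kind of behaviour a process-creation log exposes. The following is an added example, not Avecto code and not part of the original post: a small Python detector run over constructed, Sysmon-style process-creation events. The field names, the sample paths and file names, and the assumption that shadow copies are removed through `vssadmin Delete Shadows` are all illustrative choices for this example; the post itself only says the deletion is attempted silently.

```python
"""Toy detector for the Locky infection chain described in the post.

Sample events below are constructed for this example and loosely modelled
on Sysmon process-creation records; the field names are an assumption.
"""
import re
from dataclasses import dataclass

# Office applications whose child processes deserve scrutiny when a macro runs.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Assumption: standard Windows user-profile layout for the per-user temp directory.
TEMP_DIR_RE = re.compile(
    r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE
)

# Assumed technique for "silently deleting shadow copies": vssadmin delete shadows.
VSSADMIN_RE = re.compile(
    r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.IGNORECASE
)


@dataclass
class ProcEvent:
    """Minimal process-creation record (parent image, new image, command line)."""
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent) -> list[str]:
    """Return the list of suspicious patterns an event matches (empty if benign)."""
    findings = []
    # Stage 1: an Office process launching an executable from the user's temp dir.
    if basename(ev.parent_image) in OFFICE_PARENTS and TEMP_DIR_RE.match(ev.image):
        findings.append("office_macro_dropper")
    # Stage 2: the dropped payload (or anything else) deleting shadow copies.
    if VSSADMIN_RE.search(ev.command_line):
        findings.append("shadow_copy_deletion")
    return findings


def scan(events: list[ProcEvent]) -> list[tuple[int, str]]:
    """Scan a sequence of events and return (event index, finding) pairs."""
    return [(i, f) for i, ev in enumerate(events) for f in classify(ev)]


# Constructed sample log: user opens an "invoice", macro drops and runs a payload,
# payload wipes shadow copies; the remaining events are benign noise.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r'"WINWORD.EXE" /n "C:\Users\alice\Downloads\invoice.doc"'),
    ProcEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r"C:\Users\alice\AppData\Local\Temp\dropped.exe",
              r"C:\Users\alice\AppData\Local\Temp\dropped.exe"),
    ProcEvent(r"C:\Users\alice\AppData\Local\Temp\dropped.exe",
              r"C:\Windows\System32\vssadmin.exe",
              r"vssadmin.exe Delete Shadows /All /Quiet"),
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\notepad.exe",
              r"notepad.exe"),
    ProcEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r"C:\Windows\splwow64.exe",
              r"C:\Windows\splwow64.exe 12288"),
]

if __name__ == "__main__":
    for idx, finding in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {finding} ({SAMPLE_EVENTS[idx].command_line})")
```

Run against the constructed sample, only events 1 and 2 fire (the temp-directory dropper and the shadow-copy deletion); the Word launch itself and the benign children do not. The two rules are deliberately independent so that either stage can be alerted on by itself: blocking or alerting on the first stage catches the dropper before any file is encrypted, which is the point the post makes about prevention rather than after-the-fact detection.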
The problem for traditional security solutions trying to prevent threats such as Locky is that they rely on detecting it in order to block it. Even if a detection solution could catch 99 out of 100 threats, it only takes one instance of Locky slipping through to inflict serious damage. In the case of Locky, it took most AV vendors days to catch up.
So how can RansomCare help?
Watch how RansomCare stops ransomware attacks in real time and prevents an outbreak in this four-minute video.