A new version of ransomware called “Locky” has become active. The end result hasn’t changed – all your document files etc. will be encrypted and you must pay a ransom to “buy” the key needed to recover them.
Back up regularly! This has been, is now, and will remain the best and cheapest way to recover your files in the event of ransomware or any other disaster that causes business disruption.
Of course, you should also try to avoid catching ransomware in the first place. We can help you put policies in place if you need them.
Summary of actions to take: block .js files from running, and block www.torproject.org in your firewall.
Thanks to the Emerging Threats Team at SophosLabs for their behind-the-scenes work on this article.
“Locky” feels like quite a cheery-sounding name.
But it’s also the nickname of a new strain of ransomware, so-called because it renames all your important files so that they have the extension .locky.
Of course, it doesn’t just rename your files, it scrambles them first, and – as you probably know about ransomware – only the crooks have the decryption key.
You can buy the decryption key from the crooks via the so-called dark web.
The prices we’ve seen vary from BTC 0.5 to BTC 1.00 (BTC is short for “bitcoin,” where one bitcoin is currently worth about $400/£280).
The most common way that Locky arrives is as follows:
- You receive an email containing an attached document (Troj/DocDl-BCF).
- The document looks like gobbledegook.
- The document advises you to enable macros “if the data encoding is incorrect.”
- If you enable macros, you don’t actually correct the text encoding (that’s a subterfuge); instead, you run code inside the document that saves a file to disk and runs it.
- The saved file (Troj/Ransom-CGX) serves as a downloader, which fetches the final malware payload from the crooks.
- The final payload could be anything, but in this case it is usually the Locky ransomware (Troj/Ransom-CGW).
Locky scrambles all files that match a long list of extensions, including videos, images, source code, and Office files.
Locky even scrambles wallet.dat, your Bitcoin wallet file, if you have one.
In other words, if you have more BTCs in your wallet than the cost of the ransom, and no backup, you are very likely to pay up. (And you’ll already know how to buy new bitcoins, and how to pay with them.)
Locky also removes any Volume Snapshot Service (VSS) files, also known as shadow copies, that you may have made.
Shadow copies are the Windows way of making live backup snapshots without having to stop working – you don’t need to logout or even close your applications first – so they are a quick and popular alternative to a proper backup procedure.
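The behaviours described above (a macro in the attached document saving and running a file, shadow copies being removed, and files being renamed to .locky on local and mounted drives) can be turned into simple detection rules. The following is an added example, not code from the original article or from SophosLabs; the telemetry format, host names, file names and the process names it matches (wscript.exe as the script host, vssadmin.exe as the shadow-copy tool, which the article does not name) are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample endpoint telemetry (not real logs): ws17 shows the infection chain, ws22 is benign.
SAMPLE_LOG = """\
2016-02-17T09:01:02 ws17 process_start parent=WINWORD.EXE child=wscript.exe
2016-02-17T09:01:04 ws17 process_start parent=wscript.exe child=dropper.exe
2016-02-17T09:01:09 ws17 process_start parent=dropper.exe child=vssadmin.exe args="delete shadows /all /quiet"
2016-02-17T09:01:10 ws17 file_rename from=C:\\Users\\ann\\Documents\\budget.xlsx to=C:\\Users\\ann\\Documents\\0A1B2C3D.locky
2016-02-17T09:01:10 ws17 file_rename from=Z:\\shared\\plan.docx to=Z:\\shared\\0A1B2C3E.locky
2016-02-17T09:01:11 ws17 file_rename from=C:\\Users\\ann\\wallet.dat to=C:\\Users\\ann\\0A1B2C3F.locky
2016-02-17T09:05:00 ws22 process_start parent=explorer.exe child=WINWORD.EXE
2016-02-17T09:05:30 ws22 file_rename from=C:\\Users\\bob\\draft.docx to=C:\\Users\\bob\\final.docx
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>\S+)(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}  # assumed macro-capable hosts
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe"}


def parse_event(line):
    # One telemetry line -> dict of fields; None if the line does not fit the assumed format
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {"ts": m["ts"], "host": m["host"], "event": m["event"], **fields}


def detect(log_text, threshold=3):
    # Returns a set of (host, rule) findings; threshold = .locky renames per host before alerting
    findings = set()
    locky_renames = defaultdict(int)
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        host = ev["host"]
        if ev["event"] == "process_start":
            parent, child = ev.get("parent", "").lower(), ev.get("child", "").lower()
            # Macro in the booby-trapped document running the file it just saved via a script host
            if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
                findings.add((host, "office_spawns_script_host"))
            # Shadow copies being removed so the live snapshots cannot be used for recovery
            if child == "vssadmin.exe" and "delete shadows" in ev.get("args", "").lower():
                findings.add((host, "shadow_copies_deleted"))
        elif ev["event"] == "file_rename" and ev.get("to", "").lower().endswith(".locky"):
            locky_renames[host] += 1  # local paths and network-share paths count alike
            if locky_renames[host] >= threshold:
                findings.add((host, "locky_rename_burst"))
    return findings
```

The rename rule fires only after several renames on the same host, since a single file legitimately ending in .locky is not evidence of anything; the threshold should be tuned to the environment.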
Once Locky is ready to hit you up for the ransom, it makes sure you see the following message by changing your desktop wallpaper:
If you visit the dark web page given in the warning message, then you receive the instructions for payment that we showed above.
Unfortunately, so far as we can tell, there are no easy shortcuts to get your data back if you don’t have a recent backup.
Remember, also, that like most ransomware, Locky doesn’t just scramble your C: drive.
It scrambles any files in any directory on any mounted drive that it can access, including removable drives that are plugged in at the time, or network shares that are accessible, including servers and other people’s computers, whether they are running Windows, OS X or Linux.