Locky Ransomware Is Back in a Big Way

After taking a brief hiatus, cybercriminals launched four new Locky ransomware attacks in August 2017. The biggest one occurred on August 28. In a span of just 24 hours, hackers sent out more than 23 million malicious emails, making it one of the largest malware campaigns in the latter half of 2017, according to AppRiver security researchers.

The Phishing Emails and Their Payloads

In all four attacks, cybercriminals used phishing emails to deliver two new Locky variants dubbed Diablo and Lukitus to unsuspecting recipients. The phishing emails' messages varied, according to researchers at PhishLabs. For example, some emails spun a yarn about unpaid invoices, while other emails did not include any message. All the emails, though, included attachments that were hiding scripts. The types of attachments and their scripts included:

  • An attached Microsoft Word document containing a malicious macro. Macros are small scripts that Word users can create to perform repetitive tasks, such as entering a return address in correspondence. As such, they are useful tools. However, cybercriminals often use macros to initiate cyberattacks.
  • A compressed archive file (e.g., a ZIP, RAR, or 7ZIP file) containing a malicious VBScript (VBS) file. In the past, administrators often used VBS scripts to automate routine IT tasks, such as deleting old files. Although most administrators now use a different type of script for that purpose, VBS scripts are still a popular tool of destruction among hackers.
  • A compressed archive file containing a malicious JavaScript (JS) file. Still widely used today, JS scripts are typically utilized to carry out tasks, such as automatically changing dates, on web pages. Unfortunately, cybercriminals also like to use them for nefarious purposes.

Although different types of scripts were used, they all led to the same outcome if recipients inadvertently launched them. The scripts initiated a process that loaded the Locky ransomware onto their computers. A message was then displayed on the victims' computers. It stated that their files were encrypted and referred them to a site where they could get further instructions on how to get the key needed to decrypt their files.

How to Protect Your Business from Locky

The cybercriminals behind the August Locky attacks relied on email attachments to deliver the ransomware. Therein lies an important way you can help prevent a Locky ransomware attack. You should let employees know how dangerous it is to open an attachment, even if an email appears to be from someone they know or an organization with which they do business. The email might have been sent by a hacker masquerading as a colleague or business representative. Plus, you should warn employees about the dangers of opening a password-protected file (especially if it is a compressed archive file) sent via email if that email includes the password needed to unlock the file. When this occurs, there is a good chance that the file contains malicious code. Finally, it is helpful to train employees on how to spot phishing emails by looking for elements commonly found in them (e.g., generic greetings, suspicious email addresses, grammatical errors).

You also need to take other measures to protect your business from Locky. Since macros were used in some of the attacks, it is a good idea to lock them down. Macros are disabled by default in Word. However, if a macro is present in a file, employees will get a prompt asking them if they want to enable it. You can remove this prompt by changing the macro setting from "Disable all macros with notification" (the default) to "Disable all macros without notification". That way, you eliminate the possibility of employees inadvertently enabling macros. Cybercriminals have also used macros in Microsoft Excel files to deliver ransomware, so you might want to change the macro setting both Word and Excel.

Despite your best efforts to prevent an infection, Locky might get installed on one of your computers and hold its files for ransom. Thus, you need to regularly back up your business's files and make sure they can be successfully restored. If you have good backup and restore processes, you won't have to pay the ransom to get your files back.

A Dangerous Threat

Locky continues to be a dangerous threat that your business needs to be prepared for. We can help you develop and implement a comprehensive security strategy that will help protect your business against it and other types of ransomware attacks.