Locky Ransomware Encrypts Victim Data

Last Update Date: 6 Apr 2016 Release Date: 18 Mar 2016 12058 Views

RISK: Extremely High Risk

Extremely High Risk

TYPE: Attacks - Malware

TYPE: Malware

A new variant of ransomware known as Locky has been spreading quickly, through massive spam campaigns and compromised websites. HKCERT has received a lot of reports from victims.

 

How Locky was spread

  1. Spam email
    Some victims were infected by opening attachments in spam emails:
    • Known titles of the spam emails include the following:
      • ATTN: Invoice J-[RANDOM NUMBERS]
      • Your booking [RANDOM NUMBERS] is confirmed
      • Payment ACCEPTED [RANDOM NUMBERS]
      • FW: Invoice 2016-M#[RANDOM NUMBER]
    • The malicious email attachment could be a Macro-enabled Microsoft Office document, a ".zip" file containing a javascript (.js) file or in other formats.
    • The attachment is usually a downloader that can evade anti-malware detection.
    • The mail may pretend to be sent from the victim themselves, or from a random people.
  2. Compromised website
    • Some victims were infected by visiting compromised websites. Those websites mainly target Internet Explorer users.

Impact

  • Locky encrypts files on victims’ computers and adds a .locky file extension to them.
  • Files on network drives are affected.
  • Data will be unrecoverable due to encryption by ransomware.

Solutions

To protect yourself from ransomeware:

  • Delete any suspicious-looking emails you receive, especially if they contain links or attachments.
  • Be extremely wary of any Microsoft Office email attachment that advises you to enable macros to view its content. Do not enable it if in doubt.
  • Regularly backup the files stored on your computer, and keep an offline copy of the backup.
  • Always keep your security software up to date.
  • Keep your operating system and other software updated.
  • Once infected, isolate the infected computer from the network and external storage immediately. Do not open any file before clearing the malware.
  • We do not recommend paying the ransom.

Vulnerability Identifier

  • No CVE information is available

Related Link

Share with

Previous

Squid Cache Multiple Vulnerabilties

5 Apr 2016 3992 Views

Next

Adobe Flash Player Content Validation Vulnerability

7 Apr 2016 4481 Views

We use cookies to give you the best possible experience on our website. By continuing to browse this site, you give consent for cookies to be used. For more details please read our Cookie Policy.

PRIVACY POLICY