Locky Ransomware Encrypts Victim Data
Last Update Date:
6 Apr 2016
Release Date:
18 Mar 2016
RISK: Extremely High Risk
TYPE: Attacks - Malware
A new variant of ransomware known as Locky has been spreading quickly, through massive spam campaigns and compromised websites. HKCERT has received a lot of reports from victims.
How Locky was spread
- Spam email
  - Some victims were infected by opening attachments in spam emails.
  - Known titles of the spam emails include the following:
    - ATTN: Invoice J-[RANDOM NUMBERS]
    - Your booking [RANDOM NUMBERS] is confirmed
    - Payment ACCEPTED [RANDOM NUMBERS]
    - FW: Invoice 2016-M#[RANDOM NUMBER]
  - The malicious email attachment could be a macro-enabled Microsoft Office document, a ".zip" file containing a JavaScript (.js) file, or a file in another format.
  - The attachment is usually a downloader that can evade anti-malware detection.
  - The mail may pretend to be sent from the victim themselves, or from a random person.
- Compromised website
  - Some victims were infected by visiting compromised websites. Those websites mainly target Internet Explorer users.
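The lure characteristics listed above (known subject lines, a spoofed sender that matches the recipient, macro-capable Office or ".zip"-wrapped ".js" attachments) can be turned into a simple mail-gateway triage check. The following is an added example written for this advisory, not HKCERT's own tooling; the subject patterns are taken from the list above with "[RANDOM NUMBERS]" treated as a run of digits, while the attachment extension lists and the sample message are assumptions constructed for illustration.

```python
import io
import re
import zipfile
from email.message import EmailMessage

# Subject lines from the advisory; "[RANDOM NUMBERS]" is assumed to be digits.
SUBJECT_PATTERNS = [
    re.compile(r"^ATTN: Invoice J-\d+$"),
    re.compile(r"^Your booking \d+ is confirmed$"),
    re.compile(r"^Payment ACCEPTED \d+$"),
    re.compile(r"^FW: Invoice 2016-M#\d+$"),
]
# Assumed extension lists: macro-capable Office formats and script files.
MACRO_OFFICE_EXT = (".doc", ".docm", ".xls", ".xlsm", ".pptm")
SCRIPT_EXT = (".js", ".jse", ".vbs", ".wsf")

def zip_contains_script(data: bytes) -> bool:
    """Return True if the zip archive lists a script file among its members."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith(SCRIPT_EXT) for n in zf.namelist())
    except zipfile.BadZipFile:
        return False  # not a valid zip: nothing to inspect here

def triage(msg: EmailMessage) -> list:
    """Collect Locky-lure indicators present in one message (defensive check)."""
    findings = []
    subject = msg.get("Subject", "")
    if any(p.match(subject) for p in SUBJECT_PATTERNS):
        findings.append("subject matches a known Locky lure: %r" % subject)
    if msg.get("From") and msg.get("From") == msg.get("To"):
        findings.append("sender address equals recipient (possible spoofing)")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        if name.endswith(MACRO_OFFICE_EXT):
            findings.append("macro-capable Office attachment: " + name)
        elif name.endswith(SCRIPT_EXT):
            findings.append("script attachment: " + name)
        elif name.endswith(".zip") and zip_contains_script(payload):
            findings.append("zip attachment containing a script file: " + name)
    return findings

def build_sample() -> EmailMessage:
    """Constructed sample resembling the lure; the archive holds a harmless stub."""
    msg = EmailMessage()
    msg["From"] = msg["To"] = "user@example.invalid"  # placeholder address
    msg["Subject"] = "ATTN: Invoice J-98765432"
    msg.set_content("Please see the attached invoice.")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.js", "// constructed placeholder, not malware\n")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="invoice.zip")
    return msg
```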
Impact
- Locky encrypts files on victims’ computers and adds a .locky file extension to them.
- Files on network drives are affected.
- Data will be unrecoverable due to encryption by ransomware.
Solutions
To protect yourself from ransomware:
- Delete any suspicious-looking emails you receive, especially if they contain links or attachments.
- Be extremely wary of any Microsoft Office email attachment that advises you to enable macros to view its content. Do not enable it if in doubt.
- Regularly backup the files stored on your computer, and keep an offline copy of the backup.
- Always keep your security software up to date.
- Keep your operating system and other software updated.
- Once infected, isolate the infected computer from the network and external storage immediately. Do not open any file before clearing the malware.
- We do not recommend paying the ransom.
Vulnerability Identifier
- No CVE information is available