Locky is one of the more recent ransomware families. It was first released in 2016. Security researchers discovered that the malware authors send ransomware-laden emails demanding payment, with an "invoice" attached as a malicious Microsoft Word document that carries infectious macros. When the user opens the document, a dialog box pops up saying "Enable macro if data encoding is incorrect." This is a basic social engineering trick to get the user to enable macros and infect the system.
Once the macros are enabled, a binary is downloaded and run to install the encryption trojan, which locks all of the user's files and appends an extension to them. The filenames are changed to a long combination of numbers and letters. The malware then directs the user to a malicious website where it demands a heavy ransom to unlock the encrypted files.
Source of Locky Ransomware
Ransom.Locky is delivered to the system through malspam and exploit kits (EKs). Locky is distributed at irregular intervals through the Nuclear, Neutrino and RIG exploit kits. The main distributor is the Necurs botnet, which spreads Locky infections, usually by way of a specially crafted Microsoft Word document with malicious macros in it.
The spam mails sent by the malware authors carry genuine-looking yet malicious attachments (these can be .xls, .doc or .zip files). According to reports, security experts have identified convincing evidence that Locky was developed by the same authors who coded Dridex. After analysis, the Locky ransomware was found to originate from Russia.
Symptoms to confirm if the system is infected with Locky Ransomware
To confirm whether a system is infected with Locky ransomware, look for the ransom text: it is shown as the desktop wallpaper or dropped as a text file.
Files encrypted by the malware will have one of the following extensions:
- .aesir
- .locky
- .diablo6
- .asasin
- .odin
- .osiris
- .zepto
- .ykcol
- .thor
- .zzzzz
- .shit
- .loptr
Following are the ransom note files that were identified on different Locky-infected systems:
- _HELP_instructions.html
- DesktopOSIRIS.htm
- ykcol-{random characters}.htm
- HELP_Recover_Files_.html
- diablo6-{random characters}.htm
- asasin-{random characters}.htm
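The two lists above (the extensions Locky appends and the ransom note filenames, with "{random characters}" for the variable part) can be turned into a simple triage check that a responder runs over a file share or a suspect machine's user folders. The script below is an added example written for this page, not code from the original article or from any vendor; the file names it creates in a temporary directory are constructed sample data, and the "random characters" part of the note names is assumed to be a run of letters and digits.

```python
import os
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Extensions that Locky appends to encrypted files, as listed on this page.
LOCKY_EXTENSIONS = {
    ".aesir", ".locky", ".diablo6", ".asasin", ".odin", ".osiris",
    ".zepto", ".ykcol", ".thor", ".zzzzz", ".shit", ".loptr",
}

# Ransom note filenames from this page. The "{random characters}" part is
# assumed to be letters and digits and is matched with a regex.
RANSOM_NOTE_PATTERNS = [
    re.compile(r"^_HELP_instructions\.html$", re.IGNORECASE),
    re.compile(r"^DesktopOSIRIS\.htm$", re.IGNORECASE),
    re.compile(r"^HELP_Recover_Files_\.html$", re.IGNORECASE),
    re.compile(r"^(ykcol|diablo6|asasin)-[0-9A-Za-z]+\.htm$", re.IGNORECASE),
]


def classify(name: str) -> Optional[str]:
    """Classify a single file name as 'encrypted', 'ransom_note' or None.

    Only the final extension is checked, so a file that merely contains
    'locky' in its name (for example locky_facts.txt) is not flagged.
    """
    ext = os.path.splitext(name)[1].lower()
    if ext in LOCKY_EXTENSIONS:
        return "encrypted"
    if any(p.match(name) for p in RANSOM_NOTE_PATTERNS):
        return "ransom_note"
    return None


def scan_tree(root: Path) -> Dict[str, List[str]]:
    """Walk a directory tree and collect paths of encrypted files and ransom notes."""
    findings: Dict[str, List[str]] = {"encrypted": [], "ransom_note": []}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            kind = classify(fn)
            if kind:
                findings[kind].append(str(Path(dirpath) / fn))
    return findings


def is_likely_infected(findings: Dict[str, List[str]]) -> bool:
    """A ransom note or any renamed file is enough to escalate for investigation."""
    return bool(findings["ransom_note"]) or bool(findings["encrypted"])


def build_sample_tree(root: Path) -> None:
    """Constructed sample data: a few benign files, two 'encrypted' files and three notes."""
    sample = {
        "Documents/report.docx": "benign",
        "Documents/A1B2C3D4E5F6A7B8-0102-0304-0000111122223333.locky": "ciphertext",
        "Documents/_HELP_instructions.html": "ransom note",
        "Pictures/E5F6A7B8A1B2C3D4-0506-0708-ABCDEF0123456789.osiris": "ciphertext",
        "Pictures/DesktopOSIRIS.htm": "ransom note",
        "Desktop/ykcol-8f3a2c.htm": "ransom note",
        "Desktop/notes.txt": "benign",
        "Desktop/locky_facts.txt": "benign, name contains 'locky' but is not renamed",
    }
    for rel, content in sample.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)


def run_demo() -> Dict[str, List[str]]:
    """Build the constructed sample tree in a temp directory, scan it, return findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    result = run_demo()
    for kind, paths in result.items():
        print(f"{kind}: {len(paths)}")
        for path in paths:
            print("   ", path)
    print("escalate:", is_likely_infected(result))
```

Point `scan_tree` at a real share or user profile instead of the sample tree to get the list of affected paths; the note filenames are the quicker indicator, since a handful of them will usually exist before every user file has been renamed.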
Impact of the Locky Ransomware Attack
Once a system is infected, it is effectively out of service, because the files it needs for normal operation have been encrypted by the threat actors.
Affected users who pay the ransom to the threat actors may still not get their files back. There is no guarantee that the malware authors will honour the deal and decrypt the files even after receiving the heavy ransom payment.
Users who have paid the ransom find that they are more likely to be targeted in future ransomware campaigns.
Stolen and encrypted data retained by the malware authors after the ransom is paid can be sold on the black market or used for fraud.
Ways to prevent locky ransomware
Most ransomware infections, Locky included, start with spam mail that infects the user's system.
Following are the ways to prevent Locky ransomware:
- Install the latest version of antivirus software and keep it updated.
- Equip the system with an effective internet security suite that includes email security, so that spam and phishing emails are identified and removed.
- Never open or click on unknown or suspicious attachments or links from unverified sources.
- Keep macros disabled in Microsoft Office, and do not enable them when a document asks you to.
- Back up important files to the cloud or to external hard drives.
- Update the operating system and all third-party software installed on the system with the latest patches.
Protection
Comodo Antivirus effectively protects users from Ransom.Locky by blocking the malware in real time. It provides multi-level protection against this attack. It also terminates the malicious macros present in Microsoft Office documents laden with infectious macros. It combines a future-proof firewall, antivirus, anti-spyware and application control featuring HIPS (host intrusion prevention) techniques, all under one roof. It also includes vulnerability assessment, patch management and configuration capabilities to deliver protection of disk encryption and data files.