Beware Of “Locky” – Ransomware That Takes Your Files And Folders Hostage

[Image: a hand passing several $100 bills in exchange for a key, representing the decryption key needed to recover files held hostage by ransomware]

by Richard Cameron


Locky is not Lucky

What is “Locky”, and why should you take steps to avoid it?  For one thing, it is a lot worse than being in Facebook Jail.  Instead of being suspended from posting on the social media giant, if your computer is infected by Locky, all of your saved files are encrypted and held hostage, and you do not get them back until you pay a hefty price for their release.

Locky is but one prominent example of “ransomware”, or as it is known in the academic literature, “cryptoviral extortion”.  In May of this year the WannaCry outbreak captured over 200,000 computers in 150 countries.  Ransomware sometimes spreads on its own across a network by exploiting unpatched services, as WannaCry did, but it most often arrives through the phenomenon known as “phishing”, which we will outline in a moment.

How does it work and what happens?

Once you have unwittingly allowed Locky onto your computer (it targets Windows PCs), it encrypts your files and renames them, replacing the original extension, .doc for a Word document for example, with .locky.  The files are now scrambled with a key you do not have and you are locked out of them, hence the moniker “Locky”.

Most recently the hackers have released new iterations that use the extensions .diablo6 and .lukitus.  Here is the list of extensions cataloged since February 2016, when Locky first reared its ugly head.  Of particular note is the extension in use in October 2016:

[Image: a list of file extensions that Locky variants have used since 2016]

But what the extensions are named is not important.  What matters is avoiding the scheme in the first place, and we will outline how in just a moment.

[Image: the pop-up you see when ransomware has hijacked your files and documents]

Here comes the part where we find out what you’ll have to do to get your documents back.

The hackers, of course, hold the decryption key: Locky encrypts each file with a key that is itself locked to a key pair kept on the attackers' server, so no amount of poking at the scrambled files on your own machine will recover them.  Without that key you will never again have access to those files.  Note that paying is no guarantee either, since nothing obliges the crooks to hand over a working key once they have your money.

So now it becomes a game of “The Price is Right”.  The crooks run their payment site as a hidden service on the Tor network, the part of the internet where both they and the site are hard to trace, and will sell you the key in exchange for Bitcoin.

The price of rescuing your data from Locky and other ransomware schemes …

Naked Security reports that the asking price for decryption keys averages BTC 0.75, or about $300 at the exchange rate of the time.  Here is a visual of the actual ransom payment demand:

[Image: the pop-up that specifies the terms of the ransom; the dark side of e-commerce, your money or your data]

So, now that you know Locky is out there and is targeting millions of private, public and business computers, what do you need to do to avoid it in the first place?  It helps to understand the broader con that ransomware rides on.

[Image: cartoon of a cyber criminal with a fishing pole, “phishing” for a victim's personal data]

Phishing

Everyone has heard of “phishing”.  Phishing is when an intriguing, enticing or alarming message is sent, usually by email, and the unsuspecting recipient follows its instructions.

The City of El Paso, Texas was hit by a phishing scheme last November that targeted the city’s municipal street car development program – for a take of $3.2 million.

Phishing will come in the form of something that either prompts the curiosity of the recipient or causes alarm.

For example, you might be told that some entity you do business with needs you to verify your account information “for security purposes”, ironically enough.  Facebook, PayPal, your utility company, Visa or Mastercard, a bank, even the IRS and Microsoft itself are spoofed.

You also might be told that you owe a payment and that the attachment is the “invoice”.  The invoice ruse was the one employed against the Hollywood Presbyterian Medical Center, which paid $17,000 in bitcoins in February 2016.

The computer network at the Dartford Science & Technology College in the UK was compromised in April 2016 by nothing more than the injudicious opening of an unsolicited attachment.  A month later ransomware emails were distributed to over half a million computers.

At my house, we received an email in which an attached document purportedly contained a draft of a real estate contract.  Perhaps it was just coincidental that we were in fact negotiating the sale of some property at the time.  This illustrates that there is no stock target profile for ransomware.

The objective of credential phishing is to convince you to log in to a fake login screen or to furnish other vital data such as your Social Security number or a credit card number.  Malware delivery is similar in its wily ways: it tricks you into clicking a link or opening a file that installs a program, after which your computer may be enlisted as a bot in a criminal network, have its data stolen or, as with Locky, have its files encrypted.

The Ransomware Angle

With Locky the approach is similar, with a twist.  Instead of a login page or a request for personal data, the email carries an attachment, a document of one type or another.  Malwarebytes Labs indicates that Locky, like numerous other ransomware variants, is usually distributed with the help of spam emails containing a malicious Microsoft Office file or a ZIP attachment containing a malicious script.  Sometimes intended victims will see PDF files or Excel worksheets.

The lure is that the recipient is given the impression that a legitimate and important message has been sent but that it has somehow become scrambled, so the document is deliberately hashed up and chaotic in appearance.  It then gives instructions on how to “resolve” the problem: enable macros “if the data encoding is incorrect”.  Enabling the macro is what actually runs the code that downloads and launches the ransomware.  It seems sensible if one does not recognize the scam.

It is extremely important for all of us to understand the premise behind all forms of phishing, ransomware included: catch the recipient off balance and, in an unguarded moment, get them to throw caution to the wind and open a malicious file or link or enable a macro.

Macros live in Microsoft Office documents.  Their legitimate use is to script a sequence of repetitive steps as a shortcut for the user.  But the same scripting can be used by hackers as a mule for malicious code, and a macro that fetches and runs a program the moment you click “Enable Content” is exactly how Locky gets in.
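Here is an added example, not code from the article or from Malwarebytes, of the kind of attachment triage the last few paragraphs describe: a small Python script that flags the delivery vehicles Locky relied on, an Office document carrying a VBA project or a ZIP hiding a script, before anyone double-clicks. The sample attachments it builds are constructed, harmless stand-ins; the extension lists are assumptions; and the legacy .doc check is a string heuristic (a real triage tool parses the OLE directory, for example oletools' olevba).

```python
import io
import os
import zipfile

# Assumed lists (not from the article): script/executable types that have been
# carried in ZIP lures, and Office formats that can hold a VBA project.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".exe",
                     ".scr", ".bat", ".cmd", ".ps1", ".lnk"}
MACRO_CAPABLE = {".doc", ".dot", ".xls", ".xlt", ".ppt",               # legacy OLE containers
                 ".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".potm",  # macro-enabled OOXML
                 ".docx", ".xlsx", ".pptx"}                             # OOXML that should carry no VBA
OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")   # legacy binary Office container
ZIP_MAGIC = b"PK\x03\x04"                        # OOXML documents and plain ZIP archives


def _ext(name):
    return os.path.splitext(name)[1].lower()


def office_has_macros(data):
    """True if an Office document carries a VBA project.

    OOXML files are ZIPs with the macros in a part named vbaProject.bin.
    Legacy OLE files keep them in storages named 'Macros' / '_VBA_PROJECT';
    the directory entries are UTF-16LE, so a string search is a cheap
    heuristic only (it can false-positive on a document that merely
    contains those words)."""
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
        except zipfile.BadZipFile:
            return False
    if data.startswith(OLE_MAGIC):
        return any(m.encode("utf-16-le") in data for m in ("_VBA_PROJECT", "Macros"))
    return False


def triage_attachment(filename, data):
    """Return a list of findings for one attachment (empty = nothing matched).

    Conservative by design: it flags delivery vehicles, it does not prove
    malice, and it looks only one level into ZIP archives."""
    findings = []
    ext = _ext(filename)
    inner = _ext(os.path.splitext(filename)[0])
    if ext in SCRIPT_EXTENSIONS:
        findings.append(f"script/executable attachment ({ext})")
        if inner:   # "scan.pdf.js": the visible 'pdf' hides the real type
            findings.append(f"double extension {inner}{ext}")
    if ext in MACRO_CAPABLE and office_has_macros(data):
        findings.append("Office document contains a VBA macro project")
    if ext == ".zip" or (data.startswith(ZIP_MAGIC) and ext not in MACRO_CAPABLE):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                for info in z.infolist():
                    member = info.filename
                    if info.flag_bits & 0x1:   # encrypted member: cannot be inspected
                        findings.append(f"archive member {member} is password protected")
                        continue
                    mext = _ext(member)
                    if mext in SCRIPT_EXTENSIONS:
                        findings.append(f"archive contains script {member}")
                    elif mext in MACRO_CAPABLE and office_has_macros(z.read(member)):
                        findings.append(f"archive contains macro document {member}")
        except zipfile.BadZipFile:
            findings.append("archive is corrupt or not really a ZIP")
    return findings


def _zip_of(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, content in members.items():
            z.writestr(name, content)
    return buf.getvalue()


def build_sample_attachments():
    """Constructed, harmless stand-ins for the attachment shapes discussed above."""
    ole_doc = OLE_MAGIC + b"\x00" * 512 + "_VBA_PROJECT".encode("utf-16-le")
    return {
        "invoice.docm": _zip_of({"[Content_Types].xml": "<Types/>",
                                 "word/document.xml": "<w:document/>",
                                 "word/vbaProject.bin": b"\x00 stand-in, no real VBA"}),
        "report.docx": _zip_of({"[Content_Types].xml": "<Types/>",
                                "word/document.xml": "<w:document/>"}),
        "scan.zip": _zip_of({"scan.pdf.js": "// stand-in for a downloader script"}),
        "docs.zip": _zip_of({"order.doc": ole_doc}),
        "contract.doc": ole_doc,
        "notes.txt": b"nothing to see here",
    }


if __name__ == "__main__":
    for name, blob in build_sample_attachments().items():
        verdict = triage_attachment(name, blob)
        print(f"{name:14s} {'HOLD' if verdict else 'ok  '} {'; '.join(verdict)}")
```

Run it as is to see the verdicts on the built-in samples; at a mail gateway you would call triage_attachment on each MIME part instead. A flagged file is not proof of malware, it is the cue to stop and vet the message the way the checklist below describes, and a .docx that turns out to contain vbaProject.bin is worth a second look even though Word itself will refuse to run macros from that extension.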

Does something look Phishy?

Your best defense against phishing attempts is not a defense but an offense: your spidey sense that something is just not adding up.  If in doubt, do not follow the instructions or open the file.  The questions in your mind should be: is this something I was expecting, and does the sender's actual address (not just the display name) look right?

The main question is “what is the worst that could happen if I make a wrong decision?”  Keep in mind that the cyber criminal is asking you to do his work for him.  He is not trying to hack his way into your computer by brute force; he is attempting to lure you into opening the front door for him.  So at the end of the day this is not a matter of relying on an anti-virus, it is a matter of employing severe caution and discernment.

Here are the do’s and don’ts on ransomware (and phishing in general), to keep you safe – in order of importance:

1. Be wary of unsolicited messages containing attachments.  If in any doubt, do not open them.  If you think one could be legitimate, do an internet search on some of the keywords in the email, or ask a security expert.  A fair number of grammatical and spelling errors is one telltale sign.  Aren't you glad you didn't sleep through your English class?

2.  If you review emails on your phone, defer further examination of suspect emails and attachments until you can look them over more carefully and vet them on your notebook or desktop PC.

3.  Office does not run macros automatically: by default it shows a yellow “Enable Content” bar instead, and since 2016 administrators can have Office block macros outright in files downloaded from the internet.  Ransomware being a widespread threat since 2015 is exactly why.  Do not click “Enable Content” unless you are absolutely certain a legitimate reason exists for doing so.

4.  Run frequent backups of all your data, and keep at least one copy offline or otherwise out of reach of the infected machine, because Locky also encrypts files on attached drives and network shares it can write to.  If, despite your caution, something should happen, the crooks will not be able to prevent you from restoring the bulk of your files without paying their extortion fee.

5.  Keep current with a version of your operating system that is still receiving security updates and patches, and install those updates.  So for example, if you still have Windows XP or Vista on any PC you actively use, drop everything you are doing and either upgrade to Windows 10 or to a Linux based OS like Ubuntu, which is a good and more secure fit for those older laptops you still want to use.  The Equifax data breach, we now know, was the consequence of their IT security department not installing a critical security patch on schedule.

“Ransomware is something you have to be proactive about preventing,” said Capt. Spencer Johnson, chief of the Network Operations Branch in the Directorate of Communications at Headquarters Air Force Reserve Command. “It’s vital to not get behind the power curve with your computer’s operating system. If you’re more than two operating systems behind (the latest available version), it’s time to upgrade your software or, better yet, get a new laptop.”
