‘Locky’ sounds like a cute nickname, but the reality of this ransomware is quite the opposite. Once it runs on a machine it encrypts files on the local drives and on any network shares it can reach, then demands a ransom for their recovery. Where many machines in a company are hit, the total can be a large sum (50% of Locky victims to date have been small-to-medium businesses). It is one of the most complex and effective ransomware variants seen so far.
The malware is usually spread by a botnet, a network of compromised computers that relay spam carrying the malware, so each infected machine helps distribute the next infection. The botnet takes its orders from a command and control (C&C) server. Earlier this year the server that Locky's payload is downloaded from was hacked, and the ransomware executable (.exe) was replaced with a tiny file containing only the text ‘STUPID LOCKY’.
A similar thing happened in February last year, when the Dridex botnet was hacked and its distribution was reconfigured to deliver a legitimate antivirus installer instead of the banking trojan. White (or grey) hat hackers are increasingly attacking these malware networks, and perhaps a proactive response like this is what is needed to combat the rising threat. It is right for companies to defend themselves more effectively; this much they owe to their investors and customers. But every new defensive method is met by an advance in the malware or a change of strategy to match, so it is time to be proactive against threats like Locky.