A brand new type of ransomware has been disturbing PC users lately. According to security experts, this malware is rather similar in its mode of attack to the notorious banking malware Dridex.
Most often, victims receive a Microsoft Word document via email, disguised as an invoice that asks the user to enable a macro, a small embedded program that performs some function. Because Microsoft disables macros by default for security reasons, users who open such a document see a warning on their monitors.
If macros are enabled, the document will run the macro and download Locky straight onto the victim's machine. The same technique is used by Dridex, a banking trojan that steals online account credentials.
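The delivery step above relies on a Word document carrying VBA code. A mail gateway or triage script can spot that without opening the file in Office, because an Office Open XML document is a ZIP package and macro code lives in a well-known part (`word/vbaProject.bin`). The following is an added example, not code from the original article or from Palo Alto; the sample documents it builds are constructed in memory and stand in for a real attachment.

```python
from __future__ import annotations
import io
import zipfile

# Package parts that carry VBA macro code in Word, Excel and PowerPoint files.
MACRO_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
# Content type the package manifest uses to declare a VBA project part.
MACRO_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def find_macro_parts(data: bytes) -> list[str]:
    """Return the macro-bearing parts found inside an OOXML attachment.

    Returns an empty list for a document without macros and also for data
    that is not a ZIP container at all (for example a legacy binary .doc),
    so callers should treat "not a ZIP" as "inspect by other means", not as clean.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
            hits = [part for part in MACRO_PARTS if part in names]
            # Second signal: the manifest declares a vbaProject part even if the
            # part itself was renamed or stored under an unexpected path.
            if not hits and "[Content_Types].xml" in names:
                manifest = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                if MACRO_CONTENT_TYPE in manifest:
                    hits.append("[Content_Types].xml declares a vbaProject part")
            return hits
    except zipfile.BadZipFile:
        return []


def classify_attachment(data: bytes) -> str:
    """Map the inspection result to a gateway verdict."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "not-ooxml"
    return "macro" if find_macro_parts(data) else "no-macro"


def build_sample(with_macro: bool) -> bytes:
    """Construct a minimal Word-like package in memory (constructed sample, not a real invoice)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        overrides = [
            '<Override PartName="/word/document.xml" '
            'ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
        ]
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # An OLE compound-file header stub stands in for the real VBA project blob.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 16)
            overrides.append(
                '<Override PartName="/word/vbaProject.bin" '
                'ContentType="application/vnd.ms-office.vbaProject"/>'
            )
        zf.writestr("[Content_Types].xml", "<Types>" + "".join(overrides) + "</Types>")
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in (("invoice_with_macro", build_sample(True)),
                          ("invoice_plain", build_sample(False)),
                          ("random_bytes", b"not an office document")):
        print(f"{label}: {classify_attachment(sample)} {find_macro_parts(sample)}")
```

The manifest check matters in practice: renaming the part does not change what Word executes, but it would defeat a scanner that only looks for the canonical path.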
The people distributing Locky are most likely affiliated with those behind Dridex, “due to similar styles of distribution, overlapping file names, and an absence of campaigns from this particularly aggressive affiliate coinciding with the initial emergence of Locky,” Palo Alto said.
In any case, ransomware is an overwhelming issue for all PC users. This malware encrypts files on the computer, and the hackers demand a payment for the decryption key. Victims cannot recover their files unless they have regularly backed them up and those backups were out of the ransomware's reach.
Not long ago, the computer system of Hollywood Presbyterian Medical Center was shut down after a ransomware infection. The hackers were asking for 9,000 bitcoins, worth US$3.6 million, which is one of the largest ransom figures made public.
Locky's creators have most probably staged a large attack. According to Palo Alto, it detected 400,000 sessions using the same kind of macro downloader, called Bartallex; it is Bartallex that deposits Locky onto the system.
Locky uses its command-and-control infrastructure to conduct a key exchange in memory before files are encrypted, which could be a potential weak point.
“This is interesting, as most ransomware generates a random encryption key locally on the victim host and then transmits an encrypted copy to attacker infrastructure,” Palo Alto said.
“This also presents an actionable strategy for mitigating this generation of Locky by disrupting associated command-and-control networks.”
According to Kevin Beaumont, files encrypted by the ransomware receive a “.locky” extension. Beaumont also included guidance for finding out who in an organization has been infected; once identified, that user's Active Directory account should be locked immediately and their network access cut off. Beaumont concluded:
“You will likely have to rebuild their PC from scratch.”
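Beaumont's advice depends on quickly working out which account did the encrypting. On a file server the “.locky” extension is the tell, and the owner and timestamp of each renamed file point back to the account that wrote it. The script below is an added example, not Beaumont's guidance or code from the article; it runs over a constructed file-server listing (the share names, accounts and times are made up) and reports, per account, how many encrypted files it produced, which shares it touched and when it started, so the earliest account can be locked first.

```python
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class FileRecord:
    path: str        # UNC path as reported by the file server
    owner: str       # account that last wrote the file
    modified: datetime


# Constructed sample records standing in for a file-server audit export.
SAMPLE_RECORDS = [
    FileRecord(r"\\fs01\finance\Q1\invoice_0042.docx.locky", r"CORP\jdoe", datetime(2016, 2, 17, 9, 14, 2)),
    FileRecord(r"\\fs01\finance\Q1\budget.xlsx.locky", r"CORP\jdoe", datetime(2016, 2, 17, 9, 14, 5)),
    FileRecord(r"\\fs01\finance\Q1\notes.txt", r"CORP\asmith", datetime(2016, 2, 16, 17, 2, 0)),
    FileRecord(r"\\fs01\hr\policies\handbook.pdf.locky", r"CORP\jdoe", datetime(2016, 2, 17, 9, 21, 40)),
    FileRecord(r"\\fs02\eng\design.vsd.locky", r"CORP\bwong", datetime(2016, 2, 17, 10, 2, 11)),
    FileRecord(r"\\fs02\eng\readme.md", r"CORP\bwong", datetime(2016, 2, 15, 8, 0, 0)),
]


def share_of(path: str) -> str:
    """Reduce \\server\share\dir\file to \\server\share."""
    parts = path.split("\\")
    if len(parts) >= 4 and parts[0] == "" and parts[1] == "":
        return "\\\\" + parts[2] + "\\" + parts[3]
    return path


def triage(records: list[FileRecord], extension: str = ".locky") -> dict[str, dict]:
    """Group encrypted files by the account that wrote them.

    Returns {owner: {"count", "first_seen", "last_seen", "shares"}}, ordered by
    first_seen so the first entry is the account to lock first.
    """
    by_owner: dict[str, list[FileRecord]] = defaultdict(list)
    for rec in records:
        if rec.path.lower().endswith(extension):
            by_owner[rec.owner].append(rec)
    summary = {
        owner: {
            "count": len(recs),
            "first_seen": min(r.modified for r in recs),
            "last_seen": max(r.modified for r in recs),
            "shares": sorted({share_of(r.path) for r in recs}),
        }
        for owner, recs in by_owner.items()
    }
    return dict(sorted(summary.items(), key=lambda item: item[1]["first_seen"]))


def first_infected(records: list[FileRecord]) -> str | None:
    """Account with the earliest encrypted file, or None if nothing matched."""
    summary = triage(records)
    return next(iter(summary), None)


if __name__ == "__main__":
    for owner, info in triage(SAMPLE_RECORDS).items():
        print(f"{owner}: {info['count']} files, first {info['first_seen']}, shares {info['shares']}")
    print("lock first:", first_infected(SAMPLE_RECORDS))
```

Owner and modification time come from the file server's own metadata, so a user whose machine is still encrypting will keep climbing the count until their account is disabled and their network access is cut, which is the order Beaumont recommends.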