
Hail Showcase: Ransomware "Locky"—What You Need to Know

Jay Haines — RTFM Consulting - April 7, 2016




Don't let its cheerful name "Locky" fool you: this new strain of ransomware isn't friendly.
This article originally appeared on the RTFM Consulting Facebook Page.

There is yet another new kid on the block when it comes to upsetting your day. Locky is the latest ransomware, and it renames all of your files to have the extension .locky.

This would be annoying enough, but it doesn't stop there. It encrypts the contents of the files and only the bad guys have the decryption key. They will sell you the key using Bitcoin currency, but you've no guarantee you'll get the key after paying!

The Infection — The way this particular software travels (at the time of writing) seems to be via a Microsoft Word document. When you open the document, the contents appear scrambled and it tells you to enable macros in Word. If you do this, hidden code in the Word document saves itself to your computer and executes, reaching out over the internet to fetch the actual ransomware.

The Payload — This is a particularly smart and nasty infection as it attacks your computer in a number of ways. It will first find files including videos, images, source code and Office files, then encrypt them. It will look for a Bitcoin wallet if you have one and encrypt that too, and it will even look for Volume Snapshot Service (VSS) files, which are backups of your computer (often made automatically), and remove them, making it impossible for you to rewind your computer. Once all of this is done, it's ready to reveal itself and demand payment.

Locky will encrypt any drives which it can access including USB drives and network shares whether on a server or another person's PC (including Mac and Linux). This will likely cripple an entire business, not just the infected PC itself.
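The mass rename to .locky described above is also the behaviour a file server can catch early. Below is an added example (not RTFM Consulting's code) that scans file-server audit events for a burst of renames to the .locky extension from one host, which is the signal an administrator would alert on and use to isolate the infected PC and restore the share from offline backup. The comma-separated event format and the sample events are constructed for the example; a real audit log would need its own parser, and the window and threshold are assumptions to tune for your environment.

```python
"""Flag hosts that rename many files to ".locky" in a short window.

Added illustration for the Locky post; not RTFM Consulting's code.
Event format (constructed): timestamp,user,host,action,source_path,dest_path
"""
from collections import defaultdict
from datetime import datetime, timedelta

SUSPECT_EXTENSION = ".locky"        # extension Locky appends (from the post)
WINDOW = timedelta(seconds=60)      # assumed detection window
THRESHOLD = 5                       # assumed renames per host per window

# Constructed sample events: WS01 renames six files to .locky in seconds,
# WS02 does an ordinary rename, WS03 archives an already-encrypted file.
SAMPLE_EVENTS = """\
2016-04-07T09:00:01,alice,WS01,rename,/shared/q1-report.docx,/shared/q1-report.locky
2016-04-07T09:00:02,alice,WS01,rename,/shared/budget.xlsx,/shared/budget.locky
2016-04-07T09:00:02,alice,WS01,rename,/shared/photos/holiday.jpg,/shared/photos/holiday.locky
2016-04-07T09:00:03,bob,WS02,rename,/shared/draft.docx,/shared/draft-final.docx
2016-04-07T09:00:03,alice,WS01,rename,/shared/src/main.c,/shared/src/main.locky
2016-04-07T09:00:04,alice,WS01,rename,/shared/notes.txt,/shared/notes.locky
2016-04-07T09:00:05,alice,WS01,rename,/shared/wallet.dat,/shared/wallet.locky
2016-04-07T12:30:00,carol,WS03,rename,/shared/old.locky,/shared/old.locky.bak
"""


def parse_events(text):
    """Parse the constructed CSV event lines into dicts, one per event."""
    events = []
    for line in text.strip().splitlines():
        ts, user, host, action, src, dst = line.split(",")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "host": host,
            "action": action,
            "src": src,
            "dst": dst,
        })
    return events


def is_suspect_rename(event):
    """A rename whose destination gains the .locky extension."""
    return (event["action"] == "rename"
            and event["dst"].lower().endswith(SUSPECT_EXTENSION)
            and not event["src"].lower().endswith(SUSPECT_EXTENSION))


def find_encryption_bursts(events, window=WINDOW, threshold=THRESHOLD):
    """Return {host: count} for hosts whose suspect renames reach the
    threshold inside any sliding window of the given length."""
    times_by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if is_suspect_rename(ev):
            times_by_host[ev["host"]].append(ev["ts"])

    alerts = {}
    for host, times in times_by_host.items():
        start, peak = 0, 0
        for end in range(len(times)):
            # Slide the window start forward until it fits within `window`.
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[host] = peak
    return alerts


def affected_files(events, host):
    """Original paths renamed to .locky from `host`, for the restore list."""
    return [ev["src"] for ev in events
            if ev["host"] == host and is_suspect_rename(ev)]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for host, count in find_encryption_bursts(evs).items():
        print(f"ALERT {host}: {count} renames to {SUSPECT_EXTENSION} within {WINDOW}")
        for path in affected_files(evs, host):
            print("  restore:", path)
```

The check deliberately ignores renames whose source already ends in .locky, so tidying up after an incident does not re-trigger the alert, and it keys on the host rather than the user because the post notes that one infected PC encrypts everything it can reach on the share.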

How to Protect Yourself — If you're an existing customer using web protection through the RTFM Cloud Manage and Protect Platform, then breathe easy. We've already put in place blocks to prevent this software from reaching the currently known offending servers. If you're not using Web Protection, or aren't sure, please contact us; this is just one example of the protection which comes with this service.

Read the rest of the post here and explore their social blog 'The Manual'.