Locky Ransomware Is Becoming More Prevalent

The Locky ransomware is becoming more complex and far-reaching…

Update: Locky has accounted for 97% of all malicious email attachments, according to Proofpoint’s Quarterly Threat Summary for the third quarter. 

We are seeing an increase in the amount of Locky ransomware attempting to execute on our customers’ computers. This ransomware family has become more common this year as its operators refine the malware and adopt new strategies for distributing it. If you’re not familiar with Locky, you can read this post about recent developments in the Locky world, written by Dodi Glenn, Vice President of Cyber Security at PC Pitstop. There is also an article here by Stu Sjouwerman at KnowBe4 that covers Locky.

After analyzing samples of Locky ransomware that were stopped from executing on our customers’ computers, Dodi Glenn had this to say about the changes happening within Locky.

“The creators recently modified the DGA (Domain Generating Algorithm) so that the Command and Control servers are different each day. They also made a new variant of Locky, which attacks network shares and other attached storage, using blank/null credentials and/or the locally logged in user credentials. For the most part, they are sticking to 104.239.213.7 as the server, but are registering multiple domains. Lastly, they are partnering with the Exploit Kit (EK) developers to bundle Locky, so I expect to see a drastic increase in the number of samples being distributed via exploits and spam.” 

Now, more than ever, it is recommended that you keep offline backups of your data: ransomware that runs under the logged-in user’s credentials can write to anything that user can write to, so it can reach networked storage and attached devices as well as the local disk. I personally have a backup that is always attached and runs several times per day, and an offline copy that is kept secure in case my attached backups are compromised. Getting started with backups is very easy, especially as storage prices are steadily decreasing. A simple 1 TB (terabyte) external hard drive will work perfectly for most consumers and costs only around $50.
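As an added illustration (not code from the original post or from PC Pitstop), the script below shows why an always-attached backup is not enough on its own. It takes a snapshot of a folder together with a SHA-256 manifest, and later re-checks the copy and reports files that were altered, removed or added, which is exactly what an attached backup drive looks like after ransomware running as the logged-in user has reached it. The directory names and sample files are constructed for the demonstration.

```python
"""Versioned backup with a hash manifest, plus a verification pass.

Added example, not code from the original post. Every backup run creates a
new snapshot directory instead of overwriting the last one, so an older copy
survives even when the newest run copies already-encrypted originals. The
manifest written at backup time lets verify_backup() detect a copy that was
rewritten later. All paths and file contents here are constructed samples.
"""
import json
import hashlib
import shutil
import tempfile
import time
from pathlib import Path

MANIFEST_NAME = "manifest.json"


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large backups need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hash_tree(data_dir: Path) -> dict:
    """Map every file under data_dir (relative, POSIX-style) to its SHA-256."""
    return {
        p.relative_to(data_dir).as_posix(): sha256_of(p)
        for p in sorted(data_dir.rglob("*"))
        if p.is_file()
    }


def make_backup(source: Path, dest_root: Path) -> Path:
    """Copy `source` into a fresh snapshot directory and write a hash manifest."""
    snapshot = dest_root / f"snapshot-{time.time_ns()}"
    data_dir = snapshot / "data"
    shutil.copytree(source, data_dir)
    (snapshot / MANIFEST_NAME).write_text(json.dumps(hash_tree(data_dir), indent=2))
    return snapshot


def verify_backup(snapshot: Path) -> dict:
    """Re-hash the snapshot and report anything that no longer matches the manifest."""
    manifest = json.loads((snapshot / MANIFEST_NAME).read_text())
    present = hash_tree(snapshot / "data")
    return {
        "modified": sorted(n for n, h in manifest.items() if n in present and present[n] != h),
        "missing": sorted(n for n in manifest if n not in present),
        "unexpected": sorted(n for n in present if n not in manifest),
    }


def demo() -> tuple:
    """Back up constructed sample files, then tamper with the copy and re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source = root / "documents"
        (source / "photos").mkdir(parents=True)
        (source / "thesis.docx").write_bytes(b"constructed sample document")
        (source / "photos" / "cat.jpg").write_bytes(b"constructed sample image")

        snapshot = make_backup(source, root / "backups")
        clean = verify_backup(snapshot)

        # Simulate an attached backup drive being reached by ransomware that
        # runs as the logged-in user: one copy overwritten, one deleted, and
        # a file the backup never contained dropped alongside them.
        (snapshot / "data" / "thesis.docx").write_bytes(bytes(range(64)))
        (snapshot / "data" / "photos" / "cat.jpg").unlink()
        (snapshot / "data" / "README.txt").write_bytes(b"constructed stand-in for a dropped file")
        tampered = verify_backup(snapshot)
    return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("fresh snapshot:", before)
    print("after tampering:", after)
```

The caveat that makes the offline copy necessary: anything that can rewrite the data in the snapshot can rewrite `manifest.json` next to it as well, so keep a copy of the manifest, or the whole snapshot, somewhere the logged-in user cannot write to, and compare against that copy before trusting an attached backup.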

Work is also under way on a vaccine to prevent Locky from encrypting your files. Sylvain Sarméjeanne has an article here that dives deep into the technical workings of Locky and how vaccines can be developed. One Locky vaccine, offered as a proof of concept, has been published by cryptobioz here. We’re still testing this vaccine for its effectiveness and will update this post with our findings. It is not expected to be a complete fix that stops Locky encryption, only proof that the ideas presented in Sylvain Sarméjeanne’s article can be effective and developed further.

PC Matic users running SuperShield should note that these files will not be able to execute on their machines, as SuperShield blocks them.

 


4 thoughts on “Locky Ransomware Is Becoming More Prevalent”

  1. Do you think that they may be getting sloppy? They, as in the hackers, or whatever you want to call them. How? They are creating variants quickly, which could mean sloppiness. They are all based off an original and most are probably using some form of key. Enigma in WWII comes to mind. Now the key needs to be found so the process can be reverse engineered in order to break the code. Sorry, this was just random thinking and I had to put it down.

    • There are multiple things you can do to be proactive. First, make sure your PC’s software is up to date. Most updates are used to enhance processes and patch security vulnerabilities. If you are not updating your system when updates are available, you are leaving your PC vulnerable. Secondly, make sure your security software is up to date and running. Unfortunately, traditional AV software programs have had difficulties stopping the Locky ransomware; however, SuperShield has been successful in stopping the attempts to gain access to various consumers’ PCs.
