The Locky ransomware is becoming more complex and far reaching…
Update: Locky has accounted for 97% of all malicious email attachments, according to Proofpoint’s Quarterly Threat Summary for the third quarter.
We are seeing an increase in the amount of Locky ransomware attempting to execute on our customers’ computers. This version of ransomware is becoming more common this year as they advance the technology and take on new strategies behind distributing it. If you’re not familiar with the Locky ransomware, you can read this post about the recent developments within the Locky world, written by Dodi Glenn the Vice President of Cyber Security at PC Pitstop. Additionally, there is an article here written by Stu Sjouwerman at KnowBe4 that covers Locky as well.
After analyzing samples of Locky ransomware that were stopped from executing on our customers’ computers, Dodi Glenn had this to say about changes happening within Locky.
“The creators recently modified the DGA (Domain Generating Algorithm) so that the Command and Control servers are different each day. They also made a new variant of Locky, which attacks network shares and other attached storage, using blank/null credentials and/or the locally logged in user credentials. For the most part, they are sticking to 184.108.40.206 as the server, but are registering multiple domains. Lastly, they are partnering with the Exploit Kit (EK) developers to bundle Locky, so I expect to see a drastic increase in the number of samples being distributed via exploits and spam.”
Now, even more than ever, it is recommended that you keep offline backups of your data as malicious files can find their way to networked storage or devices. I personally have a backup that is always attatched and runs several times per day, and an offline copy that is secure in the case that my attatched backups are compromised. Getting started with backups is very easy, especially as storage prices are steadily decreasing. A simple 1 TB (TeraByte) external hard drive will work perfectly for most consumers, and only costs around $50.00.
There are currently developments in creating a vaccine to prevent Locky from encrypting your files. Sylvain Sarméjeanne has an article here that dives very technically into the workings of Locky and how vaccines can be developed. One Locky vaccine, which is being used as a proof of concept has been published by cryptobioz here. We’re still testing this vaccine for it’s effectiveness, and will update this blog with our findings. It is not expected to be a complete fix to stop Locky encryptions, just proof that the ideas presented by Sylvain Sarméjeanne in his article can be effective and further developed.
PC Matic users with SuperShield running should be aware that these files will not be able to execute on their machines, as SuperShield will stop them.