HKCert

Locky Ransomware Encrypts Victim Data

Release Date: 18 / 03 / 2016
Last Update: 06 / 04 / 2016
Criticality Level:

A new ransomware variant known as Locky has been spreading rapidly through large-scale spam campaigns and compromised websites. HKCERT has received numerous reports from victims.


How Locky was spread

  1. Spam email
    Some victims were infected by opening attachments in spam emails:
    • Known titles of the spam emails include the following:
      • ATTN: Invoice J-[RANDOM NUMBERS]
      • Your booking [RANDOM NUMBERS] is confirmed
      • Payment ACCEPTED [RANDOM NUMBERS]
      • FW: Invoice 2016-M#[RANDOM NUMBER]
    • The malicious email attachment may be a macro-enabled Microsoft Office document, a ".zip" file containing a JavaScript (.js) file, or another format.
    • The attachment is usually a downloader designed to evade anti-malware detection.
    • The email may appear to come from the victim's own address or from a random sender.
  2. Compromised website
    • Some victims were infected by visiting compromised websites. Those websites mainly target Internet Explorer users.
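The following is an added example, not part of the HKCERT alert: a small mail-screening routine a defender could run at a gateway or in a triage script, built from the indicators the alert lists (the four subject-line patterns, macro-enabled Office attachments, zip archives carrying a .js file, and mail spoofed from the recipient's own address). The `Message` class, the sample messages and the addresses are constructed for the demo; the extension sets are an assumption about which file types count as "macro-enabled Office document".

```python
import io
import os
import re
import zipfile
from dataclasses import dataclass, field


# Subject lines the alert lists; "[RANDOM NUMBERS]" is modelled as \d+.
SUBJECT_PATTERNS = [
    re.compile(r"^ATTN: Invoice J-\d+$"),
    re.compile(r"^Your booking \d+ is confirmed$"),
    re.compile(r"^Payment ACCEPTED \d+$"),
    re.compile(r"^FW: Invoice 2016-M#\d+$"),
]

# Attachment types the alert names as carriers. Assumption: macro-enabled
# Office files use the .docm/.xlsm/.pptm extensions or the legacy binary
# formats, which can also embed VBA macros.
MACRO_EXTENSIONS = {".docm", ".xlsm", ".pptm", ".doc", ".xls"}
SCRIPT_EXTENSIONS = {".js"}


@dataclass
class Message:
    """Minimal stand-in for a parsed mail message (constructed; not a MIME parser)."""
    subject: str
    sender: str
    recipient: str
    attachments: dict = field(default_factory=dict)  # filename -> raw bytes


def zip_contains_script(data: bytes) -> bool:
    """True if the bytes are a zip archive holding at least one .js entry."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            return any(os.path.splitext(name)[1].lower() in SCRIPT_EXTENSIONS
                       for name in archive.namelist())
    except zipfile.BadZipFile:
        return False


def screen_message(msg: Message) -> list[str]:
    """Return the reasons a message should be quarantined; an empty list means it passes."""
    reasons = []
    if any(p.match(msg.subject) for p in SUBJECT_PATTERNS):
        reasons.append("subject matches a known Locky lure")
    if msg.sender.lower() == msg.recipient.lower():
        reasons.append("sender address is the recipient's own address")
    for name, data in msg.attachments.items():
        ext = os.path.splitext(name)[1].lower()
        if ext in MACRO_EXTENSIONS:
            reasons.append(f"macro-capable Office attachment: {name}")
        elif ext in SCRIPT_EXTENSIONS:
            reasons.append(f"script attachment: {name}")
        elif ext == ".zip" and zip_contains_script(data):
            reasons.append(f"zip attachment containing a script: {name}")
    return reasons


def build_zip(entries: dict) -> bytes:
    """Construct an in-memory zip from {name: bytes} (sample data for the demo)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name, data in entries.items():
            archive.writestr(name, data)
    return buf.getvalue()


# Constructed sample messages modelled on the lures the alert describes.
SAMPLES = {
    "invoice": Message(
        subject="ATTN: Invoice J-98765432",
        sender="accounts@example.invalid",
        recipient="staff@example.invalid",
        attachments={"invoice_J-98765432.docm": b"\x00"},
    ),
    "booking": Message(
        subject="Your booking 123456 is confirmed",
        sender="staff@example.invalid",
        recipient="staff@example.invalid",
        attachments={"booking.zip": build_zip({"booking_123456.js": b"// placeholder"})},
    ),
    "benign": Message(
        subject="Lunch on Friday?",
        sender="colleague@example.invalid",
        recipient="staff@example.invalid",
        attachments={"menu.pdf": b"%PDF-1.4"},
    ),
}


def screen_samples() -> dict:
    """Screen every sample and report how many reasons each one triggered."""
    return {name: len(screen_message(msg)) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        verdict = screen_message(msg)
        print(f"{name:8s} -> {'QUARANTINE' if verdict else 'deliver'}: {verdict}")
```

The subject patterns are deliberately anchored and literal, so they catch the reported lures without producing false positives on ordinary invoice mail; the attachment checks are what carry the rule once the subject lines change, which spam campaigns do quickly.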

Impact

  • Locky encrypts files on victims’ computers and adds a .locky file extension to them.
  • Files on network drives are affected.
  • Encrypted data is unrecoverable.
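Because the alert notes that files on network drives are affected as well, a first triage step is to find out how far the .locky marker has spread across local folders and mapped shares. The following is an added example, not code from HKCERT: it walks a directory tree, lists every file carrying the .locky extension and counts hits per first-level directory, which stands in for "per share" here. The sample tree it builds in a temporary directory is constructed for the demo.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

# Extension the alert says Locky appends to encrypted files.
ENCRYPTED_EXTENSION = ".locky"


def find_encrypted_files(root: str) -> list[str]:
    """Walk root and return every file path ending in .locky, sorted."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(ENCRYPTED_EXTENSION):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def summarise_by_share(root: str, hits: list[str]) -> dict:
    """Count hits per first-level directory under root (a stand-in for mapped drives)."""
    counts = Counter()
    for path in hits:
        rel = Path(path).relative_to(root)
        share = rel.parts[0] if len(rel.parts) > 1 else "."
        counts[share] += 1
    return dict(counts)


def build_sample_tree(root: str) -> None:
    """Construct a sample tree: a 'local' folder and a 'shared' folder with some .locky files."""
    files = {
        "local/report.docx": b"intact",
        "local/doc1.locky": b"\x00" * 16,
        "shared/finance/budget.xlsx": b"intact",
        "shared/finance/doc2.locky": b"\x00" * 16,
        "shared/hr/doc3.locky": b"\x00" * 16,
    }
    for rel, data in files.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)


def run_demo() -> tuple:
    """Build the sample tree, scan it and return (hit count, per-share summary)."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        hits = find_encrypted_files(root)
        return len(hits), summarise_by_share(root, hits)


if __name__ == "__main__":
    total, by_share = run_demo()
    print(f"{total} encrypted files found: {by_share}")
```

Run it against a real mount point (with the infected machine already isolated, as the alert advises) by calling `find_encrypted_files` on the share path instead of the temporary tree; the per-share summary shows which drives need to be restored from backup.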

To protect yourself from ransomware:

  • Delete any suspicious-looking emails you receive, especially if they contain links or attachments.
  • Be extremely wary of any Microsoft Office email attachment that advises you to enable macros to view its content. Do not enable macros if in doubt.
  • Regularly back up the files stored on your computer, and keep an offline copy of the backup.
  • Always keep your security software up to date.
  • Keep your operating system and other software updated.
  • Once infected, isolate the infected computer from the network and external storage immediately. Do not open any file before clearing the malware.
  • We do not recommend paying the ransom.