Ransomware, what is it? Defined as “malware for data kidnapping,” it is one of the top security issues of the digital and cloud age: the attacker encrypts data and demands a ransom (usually a Bitcoin payment) in exchange for the decryption key.
Today, another ransomware, “Locky,” threatens the online community and can hit you if you are ‘unlucky.’ It spreads in much the same way as the Dridex banking Trojan.
How does Locky work?
The victim is sent an email with a Microsoft Word attachment disguised as an invoice that requires macros to be enabled.
[Microsoft disables macros by default for security reasons, so a user will normally see a warning when an attachment contains them.]
If you enable macros anyway, the macro runs and downloads Locky to your PC, according to Palo Alto Networks.
[This is the same modus operandi used by Dridex, a notorious Trojan that steals banking account details.]
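Because the whole chain starts with a macro-bearing Word attachment, the natural place to break it is at the mail gateway, before the user ever sees the "enable macros" prompt. The following is an added example (not code from the article, Palo Alto Networks or Microsoft) that classifies an attachment by whether it carries a VBA project. The OOXML check is exact: a modern Word/Excel file is a ZIP package, and macros live in a part named `vbaProject.bin`. The legacy OLE2 (.doc/.xls) check is a byte-pattern heuristic, which is an assumption of this example; the sample documents are constructed in memory as test fixtures, not real files.

```python
"""Gateway-side check for macro-bearing Office attachments (added example)."""
import io
import zipfile

# Legacy binary Office container (.doc/.xls) starts with this OLE2 signature.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Modern Office files (.docx/.docm/.xlsm) are ZIP packages.
ZIP_MAGIC = b"PK\x03\x04"


def inspect_attachment(data):
    """Classify raw attachment bytes as 'macro', 'clean' or 'unknown'.

    Returns (verdict, reason). OOXML packages are inspected exactly: a VBA
    project is stored in a part named vbaProject.bin. For legacy OLE2 files
    this is only a byte-pattern heuristic (assumption of this example): VBA
    storages appear under UTF-16LE names such as '_VBA_PROJECT' and 'Macros'.
    """
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as package:
                parts = package.namelist()
        except zipfile.BadZipFile:
            # A truncated or malformed package cannot be cleared; hold it.
            return ("unknown", "ZIP container is malformed")
        if any(part.lower().endswith("vbaproject.bin") for part in parts):
            return ("macro", "OOXML package contains a VBA project part")
        return ("clean", "no VBA project part in OOXML package")
    if data.startswith(OLE2_MAGIC):
        for storage in ("_VBA_PROJECT", "Macros"):
            if storage.encode("utf-16-le") in data:
                return ("macro", "OLE2 file contains a %r storage name" % storage)
        return ("clean", "no VBA storage names found in OLE2 file")
    return ("unknown", "not an Office container")


def should_quarantine(data):
    """Policy: hold any attachment that carries macros for analyst review."""
    return inspect_attachment(data)[0] == "macro"


def build_sample_docm(with_macros):
    """Construct a minimal OOXML package in memory (test fixture, not a real file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as package:
        package.writestr("[Content_Types].xml", "<Types/>")
        package.writestr("word/document.xml", "<document/>")
        if with_macros:
            package.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


def build_sample_ole_doc(with_macros):
    """Construct bytes that look like a legacy .doc, with or without a VBA storage name."""
    body = OLE2_MAGIC + b"\x00" * 64
    if with_macros:
        body += "_VBA_PROJECT".encode("utf-16-le") + b"\x00" * 16
    return body


if __name__ == "__main__":
    samples = (
        ("invoice.docm", build_sample_docm(True)),
        ("invoice.docx", build_sample_docm(False)),
        ("invoice.doc", build_sample_ole_doc(True)),
        ("invoice.pdf", b"%PDF-1.4 ..."),
    )
    for label, blob in samples:
        verdict, reason = inspect_attachment(blob)
        action = "quarantine" if should_quarantine(blob) else "deliver"
        print(f"{label}: {verdict} ({reason}) -> {action}")
```

The point of the design is that the decision does not depend on the file extension the sender chose: an invoice renamed from `.docm` to `.doc` is still a ZIP package with a `vbaProject.bin` part and is still held.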
There are suspicions that the distributors of Locky are connected to one of the main figures behind Dridex, because both use the same malware distribution method.
If you or your organization happens to be an unlucky target, your files will be unrecoverable unless you have a regular backup or the data has not yet been touched.
Recently, the computer system of Hollywood Presbyterian Medical Center was infected by ransomware, with the hackers asking for 9,000 bitcoins (approximately US$3.6 million).
Reports indicate that the operators behind Locky may have conducted a large-scale attack. Palo Alto Networks revealed that it had detected 400,000 sessions using the same downloader, “Bartallex,” which drops the infection onto the computer. Over half of the targets were in the United States; the rest included Australia and Canada.
Locky contacts its command-and-control infrastructure to conduct a memory exchange before it encrypts any files.
Kevin Beaumont, writing on Medium, said that encrypted files carry the ‘.locky’ extension. He wrote guidance on how to work out who in an organization has been infected, and recommended that the victim’s Active Directory account be locked and its network access shut down. Finally, he said that you will most likely have to rebuild the victim’s PC from scratch.
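The `.locky` extension is the practical handle for the triage Beaumont describes: on a shared file server, the account that wrote the renamed files is the infected user, and the host it wrote from is the machine to isolate. The following is an added example (not code from the article or from Beaumont's post) that runs that logic over a few constructed file-server audit lines; the `user=... host=... op=... path=...` record format is an assumption of this example, not any particular product's log format, and the records are assumed to be in chronological order.

```python
"""Triage helper: find which accounts and hosts wrote '.locky' files (added example)."""
import re
from collections import OrderedDict

# Constructed file-server audit lines; the format is an assumption, not a real product's.
SAMPLE_LOG_LINES = [
    r"2016-02-17T09:58:03Z user=DOMAIN\jsmith host=WS-204 op=CREATE path=\\fs01\finance\Q1-forecast.xlsx",
    r"2016-02-17T10:02:11Z user=DOMAIN\jsmith host=WS-204 op=CREATE path=\\fs01\finance\A1B2C3D4E5F60001.locky",
    r"2016-02-17T10:02:11Z user=DOMAIN\jsmith host=WS-204 op=DELETE path=\\fs01\finance\Q1-forecast.xlsx",
    r"2016-02-17T10:02:12Z user=DOMAIN\jsmith host=WS-204 op=CREATE path=\\fs01\finance\A1B2C3D4E5F60002.locky",
    r"2016-02-17T10:05:40Z user=DOMAIN\mlee host=WS-311 op=CREATE path=\\fs01\hr\onboarding.docx",
    r"2016-02-17T10:07:02Z user=DOMAIN\rkhan host=WS-118 op=RENAME path=\\fs01\sales\A1B2C3D4E5F60003.LOCKY",
    "this line is not an audit record",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+host=(?P<host>\S+)\s+op=(?P<op>\S+)\s+path=(?P<path>.+)$"
)
# Only operations that put a renamed file on the share indicate an encrypting client.
WRITE_OPS = {"CREATE", "WRITE", "RENAME"}


def parse_line(line):
    """Return the record fields as a dict, or None for lines that are not audit records."""
    match = LINE_RE.match(line)
    return match.groupdict() if match else None


def find_locky_writers(lines, extension=".locky"):
    """Return {user: {'hosts': set, 'count': int, 'first_seen': ts}} for every
    account that wrote a file carrying the ransomware extension.

    The extension match is case-insensitive; lines are assumed chronological,
    so the first matching record gives the earliest encryption time seen.
    """
    writers = OrderedDict()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["op"] not in WRITE_OPS:
            continue
        if not rec["path"].lower().endswith(extension):
            continue
        entry = writers.setdefault(
            rec["user"], {"hosts": set(), "count": 0, "first_seen": rec["ts"]}
        )
        entry["hosts"].add(rec["host"])
        entry["count"] += 1
    return writers


def containment_actions(writers):
    """Turn the findings into the steps Beaumont recommends: lock the account,
    cut the host off the network, and plan a rebuild from scratch."""
    actions = []
    for user, info in writers.items():
        hosts = ", ".join(sorted(info["hosts"]))
        actions.append(
            f"{user}: disable AD account; isolate host(s) {hosts}; "
            f"{info['count']} encrypted file(s), first seen {info['first_seen']}; "
            f"rebuild host(s) from scratch"
        )
    return actions


if __name__ == "__main__":
    for action in containment_actions(find_locky_writers(SAMPLE_LOG_LINES)):
        print(action)
```

Running it over the constructed lines flags two accounts (`DOMAIN\jsmith` on WS-204 and `DOMAIN\rkhan` on WS-118) and leaves `DOMAIN\mlee` alone; the `first_seen` timestamp is what you compare against backup times to decide how much data is recoverable.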
Check out the full story here.