‘Locky’ ransomware threat decoded, here’s how you can protect yourself

The biggest preventive measure is to make sure one runs the latest updated version of the OS, which is the first line of defence.

The government of India’s Computer Emergency Response Team (CERT) has issued an alert regarding the spread of the Locky ransomware. This comes just months after the onslaught of the WannaCry ransomware, which compromised many computer systems in the country, including those at ATM networks and government offices.

The CERT alert on Saturday termed it a “severe” threat and advised users not to open any emails from unknown senders. It estimates that a total of 23 million messages have been sent in this massive “phishing” campaign.

“The contents of the original files are encrypted (renamed to .locky) using an RSA-2048 and AES-1024 algorithm. The compromised user has to pay the attacker to get the files decrypted,” the CERT alert states.

The malware, which first surfaced in 2016, is known to encrypt files on Windows systems and has emerged as one of the largest malware campaigns this year. Victims are made to pay a ransom in untraceable Bitcoins to recover the files.

Some hospitals in the US and New Zealand have become victims of the attack.

A recent study estimates that close to USD 8 million has been extorted by malicious hackers using Locky.   

Spam emails are the method most commonly used by rogue hackers to target victims. The emails contain an attachment in the form of a Microsoft Office document with an innocuous-looking file name.

What makes the recent spate of attacks more lethal is the equally innocuous subject lines of the emails, such as "please print", "documents", "photo", "images", "scans" and "pictures".

Speaking on this, a cyber security expert working with the Centre for Internet and Society, Udbhav Tiwari, notes that Locky has not created havoc like WannaCry.    

“No, it is not as big as WannaCry given the number of systems intercepted yet. WannaCry was the first ransomware to have an effect on that many systems universally as it did because it exploited a patching vulnerability in most of the systems,” Udbhav tells TNM.

He added that the awareness created by the massive impact of WannaCry limited the extent of the damage caused by Locky.

Locky specifically exploits “macros” in Microsoft Office, similar to how Dridex, the infamous banking malware, used to spread.

“Macros are scripts used for automating certain tasks. In the latest version of Office, they are disabled unless turned on by the user manually, but more sophisticated macros exploit vulnerabilities of Office or the OS to install themselves without the user even running them manually,” explains Udbhav.

“The only way to avoid this is to note the file extension before opening a word file from suspicious senders. Macro-enabled documents have extensions such as ‘.docm’, ‘mdoc’ for Word files or ‘.xlsm’ or ‘mxls’ for Excel files,” says Udbhav.
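As an added example (not from the article, CERT or the expert quoted), the following Python check combines the extension test described above with a look inside the file: modern Office documents (OOXML) are zip containers, and a macro project is stored as a vbaProject.bin part, so a macro document renamed to a harmless-looking .docx is still flagged. The sample files are constructed in the script itself; legacy OLE formats (.doc, .xls) are not zip-based and are only reported as uninspectable here.

```python
import io
import os
import zipfile

# Macro-enabled extensions: the article names .docm and .xlsm; the others
# are the remaining macro-enabled OOXML extensions Office uses.
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".potm"}


def has_vba_project(data: bytes):
    """True/False if `data` is an OOXML zip with/without a vbaProject.bin part,
    None if it is not a zip container at all (e.g. legacy OLE .doc/.xls)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = [n.lower() for n in zf.namelist()]
    except zipfile.BadZipFile:
        return None
    return any(n.endswith("/vbaproject.bin") for n in names)


def classify_attachment(filename: str, data: bytes) -> str:
    """Extension check from the article plus a content check, so a macro
    document hidden behind a non-macro extension is still caught."""
    ext = os.path.splitext(filename)[1].lower()
    vba = has_vba_project(data)
    if vba is None:
        return "legacy-format: cannot inspect here, treat as untrusted"
    if vba and ext in MACRO_EXTENSIONS:
        return "macro-enabled: block or sandbox"
    if vba:
        return "macro hidden behind non-macro extension: block"
    if ext in MACRO_EXTENSIONS:
        return "macro extension but no VBA part: suspicious, inspect"
    return "no macro detected"


def make_ooxml(with_macro: bool) -> bytes:
    """Constructed minimal OOXML-like zip for demonstration (not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed attachments mirroring the lures the article describes.
    samples = [("scan.docm", make_ooxml(True)), ("photo.docx", make_ooxml(True)),
               ("invoice.docx", make_ooxml(False)), ("old.doc", b"\xd0\xcf\x11\xe0 legacy")]
    for name, blob in samples:
        print(f"{name}: {classify_attachment(name, blob)}")
```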

Udbhav says, “Preventive measures like installing specific patches from official sources like the CERT can prevent an attack for specific viruses and can help users once a threat is in public knowledge.”

“The biggest preventive measure is to make sure that one runs the latest updated version of the operating system (OS) which is the first line of defence. The second line of defence can be running a good anti-virus software,” advises Udbhav.

“The third defence mechanism is to follow best online practices like not opening suspicious emails, not downloading email attachments from strangers. You can run the most updated OS and the best antivirus software and yet fall for a specific vulnerability engineered for you,” he adds.

The News Minute