While Petya and WannaCry grabbed all the headlines recently, they were largely unsuccessful in that they made almost no money from ransoms – not so with Locky. The Locky ransomware was much more successful in this area, in what has been estimated as a $1 billion USD revenue for ransomware in 2016.
Around the 1st of September 2017 approximately 23 million messages were sent out with a new strain of Locky and so far, it has infected tens of thousands of computers.
What to look out for
An email message with a non-specific subject line such as “please print”, “documents” or “scans”. Clicking on a .zip file (previously a Word document full of fake encrypted text was used) unpacks the payload, a script file that downloads the Trojan and begins the cryptolocking.
According to a threat intelligence report, the email-based ransomware attacks started on 9th of August and were detected through 62,000 phishing emails in 133 countries in just three days. It also revealed that 11,625 IP addresses were used to carry out the attacks, with the IP range owners consisting mostly of internet service providers and telecom companies.
How it works
The malicious email contains an attachment named “E 2017-08-09 (580).vbs” and just one line of text. Like the original Locky authors, attackers responsible for the new variant deploy social engineering tactics to scam recipients into opening the attached .doc, zip, pdf, .jpg or tiff file, which installs the ransomware into their systems.
When an unsuspecting user downloads the file, the macros run a file that provides the encryption Trojan with an entry point into the system. The Trojan then encrypts the infected computer’s files.
Once encryption is completed, the user receives instructions to download the Tor browser so they can access the "dark web" for details on how to pay the ransom. To retrieve their encrypted files, users will be asked to pay from 0.5-1 Bitcoin.
What you need to do
This ransomware variant builds on the strengths of previous Trojans. In fact, the original Locky strain made it easy for cyber criminals to develop a formidable ransomware that could evade existing cyber security solutions. This is why adopting a "deny all" security stance, whereby all files are considered unsafe until proven otherwise, is the best way to avoid infection.
Here are other tips to avoid infection:
- Don’t open unsolicited attachments in suspicious emails. Alert your IT provider, and most importantly disallow macros in Microsoft Office unless they’ve been verified by your IT provider.
- Performing regular backups guarantees you never have to pay cyber criminals a ransom. If all other security measures fail, you can always rely on your backups, which protect your business not just from cyber-crime related disasters, but also from natural and other unforeseen system failures.
- Train your staff to identify online scams like phishing. This and other similar ransomware strains take advantage of users’ lack of cyber security training.
- Update your operating systems as soon as updates become available to reduce, or eliminate, the chances of your system’s vulnerabilities being exploited.
Even with a trained staff and the latest protections installed, your IT infrastructure may still have unidentified security holes.
How can Diamond help?
We recommend having staff view our examples of "real life" phishing scams and watch our Ransomware webinar series on how to help prepare your organisation against threats and stay protected. Or contact us today to discuss your security concerns – call now on 1300 307 907 or via our online contact form below.
Diamond Technology Optimisation - Security
At Diamond, we take Security seriously. So seriously that we created the Technology Optimisation (TechOps) team. This team is designed to focus solely on aligning our customers ICT environment to industry best practice on an ongoing, proactive basis. We will not only evaluate your hardware and software, but the overall configuration of your environment as well.
Take our quick Online Security Assessment to see how vulnerable your business may be…
Published with permission from TechAdvisory.org. Source.