Locky ransomware arrived on the scene in 2016 and, as with most ransomware strains, is delivered as an email attachment. This particular strain is disguised as an invoice requesting payment.
The attachment is a Microsoft Word document, which contains malicious macros. When the victim opens the document to see what the invoice is about, they are presented with gibberish text, along with a heading that says “Enable macro if data encoding is incorrect”.
If the victim decides to enable the macro in MS Word, another script is downloaded which begins encrypting files with particular extensions. The script renames each encrypted file to a unique 16-character combination of letters and numbers, and changes the file extension to one such as .locky, .zepto, .odin, .aesir, .thor, .zzzzz, .osiris or .shit.
In addition to encrypting the victim’s files, the script will also download exploit kits from the attacker’s Command & Control (C&C) server in order to identify and exploit vulnerabilities on the victim’s machine. Exploiting vulnerabilities can help the attack spread to other systems. The script will also attempt to delete existing shadow copies of the victim’s data.
Once the files have been encrypted, the victim will be asked to download the Tor browser and visit the attacker’s website for further instructions. As it stands, the ransom payment is between 0.5 and 1 bitcoin, which, as of June 2022, is approximately 32,000 USD. At this stage, a timer will begin, and if the victim refuses to pay the ransom within the specified time frame, the decryption key will be automatically destroyed, or at least that’s what is claimed.
Examples of Locky Ransomware Attacks
There are not many publicized examples of Locky ransomware attacks. However, there were reports of a large number of Locky ransomware attacks being launched against healthcare service providers in the United States.
In one scenario, a hospital in Los Angeles was forced to pay a ransom of $17,000 after falling victim to a sustained attack. The Locky ransomware payload arrived in the form of an MS Office Open XML file with the extension .DOCM.
Healthcare providers in Japan, Korea, and Thailand were also hit, and there were also reports of Locky ransomware attacks on telecom, transportation, and manufacturing industries, although there is little-to-no documentation about how the victims were affected, and whether they chose to pay the ransom.
How to Protect Against Locky Ransomware Attacks
The methods used to protect against Locky ransomware are much the same as they would be for any other strain of ransomware, although there are some unique characteristics that we can look out for. Below are some simple tips to help you prevent, detect and respond to Locky ransomware attacks:
Security awareness training
All employees must be trained to identify suspicious emails and attachments. In the case of Locky, employees must be advised not to act on emails requesting payment information, and not to enable macros in Word documents unless absolutely necessary.
Ensure that all software is patched
Given that Locky downloads additional tools to identify and exploit vulnerabilities, it is crucially important that all software, including firmware, is patched in a timely and controlled manner.
Take regular backups
This may seem obvious, but it is crucially important that you take regular backups of your data, and store them in a secure location – preferably either off-line or off-network.
Monitor network traffic
If the Locky script is sending information between the victim’s device and the C&C server, you should use a sophisticated intrusion prevention solution to help you detect, block and report on suspicious inbound and outbound network traffic. You will also need to watch out for the installation of unauthorized software.
Monitor user activity
In addition to encrypting data and installing exploit kits, most ransomware attacks create events that can be monitored in order to help detect and block anomalous data-centric activities. For example, the script may try to create new privileged accounts, or access privileged accounts in an atypical manner. These days, there are a number of data-centric auditing solutions that can detect and respond to events that match a pre-defined threshold condition and then execute a custom script in response. For example, to identify Locky attacks you could create a script which will fire an alert when x number of files and file extensions are renamed within a given time-frame, and then respond by disabling user accounts, revoking permissions, changing the firewall settings, shutting down the affected servers, and/or anything else that might help to stop the attack from spreading.
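The threshold rule described above, written out as a worked example. This is added illustration code, not part of the original article or of any auditing product: it reads a constructed log of file-rename events (the "RENAME" line format is hypothetical), flags renames whose new name matches the Locky pattern the article describes (a 16-character letter-and-number name plus one of the listed extensions), and raises an alert when one user produces at least a threshold number of such renames inside a sliding time window. The plan_response hook is a placeholder that an operator would wire to their own account, permission and firewall tooling.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Extensions the article lists as used by Locky variants.
LOCKY_EXTENSIONS = ("locky", "zepto", "odin", "aesir", "thor", "zzzzz", "osiris", "shit")

# New file name: 16 letters/digits followed by one of the extensions above.
# The length follows the article; adjust it to what real samples in your environment show.
LOCKY_NAME = re.compile(
    r"^[A-Za-z0-9]{16}\.(" + "|".join(LOCKY_EXTENSIONS) + r")$", re.IGNORECASE
)

# Hypothetical audit-log line format: "<ISO timestamp> RENAME <user> <old path> -> <new path>"
EVENT_RE = re.compile(r"^(\S+) RENAME (\S+) (\S+) -> (\S+)$")

# Constructed sample events: one benign rename by alice, a burst of Locky-style
# renames by bob, and a single Locky-style rename by carol ten minutes later.
SAMPLE_EVENTS = [
    "2022-06-01T09:00:00 RENAME alice /share/finance/q1.xlsx -> /share/finance/q1_v2.xlsx",
    "2022-06-01T09:00:01 RENAME bob /share/docs/report.docx -> /share/docs/A1B2C3D4E5F60718.locky",
    "2022-06-01T09:00:02 RENAME bob /share/docs/budget.xlsx -> /share/docs/0F1E2D3C4B5A6978.locky",
    "2022-06-01T09:00:02 RENAME bob /share/docs/notes.txt -> /share/docs/1234567890ABCDEF.locky",
    "2022-06-01T09:00:03 RENAME bob /share/docs/photo.jpg -> /share/docs/FEDCBA0987654321.locky",
    "2022-06-01T09:00:03 RENAME bob /share/docs/plan.pdf -> /share/docs/00112233445566AA.locky",
    "2022-06-01T09:10:00 RENAME carol /share/hr/old.txt -> /share/hr/ABCDEF0123456789.zepto",
]


def parse_event(line):
    """Parse one audit line into (timestamp, user, old_path, new_path); None if malformed."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ts, user, old, new = m.groups()
    return datetime.fromisoformat(ts), user, old, new


def is_locky_rename(new_path):
    """True when the file's new name matches the Locky naming pattern (Windows or POSIX paths)."""
    name = re.split(r"[\\/]", new_path)[-1]
    return LOCKY_NAME.match(name) is not None


def detect_mass_rename(lines, threshold=5, window_seconds=60):
    """Return one alert (user, timestamp, count) per user who renames at least
    `threshold` files to Locky-style names within any `window_seconds` sliding window."""
    windows = {}      # user -> deque of timestamps of suspicious renames still inside the window
    alerted = set()   # users already alerted on, so a burst produces a single alert
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        ts, user, _old, new = ev
        if not is_locky_rename(new):
            continue
        q = windows.setdefault(user, deque())
        q.append(ts)
        cutoff = ts - timedelta(seconds=window_seconds)
        while q and q[0] < cutoff:   # drop renames that fell out of the window
            q.popleft()
        if len(q) >= threshold and user not in alerted:
            alerts.append((user, ts, len(q)))
            alerted.add(user)
    return alerts


def plan_response(alert):
    """Placeholder response hook: returns the containment steps the article lists,
    in the order an operator would run them. Replace with calls to your own tooling."""
    user, _ts, _count = alert
    return [
        f"disable account {user}",
        f"revoke share permissions for {user}",
        "block host at firewall",
        "shut down affected file server",
    ]


if __name__ == "__main__":
    for alert in detect_mass_rename(SAMPLE_EVENTS):
        print("ALERT", alert)
        for step in plan_response(alert):
            print("  ->", step)
```

The threshold and window are the knobs to tune: too low and ordinary bulk renames by a user or a backup job will fire it, too high and the encryption run finishes before the alert. The per-user de-duplication keeps one burst from generating hundreds of alerts and repeated response actions.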