The Locky ransomware quagmire
David Pyatkin | 08.03.2016 16:18
Some ransomware programs are unprofessional: they don’t even use a Command and Control (C2) server to store decryption keys. Locky is different. It communicates with victims securely over The Onion Router (Tor), relies on a stably hosted C2 server and uses a sophisticated antivirus evasion methodology. Furthermore, this infection spreads in a deceptive way.
The campaign operators send messages to potential victims that are made to look like invoices. In fact, the embedded MS Word documents serve as triggers for exploiting a macro-related vulnerability.
Once a targeted user enables macros, the remote criminals can easily execute arbitrary code on that PC, and this is exactly what happens in the Locky case. The malicious program then encrypts all personal files with the AES-128 cryptographic standard. The ransom notes direct the victim to the Locky Decrypter Page, where they are expected to submit a ransom of 0.5 BTC in exchange for a recovery solution.
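A defender-side check for the delivery vector described above, added here as an example and not code from the original post: it inspects the bytes of an e-mail attachment rather than trusting its file name, and flags Office documents that carry a VBA project. The sample documents are constructed inside the block.

```python
import io
import zipfile

# Signature of the legacy OLE2 container used by binary .doc/.xls files.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def _build_ooxml(with_macro: bool) -> bytes:
    """Constructed sample: a minimal zip-based Word document, optionally
    containing a VBA project entry (not a real malicious lure)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # A real vbaProject.bin is itself an OLE2 stream; a stub is enough here.
            zf.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 16)
    return buf.getvalue()


def classify_attachment(data: bytes) -> str:
    """Return 'macro', 'clean', 'legacy-ole' or 'unknown' for an attachment.

    The decision is based on content only, so an attachment renamed from
    .docm to .doc (or .docx) is still caught.
    """
    if data.startswith(OLE_MAGIC):
        # Binary .doc/.xls: macros live inside OLE streams and need a full
        # OLE parser to confirm; treat as needing deeper inspection.
        return "legacy-ole"
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "unknown"
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = {name.lower() for name in zf.namelist()}
    # Any Office Open XML part named vbaProject.bin means embedded VBA.
    if any(name.endswith("vbaproject.bin") for name in names):
        return "macro"
    return "clean"


def should_quarantine(data: bytes) -> bool:
    """Hold the message for review unless the document is provably macro-free."""
    return classify_attachment(data) in ("macro", "legacy-ole")


SAMPLE_MACRO_DOC = _build_ooxml(True)   # constructed "invoice" with VBA
SAMPLE_CLEAN_DOC = _build_ooxml(False)  # constructed document without VBA
```

A mail gateway can run `should_quarantine` on every Office attachment before delivery; the `legacy-ole` verdict is deliberately conservative because this block does not parse OLE streams.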
Although a couple hundred dollars may seem an acceptable price to some when invaluable data is at stake, others cannot afford it or refuse to surrender to the extortionists. Paying the ransom right away is not recommended. Instead, try the alternative recovery methods provided on reputable security sites first. Removal tips can be found here: http://myspybot.com/decrypt-locky-files/