Like a wildfire, a new ransomware family called “Locky” is spreading at an alarming rate. Like earlier ransomware, it encrypts a victim's files and then demands a ransom to decrypt them; Locky wants that ransom paid in Bitcoin, as reported by nabzsoftware.
The ransomware was first identified by PhishMe's intelligence team on February 16 this year (2016). The team observed users across the globe receiving unusually high volumes of spam email. Attached to those emails was a Word document carrying a macro script whose only job is to download the malware from the attacker's server.
The delivery route was not unprecedented, since macro-laden documents had already been used to distribute CryptoWall. What astonished analysts was the staggering speed with which Locky spread around the world.
Within hours of its first appearance on February 16, more than 400,000 endpoints around the globe had been infected.
The Word document attached to the email is dressed up as an invoice, and the message body asks the recipient to “see the attached invoice”. Once the user opens the document and allows its macros to run, the macro downloads the Locky payload to the machine and executes it.
This is where all hell breaks loose: the malware encrypts the majority of the user's files and marks each one by appending a “.locky” extension.
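The delivery chain above (spam, invoice lure, macro, payload) is the part a mail gateway can stop. The following is an added example for this article, not code from the page or from nabzsoftware: it flags Office attachments that carry VBA using only the standard library. Modern Word files (.docx/.docm) are ZIP archives and store macros in a part named word/vbaProject.bin; legacy .doc files are OLE2 compound files whose directory entry names are UTF-16LE, so the presence of the "_VBA_PROJECT" stream name is a common macro marker. The OLE2 check is a triage heuristic rather than a full compound-file parser, and all sample documents are constructed in memory (Word would not open them).

```python
"""Flag Office attachments that carry VBA macros before they reach a user.

Added example for this article, not the page's or any vendor's code.
Standard library only; works on raw attachment bytes.
"""
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Compound-file directory entries store names as UTF-16LE.
VBA_STREAM_UTF16 = "_VBA_PROJECT".encode("utf-16-le")


def has_vba(data: bytes) -> bool:
    """Return True if the document bytes appear to contain a VBA project."""
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                names = archive.namelist()
        except zipfile.BadZipFile:
            return False
        # Word keeps macros at word/vbaProject.bin (Excel: xl/vbaProject.bin).
        return any(name.lower().endswith("vbaproject.bin") for name in names)
    if data.startswith(OLE2_MAGIC):
        # Heuristic (assumption): a macro-bearing .doc carries this stream name.
        return VBA_STREAM_UTF16 in data
    return False


def triage_attachment(filename: str, data: bytes) -> dict:
    """Decide what a mail gateway should do with one attachment."""
    macro = has_vba(data)
    invoice_lure = "invoice" in filename.lower()
    return {
        "filename": filename,
        "has_vba": macro,
        "invoice_lure": invoice_lure,      # Locky-style social engineering
        "action": "quarantine" if macro else "deliver",
    }


def _build_ooxml(with_macro: bool) -> bytes:
    """Construct a minimal OOXML-like container in memory (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("[Content_Types].xml", "<Types/>")
        archive.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            archive.writestr("word/vbaProject.bin", b"\x00" * 64)
    return buf.getvalue()


# Constructed samples, not real malware.
MACRO_DOCM = _build_ooxml(with_macro=True)
CLEAN_DOCX = _build_ooxml(with_macro=False)
LEGACY_DOC_WITH_VBA = OLE2_MAGIC + b"\x00" * 504 + VBA_STREAM_UTF16 + b"\x00" * 32
PLAIN_TEXT = b"Dear customer, please see the attached invoice."

if __name__ == "__main__":
    for name, blob in [("invoice.docm", MACRO_DOCM),
                       ("invoice.docx", CLEAN_DOCX),
                       ("invoice.doc", LEGACY_DOC_WITH_VBA),
                       ("note.txt", PLAIN_TEXT)]:
        print(triage_attachment(name, blob))
```

Quarantining every inbound macro document is a blunt policy, but for most organisations inbound mail is not where legitimate VBA arrives, and the invoice lure flag gives the analyst reviewing the quarantine an immediate reason to look closer.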
Since CryptoLocker appeared in 2013, ransomware has become one of the most widely used categories of malware. What sets Locky and its kin apart from other malware is how directly they monetize an infection.
Earlier malware had to harvest a user's credentials and then find a way to cash them in; ransomware simply asks the victim to pay up front to get the files back. Victims who refuse to pay within the deadline risk losing important files, whether stored on the device itself or on any network it is connected to.
How much those files matter varies from individuals to small and large organizations. An individual may lose access to family photos or personal records; for multinational organizations it is the loss of confidential business files that makes this ransomware so dangerous.
Whatever the victim, the files are the lever used to extort money. When the victim pays the demanded sum, the ransomware operators hand over a decryption tool that is supposed to undo the damage to the computer. In simple terms, it is a “give-and-take” arrangement in which the victim has to trust the criminals to keep their side of it.
Locky targeted 400,000 Victims in a “trial run”.
The numbers above are staggering on their own, but the fact that all of those infections happened within a single day shows how large a threat Locky is. One security expert estimates that Locky infects 1 to 5 computers per second; even at the low end of that rate, three days are enough to infect roughly a quarter of a million computers.
Geographically, Germany and the US are the hubs of the attack: around 16,500 users have been infected in Germany and about 11,000 in the US, with Italy third at 5,200.
Locky has therefore mainly hit European users. The likely reason is simple: the economic strength of these regions made them the most lucrative targets for Locky's operators.
Google Trends data paints a similar picture. Searches for the Locky virus have risen dramatically, and most of those searches come from Malta, Germany and Luxembourg.
How it works.
Locky encrypts more than 70 file types, including images, PDFs, videos and Office documents, and it does not stop at the local disk: it also encrypts files on removable drives and on network shares the infected machine can reach. A user who has administrator rights on a network therefore exposes far more than his own computer.
Another dangerous aspect of Locky is that it also encrypts Bitcoin wallet files. A user who would not pay to recover ordinary files may well pay to get a wallet back, and the operators count on the ransom being smaller than the Bitcoin stored in the wallet.
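Because Locky renames every file it encrypts to a hexadecimal name with a “.locky” extension, and does so at machine speed across local disks, removable drives and network shares, a burst of such renames from one account is a reliable detection signal. The following is an added example for this article (not the page's or any vendor's code) that runs that check over file-activity events. The event format (timestamp, account, RENAME old -> new) is an assumed one, the log lines are constructed, and the short hex names are placeholders; adapt the regex to whatever your file-server auditing or EDR actually emits.

```python
"""Detect a Locky-style mass rename from file-activity events.

Added example for this article, not the page's or any vendor's code.
Assumed event format (constructed): '<ISO timestamp> <user> RENAME <old> -> <new>'.
"""
import ntpath
import re
from collections import defaultdict
from datetime import datetime

EVENT_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+RENAME\s+(?P<src>.+?)\s+->\s+(?P<dst>.+?)\s*$"
)
TARGET_EXT = ".locky"


def parse_event(line: str):
    """Return (timestamp, user, src, dst) or None for lines that are not renames."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["user"], m["src"], m["dst"]


def detect_locky_bursts(lines, window_s=60, threshold=5):
    """One alert per account whose renames to .locky reach `threshold`
    inside any sliding window of `window_s` seconds."""
    per_user = defaultdict(list)          # user -> [(timestamp, original ext)]
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        ts, user, src, dst = ev
        if dst.lower().endswith(TARGET_EXT):
            # ntpath handles both C:\... and \\server\share\... forms.
            per_user[user].append((ts, ntpath.splitext(src)[1].lower()))

    alerts = []
    for user, events in per_user.items():
        events.sort()
        times = [ts for ts, _ in events]
        best, start = 0, 0
        for i, t in enumerate(times):          # densest window per account
            while (t - times[start]).total_seconds() > window_s:
                start += 1
            best = max(best, i - start + 1)
        if best >= threshold:
            alerts.append({
                "user": user,
                "count": best,
                "first_seen": times[0].isoformat(),
                "source_extensions": sorted({ext for _, ext in events}),
            })
    return alerts


# Constructed sample events: alice's session is a Locky run that reaches a
# network share and a Bitcoin wallet; bob's single .locky rename is noise.
SAMPLE_LOG = r"""
2016-02-16T09:14:00Z alice RENAME C:\Users\alice\Documents\report.docx -> C:\Users\alice\Documents\0A1B2C3D.locky
2016-02-16T09:14:01Z alice RENAME C:\Users\alice\Documents\budget.xlsx -> C:\Users\alice\Documents\0A1B2C3E.locky
2016-02-16T09:14:01Z alice RENAME C:\Users\alice\Pictures\holiday.jpg -> C:\Users\alice\Pictures\0A1B2C3F.locky
2016-02-16T09:14:02Z alice RENAME C:\Users\alice\Documents\contract.pdf -> C:\Users\alice\Documents\0A1B2C40.locky
2016-02-16T09:14:03Z alice RENAME \\fileserver\finance\q4.xlsx -> \\fileserver\finance\0A1B2C41.locky
2016-02-16T09:14:03Z alice RENAME \\fileserver\finance\payroll.docx -> \\fileserver\finance\0A1B2C42.locky
2016-02-16T09:14:05Z alice RENAME C:\Users\alice\AppData\Roaming\Bitcoin\wallet.dat -> C:\Users\alice\AppData\Roaming\Bitcoin\0A1B2C43.locky
2016-02-16T09:20:00Z bob RENAME C:\Users\bob\draft.docx -> C:\Users\bob\final.docx
2016-02-16T09:21:10Z bob RENAME C:\Users\bob\test.txt -> C:\Users\bob\test.locky
2016-02-16T09:22:00Z carol LOGIN workstation-7
"""
SAMPLE_LINES = SAMPLE_LOG.strip().splitlines()

if __name__ == "__main__":
    for alert in detect_locky_bursts(SAMPLE_LINES):
        print(alert)
```

The alert lists which original extensions were hit, which is what tells the responder whether the run reached a share or a wallet and not just one user's documents; the threshold and window are deliberately low because a genuine Locky run produces renames far faster than any person does.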
Can Locky be removed and the files decrypted without paying the ransom?
Honestly, that is a difficult call to make. Before paying the ransom, though, give nabzsoftware a try; they claim to be able to remove the ransomware from the computer and then decrypt the files. Whatever tool you try, a clean backup taken before the infection remains the only reliable way to get the files back.