
Locky Ransomware is deadly! Here is all that you should know about this virus.


Locky is the name of a ransomware family that has been evolving of late, thanks to constant algorithm upgrades by its authors. Locky, as its name suggests, renames all the important files on the infected PC, giving them the extension .locky, and demands a ransom for the decryption keys.

Locky ransomware – Evolution

Ransomware has grown at an alarming rate in 2016. It uses email and social engineering to get into your computer systems. Most emails with malicious documents attached featured the popular ransomware strain Locky. Among the billions of messages that used malicious document attachments, about 97% featured Locky ransomware, an alarming 64% growth from Q1 2016, when it was first discovered.

The Locky ransomware was first detected in February 2016 and was reportedly sent to half a million users. Locky came into the limelight when, in February this year, the Hollywood Presbyterian Medical Center paid a $17,000 Bitcoin ransom for the decryption key for patient data. Locky infected the hospital's data through an email attachment disguised as a Microsoft Word invoice.

Since February, Locky has been changing its extensions in a bid to deceive victims into thinking they have been infected by a different ransomware. Locky originally renamed the encrypted files to .locky, and by the time summer arrived it had evolved to the .zepto extension, which has been used in multiple campaigns since.

Last heard, Locky is now encrypting files with the .ODIN extension, trying to confuse users into thinking it is actually the Odin ransomware.

Locky Ransomware

Locky ransomware mainly spreads via spam email campaigns run by the attackers. These spam emails mostly carry .doc files as attachments that contain scrambled text appearing to be macros.

A typical email used in Locky ransomware distribution may be an invoice that catches most users' attention. For instance:

Email subject could be – “ATTN: Invoice P-12345678”, infected attachment – “invoice_P-12345678.doc” (contains macros that download and install Locky ransomware on computers):

And email body – “Dear someone, Please see the attached invoice (Microsoft Word Document) and remit payment according to the terms listed at the bottom of the invoice. Let us know if you have any questions. We greatly appreciate your business!”


Once the user enables macros in the Word program, an executable file, which is actually the ransomware, is downloaded onto the PC. Thereafter, various files on the victim's PC are encrypted by the ransomware, which gives them unique 16-character letter-digit combination names with .shit, .thor, .locky, .zepto or .odin file extensions. All files are encrypted using the RSA-2048 and AES-1024 algorithms and require a private key, stored on remote servers controlled by the cyber criminals, for decryption.

Once the files are encrypted, Locky generates an additional .txt and _HELP_instructions.html file in each folder containing the encrypted files. This text file contains a message (as shown below) that informs users of the encryption.
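The two on-disk traces just described, renamed files with one of Locky's extensions and a ransom note in every affected folder, are what a responder can look for when triaging a machine or a file share. The script below is an added example, not code from the original article: it walks a directory tree, labels files by those indicators and gives a verdict. The 16-character alphanumeric pattern is an approximation of the article's description of the file names, and the `_HELP_instructions.txt` name is assumed to match the .html note the article names. The sample tree it builds is constructed for the demo and contains no real ransomware output.

```python
import os
import re
import tempfile
from pathlib import Path

# Extensions the article says Locky has appended to encrypted files.
LOCKY_EXTENSIONS = {".locky", ".zepto", ".odin", ".shit", ".thor"}

# The article describes encrypted files as getting unique 16-character
# letter/digit names; this pattern is an approximation of that description.
ENCRYPTED_STEM_RE = re.compile(r"^[A-Za-z0-9]{16}$")

# Ransom note dropped in every folder holding encrypted files. The .html name
# is from the article; the .txt companion is assumed to share the same stem.
RANSOM_NOTE_RE = re.compile(r"^_HELP_instructions\.(html|txt)$", re.IGNORECASE)


def classify(path):
    """Label one file: 'ransom_note', 'encrypted_file',
    'suspicious_extension', or None when nothing matches."""
    path = Path(path)
    if RANSOM_NOTE_RE.match(path.name):
        return "ransom_note"
    if path.suffix.lower() in LOCKY_EXTENSIONS:
        if ENCRYPTED_STEM_RE.match(path.stem):
            return "encrypted_file"
        # Right extension but a human-looking name: lower confidence, still worth a look.
        return "suspicious_extension"
    return None


def scan_tree(root):
    """Walk a directory tree and return {label: sorted list of relative paths}."""
    root = Path(root)
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            label = classify(full)
            if label:
                findings.setdefault(label, []).append(full.relative_to(root).as_posix())
    for paths in findings.values():
        paths.sort()
    return findings


def looks_infected(findings):
    """High-confidence verdict: ransom notes and renamed files both present."""
    return bool(findings.get("ransom_note")) and bool(findings.get("encrypted_file"))


def build_sample_tree(base):
    """Create a constructed sample tree (not real Locky output) under base."""
    sample = {
        "Documents/report.docx": b"clean document",
        "Documents/A1B2C3D4E5F6A7B8.locky": b"\x00garbage",
        "Documents/_HELP_instructions.html": b"<html>ransom note</html>",
        "Pictures/IMG_0001.jpg": b"clean photo",
        "Pictures/0123456789ABCDEF.zepto": b"\x00garbage",
        "Pictures/_HELP_instructions.txt": b"ransom note",
        "Pictures/stray.odin": b"odd name, right extension",
    }
    for rel, data in sample.items():
        p = Path(base) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return Path(base)


def demo():
    """Build the sample tree in a temp dir, scan it, and return (findings, verdict)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(tmp)
        findings = scan_tree(root)
        return findings, looks_infected(findings)


if __name__ == "__main__":
    found, infected = demo()
    for label, paths in found.items():
        print(f"{label}: {paths}")
    print("infected:", infected)
```

Pointing `scan_tree` at a real user profile or share root is the intended use; the ransom-note match is the strongest single signal, because a note sitting next to files with a matching extension is what separates an infection from a stray file that merely happens to carry one of these extensions.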


It further states that the files can only be decrypted using a decrypter developed by the cyber criminals and costing .5 Bitcoin. Hence, to get the files back, the victim is asked to install the Tor browser and follow a link provided in the text files/wallpaper. The website contains instructions for making the payment.


There is no guarantee that the victim's files will be decrypted even after the payment is made. But usually, to protect their 'reputation', ransomware authors stick to their part of the bargain.

Locky Ransomware changing from .wsf to .LNK extension

Since its evolution in February this year, Locky ransomware infections have gradually decreased, with fewer detections of Nemucod, which Locky uses to infect computers. (Nemucod is a .wsf file contained in .zip attachments in spam email.) However, as Microsoft reports, Locky's authors have changed the attachment from .wsf files to shortcut files (.LNK extension) that contain PowerShell commands to download and run Locky.

The example of the spam email below shows that it is made to attract immediate attention from users. It is sent with high importance and with random characters in the subject line. The body of the email is empty.


The spam email, typically named as a bill, arrives with a .zip attachment which contains the .LNK files. On opening the .zip attachment, users trigger the infection chain. This threat is detected as TrojanDownloader:PowerShell/Ploprolo.A. When the PowerShell script runs successfully, it downloads and executes Locky in a temporary folder, completing the infection chain.

File types targeted by Locky Ransomware

Below are the file types targeted by Locky ransomware.

.yuv, .ycbcra, .xis, .wpd, .tex, .sxg, .stx, .srw, .srf, .sqlitedb, .sqlite3, .sqlite, .sdf, .sda, .s3db, .rwz, .rwl, .rdb, .rat, .raf, .qby, .qbx, .qbw, .qbr, .qba, .psafe3, .plc, .plus_muhd, .pdd, .oth, .orf, .odm, .odf, .nyf, .nxl, .nwb, .nrw, .nop, .nef, .ndd, .myd, .mrw, .moneywell, .mny, .mmw, .mfw, .mef, .mdc, .lua, .kpdx, .kdc, .kdbx, .jpe, .incpas, .iiq, .ibz, .ibank, .hbk, .gry, .grey, .gray, .fhd, .ffd, .exf, .erf, .erbsql, .eml, .dxg, .drf, .dng, .dgc, .des, .der, .ddrw, .ddoc, .dcs, .db_journal, .csl, .csh, .crw, .craw, .cib, .cdrw, .cdr6, .cdr5, .cdr4, .cdr3, .bpw, .bgt, .bdb, .bay, .bank, .backupdb, .backup, .back, .awg, .apj, .ait, .agdl, .ads, .adb, .acr, .ach, .accdt, .accdr, .accde, .vmxf, .vmsd, .vhdx, .vhd, .vbox, .stm, .rvt, .qcow, .qed, .pif, .pdb, .pab, .ost, .ogg, .nvram, .ndf, .m2ts, .log, .hpp, .hdd, .groups, .flvv, .edb, .dit, .dat, .cmt, .bin, .aiff, .xlk, .wad, .tlg, .say, .sas7bdat, .qbm, .qbb, .ptx, .pfx, .pef, .pat, .oil, .odc, .nsh, .nsg, .nsf, .nsd, .mos, .indd, .iif, .fpx, .fff, .fdb, .dtd, .design, .ddd, .dcr, .dac, .cdx, .cdf, .blend, .bkp, .adp, .act, .xlr, .xlam, .xla, .wps, .tga, .pspimage, .pct, .pcd, .fxg, .flac, .eps, .dxb, .drw, .dot, .cpi, .cls, .cdr, .arw, .aac, .thm, .srt, .save, .safe, .pwm, .pages, .obj, .mlb, .mbx, .lit, .laccdb, .kwm, .idx, .html, .flf, .dxf, .dwg, .dds, .csv, .css, .config, .cfg, .cer, .asx, .aspx, .aoi, .accdb, .7zip, .xls, .wab, .rtf, .prf, .ppt, .oab, .msg, .mapimail, .jnt, .doc, .dbx, .contact, .mid, .wma, .flv, .mkv, .mov, .avi, .asf, .mpeg, .vob, .mpg, .wmv, .fla, .swf, .wav, .qcow2, .vdi, .vmdk, .vmx, .wallet, .upk, .sav, .ltx, .litesql, .litemod, .lbf, .iwi, .forge, .das, .d3dbsp, .bsa, .bik, .asset, .apk, .gpg, .aes, .ARC, .PAQ, .tar.bz2, .tbk, .bak, .tar, .tgz, .rar, .zip, .djv, .djvu, .svg, .bmp, .png, .gif, .raw, .cgm, .jpeg, .jpg, .tif, .tiff, .NEF, .psd, .cmd, .bat, .class, .jar, .java, .asp, .brd, .sch, .dch, .dip, .vbs, .asm, .pas, .cpp, .php, .ldf, .mdf, .ibd, .MYI, .MYD, .frm, 
.odb, .dbf, .mdb, .sql, .SQLITEDB, .SQLITE3, .pst, .onetoc2, .asc, .lay6, .lay, .ms11 (Security copy), .sldm, .sldx, .ppsm, .ppsx, .ppam, .docb, .mml, .sxm, .otg, .odg, .uop, .potx, .potm, .pptx, .pptm, .std, .sxd, .pot, .pps, .sti, .sxi, .otp, .odp, .wks, .xltx, .xltm, .xlsx, .xlsm, .xlsb, .slk, .xlw, .xlt, .xlm, .xlc, .dif, .stc, .sxc, .ots, .ods, .hwp, .dotm, .dotx, .docm, .docx, .DOT, .max, .xml, .txt, .CSV, .uot, .RTF, .pdf, .XLS, .PPT, .stw, .sxw, .ott, .odt, .DOC, .pem, .csr, .crt, .ke.

How to prevent a Locky Ransomware attack

Locky is a dangerous virus that poses a grave threat to your PC. It is recommended that you follow these instructions to prevent ransomware and avoid getting infected.

  1. Always have anti-malware software and anti-ransomware software protecting your PC, and update it regularly.
  2. Keep your Windows OS and the rest of your software up to date to mitigate possible software exploits.
  3. Back up your important files regularly. It is a good option to keep them saved offline rather than on cloud storage, since the virus can reach there as well.
  4. Disable the loading of macros in Office programs. Opening an infected Word document file could prove risky!
  5. Do not blindly open mail in the 'Spam' or 'Junk' email sections. This could trick you into opening an email containing the malware. Think before clicking on web links on websites or in emails, or downloading email attachments from senders that you don't know. Do not click or open such attachments:
    1. Files with the .LNK extension
    2. Files with the .wsf extension
    3. Files with a double-dot extension (for example, profile-p29d..wsf).
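The attachment rules in the list above, together with the .LNK-inside-a-.zip delivery described in the previous section, can be enforced at a mail gateway or in a mailbox rule rather than left to the user. The following Python is an added example, not code from the article or from any named product: it opens .zip attachments in memory, checks every member name as well as the outer filename against the article's three rules (.LNK, .wsf, double-dot names), and returns an allow/block verdict with reasons. The sample attachments are constructed for the demo; the "shortcut" inside the sample zip is placeholder bytes, not a real .LNK file.

```python
import io
import os
import re
import zipfile

# Attachment types the article singles out: Windows shortcuts (.LNK) and
# Windows Script Files (.wsf), both of which can launch PowerShell or script code.
RISKY_EXTENSIONS = {".lnk", ".wsf"}

# "Double-dot" names such as profile-p29d..wsf, which the article lists as a
# tell-tale of the .wsf campaigns.
DOUBLE_DOT_RE = re.compile(r"\.\.[a-z0-9]+$")


def assess_name(name):
    """Return the list of reasons a bare filename is considered risky."""
    lower = name.lower()
    reasons = []
    ext = os.path.splitext(lower)[1]
    if ext in RISKY_EXTENSIONS:
        reasons.append(f"{ext} file")
    if DOUBLE_DOT_RE.search(lower):
        reasons.append("double-dot extension")
    return reasons


def assess_attachment(filename, data):
    """Decide whether to allow or block one attachment.

    Zip archives are opened in memory and every member name is checked, since
    the article describes the .LNK payload arriving inside a .zip."""
    reasons = [f"{filename}: {r}" for r in assess_name(filename)]
    if filename.lower().endswith(".zip") and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                base = os.path.basename(member)
                reasons.extend(f"{filename}!{member}: {r}" for r in assess_name(base))
    return {"verdict": "block" if reasons else "allow", "reasons": reasons}


def make_zip(members):
    """Build an in-memory zip from {name: bytes}; used only for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def demo():
    """Run the gate over constructed samples and return {filename: verdict}."""
    samples = {
        # Mirrors the "bill" lure: a zip wrapping a shortcut (placeholder bytes, not a real .LNK)
        "Bill.zip": make_zip({"Bill.lnk": b"not a real shortcut"}),
        # Harmless archive
        "photos.zip": make_zip({"holiday.jpg": b"jpeg bytes"}),
        # Bare .wsf using the double-dot naming from the article
        "profile-p29d..wsf": b"<job></job>",
        # Ordinary document (contents are placeholder bytes)
        "report.docx": b"docx bytes",
    }
    return {name: assess_attachment(name, data)["verdict"] for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Checking member names inside the archive is the part that matters: the outer `.zip` name passes every filename rule on its own, so a gate that only looks at the attachment's extension lets the shortcut through untouched.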

Read: What to do after a Ransomware attack on your Windows computer?

How to decrypt Locky Ransomware

As of now, there are no decrypters available for Locky ransomware. However, a decryptor from Emsisoft can be used to decrypt files encrypted by AutoLocky, another ransomware that also renames files to the .locky extension. AutoLocky uses the AutoIt scripting language and tries to mimic the complex and sophisticated Locky ransomware. You can see the complete list of available ransomware decryptor tools here.

Sources & Credits: Microsoft, BleepingComputer, PCRisk.


Source: https://www.thewindowsclub.com/