What does a .locky file extension mean? Ransomware! • Graham Cluley
Ransomware with apparent links to a Dridex botnet affiliate has been spotted attempting to infect at least 450,000 computer users.
Brandon Levene, Micah Yates and Rob Downs, all security researchers for Palo Alto Networks, provided a backstory on the malware, dubbed “Locky”, in a blog post published Tuesday:
“Using Palo Alto Networks AutoFocus, Unit 42 observed over 400,000 individual sessions containing the Bartallex macro downloader, which in turn dropped Locky ransomware on victimized machines. Researchers suspect that there is a link between botnet affiliate Dridex 220 and Locky due to similar distribution styles, overlapping file names, and the lack of campaigns from this particularly aggressive affiliate to coincide with Locky’s initial emergence.”
A commonly encountered banking Trojan horse, Dridex was reportedly at least partially retired in October of last year. However, researchers spotted malware earlier this year targeting several UK banks.
Now it appears that the operators of the Dridex botnet affiliate have decided that ransomware is a more lucrative payload than a conventional banking Trojan.
The Locky infection process starts with a fake financial spam email carrying a malicious Microsoft Word document, like this one described on the Dynamoo blog:
From: June Rojas
Date: February 16, 2016 at 9:34 a.m.
Subject: ATTN: Invoice J-06593788
Please consult the attached invoice (Microsoft Word Document) and make payment according to the terms indicated at the bottom of the invoice.
Let us know if you have any questions.
We greatly appreciate your business!
If the user opens the attachment and enables the macros, the embedded code will run the malware on the machine.
Interestingly, the encryption process can be interrupted. Unlike other ransomware, which generates a random encryption key locally, Locky performs an in-memory key exchange with its command and control (C&C) infrastructure. A user who disrupts that C&C communication, for example by disconnecting the machine from the internet, can therefore stop the encryption process in its tracks.
If the communication continues without interruption, however, a ransom screen loads on the computer and redirects the user to the payment portal page:
At this point, the ransomware has encrypted all documents, including those on connected network drives, renaming each to a hash-style filename with a .locky extension, and has deleted all Volume Shadow Copy (VSS) snapshots.
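As an added illustration from the defender's side (this is example code written for this page, not part of the original article or of Palo Alto Networks' research), the following routine scans file-creation events for bursts of hash-named .locky files, counting separately how many land on network shares. The 16-or-more hex-digit filename stem, the event format and the sample events are all assumptions constructed for the example.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed sample of file-creation events (ISO timestamp, full path), in the
# shape a file-integrity or EDR agent might report them. Not real telemetry.
SAMPLE_EVENTS = [
    ("2016-02-16T09:40:00", r"C:\Users\alice\Documents\report.docx"),
    ("2016-02-16T09:40:01", r"C:\Users\alice\Documents\0A1B2C3D4E5F60718293A4B5C6D7E8F9.locky"),
    ("2016-02-16T09:40:02", r"C:\Users\alice\Documents\1122334455667788AABBCCDDEEFF0011.locky"),
    ("2016-02-16T09:40:03", r"\\fileserver\finance\F0E1D2C3B4A5968778695A4B3C2D1E0F.locky"),
    ("2016-02-16T09:40:04", r"\\fileserver\finance\00112233445566778899AABBCCDDEEFF.locky"),
    ("2016-02-16T09:40:05", r"C:\Users\alice\Pictures\FFEEDDCCBBAA99887766554433221100.locky"),
    ("2016-02-16T09:45:00", r"C:\Users\alice\Documents\notes.locky"),  # not a hex stem
]

# Locky renames encrypted files to a hash-style name with a .locky extension.
# Requiring 16+ hex digits in the stem is an assumption for this example.
LOCKY_NAME = re.compile(r"^[0-9A-Fa-f]{16,}\.locky$")


def basename(path):
    """Last component of a Windows or UNC path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def is_locky_artifact(path):
    return LOCKY_NAME.match(basename(path)) is not None


def on_network_share(path):
    """UNC paths start with two backslashes; the article notes network drives are hit."""
    return path.startswith("\\\\")


def detect_mass_encryption(events, threshold=5, window_seconds=60):
    """Sliding-window count of .locky creations; one alert per burst >= threshold."""
    alerts, recent = [], deque()
    for ts, path in events:
        if not is_locky_artifact(path):
            continue
        t = datetime.fromisoformat(ts)
        recent.append((t, path))
        while recent and t - recent[0][0] > timedelta(seconds=window_seconds):
            recent.popleft()
        if len(recent) >= threshold:
            alerts.append({
                "at": ts,
                "count": len(recent),
                "network_share_hits": sum(on_network_share(p) for _, p in recent),
            })
            recent.clear()  # start a fresh window after alerting
    return alerts
```

Running `detect_mass_encryption(SAMPLE_EVENTS)` on the constructed events yields a single alert at 09:40:05 covering five files, two of them on the finance share.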
Most of the 446,000 individual infection sessions observed by Palo Alto Networks occurred in the United States.
Assuming a 50% infection rate and a 1% payout rate of 0.5 BTC, attackers can expect to earn several hundred thousand dollars from the ransomware.
The Palo Alto Networks research team believes the developers of the Locky ransomware have lofty aspirations:
“Locky is aiming high in an effort to join the ranks of other major ransomware families. Despite some weaknesses in its current implementation, we can expect to see further developments for this threat in the future. However, the successes of one group of attackers embolden and inspire others. It goes without saying that opponents of cybercrime will continue to advance their efforts to trivialize the already lucrative extortion of victims through encryption.”
With this in mind, it is important that users back up their data frequently, do not enable macros in Word attachments received by email, and patch the software running on their computers as soon as possible.
For more tips on how to stay protected against Locky and other forms of ransomware, read the Sophos Naked Security site report.