{"id":1687,"date":"2016-02-24T16:03:46","date_gmt":"2016-02-24T21:03:46","guid":{"rendered":"http:\/\/swildow.darktech.org\/wp\/?p=1687"},"modified":"2016-02-24T16:03:47","modified_gmt":"2016-02-24T21:03:47","slug":"new-locky-ransomware-faqs-and-how-msps-can-act-now","status":"publish","type":"post","link":"http:\/\/www.wildow.com\/blog\/?p=1687","title":{"rendered":"New Locky Ransomware &#8211; FAQs and How MSPs Can Act Now"},"content":{"rendered":"<div class=\"section post-header\">\n<h2><a id=\"hubspot-name\" class=\"link hubspot-editable\" href=\"http:\/\/blog.continuum.net\/new-locky-ransomware-faqs-and-how-msps-can-act-now\" data-hubspot-form-id=\"name\" data-hubspot-name=\"Blog Title\"><span id=\"hs_cos_wrapper_name\" class=\"hs_cos_wrapper hs_cos_wrapper_meta_field hs_cos_wrapper_type_text\" data-hs-cos-general-type=\"meta_field\" data-hs-cos-type=\"text\">New Locky Ransomware &#8211; FAQs and How MSPs Can Act Now<\/span><\/a><\/h2>\n<p id=\"hubspot-author_data\" class=\"hubspot-editable\" data-hubspot-form-id=\"author_data\" data-hubspot-name=\"Blog Author\"><span class=\"hs-author-label\">Posted by<\/span><span class=\"Apple-converted-space\">\u00a0<\/span><a class=\"author-link\" href=\"http:\/\/blog.continuum.net\/author\/mary-mccoy\">Mary McCoy<\/a><span class=\"Apple-converted-space\">\u00a0<\/span>on Feb 22, 2016 6:00:00 AM<\/p>\n<\/div>\n
<div class=\"section post-body\">\n<p><img decoding=\"async\" loading=\"lazy\" title=\"New-Locky-Ransomware---FAQs-and-How-MSPs-Can-Act-Now.png\" src=\"http:\/\/cdn2.hubspot.net\/hub\/281750\/hubfs\/resources\/blog\/New-Locky-Ransomware---FAQs-and-How-MSPs-Can-Act-Now.png?t=1456439979740&amp;width=638&amp;height=300\" alt=\"New-Locky-Ransomware---FAQs-and-How-MSPs-Can-Act-Now.png\" width=\"638\" height=\"300\" \/><br \/>\nHave you opened any invoice attachments lately? 
Now, there&#8217;s a new ransomware called Locky that&#8217;s joined the ranks of viruses like CryptoLocker and CryptoWall.\u00a0This latest malware threat was detected just last week and already, IT service providers and MSPs have discovered that it&#8217;s spread at an alarming rate, employing sophisticated social engineering tactics and bypassing\u00a0antivirus (AV), spam filtering and web filtering solutions.<span class=\"Apple-converted-space\">\u00a0<\/span><a href=\"http:\/\/www.darkreading.com\/vulnerabilities---threats\/advanced-threats\/here-comes-locky-a-brand-new-ransomware-threat\/d\/d-id\/1324371\" target=\"_blank\">According to Dark Reading,<\/a><span class=\"Apple-converted-space\">\u00a0<\/span>Kevin Beaumont, one of the first security researchers to unearth Locky, revealed he had seen &#8220;around 4,000 new infections per hour, or roughly 100,000 per day.&#8221;<\/p>\n<p>How does Locky work? What does it reveal about the state of ransomware and next generation cyber threats? What do you need to know to protect clients? Answers to all this and more!<\/p>\n<h2>\nWhat is Locky?<\/h2>\n<p>Locky is the latest strain of ransomware that uses two forms of social engineering to\u00a0encrypt files, filenames and unmapped network shares.<\/p>\n<h2>\nHow is Locky Installed?<\/h2>\n<p><a href=\"http:\/\/blog.continuum.net\/the-current-state-of-encrypting-ransomware\" target=\"_blank\">Like its ransomware predecessors, Locky relies on email phishing<\/a><span class=\"Apple-converted-space\">\u00a0<\/span>to successfully install. 
So far, experts report that hackers email victims a fake invoice, hoping they&#8217;ll download the malicious attachment.<span class=\"Apple-converted-space\">\u00a0<\/span><a href=\"http:\/\/www.bleepingcomputer.com\/news\/security\/the-locky-ransomware-encrypts-local-files-and-unmapped-network-shares\/\" target=\"_blank\">Bleeping Computer<\/a><span class=\"Apple-converted-space\">\u00a0<\/span>has already warned readers to watch out for emails with subjects similar to\u00a0<strong>ATTN: Invoice J-98223146.<\/strong>\u00a0As we know, hackers use<span class=\"Apple-converted-space\">\u00a0<\/span><a href=\"http:\/\/blog.continuum.net\/microsoft-support-scam-recording-exposes-larger-trend-of-social-engineering\" target=\"_blank\">social engineering<\/a><span class=\"Apple-converted-space\">\u00a0<\/span>to\u00a0convince\u00a0targets they&#8217;re trustworthy by appearing legitimate when communicating\u00a0online or over the phone. For now, Locky can&#8217;t be successfully launched without getting the victim to comply. 
After examining\u00a0the sophistication of the text in the body of the Locky email, it&#8217;s easy to see how attackers are able to gain buy-in.\u00a0See\u00a0the following screenshot of the email message taken from<strong>\u00a0<\/strong>Lawrence Abrams&#8217;s incredibly helpful article:<\/p>\n<p><img decoding=\"async\" loading=\"lazy\" title=\"locky-email-message-taken-from-bleeping-computer.png\" src=\"http:\/\/cdn2.hubspot.net\/hub\/281750\/hubfs\/resources\/blog\/locky-email-message-taken-from-bleeping-computer.png?t=1456439979740&amp;width=776&amp;height=542\" alt=\"locky-email-message-taken-from-bleeping-computer.png\" width=\"776\" height=\"542\" \/><\/p>\n<p><em>image source:\u00a0<a href=\"http:\/\/www.bleepingcomputer.com\/news\/security\/the-locky-ransomware-encrypts-local-files-and-unmapped-network-shares\/\">http:\/\/www.bleepingcomputer.com\/news\/security\/the-locky-ransomware-encrypts-local-files-and-unmapped-network-shares\/<\/a><\/em><\/p>\n<p>The attack doesn&#8217;t end there, however. Locky must get past another security layer. Once the attached document is opened the text appears\u00a0illegible, and its reader is prompted to enable macros &#8220;if the data encoding is incorrect.&#8221; Yet again, the criminal mastermind(s) depend upon<span class=\"Apple-converted-space\">\u00a0<\/span><a href=\"http:\/\/blog.continuum.net\/myth-data-loss-from-user-error-is-only-attributable-to-negligent-behavior\" target=\"_blank\">user error<\/a><span class=\"Apple-converted-space\">\u00a0<\/span>to carry out their deviant mission. Be sure to instruct end users never to enable macros without first consulting you. Remember that when it comes to<span class=\"Apple-converted-space\">\u00a0<\/span><a href=\"http:\/\/blog.continuum.net\/protecting-yourself-and-clients-from-malware\" target=\"_blank\">security awareness training and preventing malware,<\/a><span class=\"Apple-converted-space\">\u00a0<\/span>they don&#8217;t know what they don&#8217;t know. 
In other words, the only way they&#8217;ll learn not to click malicious links, open false files or enable ransomware downloading macros is if you teach them how and why it is dangerous to do so.<\/p>\n<p>&nbsp;<\/p>\n<h2>What Happens When Locky is Installed?<\/h2>\n<p>I encourage you to check out the references linked at the bottom of the post for full technical details on Locky, but consider the following summary. Essentially, by enabling macros, users run code that saves the ransomware file to their disc and executes it. Once they do so, Locky then encrypts data and changes filenames to be indecipherable. It&#8217;s worth noting that a wide array\u00a0of file extensions are compromised in the process, including videos, images, documents and source code. Not only that, but as a<span class=\"Apple-converted-space\">\u00a0<\/span><a href=\"https:\/\/nakedsecurity.sophos.com\/2016\/02\/17\/locky-ransomware-what-you-need-to-know\/\" target=\"_blank\">Naked Security by Sophos article<\/a><span class=\"Apple-converted-space\">\u00a0<\/span>explains, Locky &#8220;scrambles any files in any directory on any mounted drive that it can access, including removable drives that are plugged in at the time, or network shares that are accessible, including servers and other people\u2019s computers, whether they are running Windows, OS X or Linux.&#8221; The takeaway here is that you should only log in as a domain administrator when it&#8217;s absolutely necessary to. Otherwise, you give attackers more power, should you get hit with ransomware while logged in.<\/p>\n<p>Locky wouldn&#8217;t be classified as ransomware if it didn&#8217;t demand some form of Bitcoin payment to decrypt the affected files. 
Once infected, victims&#8217; desktop wallpapers are changed, displaying\u00a0the following ransom payment process instructions:<\/p>\n<p><img decoding=\"async\" loading=\"lazy\" title=\"locky-wallpaper-640.png\" src=\"http:\/\/cdn2.hubspot.net\/hub\/281750\/hubfs\/resources\/blog\/locky-wallpaper-640.png?t=1456439979740&amp;width=640&amp;height=376\" alt=\"locky-wallpaper-640.png\" width=\"640\" height=\"376\" \/><\/p>\n<p><em>image source:\u00a0<a href=\"https:\/\/nakedsecurity.sophos.com\/2016\/02\/17\/locky-ransomware-what-you-need-to-know\/\">https:\/\/nakedsecurity.sophos.com\/2016\/02\/17\/locky-ransomware-what-you-need-to-know\/<\/a><\/em><\/p>\n<p>&nbsp;<\/p>\n<h2>How Does Locky Behave Like Previous Ransomware?<\/h2>\n<p>In reviewing the details of this malware attack, it should be evident that you&#8217;re not dealing with an entirely new cybercrime creation. Hackers don&#8217;t reinvent the wheel every time they deploy a new threat, but rather find new ways to conceal their attack and extend its impact. Besides using email phishing as an attack vector, certain\u00a0aspects of Locky should already be familiar to you. Recall when we first reported on<span class=\"Apple-converted-space\">\u00a0<\/span><a href=\"http:\/\/blog.continuum.net\/cryptowall-4.0-what-we-know-why-your-clients-need-bdr\" target=\"_blank\">CryptoWall 4.0.<\/a>\u00a0Unlike previous versions that just encrypt files, CryptoWall 4.0 also encrypts filenames, making it impossible to know which files are locked. We suggested that perhaps attackers did this to make victims even more frustrated and desperate to pay the ransom. Well, it seems that the creators of Locky pursued the same strategy because, as we learned above, the ransomware picks up where CryptoWall left off by\u00a0also scrambling filenames.<\/p>\n<p>One of the more disquieting features of Locky is that it\u00a0encrypts data on network shares even when they aren&#8217;t mapped to a local drive. 
As Bleeping Computer reports,<span class=\"Apple-converted-space\">\u00a0<\/span><a href=\"http:\/\/www.bleepingcomputer.com\/news\/security\/dma-locker-ransomware-targets-unmapped-network-shares\/\" target=\"_blank\">Locky takes its cue from DMA Locker<\/a><span class=\"Apple-converted-space\">\u00a0<\/span>in this regard. Because we&#8217;ve seen this occur more than once, encrypting data on unmapped network shares may be a new trend in ransomware that IT solutions providers, system administrators and MSPs need to watch out for.<\/p>\n<p>&nbsp;<\/p>\n<h2>How Many Security Layers Must Locky Get Past?<\/h2>\n<p>We&#8217;ve already addressed the human error component of a successful attack, but let&#8217;s not forget that the email has to make it to recipients&#8217; inboxes for Locky to be installed (at least in its current version). For a clearer picture of the various security layers the ransomware must penetrate, refer to the following attack flow diagram taken from a<span class=\"Apple-converted-space\">\u00a0<\/span><a href=\"http:\/\/blog.knowbe4.com\/its-here.-new-ransomware-hidden-in-infected-word-files\" target=\"_blank\">blog post by security awareness authority, KnowBe4:<\/a><\/p>\n<p><img decoding=\"async\" loading=\"lazy\" title=\"Locky-attack-flow.png\" src=\"http:\/\/cdn2.hubspot.net\/hub\/281750\/hubfs\/resources\/blog\/Locky-attack-flow.png?t=1456439979740&amp;width=776&amp;height=421\" alt=\"Locky-attack-flow.png\" width=\"776\" height=\"421\" \/><\/p>\n<p><em>image source:<span class=\"Apple-converted-space\">\u00a0<\/span><a href=\"http:\/\/blog.knowbe4.com\/its-here.-new-ransomware-hidden-in-infected-word-files\">https:\/\/blog.knowbe4.com\/its-here.-new-ransomware-hidden-in-infected-word-files<\/a><\/em><\/p>\n<p>&nbsp;<\/p>\n<h2>What Preventative Steps Must All MSPs Take?<\/h2>\n<p>1.<span class=\"Apple-converted-space\">\u00a0<\/span><a href=\"http:\/\/blog.continuum.net\/dont-push-your-luck-leverage-a-cloud-based-antivirus-solution\" 
target=\"_blank\">Work with the right AV and antimalware vendor for endpoint security<\/a><span class=\"Apple-converted-space\">\u00a0<\/span>so that you can catch Locky and other ransomware early.<\/p>\n<p>2. Restrict access and use of your domain administrator login. Avoid risky actions such as browsing the Internet and opening files while logged in.<\/p>\n<p>3. Update systems and patch regularly. While this may not directly stop Locky, it&#8217;s a best practice for malware prevention in general because it corrects vulnerabilities in desktop applications that hackers can exploit.<\/p>\n<p>4. Use your client communication channels to warn users about Locky and what to look for. Remind them not to trust or open any emails that appear suspicious or are unexpected. Instruct them to alert you if they believe they&#8217;ve been targeted and to never pay ransom that&#8217;s demanded of them. Remind them of the various social engineering tactics hackers employ in an attempt to get them to click links and open attachments. Additionally, inform\u00a0them to never enable macros without first running it by you.<\/p>\n<p>5. Think about installing Microsoft Office viewer applications to let clients preview documents before opening them. This next step isn&#8217;t mandatory, but is a useful suggestion from the same\u00a0<a href=\"https:\/\/nakedsecurity.sophos.com\/2016\/02\/17\/locky-ransomware-what-you-need-to-know\/\" target=\"_blank\">Naked Security by Sophos article<\/a>\u00a0referenced above, since the software doesn&#8217;t support\u00a0macros.<\/p>\n<p>6. Most importantly, leverage the right backup and disaster recovery (BDR) solution and back up regularly.<\/p>\n<h2>\nWhat Role Does Backup Play in Locky\u00a0Risk Mitigation?<\/h2>\n<p>This last preventative step is a point we can&#8217;t emphasize enough! The only way to get corrupted data back without paying the ransom, which currently ranges from 0.5 to 2 Bitcoins ($208 to $800), is through your most recent backup. 
If you don&#8217;t\u00a0already recognize the absolute necessity of backup to protect and restore client data from\u00a0all instances of data breaches and data loss, consider the fact that Locky deletes any existing\u00a0Volume Snapshot Service (VSS) files and <a href=\"http:\/\/thehackernews.com\/2016\/02\/locky-ransomware-decrypt.html\" target=\"_blank\">encrypts network-based backup files.<\/a>\u00a0Evade this trap, and choose\u00a0a<span class=\"Apple-converted-space\">\u00a0<\/span><a href=\"http:\/\/www.continuum.net\/solutions\/backup-and-disaster-recovery\" target=\"_blank\">business-grade\u00a0BDR solution that lets you efficiently back up encrypted data offsite<\/a><span class=\"Apple-converted-space\">\u00a0<\/span>to a secure, trusted public cloud. It&#8217;s\u00a0your only failsafe when ransomware like Locky strikes.<\/p>\n
<p>For more information, check out:<\/p>\n<ul>\n<li><a href=\"http:\/\/www.bleepingcomputer.com\/news\/security\/the-locky-ransomware-encrypts-local-files-and-unmapped-network-shares\/\">http:\/\/www.bleepingcomputer.com\/news\/security\/the-locky-ransomware-encrypts-local-files-and-unmapped-network-shares\/<\/a><\/li>\n<li><a href=\"http:\/\/www.darkreading.com\/vulnerabilities---threats\/advanced-threats\/here-comes-locky-a-brand-new-ransomware-threat\/d\/d-id\/1324371\">http:\/\/www.darkreading.com\/vulnerabilities---threats\/advanced-threats\/here-comes-locky-a-brand-new-ransomware-threat\/d\/d-id\/1324371<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2016\/02\/17\/locky-ransomware-what-you-need-to-know\/\">https:\/\/nakedsecurity.sophos.com\/2016\/02\/17\/locky-ransomware-what-you-need-to-know\/<\/a><\/li>\n<li><a href=\"http:\/\/thehackernews.com\/2016\/02\/locky-ransomware-decrypt.html\">http:\/\/thehackernews.com\/2016\/02\/locky-ransomware-decrypt.html<\/a><\/li>\n<li><a href=\"http:\/\/blog.knowbe4.com\/its-here.-new-ransomware-hidden-in-infected-word-files\">https:\/\/blog.knowbe4.com\/its-here.-new-ransomware-hidden-in-infected-word-files<\/a><\/li>\n<\/ul>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>New Locky Ransomware &#8211; FAQs and How MSPs Can Act Now Posted by\u00a0Mary McCoy\u00a0on Feb 22, 2016 6:00:00 AM Have you opened any invoice attachments lately? 
Now, there&#8217;s a new ransomware called Locky that&#8217;s joined the ranks of &#8230; <a class=\"more-link\" href=\"http:\/\/www.wildow.com\/blog\/?p=1687\">Read More &raquo;<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[26],"_links":{"self":[{"href":"http:\/\/www.wildow.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/1687"}],"collection":[{"href":"http:\/\/www.wildow.com\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.wildow.com\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.wildow.com\/blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.wildow.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1687"}],"version-history":[{"count":1,"href":"http:\/\/www.wildow.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/1687\/revisions"}],"predecessor-version":[{"id":1688,"href":"http:\/\/www.wildow.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/1687\/revisions\/1688"}],"wp:attachment":[{"href":"http:\/\/www.wildow.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1687"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.wildow.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1687"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.wildow.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1687"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}