Greedy miscreants have created a new strain of ransomware, dubbed Locky.
Locky typically spreads by tricking marks into opening a Microsoft Word attachment sent to them by email. Victims are encouraged to enable macros in the document, which in turn downloads a malicious executable that encrypts files on compromised Windows PCs.
The ransomware scrambles files before renaming them with the extension .locky (hence the name of the malware). Victims are invited to buy a decryption key from the crooks via the so-called dark web for a fee of between BTC 0.5 and BTC 1.00 ($200 to $400).
Locky also deletes any Volume Snapshot Service (VSS) files, better known as shadow copies, on newly infected machines. Once seeded on a host, the ransomware can spread widely over associated local networks, according to security expert Paul Ducklin.
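As an added defender-side example, not code from the article, Sophos or Palo Alto, the following Python scans constructed host telemetry for the two behaviours described above: a burst of files renamed to the .locky extension (including on network shares) and shadow-copy deletion. The log format, hostnames and the vssadmin command line are assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry: <ISO timestamp> <host> <event> <detail>.
# The vssadmin command line is assumed as a typical shadow-copy deletion,
# not quoted from the article.
SAMPLE_LOGS = """\
2016-02-17T09:00:01 WS-01 FILE_RENAME C:\\Users\\a\\q1.xlsx -> C:\\Users\\a\\0123456789ABCDEF.locky
2016-02-17T09:00:02 WS-01 FILE_RENAME C:\\Users\\a\\q2.xlsx -> C:\\Users\\a\\0123456789ABCDF0.locky
2016-02-17T09:00:02 WS-01 FILE_RENAME \\\\FS01\\share\\budget.docx -> \\\\FS01\\share\\0123456789ABCDF1.locky
2016-02-17T09:00:03 WS-01 PROCESS_CREATE vssadmin.exe delete shadows /all /quiet
2016-02-17T09:05:00 WS-02 FILE_RENAME C:\\Users\\b\\notes.txt -> C:\\Users\\b\\notes.bak
2016-02-17T09:06:00 WS-02 PROCESS_CREATE vssadmin.exe list shadows
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (FILE_RENAME|PROCESS_CREATE) (.*)$")
LOCKY_RENAME_RE = re.compile(r"^(?P<src>.+?) -> (?P<dst>.+\.locky)$", re.IGNORECASE)
SHADOW_DELETE_RE = re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.IGNORECASE)

RENAME_THRESHOLD = 3            # .locky renames on one host ...
WINDOW = timedelta(seconds=60)  # ... inside this window count as a burst

def parse(lines):
    """Yield (timestamp, host, event, detail) for each well-formed line."""
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, host, event, detail = m.groups()
            yield datetime.fromisoformat(ts), host, event, detail

def detect(lines):
    """Return {host: [alert, ...]} for hosts showing Locky-style behaviour."""
    alerts = defaultdict(list)
    recent = defaultdict(list)  # host -> timestamps of recent .locky renames
    for ts, host, event, detail in parse(lines):
        if event == "FILE_RENAME":
            m = LOCKY_RENAME_RE.match(detail)
            if not m:
                continue
            # Keep only renames inside the window; fire once when the burst
            # reaches the threshold.
            recent[host] = [t for t in recent[host] if ts - t <= WINDOW] + [ts]
            if len(recent[host]) == RENAME_THRESHOLD:
                alerts[host].append(f"{RENAME_THRESHOLD} .locky renames within {WINDOW.seconds}s")
            # A UNC destination means a network share is being encrypted.
            if m["dst"].startswith("\\\\"):
                alerts[host].append("network share encrypted: " + m["dst"])
        elif event == "PROCESS_CREATE" and SHADOW_DELETE_RE.search(detail):
            alerts[host].append("shadow copy deletion: " + detail)
    return dict(alerts)
```

Running `detect(SAMPLE_LOGS)` flags WS-01 three times (rename burst, share encryption, shadow deletion) and stays silent on WS-02, whose ordinary rename and read-only vssadmin query match neither indicator.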
"It scrambles any files in any directory on any mounted drive that it can access, including removable drives that are plugged in at the time, or network shares that are accessible, including servers and other people's computers, whether they are running Windows, OS X or Linux," Ducklin warns in a post on Sophos's Naked Security blog.
"If you are logged in as a domain administrator and you get hit by ransomware, you could do very widespread damage indeed," he adds.
Ducklin goes on to provide advice on guarding against infection by Locky, as well as tips on how to minimize the potential for damage from Locky and other strains of malware.
Palo Alto Networks adds that Locky has "borrowed the technique from the eminently successful Dridex to maximize its target base." A blog post by Palo Alto charts the spread of Locky thus far as well as providing indicators of compromise.
US computer users seem to have been disproportionately affected by the threat. "We observed approximately 446,000 sessions for this threat, over half of which targeted the United States (54 per cent)," Palo Alto said. "For comparison, the next most impacted countries, Canada and Australia, only accounted for another nine percent combined." ®