Locky ransomware is spreading like the clap

Feeling Locky, punk? Well, do ya?


Greedy miscreants have created a new strain of ransomware, dubbed Locky.

Locky typically spreads by tricking marks into opening a Microsoft Word attachment sent to them by email. Victims are encouraged to enable macros in the document which, in turn, downloads a malicious executable that encrypts files on compromised Windows PCs.
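Because the infection chain starts with a macro-bearing Office attachment, the obvious gateway control is to look inside the attachment rather than trusting its extension. The following is an added example, not code from the article, Sophos or Palo Alto Networks: it classifies an Office attachment as macro-carrying by checking an OOXML zip for a `vbaProject.bin` part, treats legacy OLE2 binaries (the old `.doc` format Locky's lures used) as uninspected suspects, and flags a macro part hiding behind a non-macro extension. The `build_sample` helper constructs a minimal zip shaped like a document purely so the example runs offline; it is not a real Word file.

```python
import io
import zipfile

# OLE2 compound-file magic used by the legacy binary .doc/.xls/.ppt formats.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Extensions Office will run VBA from: the OOXML "m" variants plus the legacy binaries.
MACRO_CAPABLE_EXTENSIONS = {
    ".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".potm", ".ppam",
    ".doc", ".dot", ".xls", ".xlt", ".ppt", ".pot",
}


def inspect_attachment(filename: str, data: bytes) -> dict:
    """Classify an Office attachment by whether it carries VBA macro storage.

    verdict is one of: clean, macro, legacy_binary, not_office.
    """
    name = filename.lower()
    ext = name[name.rfind("."):] if "." in name else ""
    reasons = []

    if data.startswith(OLE2_MAGIC):
        # Legacy binary formats can hold VBA streams anywhere in the compound
        # file; walking that needs a proper OLE parser, so a gateway should
        # treat the whole class as suspect and hold it for inspection.
        return {"verdict": "legacy_binary", "extension": ext,
                "reasons": ["OLE2 compound file; macro presence not inspected"]}

    if not zipfile.is_zipfile(io.BytesIO(data)):
        return {"verdict": "not_office", "extension": ext,
                "reasons": ["neither OLE2 nor OOXML zip container"]}

    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = [n.lower() for n in zf.namelist()]

    # OOXML stores compiled VBA in a part named vbaProject.bin (word/, xl/, ppt/).
    vba_parts = [n for n in names if n.endswith("vbaproject.bin")]
    if vba_parts:
        reasons.append("contains " + ", ".join(vba_parts))
        if ext not in MACRO_CAPABLE_EXTENSIONS:
            # Macro storage inside a .docx-style name is a mismatch worth flagging
            # on its own, whatever Office would do with it.
            reasons.append(f"macro storage behind {ext or 'no'} extension (mismatch)")
        return {"verdict": "macro", "extension": ext, "reasons": reasons}

    return {"verdict": "clean", "extension": ext, "reasons": reasons}


def build_sample(with_macro: bool) -> bytes:
    """Constructed stand-in for an OOXML document (not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 32)  # constructed placeholder
    return buf.getvalue()


if __name__ == "__main__":
    print(inspect_attachment("invoice.docx", build_sample(False)))
    print(inspect_attachment("invoice.docm", build_sample(True)))
    print(inspect_attachment("invoice.doc", OLE2_MAGIC + b"\x00" * 64))
```

A mail gateway would apply `inspect_attachment` to every Office attachment and quarantine anything that is not `clean`; the `legacy_binary` verdict is deliberately conservative, since the binary `.doc` format gives no cheap way to say "no macros here".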

The ransomware scrambles files before renaming them with the extension .locky (hence the name of the malware). Victims are invited to buy a decryption key from the crooks via the so-called dark web for a fee of between BTC 0.5 and BTC 1.00 ($200 to $400).

Locky also removes any Volume Snapshot Service (VSS) files, also known as shadow copies, on newly infected machines. Once seeded on a host, the ransomware can do widespread damage across associated local networks, according to security expert Paul Ducklin.

"It scrambles any files in any directory on any mounted drive that it can access, including removable drives that are plugged in at the time, or network shares that are accessible, including servers and other people's computers, whether they are running Windows, OS X or Linux," Ducklin warns in a post on Sophos's Naked Security blog.

"If you are logged in as a domain administrator and you get hit by ransomware, you could do very widespread damage indeed," he adds.

Ducklin goes on to provide advice about guarding against infection by Locky, as well as tips on how to minimize the potential for damage from Locky and other strains of malware, in the same post.

Palo Alto Networks adds that Locky has "borrowed the technique from the eminently successful Dridex to maximize its target base." A blog post by Palo Alto charts the spread of Locky thus far as well as providing indicators of compromise.

US computer users seem to have been disproportionately affected by the threat. "We observed approximately 446,000 sessions for this threat, over half of which targeted the United States (54 per cent)," Palo Alto said. "For comparison, the next most impacted countries, Canada and Australia, only accounted for another nine percent combined." ®


Biting the hand that feeds IT © 1998–2022