In February 2016 the latest and most sophisticated version of ransomware called Locky arrived and by March daily malware email levels were up by 412% from the previous month.
What is Locky?
Locky is a piece of malware that encrypts the data on the victim’s computer and demands that the victim pay a ransom fee to get their data back. It can lock not just local files but files on network drives and shared drives as well. Locky also deletes local backup files to prevent you from recovering any data.
Essentially, any data you can reach through File Explorer on your computer will be encrypted and locked down.
The ransom fee varies between ½ a bitcoin and 1 bitcoin; at the time of writing one bitcoin is worth £504.38, so getting your files unlocked isn’t cheap.
If you are an enterprise with several computers, the cost can be as much as 50 bitcoins, or £25,219.
Oh and by the way, if you have a bitcoin account already with the wallet on your computer then the contents of that wallet will be stolen first!
How does Locky infect computers?
The typical path for infection is from an email. You may have noticed the increase in spam emails, in particular those suggesting that an account has not been paid (although Locky is not restricted to that type of email).
Once the link in the email has downloaded the ransomware, it starts to encrypt your files.
Next, you are given notice of a deadline for payment; you are required to pay in bitcoins via Tor.
Tor is free software that prevents people from learning your location or browsing habits by letting you communicate anonymously on the Internet. Tor also provides access to the dark web, a particularly secretive area of the internet where criminals and whistleblowers operate anonymously.
Once you have paid up, the attacker provides you with a decryption key, which usually works (there have been some instances where it has not). If you pay up and don’t get a working decryption key, you are on your own; there are no hacker helpdesks or call centres!
How much of a threat is it really?
This is not scaremongering; the threat is real.
Researchers at the security firm Cyren have observed the following explosion in Locky peak distribution rates:
- 25th March 16.87 Billion emails
- 30th March 36.63 Billion emails
- 2nd April 16.16 Billion emails
They also report that the main surge occurs primarily on weekdays between 12:00 and 20:00 UTC. This suggests that the targets of the emails are North America, South America and Europe.
The emails contained links to over 1 million unique web pages that were being used to host the ransomware.
This is big business
The reason the bad guys go to such lengths to infect computers is simple. If you take the infection rate as being just 1% of all recipients, then on 2nd April, using the above figures, the number of infected machines would have been 16,160,000; if each victim was charged ½ a bitcoin and paid up, that would be £4,040,000,000 across all the hackers sending those emails.
If you are wondering where the money ends up, there is a broad consensus that it ends up in Russia. As if to back that up, when Locky is downloaded to a computer it first checks which language the operating system uses, and if it is Russian, Locky deletes itself!
Locky has shut down businesses – No joke!
A Methodist hospital in Kentucky declared a “viral” state of emergency, one that posed no threat to humans, when it was crippled by Locky; it was forced to pay 4 bitcoins (about £2,016). Another California-based hospital was forced to pay $17,000 in bitcoins (about £12,900).
The threat has not been limited to hospitals: law firms and even police departments have fallen victim to Locky.
How to protect your computer(s)
Doing this anywhere near properly takes a combined approach.
Enterprise businesses: first consider employing email gateways from cybersecurity firms that offer mass-scale analysis and updates.
Use a hardware firewall:
Home users: have a look HERE
Business users: have a look HERE
All computer users should get the Professional Version of CryptoPrevent (click the image below).
Need more Information?