A new ransomware dubbed “Locky” recently surfaced targeting endpoints in Europe, Saudi Arabia and the United States. Based on researcher estimates, Locky is infecting 4,000 new endpoints every hour and 100,000 endpoints every day.

Certainly impressive numbers, but two aspects of the malware reveal how the malware industry is maturing:

  1. Internationalization (i18n): Locky supports multiple languages, presumably so non-English speakers can have a more pleasurable user experience and, more importantly, understand the terms of the ransom.
  2. Product development: It seems the malware was beta-tested on February 15, deployed on a small scale before it was released for general availability (GA).

The Attack

Like so many malware schemes, it starts with a phishing email asking users to open an attached invoice and send payment. When the user tries to open the Word attachment, its content appears to be encrypted, and Word asks the user to enable macros.

When the user enables macros, the malware is downloaded and executed. Locky connects to its servers (implemented as Tor hidden services), and the servers create a public/private key pair. The malware downloads the public key to the endpoint and encrypts all the important files (namely, data files) with it; the encrypted files now carry a “.locky” extension. Locky is even capable of removing any Volume Snapshot Service files (aka shadow copies), meaning that if you don’t have a proper backup in place, you may find yourself $800 out of pocket.
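The two host-side behaviours just described, bulk renaming of data files to “.locky” and deletion of shadow copies, are the signals a defender can watch for. The following is an added example (not code from the original post or from Skybox) of a heuristic detector over a constructed, simplified endpoint event log; the event shape, the thresholds and the sample events are all assumptions made for this example, and a real EDR or file-audit feed would need a small adapter to map into this shape.

```python
from collections import defaultdict

# Thresholds are assumptions chosen for this example, not values from the post.
RENAME_THRESHOLD = 20   # this many renames to .locky on one host ...
WINDOW_SECONDS = 60     # ... within this many seconds => bulk encryption
RANSOM_EXT = ".locky"


def detect_locky_activity(events):
    """Return {host: [reasons]} for hosts showing Locky-like behaviour.

    Signals: (1) many files renamed to the .locky extension in a short
    window (bulk encryption of data files); (2) a shadow-copy deletion
    event, which removes the local recovery option before the ransom note.
    """
    renames = defaultdict(list)    # host -> timestamps of .locky renames
    findings = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        host = ev["host"]
        if ev["type"] == "file_rename" and ev["new_path"].lower().endswith(RANSOM_EXT):
            renames[host].append(ev["ts"])
        elif ev["type"] == "shadow_copy_deleted":
            findings[host].append("shadow copies deleted")
    for host, stamps in renames.items():
        start = 0   # sliding window over the sorted timestamps
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > WINDOW_SECONDS:
                start += 1
            if end - start + 1 >= RENAME_THRESHOLD:
                findings[host].append(
                    f"{end - start + 1} files renamed to {RANSOM_EXT} within {WINDOW_SECONDS}s")
                break
    return dict(findings)


# Constructed sample telemetry: ws-a is being encrypted; ws-b renamed one file.
SAMPLE_EVENTS = (
    [{"ts": 1000 + i, "host": "ws-a", "type": "file_rename",
      "old_path": f"C:\\Users\\jo\\Docs\\report{i}.docx",
      "new_path": f"C:\\Users\\jo\\Docs\\report{i}.locky"} for i in range(25)]
    + [{"ts": 1030, "host": "ws-a", "type": "shadow_copy_deleted"},
       {"ts": 2000, "host": "ws-b", "type": "file_rename",
        "old_path": "C:\\tmp\\x.txt", "new_path": "C:\\tmp\\x.locky"}]
)

if __name__ == "__main__":
    for host, reasons in detect_locky_activity(SAMPLE_EVENTS).items():
        print(host, "->", "; ".join(reasons))
```

A single rename to “.locky” (ws-b) is deliberately not flagged; the rename threshold is what separates a user renaming a file from a process encrypting a directory.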

You know you’ve been ransomed when the desktop background changes to the message below:

[Image: Locky ransom wallpaper]

In order to unlock their files, users must pay between 0.5 and 2 Bitcoin (approximately $200–$800 in today’s market). That is, of course, unless you’re a gold-star cybersecurity student and have all of your files backed up offline.

Malware as a Service

While ransomware is nothing new, the finesse of it is. Aspects of the Locky malware point to a growing trend in which cybercriminals apply practices of the corporate world, such as customer service, multilingual pop-ups, beta-testing and operator-friendly ransomware builders, to nefarious ends.

And not only are the cybercriminals going corporate – so are their targets. Earlier in February, Hollywood Presbyterian Medical Center paid $17,000 to attackers after they locked HPMC out of its network and took down its e-communications for 10 days. The medical center joined a long line of businesses and government organizations that opted to pay the hostage takers to regain access.

The crypto ransomware threat is certainly growing. While regular backups are best practice, it’s also important to consider the overall security problem – attackers are infiltrating your network. Continuous vulnerability and threat management, virtual pen testing and controlled access will contribute to a comprehensive security program that limits the risk from a broader range of attacks.

In the coming months, we’ll be covering more of the changing threat landscape, including the growing MaaS trend. Stay tuned to The Skybox View for more info.