It's Here. New Locky Ransomware Hidden In Infected Word Files

Locky Ransomware Email[UPDATED FEB 22, 2016]

It was only a matter of time, but some miscreant finally did it.  There is a new ransomware strain somewhat amateurishly called "Locky", but this is professional grade malware. The major headache is that this flavor starts out with a Microsoft Word attachment which has malicious macros in it, making it hard to filter out. Over 400,000 workstations were infected in just a few hours, data from Palo Alto Networks shows. Antivirus engines are being updated to catch it, you can see the Virustotal results here, but it took several days to get there, so you cannot rely on endpoint security tools with new attacks like this.

The bad guys use social engineering twice to trick the user first into opening the attachment, and then to enable the macros in the Word file. The malicious code itself was written in Office VBA, and closely mimics Dridex infections, suggesting the Dridex Bank Trojan gang is now moving into this racket. Ransomware families have exploded in the last few years, here is a graph created by the folks of Bromium:

Ransomware Family Growth Since 2013

The email message will contain a subject similar to ATTN: Invoice J-98223146 and a message such as "Please see the attached invoice (Microsoft Word Document) and remit payment according to the terms listed at the bottom of the invoice". This new strain was first reported in the UK by Kevin Baumont, and Larry at Bleepingcomputer did a more in-depth analysis.   

When the Word document is opened, it looks like the content of the document is scrambled and the document will display a message stating that you should enable the macros if the text is unreadable.  Here is a screenshot of how that looks:


Once a victim enables the macros, the macros will download an executable from a remote server and execute it. The file that is downloaded by the macro will be stored in the %Temp% folder and executed. This executable is the Locky ransomware that when started will begin to encrypt the files on your computer and network.

Larry said: "It targets a large amount of file extensions and even more importantly, encrypts data on unmapped network shares.  Encrypting data on unmapped network shares is trivial to code and the fact that we saw the recent DMA Locker with this feature and now in Locky, it is safe to say that it is going to become the norm.  Like CryptoWall, Locky also completely changes the filenames for encrypted files to make it more difficult to restore the right data. " 

At this time, there is no known way to decrypt files encrypted by Locky. This is the locking message that gets opened:

Locky Ransomware Message 

The Attack Flow

This is a typical attack flow for Locky ransomware. Note that filenames will likely change with each variant. A lot of things need to go wrong for this attack to make it through. As you can see, anti-virus, spam filtering and web filtering all failed. (The schematic was created by the people of HitmanPro, developers of an anti-ransomware tool. )

Locky Ransomware Attack Flow

What To Do About It

Obviously having weapons-grade backup/restore functionality is top priority. However, perhaps you remember Office macros from the nineties. Well, they have never gone away and the bad guys are still using this old technology but have now combined it with clever social engineering. If you trust antivirus software and your users not clicking "Enable Content" or "Enable Editing" you are going to have a problem.

So, what to do about it? You cannot just disable all macros across the whole company, end-users would riot because a lot of legacy code relies on macros. Telling all users to sign their macros will also take months. However, Kevin suggested you can do this:

Go hunt for this Group Policy Setting in the Trust Center, and set it to “Disable all except digitally signed macros.

Secure Your Macro Settings

Now check out Trusted Locations:

User Configuration/Administrative Templates/Microsoft Office XXX 20XX/Application Settings/Security/Trust Center/Trusted Locations

Set your shared folder location URL in here, e.g. \\blah.local\public\office

More details at Microsoft Technet is here.

Now instruct your users to make sure all macros are used from shared folders. Macros should work as before on their regular documents. If Mr. Bad Guy emails Joe in Accounts Payable a Bad File, the macro won’t run.

The user won’t even see a prompt to enable the macro, nor can they from the Office options.

But wait — what if they save the malicious email attachment to the network and open it? Yes, it’s a risk. It’s a much, much smaller risk than before. Real world experience shows this is extremely effective, and takes about an hour to test and implement. These "Locky" infections were caused by employees that were social engineered and did not get effective security awareness training.



Get the most informative and complete ransomware hostage rescue manual.

This 20-page manual (PDF) is packed with actionable info that you need to prevent infections, and what to do when you are hit with ransomware.

Download Here

PS: Technically speaking, your users are the new DMZ, and you have to create a human firewall. Effective security awareness training really is a must these days. Find out how affordable this is and be pleasantly surprised.


Related Pages: Ransomware

Topics: Ransomware

Subscribe to Our Blog

Comprehensive Anti-Phishing Guide

Get the latest about social engineering

Subscribe to CyberheistNews