Alert - Recent Ransomware Variant - Locky

Number: AL16-005
Date: 1 April 2016

Purpose

The Canadian Cyber Incident Response Centre (CCIRC), in collaboration with the United States Department of Homeland Security (DHS) Computer Emergency Readiness Team (US-CERT), is releasing this Alert to provide further information on a recent ransomware variant named Locky. Since early 2016, Locky has been observed infecting computers belonging to individuals and businesses, including healthcare facilities and hospitals worldwide.

Assessment

CCIRC is aware of a destructive ransomware variant named Locky which has been observed since early 2016. This form of destructive ransomware attempts to extort money from victims by displaying an on-screen alert. Typically, these alerts state that the user's computer has been locked or that all of the user's files have been encrypted. Users are then told that unless a ransom is paid, access will not be restored.

Locky ransomware propagates through spam emails that include malicious Microsoft Office documents or compressed archive attachments, such as .zip and .rar. The malicious attachments contain macros or JavaScript files that download the Locky ransomware files. Locky has affected computers belonging to individuals and businesses, including healthcare facilities and hospitals in the United States, New Zealand, Germany, and Canada. Other destructive ransomware variants have also emerged in 2016, such as Samas, which is used to compromise the networks of healthcare facilities. See the reference section below for more information.

Ransomware is typically spread either through phishing emails that contain malicious attachments or through drive-by downloading. Drive-by downloading occurs when a user unknowingly visits an infected website; malware is then downloaded and installed without the user's knowledge. Crypto ransomware, a malware variant that encrypts files, is spread through similar methods and has also been spread through Web-based instant messaging applications.

Ransomware not only targets home users; businesses can also become infected with ransomware, which can have negative consequences, including:

  • Temporary or permanent loss of sensitive or proprietary information;
  • Disruption to regular operations;
  • Financial losses incurred to restore systems and files; and
  • Potential harm to an organization's reputation.

Paying the ransom does not guarantee the encrypted files will be released; it only guarantees that the malicious actors receive the victim's money, and in some cases, their banking information as well. In addition, decrypting files does not mean the malware infection itself has been removed.

Suggested action

CCIRC recommends that organizations review the following mitigation information/preventive measures and consider their implementation in the context of their network environment:

  • Employ a data backup and recovery plan for all critical information. Perform and test regular backups to limit the impact of data or system loss and to expedite the recovery process. Since network storage can also be affected, this data should be kept on a separate device, and backups should be stored offline.
  • Use application whitelisting to help prevent malicious software and unapproved programs from running. Application whitelisting is one of the best security strategies as it allows only specified programs to run, while blocking all others, including malicious software.
  • Keep your operating system and software up-to-date with the latest patches. Vulnerable applications and operating systems are the target of most attacks. Ensuring these are patched with the latest updates greatly reduces the number of exploitable entry points available to an attacker.
  • Maintain up-to-date anti-virus software, and scan all software downloaded from the internet prior to executing.
  • Restrict users’ ability (permissions) to install and run unwanted software applications, and apply the principle of “Least Privilege” to all systems and services. Restricting these privileges may prevent malware from running or limit its capability to spread through the network.
  • Avoid enabling macros from email attachments. If a user opens the attachment and enables macros, embedded code will execute the malware on the machine. For enterprises or organizations, it may be best to block email messages with attachments from suspicious sources.
  • Follow safe practices when browsing the Web.
  • Do not follow unsolicited Web links in emails.
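The delivery pattern described in the Assessment (Office attachments carrying macros, or .zip/.rar archives wrapping a JavaScript downloader) can be screened at the mail gateway before a user ever sees the "enable macros" prompt. The following is an added triage example, not code from CCIRC or US-CERT: it parses a constructed sample message with the Python standard library, flags Office Open XML attachments that contain a VBA project part, flags archives that contain script or executable members, and queues legacy binary Office formats for manual review (an OLE parser and .rar support are assumed to live elsewhere).

```python
import email
import email.policy
import io
import zipfile
from email.message import EmailMessage

# Extensions that have no business inside a mailed "invoice" archive.
SCRIPT_EXTS = (".js", ".jse", ".wsf", ".vbs", ".hta", ".exe", ".scr")

def inspect_attachment(name, data):
    """Return the reasons this attachment matches the Locky delivery pattern."""
    reasons = []
    lname = name.lower()
    if lname.endswith(".rar"):
        # Assumption: RAR extraction is handled by a separate tool, so only flag it here.
        reasons.append("rar archive: extract and review (not parsed here)")
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = [m.lower() for m in zf.namelist()]
        # Macro-enabled OOXML documents store VBA in a vbaProject.bin part.
        if any(m.endswith("vbaproject.bin") for m in members):
            reasons.append("Office document contains VBA macros")
        scripts = [m for m in members if m.endswith(SCRIPT_EXTS)]
        if scripts:
            reasons.append("archive contains script/executable: " + ", ".join(scripts))
    elif lname.endswith((".doc", ".xls", ".rtf")):
        # Legacy binary formats can carry macros but need an OLE parser to confirm.
        reasons.append("legacy Office format: macro check requires OLE parser")
    return reasons

def scan_message(raw):
    """Map each suspicious attachment filename to its list of findings."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    findings = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        reasons = inspect_attachment(name, part.get_payload(decode=True))
        if reasons:
            findings[name] = reasons
    return findings

def _zip(files):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member, content in files.items():
            zf.writestr(member, content)
    return buf.getvalue()

def build_sample():
    """Constructed sample message; the attachments are inert placeholders, not real Locky."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "billing@example.invalid", "user@example.invalid", "Invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(_zip({"invoice.js": b"// placeholder"}), maintype="application", subtype="zip", filename="invoice.zip")
    msg.add_attachment(_zip({"[Content_Types].xml": b"<Types/>", "word/vbaProject.bin": b"\x00"}), maintype="application", subtype="octet-stream", filename="invoice.docm")
    msg.add_attachment(b"%PDF-1.4 benign", maintype="application", subtype="pdf", filename="receipt.pdf")
    return msg.as_bytes()
```

Run `scan_message(build_sample())` to see the two Locky-style attachments flagged while the PDF passes; a gateway would quarantine on any non-empty result.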

It is important to note that infections can be devastating to an individual or organization, and that recovery can be a difficult process which may require the services of a reputable data recovery specialist.

References

US-CERT Alert (TA16-091A)
https://www.us-cert.gov/ncas/alerts/TA16-091A

CCIRC Cyber Safe Guide
http://www.getcybersafe.gc.ca/cnt/rsrcs/pblctns/smll-bsnss-gd/index-en.aspx

McAfee Labs Threat Advisory: Ransomware - Locky
https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/26000/PD26383/en_US/McAfee_Labs_Threat_Advisory-Ransomware-Locky.pdf

Sophos / Naked Security, “Locky” ransomware – what you need to know
https://nakedsecurity.sophos.com/2016/02/17/locky-ransomware-what-you-need-to-know

Symantec Article - Cryptolocker: A Thriving Menace
http://www.symantec.com/connect/blogs/cryptolocker-thriving-menace

Samas - SamSam: The Doctor Will See You, After He Pays The Ransom
http://blog.talosintel.com/2016/03/samsam-ransomware.html
