“Locky” sounds like a fun name. But there's nothing fun about this new strain of ransomware, because it renames all your important files so that they now have a ".locky" extension.
This nasty ransomware doesn’t just rename your files, it scrambles them first, and only the crooks have the decryption key.
You can buy the decryption key from the crooks via the so-called dark web using bitcoin.
Pricing tends to vary from 0.5 to 1.0 bitcoin (one bitcoin was worth about $400 at the time of writing).
The most common way that Locky arrives is as follows:
You receive an email containing an attached document.
Upon opening it, the document appears to contain nothing but garbled characters.
The document advises you to enable macros “if the characters are unreadable.”
If you enable macros, you don’t actually correct the text. Instead, you run code inside the document that saves a file to disk and runs it.
The saved file then acts as a downloader, fetching the final malware from the crooks.
The final malware could be anything, but in this case is usually the Locky Ransomware.
Locky encrypts all files that match a long list of extensions, including videos, images, source code, and Office files.
Locky also removes any shadow copies that you may have made. Shadow copies (Volume Shadow Copy snapshots) are the Windows way of taking point-in-time copies of files without having to stop working: you don’t even need to log out or close your applications first. They are quick and popular, but they are not a substitute for a proper backup, because they live on the same disk as the originals and anyone with administrator rights can delete them, which is exactly what Locky does.
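The two behaviours just described, an Office document launching a freshly written executable and that executable then deleting shadow copies, are also the two most useful things to hunt for in process-creation logs (Sysmon event 1, or Windows event 4688 with command-line auditing turned on). The following Python is an added example, not part of the original article or of any vendor tool: it runs two simple rules over a handful of constructed log lines in a simplified pipe-delimited layout. The allowlist of benign Office child processes and the `vssadmin delete shadows` command pattern (the syntax of Windows’ own shadow-copy tool) are assumptions of the example; tune both to what you actually see in your estate.

```python
"""Two detections over process-creation logs for the Locky infection chain.

Added example. The log lines are constructed, in a simplified layout:
    timestamp|user|parent_image|image|command_line
Sysmon event 1 and Windows event 4688 carry the same fields under other names.
"""
import ntpath
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Children an Office application spawns legitimately (printing, crash
# reporting). An assumed allowlist; extend it from your own baseline.
OFFICE_BENIGN_CHILDREN = {"splwow64.exe", "werfault.exe"}

# Windows' own syntax for discarding shadow copies: vssadmin delete shadows
SHADOW_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE)

# Constructed sample: one user opens a lure, the dropper runs from %TEMP% and
# wipes shadow copies; a second user does ordinary work in Excel.
SAMPLE_LOG = """\
2016-02-17T09:12:01|ACME\\alice|C:\\Windows\\explorer.exe|C:\\Program Files\\Microsoft Office\\Office15\\WINWORD.EXE|"WINWORD.EXE" /n "invoice.doc"
2016-02-17T09:12:40|ACME\\alice|C:\\Program Files\\Microsoft Office\\Office15\\WINWORD.EXE|C:\\Users\\alice\\AppData\\Local\\Temp\\sample.exe|C:\\Users\\alice\\AppData\\Local\\Temp\\sample.exe
2016-02-17T09:12:52|ACME\\alice|C:\\Users\\alice\\AppData\\Local\\Temp\\sample.exe|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe Delete Shadows /All /Quiet
2016-02-17T09:15:10|ACME\\bob|C:\\Windows\\explorer.exe|C:\\Program Files\\Microsoft Office\\Office15\\EXCEL.EXE|"EXCEL.EXE" /e "q1_budget.xlsx"
2016-02-17T09:16:00|ACME\\bob|C:\\Program Files\\Microsoft Office\\Office15\\EXCEL.EXE|C:\\Windows\\splwow64.exe|C:\\Windows\\splwow64.exe 12288
"""


def parse_line(line):
    """Split one record; maxsplit keeps any '|' inside the command line intact."""
    ts, user, parent, image, cmdline = line.split("|", 4)
    return {"ts": ts, "user": user, "parent": parent, "image": image, "cmdline": cmdline}


def detect(log_text):
    """Return alerts in log order; each names the rule that fired."""
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        parent = ntpath.basename(ev["parent"]).lower()
        image = ntpath.basename(ev["image"]).lower()

        # Rule 1: the macro stage. A document should render text, not start
        # programs, so an unexpected child of an Office app is the dropper.
        if parent in OFFICE_APPS and image not in OFFICE_BENIGN_CHILDREN:
            alerts.append({"rule": "office_spawned_process", "ts": ev["ts"],
                           "user": ev["user"], "detail": f"{parent} -> {image}"})

        # Rule 2: the ransomware stage destroying the local safety net.
        if SHADOW_DELETE.search(ev["cmdline"]):
            alerts.append({"rule": "shadow_copy_deletion", "ts": ev["ts"],
                           "user": ev["user"], "detail": ev["cmdline"]})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f'{a["ts"]} {a["rule"]:24} {a["user"]:12} {a["detail"]}')
```

Rule 1 fires on the dropper before any file is encrypted, which is the alert worth paging on; rule 2 fires a few seconds later and tells you the machine is already past the point where shadow copies could have saved you. Both only work if command-line logging is actually enabled on the endpoints, so check that first.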
Once Locky is ready to hit you up for the ransom, it makes sure you see its ransom note by changing your desktop wallpaper to display it.
If you visit the dark web page given in the warning message, you receive payment instructions along the lines described above.
Unfortunately, so far as we can tell, there are no easy shortcuts to get your data back if you don’t have a recent backup.
Remember, also, that like most ransomware, Locky doesn’t just scramble your C: drive.
It scrambles files in any directory on any mounted drive that it can access: removable drives that are plugged in at the time, and any network shares it can reach, including servers and other people’s computers. Because it writes to those shares over the network from the infected Windows machine, it makes no difference whether the server holding the share runs Windows, OS X or Linux.
If you are logged in as a domain administrator and you get hit by ransomware, the damage will be widespread.
Giving yourself up front all the login power you might ever need is very convenient, but please don’t do it.
Only login (or use Run As...) as an administrator when you really need to.
1. Backup regularly and keep a recent backup copy off-site and disconnected. A backup drive that stays plugged in, or a backup share that stays mapped, is just another drive for ransomware to scramble. There are dozens of ways other than ransomware that files can suddenly vanish, such as fire, flood, theft, a dropped laptop or even an accidental delete. Encrypt your backup and you won’t have to worry about the backup device falling into the wrong hands.
2. Don’t enable macros in document attachments received via email. Microsoft deliberately turned off auto-execution of macros by default many years ago as a security measure. A lot of malware infections rely on persuading you to turn macros back on, so don’t do it!
3. Be cautious about unsolicited attachments. The crooks are relying on the dilemma that you shouldn’t open a document until you are sure it’s one you want, but you can’t tell if it’s one you want until you open it. If in doubt, leave it out.
4. Don’t give yourself more login power than you need. Most importantly, don’t stay logged in as an administrator any longer than is strictly necessary, and avoid browsing, opening documents or other “regular work” activities while you have administrator rights.
5. Consider installing the Microsoft Office viewers. These viewer applications let you see what documents look like without opening them in Word or Excel itself. In particular, the viewer software doesn’t support macros at all, so you can’t enable macros by mistake!
6. Update software early and often. Malware that doesn’t come in via document macros often relies on security bugs in popular applications, including Microsoft Office, your web browser, Adobe Flash and more. The sooner you update, the fewer open doors remain for the crooks to walk through.
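Tips 2 and 3, and the infection chain described earlier, come down to one question you can ask before a document ever reaches a mailbox: does this attachment contain a VBA project at all? For the Office Open XML formats (.docx, .docm and their Excel and PowerPoint equivalents) that check needs nothing more than a zip listing, because macro code is stored in a `vbaProject.bin` part inside the package. The Python below is an added example, not code from the article or from any vendor product; it builds constructed sample documents in memory, classifies them, and turns the verdict into a mail-gateway action. The action names, and the decision to quarantine legacy binary (.doc/.xls) files rather than parse their OLE streams, are assumptions of the example.

```python
"""Classify an e-mail attachment by whether it carries a VBA macro project.

Added example; the sample documents are constructed in memory and are not
real Locky lures.
"""
import io
import os
import zipfile

# Office Open XML keeps VBA code in a binary part named by application.
VBA_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")

# Extensions that Office treats as macro-free; a VBA part inside one of
# these is a mismatch worth calling out on its own.
MACRO_FREE_EXT = {".docx", ".xlsx", ".pptx"}

# Magic bytes of the legacy OLE2 container used by .doc/.xls/.ppt.
OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"


def classify_attachment(data):
    """Return 'macro', 'no_macro', 'legacy_binary' or 'not_office'."""
    if data.startswith(OLE2_MAGIC):
        # Macros in the pre-2007 binary formats sit in OLE streams; reading
        # them needs an OLE parser (e.g. the olefile package), which this
        # example does not use, so it reports the file rather than clearing it.
        return "legacy_binary"
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "not_office"
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
    if "[Content_Types].xml" not in names:
        return "not_office"  # a zip, but not an Office Open XML package
    return "macro" if any(part in names for part in VBA_PARTS) else "no_macro"


def attachment_policy(filename, data):
    """Map the classification to a gateway action (assumed action names)."""
    kind = classify_attachment(data)
    ext = os.path.splitext(filename.lower())[1]
    if kind == "macro":
        reason = "VBA project present"
        if ext in MACRO_FREE_EXT:
            reason += " inside a macro-free extension"
        return "block", reason
    if kind == "legacy_binary":
        return "quarantine", "legacy binary Office file, macros not inspected"
    return "allow", kind


def build_sample(with_macro):
    """Build a minimal, constructed Office Open XML package in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Real VBA projects are OLE containers; placeholder bytes suffice
            # because only the part's presence is checked here.
            zf.writestr("word/vbaProject.bin", b"constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    samples = {
        "invoice.docm": build_sample(with_macro=True),
        "invoice.docx": build_sample(with_macro=True),   # extension mismatch
        "minutes.docx": build_sample(with_macro=False),
        "report.doc": OLE2_MAGIC + b"\x00" * 504,
        "notes.txt": b"plain text attachment",
    }
    for name, blob in samples.items():
        action, reason = attachment_policy(name, blob)
        print(f"{name:14} {action:10} {reason}")
```

The check is deliberately structural rather than a signature: it does not care what the macro does, only that a macro exists in a document that arrived unsolicited by e-mail, which is the same decision tip 2 asks the user to make by hand. Legacy .doc files are the weak spot, since the lure the article describes could just as easily be one; either add a real OLE parser for that branch or quarantine them as shown.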