
Security advisories | Feb 26, 2019

Locky Ransomware

Recently eSentire has seen an increase in activity for the ransomware Locky. To help our customers address this threat, we have outlined below our investigation into the behavior of Locky and the mitigation methods that apply to it.

What We Know
Behavior of Locky:
  • Most common infections occur through spam emails with .doc attachments related to invoices
    • Social engineering campaigns may be used as part of this infection vector
  • Locky works by connecting to the Command and Control server and downloading the public key to use in the encryption of files. It then deletes all Shadow Volume Copies so that the machine cannot be restored using files from the Shadow Volumes.
  • This means restoration can only occur using backups or possibly paying the ransom
  • The ransomware will scan the infected machine and encrypt data files such as text, image, and video files as well as office documents
  • In most cases the encryption of files begins immediately, although there may be instances where there is a 24 hour period before the ransomware begins to encrypt files
  • Typically Locky will change the wallpaper of the infected machine to the ransom note once encryption is complete
Additional Information:
  • This is a new ransomware similar to CryptoLocker or CryptoWall
  • Files are encrypted with an RSA public key
  • Awareness is needed for any emails that claim to be:
    • A Xerox copier delivering a PDF of an image
    • A major delivery service like UPS or FedEx offering tracking information
    • A bank letter confirming a wire or money transfer [Phishing emails]
  • As this is a new variant some information is not known:
    • It is not currently known if paying the ransom will actually decrypt files. Be cautious as some variants have not actually decrypted the files properly
    • The cost of the ransom for decryption is typically $400/£280
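As an added example that is not part of the eSentire advisory, the following Python triages constructed Windows process-creation events for two behaviours described above: deletion of Shadow Volume Copies, and an Office application (the .doc attachment vector) spawning a shell or script host. The vssadmin/wmic command lines, the process names and the sample events are assumptions chosen for illustration, not details taken from the advisory.

```python
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Constructed sample events with Sysmon-like fields; none of this is real telemetry.
SAMPLE_EVENTS = [
    {"pid": 412, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet",
     "parent": r"C:\Users\bob\AppData\Local\Temp\payload_placeholder.exe"},
    {"pid": 418, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic shadowcopy delete",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"pid": 520, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows",   # benign enumeration, must not alert
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"pid": 611, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c powershell -w hidden",
     "parent": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE"},
]

def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, tolerant of forward slashes."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def is_shadow_copy_deletion(event: dict) -> bool:
    """True when the command line deletes Volume Shadow Copies (assumed routes: vssadmin, wmic)."""
    exe = basename(event["image"])
    tokens = set(event["cmdline"].lower().split())
    if exe == "vssadmin.exe":
        return {"delete", "shadows"} <= tokens
    if exe == "wmic.exe":
        return {"shadowcopy", "delete"} <= tokens
    return False

def is_office_spawning_shell(event: dict) -> bool:
    """True when an Office application launches a shell or script host."""
    return (basename(event["parent"]) in OFFICE_PARENTS
            and basename(event["image"]) in SHELL_CHILDREN)

def triage(events: list) -> list:
    """Return (pid, reason) for every event that matches a detection."""
    hits = []
    for ev in events:
        if is_shadow_copy_deletion(ev):
            hits.append((ev["pid"], "shadow_copy_deletion"))
        elif is_office_spawning_shell(ev):
            hits.append((ev["pid"], "office_spawned_shell"))
    return hits

if __name__ == "__main__":
    for pid, reason in triage(SAMPLE_EVENTS):
        print(f"pid {pid}: {reason}")
```

The `list shadows` event is included deliberately: matching on `vssadmin.exe` alone would page on routine administration, so the check requires the delete verb as well.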
eSentire Defense
eSentire features that help protect you:
  • Executioner can stop the download of malicious payloads over HTTP if it is enabled for Network Interceptor™
  • Asset Manager Protect (AMP) can stop the communication between infected machines and known command and control servers
  • With the Host Interceptor™ service, the ESOC can quarantine suspected systems at your direction or based on established policy
  • Behavioral analysis tools can detect anomalous network behavior

Additional Protection
How to further protect yourself from this emerging threat:
  • The variants eSentire has analyzed are caught by most up-to-date endpoint anti-virus systems
  • Ensure the use of proper user privileges
  • Configure Windows to display full file extensions (This will stop attackers from masking executable files as common files)
  • User awareness (Infections are occurring from users clicking on a malicious payload that is being shipped via spam email attachments)
  • Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources
  • Remind users to be cautious when clicking on links in emails coming from trusted sources
  • eSentire recommends blocking .zip and .exe file extensions on your SMTP server