The Indian Government on Saturday issued an alert on the spread of a new malware — Locky Ransomware — that can lock computers and demand ransom for unlocking them. Ransomware is malicious software, and Locky is reported to demand a ransom of half a bitcoin, which at the present rate is equivalent to over Rs 1.5 lakh.
The alert, issued on Cyber Swachhta Kendra, said it has been reported that a new wave of spam mails is circulating with common subject lines to spread variants of Locky Ransomware. There are hundreds of ransomware-type malware infections similar or identical to Locky, including, for instance, Cryptowall, JobCrypter, UmbreCrypt, TeslaCrypt, and DMA-Locker. All have identical behaviour: they encrypt files and demand a ransom. The only differences are the size of the ransom and the type of algorithm used to encrypt the files. Research also shows that there is no guarantee that your files will ever be decrypted even after paying the ransom. By paying, you simply support cyber criminals’ malicious businesses. Therefore, you should never pay the ransom or attempt to contact them.
“Reports indicate that over 23 million messages have been sent in this campaign. The messages contain common subjects like ‘please print’, ‘documents’, ‘photo’, ‘Images’, ‘scans’ and ‘pictures’. However, the subject texts may change in targeted spear phishing campaigns,” the alert, which described the severity of the ransomware as “high”, said.
“Users are advised to exercise caution while opening e-mails and organisations are advised to deploy anti-spam solutions and update spam block lists,” the alert stated.
Locky is ransomware distributed via malicious .doc files attached to spam email messages. Each Word document contains scrambled text, which appears to be macros. When users enable macros in Word, an executable file (the ransomware) is downloaded. Note that Locky changes all file names to a unique 16-character combination of letters and digits with a .diablo6, .aesir, .shit, .thor, .locky, .zepto or .odin file extension. Thus, it becomes virtually impossible to identify the original files. All are encrypted using the RSA-2048 and AES-1024 algorithms and, therefore, a private key (stored on remote servers controlled by cyber criminals) is required for decryption. To decrypt the files, victims must pay a ransom.
After the files are encrypted, Locky creates an additional .txt and _HELP_instructions.html (or _WHAT_is.html) file in each folder containing the encrypted files. Furthermore, this ransomware changes the desktop wallpaper. The text files and the wallpaper contain the same message, which informs users of the encryption.
Currently, there is no decryptor available to decrypt data locked by the above Locky ransomware variants, so users are strongly recommended to follow prevention measures in an attempt to protect themselves.
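The renaming pattern and ransom-note file names described above give a defender something concrete to look for. The following is an added example, not code from the advisory: it scans a file listing and flags folders that hold several Locky-style renamed files or one of the named note files. The 16-character name pattern, the folder threshold and the sample listing are assumptions constructed for illustration.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath
from typing import Optional

# Extensions and ransom-note names as listed in the advisory.
LOCKY_EXTENSIONS = {"diablo6", "aesir", "shit", "thor", "locky", "zepto", "odin"}
RANSOM_NOTES = {"_help_instructions.html", "_what_is.html"}

# Assumed from the article's description: a 16-character letter/digit name
# followed by one of the known extensions. Real samples may differ.
ENCRYPTED_NAME = re.compile(
    r"^[A-Za-z0-9]{16}\.(" + "|".join(LOCKY_EXTENSIONS) + r")$", re.IGNORECASE
)

def classify(path: str) -> Optional[str]:
    """Return 'encrypted', 'note' or None for a single file path."""
    name = PureWindowsPath(path).name
    if name.lower() in RANSOM_NOTES:
        return "note"
    if ENCRYPTED_NAME.match(name):
        return "encrypted"
    return None

def scan_listing(paths, threshold=3):
    """Count hits per folder; flag folders with >= threshold encrypted files or any note."""
    per_folder = {}
    for p in paths:
        kind = classify(p)
        if kind is None:
            continue
        folder = str(PureWindowsPath(p).parent)
        per_folder.setdefault(folder, Counter())[kind] += 1
    suspicious = sorted(
        f for f, c in per_folder.items()
        if c["encrypted"] >= threshold or c["note"] > 0
    )
    return {"folders": per_folder, "suspicious": suspicious}

# Constructed sample listing (hypothetical paths, not real victim data).
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\budget.xlsx",
    r"C:\Users\alice\Documents\A1B2C3D4E5F60718.locky",
    r"C:\Users\alice\Documents\0F1E2D3C4B5A6978.locky",
    r"C:\Users\alice\Documents\FFEEDDCCBBAA9988.zepto",
    r"C:\Users\alice\Documents\_HELP_instructions.html",
    r"C:\Users\alice\Pictures\holiday.jpg",
    r"C:\Users\alice\Pictures\1234567890ABCDEF.odin",
]

if __name__ == "__main__":
    result = scan_listing(SAMPLE_LISTING)
    for folder in result["suspicious"]:
        print(f"[!] {folder}: {dict(result['folders'][folder])}")
```

In practice the listing would come from a file-server audit, an EDR file-event feed or a backup catalogue; a single folder hitting the threshold is an early signal to isolate the host and check the backups.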
Beware of phishing emails: Always be suspicious of uninvited documents sent via email, and never click on links inside those documents unless you have verified the source.
Backup regularly: To keep a tight grip on all your important files and documents, keep a good backup routine in place that copies them to an external storage device that is not permanently connected to your PC.
Keep your antivirus software and system up to date: Always keep your antivirus software and systems updated to protect against the latest threats.