One of the most common types of ransomware, “Locky” all but disappeared late last year. Sadly however this very dangerous cyber threat has reemerged and is worse then ever. Everyone should make themselves aware of this particular cyber threat – because once your data is infected – you may never see it again.
The New Locky Brings a New Infection Mechanism
This current wave of SPAM comes in the form of emails that pretend to be payment receipts with various subjects. According to an article by My Online Security, the email subjects include Receipt 435, Payment Receipt 2724, Payment-2677, Payment Receipt_739, and Payment#229, where the numbers change.
These emails include a PDF attachment with a name like P72732.pdf. When these PDFs are opened, the target will be prompted to open an embedded Word document as shown below.
If a user opens the file, the Word document will open and the target will be greeted with the typical Malicious word document prompt. That is the prompting to enable the macros by clicking on Enable Content in order to properly see the document.
When the macros are enabled, the macros are currently downloading an encrypted Locky binary from http://uwdesign.com.br/9yg65, decrypting the file, saving it to %Temp%\redchip2.exe, and then executing the file to begin the encryption process. Redchip2.exe currently has a 7/55 detection on VirusTotal.
Just like previous variants, Locky deletes Shadow Volume Copies using a Scheduled Task and appends the .OSIRIS extension to encrypted files. You can see the task used below.
IgnoreNew false false true true false PT10M PT1H true false true true false false false PT72H 7
C:\Windows\system32\vssadmin.exe Delete Shadows /Quiet /All
While encrypting files it will routinely send status updates to the Command & Control servers located at 18.104.22.168/checkupdate and 22.214.171.124/checkupdate. When done it will display the ransom note to let the victim know that they have been infected.
Unfortunately, at this time there is still no way to decrypt files encrypted by Locky.
Protecting Yourself Against Ransomware
As I continually recommend you should never open an attachment from a sender that you did not request. This goes for hyperlinks in email messages as well that you did not request. If you receive email messages from “lenders” or “creditors” regarding payments etc that include documents call the lender and speak to someone. Do not open the attachment p or click on the hyperlink unless you are 100% certain of its legitimacy.