Earlier this week, a Locky ransomware campaign sent more than 23 million messages out across the US in one of the largest attacks in the second half of 2017, according to a post from AppRiver.
Ransomware dominated the cyberthreat landscape in 2016, increasing more than 600% over the year before, with Locky attacks leading the way. As noted by ZDNet, at the start of 2017 distribution of Locky sharply declined, with Cerber variants taking its place.
But Locky made a comeback in recent months, and this massive attack shows just how dangerous it can be. On Monday, just as many US workers were arriving to their offices, the malicious email campaign began inundating their inboxes. The malware traffic spike began that morning just after 7 a.m. CST, the post noted.
The emails in the attack were "extremely vague," Troy Gill, manager of security research at AppRiver, wrote in the post. They included subject lines such as "please print," "documents," "photos," "images," "scans," and "pictures."
Each message included a ZIP attachment that contained a Visual Basic Script (VBS) file nested inside a secondary ZIP file, the post say. When a user clicks on it, the VBS file starts a downloader that reaches out to "greatesthits[dot]mygoldmusic[dotcom]" to pull the latest Locky ransomware.
After that, Locky begins encrypting all files on the user's machine, and adding [.]lukitus to those encrypted files.
Once the victim's files have all been encrypted, the attackers change their desktop background to an image with instructions for decryption. They also place an HTM file named "Lukitus[dot]htm" on the desktop.
Then, the victim is instructed to install a TOR browser, and is provided a Darkweb site to pay 0.5 Bitcoins, or about $2,150. Once the payment is made, the attackers promise to redirect the victim to the decryption service.
This attack is still occurring, the post noted. On Monday, AppRiver had quarantined more than 5.6 million messages in the campaign. And there currently are no publicly shared methods to reverse this Locky strain, Gill wrote.
AppRiver recommends the following tips to protect your computer from ransomware attacks:
1. Run regular software and hardware updates. These updates often contain security patches to holes that ransomware and other malware variants exploit. Automatic software updates are the best option, but if not possible, then you should set up alerts for the newest updates. You should also set a max number of times they can "snooze" the alert.
2. Have layered, redundant security in place. Ransomware is often delivered via an email attachment or malvertisement on the web. By having email and web protection, you can prevent ransomware from ever entering your network.
3. Back up your files. A secure backup allows you to rid your network of malware and then restore your files, so you don't have to pay a criminal and hope he keeps his word to un-encrypt your data.
For more tips on how to avoid and mitigate ransomware attacks, click here.
- How to avoid ransomware attacks: 10 tips (TechRepublic)
- Ransomware incidents surge, education a hot bed for data breaches, according to Verizon (ZDNet)
- Why SMBs are at high risk for ransomware attacks, and how they can protect themselves (TechRepublic)
- Cybersecurity: Two-thirds of CIOs say threats increasing, cite growth of ransomware (TechRepublic)
- Information Security Management Fundamentals (TechRepublic Academy)
Alison DeNisco is a Staff Writer for TechRepublic. She covers CXO and the convergence of tech and the workplace.