What is locky Ransomware?August 17, 2018 | By Comodo
Locky is a type of ransomware. It was released in 2016 when security experts found that the malware authors deliver this ransomware through email asking for payment through an attached invoice of a malicious Microsoft Word document that runs infectious macros. The document when opened by the user would not be in a readable format and a dialog box opens with a phrase “Enable macro if data encoding is incorrect.” This is a simple social engineering technique to used as bait to trick the user and pass on the infection. When the user enables the macros, the malware author runs a binary file which then installs the encryption trojan that locks all the files that have specific extensions. Later the filenames are changed to a combination of letters and numbers. Once the files are encrypted, the malware demands to download the tor browser and enter a specific website which is actually malicious. It also demands to pay a ransom to unlock the encrypted file.
Who is Locky targeting?Locky is a very dangerous threat capable of infecting a variety of file formats that includes the files created by designers, developers, engineers and testers. Locky ransomware attack targets mainly small businesses. The top countries hit by locky are Spain, Germany, USA, France, Italy, Great Britain, Czech Republic, Canada and Poland.
Where does Locky come from?Malware authors pass on the infection through spam emails that comes along with malicious attachments that includes .doc,.xls or .zip files.. Security experts found evidences that the locky ransomware has been developed by the Hackers who developed Dridex. It’s also understood that the locky comes from Russia as it targets all the PCs around the globe except Russia.
How to detect Locky ransomware?Locky infected emails looks genuine which makes it difficult for users to identify that the emails are malicious. If the email has a subject line that reads – “Upcoming Payment – 1 month notice.” or comes with a Microsoft Word document containing malicious macros. If the ransomware runs and infects the files, then it is will be difficult to recover. The user will be notified to pay ransom to unlock the files.
How to remove locky ransomware?During the process of starting your computer, press the F8 key on your keyboard continuously until the Windows Advanced Options menu pops out, Select Safe Mode with Command Prompt from the menu list and then press ENTER As the Command Prompt mode loads, type “cd restore” and then press ENTER. Following that type: rstrui.exe and press ENTER. Click NEXT in the opened Window Select the Restore Points and click NEXT (this is to restore your system even before the infiltration of locky ransomware on to the PC). Then Click “YES” in the following opened Window Once the PC is restored, Scan the system with an effective and recommended antivirus software and delete any remaining locky ransomware files.
How to prevent Locky ransomware?Ransomware trojans are developed to spread through phishing or spam emails. Below are ways to prevent locky ransomware:
- Deploy an updated antivirus
- Install an internet security suite that has email security system to eliminate spam and phishing emails
- Avoid opening suspicious links and attachments from unauthorized sources.
- Disable the macros from running default in Microsoft office.
- Take a backup of vital files on external drives or over the cloud.
- Ensure the operating system or any other third-party software associated with the system are patched and updated.