What is Locky Ransomware?
November 9, 2021 | By Comodo
Locky is a type of ransomware. It was first seen in 2016, when security experts found that its authors delivered it by email: the message asked for payment of an attached invoice, which was in fact a malicious Microsoft Word document that runs infectious macros.
How does Locky Ransomware work?
When the user opens the document, its contents are not readable and a dialog box appears with the phrase “Enable macro if data encoding is incorrect.” This is a simple social engineering technique used as bait to trick the user into enabling macros and passing on the infection.
When the user enables the macros, the macro runs a binary file which installs the encryption trojan; this locks all files that have specific extensions. The filenames are then changed to a combination of letters and numbers.
Once the files are encrypted, Locky demands that the victim download the Tor browser and visit a specific website, which is actually malicious, and pay a ransom to unlock the encrypted files.
Who is a target for Locky Ransomware?
Locky is a very dangerous threat capable of infecting a variety of file formats, including files created by designers, developers, engineers and testers. Locky attacks mainly target small businesses.
The top countries hit by the Locky virus are Spain, Germany, the USA, France, Italy, Great Britain, the Czech Republic, Canada, and Poland.
What is the method of infection for Locky ransomware?
Malware authors pass on the infection through spam emails carrying malicious attachments such as .doc, .xls, or .zip files.
Where does Locky Ransomware come from?
Security experts found evidence that Locky was developed by the hackers behind Dridex. It is also understood that Locky comes from Russia, as it targets PCs around the globe except in Russia.
Locky Ransomware Detection
Locky-infected emails look genuine, which makes it difficult for users to identify them as malicious. Warning signs are a subject line that reads “Upcoming Payment – 1 month notice.” or a Microsoft Word attachment containing malicious macros.
If Locky runs and infects the files, they will be difficult to recover. The user is notified to pay a ransom to unlock the files.
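The detection point above (a Word attachment that carries macros) can be checked mechanically at the mail gateway. The following is an added example, not code from Comodo's article: it inspects an Office Open XML attachment for an embedded VBA project and triages it by extension; the sample documents and filenames are constructed here and are not real Locky samples.

```python
import io
import zipfile

# OLE2 compound-file signature used by legacy binary .doc/.xls files.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def build_docx(with_macro: bool) -> bytes:
    """Constructed sample: a minimal OOXML package, optionally with a VBA project."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Real macro-enabled Word files store the compiled VBA project here.
            z.writestr("word/vbaProject.bin", b"constructed vba blob")
    return buf.getvalue()


def has_vba_project(data: bytes) -> bool:
    """True if an OOXML (zip-based) Office package embeds a VBA project."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = [n.lower() for n in z.namelist()]
    except zipfile.BadZipFile:
        return False  # not a zip container, so not OOXML
    return any(n.endswith("vbaproject.bin") for n in names)


def triage_attachment(filename: str, data: bytes) -> str:
    """Classify a mail attachment from its name and what the container holds."""
    name = filename.lower()
    if name.endswith((".docm", ".dotm", ".xlsm")):
        return "quarantine: macro-enabled Office extension"
    if name.endswith((".docx", ".xlsx")) and has_vba_project(data):
        # A plain .docx should never carry a VBA project; treat the mismatch as hostile.
        return "quarantine: document hides a VBA project"
    if name.endswith((".doc", ".xls")) and data[:8] == OLE2_MAGIC:
        # Legacy binary format: macros live in OLE streams, so route for deeper inspection.
        return "review: legacy binary Office file, inspect for macros"
    return "allow"


if __name__ == "__main__":
    print(triage_attachment("invoice.docm", build_docx(True)))
    print(triage_attachment("invoice.docx", build_docx(False)))
```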
How to remove Locky?
While your computer is starting, press the F8 key on your keyboard repeatedly until the Windows Advanced Options menu appears, then:
- Select Safe Mode with Command Prompt from the menu list and press ENTER.
- When the Command Prompt loads, type “cd restore” and press ENTER.
- Next, type rstrui.exe and press ENTER.
- Click NEXT in the window that opens.
- Select a restore point and click NEXT (choose one dated before Locky infiltrated the PC, so the system is restored to its pre-infection state).
- Click “YES” in the window that opens next.
Once the PC is restored, scan the system with effective, recommended antivirus software and delete any remaining Locky files.
How to prevent Locky ransomware?
Ransomware trojans are built to spread through phishing or spam emails. Below are ways to prevent Locky ransomware:
- Deploy an updated antivirus.
- Install an internet security suite with an email security system that eliminates spam and phishing emails.
- Avoid opening suspicious links and attachments from unauthorized sources.
- Disable macros from running by default in Microsoft Office.
- Back up vital files to external drives or the cloud.
- Ensure the operating system and any third-party software on the system are patched and up to date.
Why Comodo Advanced Endpoint Protection?
Comodo Advanced Endpoint Protection (AEP) is an ideal security solution that equips any business network with the right measure of security features. Case studies have shown that Comodo AEP completely denies targeted attacks and APTs (advanced persistent threats), which a single standalone antivirus cannot do.
Endpoint protection solutions give enterprises a centrally managed security solution to help secure the workstations, servers and other endpoint devices connected to the network.
It is considered the best because it integrates antivirus, anti-spyware, firewall, and application control featuring HIPS (host intrusion prevention) techniques, all in one console.
It combines patch management, configuration capability, and vulnerability assessment to enable proactive protection of data files and disk encryption.