Locky Ransomware in Action: Real-World Attack Description

IT security professionals appear to be in a constant race against the numerous ransomware authors who systematically infect individual computers as well as enterprise networks. This article outlines a case of an actual attack that took place in September 2016.

September 23, 2016, 4:45 P.M.:

The staff members of a finance consulting company (which does not want to disclose its name) received several incoming email messages with attachments pretending to be an invoice issued by a recognized law firm. The rogue emails arrived almost simultaneously in the accounts of several employees in both the North American and European offices. The letter looked much like the other invoices the company receives every week. An employee in the North American office read the notification and clicked the attachment, which looked like an MS Word document.


This incident happened in a company that instructs its staff members to abstain from clicking suspicious links and attachments, and that runs an advanced security monitoring tool, firewalls, and an up-to-date antivirus suite. However, the attack succeeds because it exploits the urge to explore the unknown that is inherent in human nature. Careless clicking on links and attachments remains the most common infection vector.

September 23, 2016, 4:46 P.M.:

The virus starts installing itself on the victim’s computer. The file is a new strain of the extortion Trojan dubbed Locky, a family whose versions are updated frequently. The infection initiates connections to several remote servers. Some connections are terminated because the installed security tool recognizes their IP addresses as blacklisted. Eventually, the full ransomware package is delivered from a server that is not marked as malicious.

Since this version of the Locky Trojan is brand new, the security suite fails to detect it during installation. However, follow-up observations would reveal suspicious communications.

September 23, 2016, 4:48 P.M.:

Soon after its installation, the ransomware dispatches a notification to its server. The message informs the C&C that the ransomware has been installed successfully and needs the encryption key to scramble the data. The security software detects the suspicious traffic and flags it for review by IT staff.

Meanwhile, the ransomware is scanning the hard drives for data files to encrypt, skipping the most recent items so that the victim does not notice too early. Locky encrypts the detected files with strong algorithms such as RSA and AES. In theory, the fastest machine in the world could unlock the files by brute force, but the computation would take years. Put simply, the encryption is too strong to break, so the victim often has to pay the crooks for the decryption tool.
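The two telemetry signals described in the preceding paragraphs (blocked C&C connections followed by a successful fetch from an unlisted server, then a burst of file modifications during encryption) can be checked with simple detection logic. The following is an added example, not code from the article or from the company involved; all hosts, IP addresses, process names, paths and log formats are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample logs (not from the article). Assumed formats:
#   firewall line: <epoch> <host> <dst_ip> <ALLOWED|BLOCKED>
#   file activity: (epoch, host, process, path) tuples from an EDR/FIM feed
FW_LOG = """\
1474663560 WS-042 203.0.113.10 BLOCKED
1474663562 WS-042 203.0.113.11 BLOCKED
1474663570 WS-042 198.51.100.7 ALLOWED
1474663600 WS-017 192.0.2.20 ALLOWED
1474664000 WS-017 203.0.113.12 BLOCKED
"""
FW_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(ALLOWED|BLOCKED)$")

def parse_fw(log):
    """Parse firewall lines into (ts, host, dst, action); malformed lines are skipped."""
    out = []
    for line in log.splitlines():
        m = FW_RE.match(line.strip())
        if m:
            out.append((int(m[1]), m[2], m[3], m[4]))
    return out

def blocked_then_fallback(events, window=120):
    """Hosts that reached an allowed external server within `window` seconds
    after a blacklist block: the delivery pattern in the article, where blocked
    C&C attempts are followed by a successful fetch from an unlisted server."""
    blocked, hits = defaultdict(list), {}
    for ts, host, dst, action in sorted(events):
        if action == "BLOCKED":
            blocked[host].append(ts)
        elif any(0 <= ts - b <= window for b in blocked[host]):
            hits.setdefault(host, []).append(dst)
    return hits

# Constructed: 60 document rewrites by one process within 30 s on WS-042,
# plus normal, slow editing activity on WS-017 ("unknown.exe" is a placeholder).
FILE_EVENTS = [(1474663700 + i // 2, "WS-042", "unknown.exe",
                f"C:/Users/shared/doc{i}.docx") for i in range(60)]
FILE_EVENTS += [(1474663700 + i * 300, "WS-017", "WINWORD.EXE",
                 f"C:/Users/finance/report{i}.docx") for i in range(5)]

def modify_burst(events, threshold=50, window=60):
    """(host, process) pairs that modified at least `threshold` files within
    `window` seconds: the bulk-encryption phase the article describes."""
    per_key = defaultdict(list)
    for ts, host, proc, _path in events:
        per_key[(host, proc)].append(ts)
    flagged = []
    for key, stamps in per_key.items():
        stamps.sort()  # sliding window over sorted timestamps
        if any(stamps[i + threshold - 1] - stamps[i] <= window
               for i in range(len(stamps) - threshold + 1)):
            flagged.append(key)
    return flagged
```

Tune `window` and `threshold` to the environment; a legitimate backup or indexing job can also rewrite many files quickly, so the burst signal is best combined with the network signal rather than used alone.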

The Locky ransomware typically demands around $400, payable in Bitcoin cryptocurrency. Frankly, you either send the requested amount or keep your data locked. Switching off your PC, disconnecting it from the network, or any other manipulation does not help. Only recent backups can help to minimize the loss.

September 23, 2016, 4:57 P.M.:

A security analyst recognizes the intrusion. He informs top managers and other employees of the Trojan. The IT security team manages to disconnect the office from the local network and the Internet. File encryption on the affected machine continues while the experts locate the physical PC. Fortunately, Locky failed to propagate beyond a single machine.


Another IT analyst recalls an attack that took place some weeks earlier and targeted an investment business of similar scale; that intrusion was not spotted in time. In less than six hours the cryptovirus encrypted almost a terabyte of files, disrupting the ongoing work of about fifty employees. The company managed to recover the files from its backups. Its IT team was quite confident that the infection had been cleaned from all of its multiple local offices. Reality proved otherwise: five days later, a concealed copy of the same extortion virus launched its delayed ransom attack at another location.

September 23, 2016, 5:21 P.M.:

The compromised PC has been found. IT staff wipe it clean and rebuild it from scratch. Any data kept on that machine is lost.

There are still some after-effects to face. Certain types of ransomware steal files and send them to the attackers' own servers. Ransomware authors then continue their extortion attempts by threatening to put all of the data online and make it publicly available. These guys know their victims. They try to attack businesses that deal with highly sensitive information: legal advisories, insurance agencies, and healthcare institutions.

Plenty of ransomware victims pay for the decryption of their data. A single strain of ransomware collected $121 million in just half a year.

Keep in mind that purchasing the decryption key does not automatically restore your data. Ransomware authors are usually not the best software developers. Their code may contain a number of flaws, so the encrypted data may be corrupted for good.


To sum up, 2016 should definitely be marked as the year of ransomware. According to a Symantec security report, crypto viruses are wrecking approximately 50,000 computers every month.
