‘Masterpiece’ ransomware Locky returns via Necurs botnet

Last year, the notorious Locky ransomware flooded email inboxes in a destructive campaign that saw it become a leading form of malware. Then, as quickly as it came, it mysteriously vanished. However, on April 21, researchers at Talos observed a new, large-scale Locky campaign spreading.

The ransomware is spread via the Necurs botnet. Once the emailed attachment is opened, the user is prompted to open a macro-enabled Microsoft Word document that downloads Locky in the background.

Locky then encrypts the user’s files, including network-based backups, appending the .osiris extension, before the criminals demand a Bitcoin payment in order to recover them. The price to recover your files reportedly varies from 0.5 bitcoin (approximately $713) to 1 bitcoin ($1,427).

The original campaign was “a masterpiece of criminality,” according to security architect Kevin Beaumont. “The infrastructure is highly developed, it was tested in the wild on a small scale […], and the ransomware is translated into many languages.”

The method

This version of the campaign adds an extra step to the attack – namely, embedding the Word file within a PDF file. This borrows from a recent Dridex campaign and, although it might seem like an unnecessary stage, it allows the ransomware to bypass sandboxes – isolated environments in which untrusted files can be opened and observed safely – because the malicious Word document is only exposed once a user clicks through the PDF.

Once the recipient opens the PDF, they are prompted to open a Word document. This doc appears as a string of unintelligible characters, and a message appears advising users to enable macros “if the data encoding is incorrect.”

Enabling the macro is what triggers the infection. Locky downloads, encrypts all of the user’s files and, when it is done, changes the user’s desktop background to a message that tells them their computer is infected and what they need to do to recover their files.
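The delivery chain described above (a PDF attachment carrying an embedded, macro-enabled Word document) is something a mail gateway or triage script can check for before a user ever sees the prompt. The following is an added defensive example, not code from the original article or from Talos: it scans a PDF for /EmbeddedFile streams and reports whether any of them is an Office Open XML document containing a vbaProject.bin part (the marker of a macro-enabled document). The sample PDF and the embedded documents are constructed inline with placeholder content; the PDF handling is a deliberately simple byte-level scan of uncompressed streams and object names, not a full PDF parser.

```python
"""Flag PDFs that carry an embedded macro-enabled Office document.

Added defensive example for the PDF -> Word -> macro delivery chain described
in the article. Not the article's or Talos's code. Simplifications:
  * only uncompressed (non-/FlateDecode) streams are inspected;
  * objects are located by splitting on 'endobj', which assumes the payload
    itself never contains that token.
"""
import io
import re
import zipfile

ZIP_MAGIC = b"PK\x03\x04"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc container
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)


def extract_embedded_streams(pdf: bytes):
    """Yield the raw body of every stream whose object is typed /EmbeddedFile.

    The /Names tree also mentions '/EmbeddedFiles', but that object carries no
    stream, so it is skipped naturally when the regex finds nothing.
    """
    for obj in pdf.split(b"endobj"):
        if b"/EmbeddedFile" not in obj:
            continue
        match = STREAM_RE.search(obj)
        if match:
            yield match.group(1)


def classify_embedded(data: bytes) -> str:
    """Classify one embedded payload.

    Returns 'ooxml-macro' (OOXML with a VBA project), 'ooxml' (OOXML without
    macros), 'ole' (legacy binary Office file, needs OLE-stream inspection)
    or 'other'.
    """
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return "other"
        if any(name.endswith("vbaProject.bin") for name in names):
            return "ooxml-macro"
        if "[Content_Types].xml" in names:
            return "ooxml"
        return "other"
    if data.startswith(OLE_MAGIC):
        return "ole"
    return "other"


def scan_pdf(pdf: bytes) -> dict:
    """Summarise the embedded files in a PDF and flag macro-enabled Office docs."""
    verdicts = [classify_embedded(s) for s in extract_embedded_streams(pdf)]
    return {
        "embedded_files": len(verdicts),
        "verdicts": verdicts,
        "flagged": "ooxml-macro" in verdicts,
    }


# --- constructed sample data (not real malware) -----------------------------

def build_docm(with_macro: bool) -> bytes:
    """Build a minimal OOXML container; the VBA part is a zero-filled placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder bytes
    return buf.getvalue()


def build_pdf_with_attachment(payload: bytes) -> bytes:
    """Wrap a payload as a PDF file attachment (hypothetical name 'invoice.docm')."""
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /Names << /EmbeddedFiles 4 0 R >> >>",
        b"<< /Type /Pages /Kids [] /Count 0 >>",
        b"<< /Type /EmbeddedFile /Length %d >>\nstream\n" % len(payload)
        + payload + b"\nendstream",
        b"<< /Names [(invoice.docm) 5 0 R] >>",
        b"<< /Type /Filespec /F (invoice.docm) /EF << /F 3 0 R >> >>",
    ]
    out = [b"%PDF-1.7\n"]
    for number, body in enumerate(objs, 1):
        out.append(b"%d 0 obj\n" % number + body + b"\nendobj\n")
    out.append(b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")
    return b"".join(out)


if __name__ == "__main__":
    for label, macro in (("macro-enabled attachment", True), ("plain attachment", False)):
        print(label, scan_pdf(build_pdf_with_attachment(build_docm(macro))))
```

Run stand-alone, the script reports the macro-enabled sample as flagged and the plain one as not. In production the same check belongs behind a real PDF library that decodes compressed streams, and an 'ole' verdict should be handed to an OLE-aware tool, since legacy .doc files store macros in OLE streams that this byte-level check cannot see.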

Protect yourself from phishing

The general advice to protect yourself from ransomware and phishing attacks is to only open attachments from known sources and to learn how to spot malicious emails that masquerade as legitimate ones.

Many reports have shown that human error is the biggest weakness in cybersecurity. In order to prevent phishing attacks from spreading so freely, it’s important for individuals and organizations to step up and take preventive measures.

Employers who want their staff to be able to recognize and respond to phishing emails – and for that information to stick with them – should enroll them on a training course.

IT Governance offers an online Phishing Staff Awareness Course to give staff a detailed understanding of phishing emails. It provides real-life examples of phishing campaigns, as well as tips and best practices to equip them with everything they need to avoid falling victim.

Find out more about our Phishing Staff Awareness Course >>