Have you ever thought of your computer being kidnapped? This is no longer far-fetched: several destructive ransomware variants (including Locky, CryptoLocker, CryptoDefense, CryptoWall, CTB-Locker, etc.) have appeared and are kidnapping computers around the world. The number of ransomware infections has been increasing!
A new variant of the Locky ransomware, known as Lukitus, has been spreading through socially engineered emails, e.g. phishing emails.
How do ransomware and its variants kidnap computers?
Ransomware attacks victims through:
phishing emails that look like legitimate emails, such as phony FedEx and UPS tracking notices, with a malicious file attached;
compromised websites that target users with an outdated or unpatched browser (e.g. IE) or plugins (e.g. Flash Player);
banner ads that cause the user's device to become infected.
Once you open an anonymous attachment, or visit a compromised website using an outdated browser, ransomware will invade your computer and encrypt its files. Worse still, this “criminal” encrypts files not only on your computer but also on shared network drive(s).
After the files are encrypted, a popup will appear on your computer asking you to pay a ransom, typically in the range of 100-300 USD, within a time limit; otherwise, the only key for decryption will be deleted.
Impact:
Encrypts files on victims’ computers, e.g. CryptXXX and Locky/Lukitus encrypt files on victims’ computers and add a .crypt or .locky/.lukitus file extension to them.
Files on network drives and cloud services are affected.
Data will be unrecoverable due to encryption by ransomware.
Avoid Becoming a Victim:
Until now, there is NO effective method to decrypt all the kidnapped files. To keep your computer from harm, please remember:
Keep your operating system and software up-to-date with the latest patches.
Be alert to suspicious emails.
Do not open any malicious attachment, especially compressed files (.zip, .7zip, .rar) or executable files (.exe).
Do not follow unsolicited web links in email messages.
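
The attachment advice above can also be enforced at a mail gateway or helpdesk triage step. The following is an added example, not part of the original article: it parses a raw email and lists attachments whose file extension is one of the types named above. The function names, the sample message and the extra ".7z" suffix are assumptions made for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Extensions the article warns about. ".7z" is an addition made here
# (assumption): it is the suffix 7-Zip archives normally carry.
RISKY_EXTENSIONS = {".zip", ".7zip", ".7z", ".rar", ".exe"}


def risky_attachments(raw_message: bytes) -> list[str]:
    """Return the filenames of attachments with a risky extension."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    flagged = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        # Compare case-insensitively and ignore trailing dots or spaces,
        # which some mail clients silently drop when saving the file.
        cleaned = name.strip().rstrip(". ").lower()
        if PurePosixPath(cleaned).suffix in RISKY_EXTENSIONS:
            flagged.append(name)
    return flagged


def build_sample() -> bytes:
    """Build a constructed sample message (not a real captured email)."""
    msg = EmailMessage()
    msg["From"] = "tracking@courier.example"
    msg["To"] = "user@corp.example"
    msg["Subject"] = "Your parcel tracking notice"
    msg.set_content("Please see the attached tracking notice.")
    msg.add_attachment(b"constructed archive bytes", maintype="application",
                       subtype="zip", filename="Tracking_Notice.ZIP")
    msg.add_attachment(b"constructed document bytes", maintype="application",
                       subtype="pdf", filename="receipt.pdf")
    msg.add_attachment(b"constructed program bytes", maintype="application",
                       subtype="octet-stream", filename="invoice.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    for filename in risky_attachments(build_sample()):
        print("Hold for review:", filename)
```

A filename check like this is only a first filter; it does not inspect file contents, so it complements patching and user caution rather than replacing them.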