
A new family of ransomware called Locky has emerged. While it follows the same pattern as other ransomware by encrypting local files and holding the private encryption keys for ransom, the deployment has some minor differences.

This virus is contracted via an email containing a JavaScript attachment. If the attachment is opened, it initiates a malicious sequence of events:


• First it will download the Locky Ransomware executable file and then run it.
• The Trojan will then start encrypting local files, change the desktop image, and create files that direct the user to pay the ransom and explain where to purchase bitcoins. These files can be found in the following locations:

%USERPROFILE%\Cookies\_Locky_recover_instructions.txt
%USERPROFILE%\Desktop\_Locky_recover_instructions.bmp
%USERPROFILE%\Desktop\_Locky_recover_instructions.txt
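
For triage, the three locations above can be checked across every profile on a host or a mounted disk image. The following is an added example, not part of the original report; the function names and the sample profile tree are constructed for illustration, and the profiles root (normally the Users folder) is an assumption.

```python
import tempfile
from pathlib import Path

# Ransom-note locations from the article, relative to each %USERPROFILE%.
LOCKY_NOTE_PATHS = (
    Path("Cookies") / "_Locky_recover_instructions.txt",
    Path("Desktop") / "_Locky_recover_instructions.bmp",
    Path("Desktop") / "_Locky_recover_instructions.txt",
)


def find_locky_notes(profiles_root):
    """Return {profile name: [note paths found]} for every affected profile."""
    hits = {}
    for profile in sorted(p for p in Path(profiles_root).iterdir() if p.is_dir()):
        found = []
        for rel in LOCKY_NOTE_PATHS:
            candidate = profile / rel
            try:
                if candidate.is_file():
                    found.append(candidate)
            except OSError:
                continue  # unreadable profile (permissions, broken link): skip
        if found:
            hits[profile.name] = found
    return hits


def demo():
    """Sweep a constructed profile tree (sample data: 'bob' hit, 'alice' clean)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "alice" / "Desktop").mkdir(parents=True)
        (root / "bob" / "Desktop").mkdir(parents=True)
        (root / "bob" / "Cookies").mkdir()
        (root / "bob" / "Desktop" / "_Locky_recover_instructions.txt").write_text("x")
        (root / "bob" / "Cookies" / "_Locky_recover_instructions.txt").write_text("x")
        return {user: [p.relative_to(root / user).as_posix() for p in paths]
                for user, paths in find_locky_notes(root).items()}


if __name__ == "__main__":
    for user, notes in demo().items():
        print(user, notes)
```

A hit on any of these files means the profile's data should be treated as encrypted and the machine isolated before a restore is attempted.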

Recovery

If you find yourself a victim of this virus, then unfortunately there are only two ways to restore/recover the documents:


1. The best method is to restore the computer/laptop/server from a recent backup. It is always important to keep regular and routine backups daily; this can be something as simple as a daily file backup to an external hard drive or cloud solution. Note that you must have a backup to do this.
2. Unfortunately, if you don’t have any backups and the files cannot be re-created, paying the price is the only way to unlock the files, in which case you will need to follow the instructions. There have been issues in the past where people paid the ransom and still didn’t get the keys. It is never guaranteed, as the hackers will need to comply.

With ransomware becoming more popular recently, it stresses the importance of not opening suspicious emails, of ensuring that you have an appropriate web filter that blocks JavaScript attachments, and of having all users with mission-critical data routinely back up their files.

Further reading

Full report here: https://www.mysonicwall.com/sonicalert/searchresults.aspx?ev=article&id=901