A new variant of the aggressive “Locky” ransomware hits 20 million confirmed attacks in a single day, warns a cybersecurity firm.
Ransomware actors are sometimes incredibly sophisticated, demonstrating careful planning and methodical execution. Some hacker individuals or groups can launch large-scale attacks, casting the widest net possible to catch the maximum number of victims.
To protect yourself, it’s best to get familiar with the types of ransomware out there and how to avoid them.
Here are some figures to give you an idea of the massive scale on which ransomware operates:
Last year, ransomware spread increased by a staggering 500%, with email phishing as the most-used distribution method.
In a given month, ransomware infects 30,000-35,000 devices on average.
During the first 6 months of 2016, 300 new ransomware variants were developed. During the same period, an unknown ransomware actor made nearly $100 million USD in profits.
This year, profits generated through ransomware are expected to hit $1 billion USD.
Locky, a Sneaky Ransomware
First appearing in February 2016, Locky is ransomware, a type of malware that holds all of a victim's files hostage by encrypting them and demands a ransom to return them decrypted. Usually, with the proliferation of cryptocurrencies, hackers ask for ransoms to be paid in Bitcoin, for obvious reasons (learn more about Bitcoin anonymity here).
Like most ransomware, Locky infects a system via spam (email sent by a botnet) to which a .doc file is attached. These emails often come with a subject that reads “ATTN: Invoice…”, with a message urgently asking for payment of an invoice.
If the victim clicks on the link, Locky is quickly installed; it then scrambles and renames all files within the system with the extension “.locky”, as well as files on other systems connected to the same network.
This ransomware also removes Windows backup copies (shadow copies), which makes it impossible to recover files that way.
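Both behaviours just described (bulk renames to “.locky”, including on network shares, and shadow copy deletion) are observable on an endpoint. The detector below is an added example, not code from the article or from Barracuda; the log format, event names, host names and the threshold are all assumptions, and the sample log is constructed.

```python
"""Flag Locky-like behaviour: bulk renames to .locky and shadow copy deletion."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format): "<ISO timestamp> <host> <event> <detail>".
SAMPLE_LOG = """\
2017-09-18T10:00:01 ws01 rename C:\\Users\\a\\report.docx -> C:\\Users\\a\\8F3A2C1D.locky
2017-09-18T10:00:02 ws01 rename C:\\Users\\a\\budget.xlsx -> C:\\Users\\a\\1B2C3D4E.locky
2017-09-18T10:00:02 ws01 rename \\\\fileserver\\share\\plan.pdf -> \\\\fileserver\\share\\0A9B8C7D.locky
2017-09-18T10:00:03 ws01 shadow_copy_delete all
2017-09-18T10:00:05 ws01 rename C:\\Users\\a\\notes.txt -> C:\\Users\\a\\5E6F7A8B.locky
2017-09-18T10:05:00 ws02 rename C:\\Users\\b\\draft.docx -> C:\\Users\\b\\draft_v2.docx
2017-09-18T10:06:00 ws02 rename C:\\Users\\b\\old.locky -> C:\\Users\\b\\old.bak
"""

RENAME_THRESHOLD = 3             # assumed: this many .locky renames in one window is abnormal
WINDOW = timedelta(seconds=60)   # assumed sliding window


def parse_events(text):
    """Yield (timestamp, host, event, detail) tuples from the log text."""
    for line in text.splitlines():
        ts, host, event, detail = line.split(" ", 3)
        yield datetime.fromisoformat(ts), host, event, detail


def detect(text):
    """Return {host: [reasons]} for every host showing Locky-like behaviour."""
    alerts = defaultdict(list)
    locky_renames = defaultdict(list)
    for ts, host, event, detail in parse_events(text):
        # Only the destination name matters: "old.locky -> old.bak" is a cleanup, not encryption.
        if event == "rename" and detail.lower().endswith(".locky"):
            locky_renames[host].append(ts)
        elif event == "shadow_copy_delete":
            alerts[host].append("shadow copy deletion")
    for host, times in locky_renames.items():
        times.sort()
        start, peak = 0, 0
        for end, ts in enumerate(times):         # sliding window over sorted timestamps
            while ts - times[start] > WINDOW:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= RENAME_THRESHOLD:
            alerts[host].append(f"{peak} files renamed to .locky within {int(WINDOW.total_seconds())}s")
    return dict(alerts)


if __name__ == "__main__":
    for host, reasons in detect(SAMPLE_LOG).items():
        print(host, "->", "; ".join(reasons))
```

On the constructed log only ws01 is flagged, for both reasons; ws02's ordinary renames, including one away from a .locky name, stay quiet.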
Believed to have been released by the same hackers who were behind Dridex ransomware in 2015, Locky has been spreading like wildfire across the web in 2017, evolving periodically with new, sneaky distribution methods.
Just last month, it was revealed that a new version of Locky attacked millions of systems in just one day.
Locky’s Back With a New Aggressive Variant
The threat, according to researchers at Barracuda Networks Advanced Technology Group, comes in the form of a new, very aggressive version of the strain of ransomware known as Locky.
Per a Barracuda blog post, the attacks originate predominantly from Vietnam, but hotbeds include other countries across three continents, like India, Turkey, Colombia, and Greece, albeit in very low volumes as compared to those from Vietnam.
Barracuda analysts say that about 20 million of these attacks occurred in 24 hours, from the 18th to the 19th of September, and that this figure was growing rapidly. Most of the spam emails claim to be from the “Herbalife company” or pose as a fake “copier file delivery” notice.
In an update, Barracuda said its researchers confirmed that the attacks use a variant of the Locky ransomware with a unique identifier. Identifiers are supposed to let hackers ID victims in order to send them tools to decrypt data after the ransom is paid.
This time, however, all victims have been assigned the same identifier, which means that even if victims pay the ransom they won’t receive decryption tools.
Barracuda also said its filters had blocked about 27 million Locky-related emails, adding that its researchers are actively monitoring the situation.
EdgyLabs readers, here’s what you can do if you fall victim to a Locky or other ransomware attack:
Whatever you do, don’t pay the ransom, because paying cybercriminals is tantamount to feeding their behavior, unless of course there’s no other way to get your “critical” data back.
But in the case of this new wave of Locky attacks, as security researchers found out (same ID for all victims), just don’t bother, because you’re not getting decryption tools anyway, whether the ransom is paid or not.
You can remove Locky ransomware using your average antivirus program. You can try to recover your encrypted data by restoring backup copies, but that’s not guaranteed with the new strain of Locky that deletes shadow copies.
Besides updating your antivirus and using spam filters, in the case of ransomware, remember not to open attachments from suspicious emails of unverified origin; delete them instead.
But before all of that, make sure you use 3-2-1 data protection.
Use 3-2-1 Data Protection
3 copies of your data
2 separate types of media (tape, disk, deduplication)
1 offline and off-site copy
As always, whenever a hard drive is compromised, it’s best to reformat the drive completely before using it again in the future.