Malware wormed its way into Mantralaya over the weekend, as black hat hackers released a virus to infect some 150 computers at the administrative headquarters of the state government. But all the government’s data are safe.
The virus, called Locky, a form of ransomware, attacked the machines of the revenue and public works departments, but swift measures by the state’s information technology (IT) department prevented it from spreading to the 5,000-odd computers at the seat of the government, shielding the departments from data loss.
The tech department officials, though, believe the attack wasn’t targeted at the government, because hackers usually deploy Locky to hold financial institutions to ransom.
The virus essentially works by encrypting data on the target computer (see below). Hackers then demand ransom in the form of bitcoins to decrypt it. They usually seek out financial establishments because any tampering with their data can cause them to suffer losses running into billions of dollars.
Principal secretary of the IT department, Vijaykumar Gautam, said, “We think the attack on our systems was a case of mistaken identity prompted by the term ‘revenue’, otherwise government systems aren’t normally the target of hackers who breach systems for ransom.” He said that after realising they had been hacked, they isolated the infected computers right away, preventing the virus from spreading further. “We have not lost any data in this hacking, as all of it is safe on the central server and also on servers of the state data centre,” Gautam said.
Officials, though, have not ruled out the possibility that an infected memory stick may be the culprit. “At this stage, we are not ruling out the possibility of use of an infected pen drive that might have transferred the virus to the system,” Gautam said.
How Locky works
Locky is a ransomware email-worm programme that is contained within a Microsoft Word document sent by email. It poses as an invoice and makes use of social-engineering tools to get the target to instal the ransomware, according to malware wiki sites. When the attached file is downloaded and opened, its content appears garbled.
A prompt asks the user to ‘enable macros’. Once this is done, an executable file is downloaded from a remote server, leading Locky to encrypt files on the whole network.
After a couple of other prompts, the virus asks for a payment in bitcoins in order to receive the decryption key.
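As an added illustration (not part of the original report), the Python example below shows one way a mail gateway could flag the kind of attachment described above: it parses a message and reports whether each Word attachment carries a VBA macro project. The sample message, addresses, file names and function names are constructed for the example, and treating every legacy OLE file as suspect is a simplifying assumption.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # legacy .doc/.xls container header

def classify_attachment(data: bytes) -> str:
    """Return 'macro', 'legacy-ole' or 'no-macro' for an attachment's bytes."""
    if data.startswith(OLE2_MAGIC):
        # Assumption: legacy binary files are held for review, since macros
        # cannot be excluded without a full OLE directory parse.
        return "legacy-ole"
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            # OOXML keeps VBA in vbaProject.bin whatever the file is named.
            if any(n.lower().endswith("vbaproject.bin") for n in z.namelist()):
                return "macro"
    return "no-macro"

def scan_message(raw: bytes) -> dict:
    """Map each attachment filename in a raw e-mail to its verdict."""
    msg = message_from_bytes(raw, policy=policy.default)
    return {part.get_filename(): classify_attachment(part.get_payload(decode=True) or b"")
            for part in msg.iter_attachments()}

def _fake_ooxml(with_macro: bool) -> bytes:
    # Constructed stand-in for a Word file: a zip with the expected part names.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"placeholder, not real VBA")
    return buf.getvalue()

def build_sample() -> bytes:
    # Constructed sample message; addresses and names are placeholders.
    msg = EmailMessage()
    msg["From"], msg["To"] = "billing@example.invalid", "clerk@example.invalid"
    msg["Subject"] = "Invoice (constructed sample)"
    msg.set_content("Please see the attached invoice.")
    for name, data in [("invoice.docm", _fake_ooxml(True)),
                       ("notes.docx", _fake_ooxml(False)),
                       ("old.doc", OLE2_MAGIC + b"\x00" * 32)]:
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()

if __name__ == "__main__":
    for name, verdict in scan_message(build_sample()).items():
        print(f"{name}: {verdict}")
```

Attachments reported as `macro` or `legacy-ole` are the ones a gateway would quarantine or strip before they reach a user who might be prompted to enable macros.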