To proliferate ransomware, cyber criminals often employ spam emails (infectious attachments), unofficial software download sources, trojans, and fake software updates. eScan’s research team has found out that there are two new variants of Locky Ransomware which add .diablo6 or .lukitus as file extensions to the encrypted files. For past few months Locky had gone dark but now in past couple of days, it has reared its ugly head. Locky was one of the most prominent of the Ransomware family and with the recent spam campaign, it has again proved that unless and until the creators of the dreaded Ransomware are not apprehended, it would keep on wreaking havoc. Spam emails might contain attachments (for example, JavaScript files, MS Office documents, etc.) designed to download/install malware.
Once infected it contacts its Command and Control (CnC) server and sends across the encryption keys which are important for successfully decrypting the files once the ransom has been paid. Unlike Wannacry Ransomware, there does not exist a Kill Switch Domain in Locky. WannaCry used the Eternal Blue exploit to propagate, it called back to a non-existent domain and this flaw was exploited by researchers to stop WannaCry dead in its track. However, with Locky this cannot be done.
Law Enforcement Agencies and Security Researchers may try to gain access to the CnC and provide the decryption keys as they have done this in the past. eScan PBAE detects and blocks these attempts by Locky Ransomware.
Prevention Measures
- Administrators should block all executable files from being transmitted via emails.
- Administrators should isolate the affected system in the Network.
- Administrator can restore the encrypted files from the backup or from system restore point (if enabled) for affected systems.
- Install and Configure eScan with all security modules active.
- Users shouldn’t enable macros in documents.
- Organizations should deploy and maintain a backup solution.
Most important, Organizations should implement MailScan at the Gateway Level for mail servers, to contain the spread of suspicious attachments.
