The Locky ransomware has been around for barely a month, yet every day it claims new victims, including prestigious organizations and companies. Here’s the information we have.
Locky: presentation and propagation
Locky is categorized as ransomware: it was created to extort a ransom from a helpless user whose files have been locked. According to many specialists, the ransomware first appeared in February 2016. It is highly likely the work of the hackers behind the equally notorious Dridex.
Locky has nothing in common with its peers other than its mode of distribution (by e-mail) and its category (ransomware). Like most ransomware, it is triggered when the user opens the attachment in which it is hidden. The subject and body of the e-mail are designed to persuade the recipient to open the attachment, often by referring to unpaid orders or invoices. The wording is correct and the message often appears to come from a company with which you have a business relationship. The attachment is usually an Office document or a ZIP archive.
Locky: the effects
Once triggered, the ransomware encrypts files selected by their extension and displays a ransom note in Notepad. It also replaces the Windows wallpaper with an image carrying the same demand. The most serious consequence is the deletion of all internal Windows backups held by the Volume Snapshot Service (shadow copies), so any attempt to recover from them is futile. One wonders how the criminals behind this software intend to get paid: the note contains links to a page describing how to pay the ransom in Bitcoin. The demands range from 0.5 to 1 Bitcoin, or 200 to 400 euros. After payment, a decryptor named Locky Decryptor PRO is supposedly supplied to the victim. However, there is nothing to suggest that it will put everything back in order.
After Dridex in 2015, French businesses will have to deal with an equally fearsome “successor” in 2016: Locky. Some companies have already been able to gauge the scale of the threat, such as Free, which remains powerless in the face of the series of attacks affecting its subscribers.
How can we avoid this threat?
Oktey, publisher of email security solutions, has integrated a powerful automatic detection engine for suspicious files into its Altospam antivirus protection. It also incorporates a real-time analysis system for the macros contained in Microsoft Office files. This makes it a stronger defense against Locky.
Over the past few days, our customers have been asking us whether Altospam is sufficiently armed to block Locky. We think so.
Here, in a nutshell, is a summary of the barriers put in place within Altospam to block Locky: 5 complementary antivirus programs; on-the-fly scanning of Office macros; detection of suspicious files; verification of ZIP file signatures and suspicious file signatures against 57 antivirus programs; blocking of compressed files containing .js files (in particular); and analysis by the integrated anti-spam technologies.
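As an added example (this is not Altospam's code, nor code from the original post), the following Python script applies two of the checks listed above to a mail attachment: it flags script files (.js in particular) shipped inside a ZIP, and it detects the VBA macro container inside an Office Open XML document, which is itself a ZIP, recursing into nested archives. The extra script extensions, the sample "invoice" archive and the sample macro document are constructed assumptions, not artefacts from the page.

```python
import io
import zipfile

# Script extensions rejected inside archives. The post names .js "in particular";
# .jse, .wsf and .vbs are added here as an assumption about comparable filters.
BLOCKED_SCRIPT_EXTS = {".js", ".jse", ".wsf", ".vbs"}
MACRO_PART = "vbaproject.bin"  # part name OOXML uses for embedded VBA macros

def inspect_attachment(data: bytes, max_depth: int = 2) -> list:
    """Return reasons to block a ZIP-based attachment; an empty list means none found."""
    reasons = []
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return reasons  # not an archive (and not an OOXML document either)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            base = info.filename.rsplit("/", 1)[-1].lower()
            ext = "." + base.rsplit(".", 1)[-1] if "." in base else ""
            if base == MACRO_PART:  # macro-bearing Office document
                reasons.append(f"macro container found: {info.filename}")
            if ext in BLOCKED_SCRIPT_EXTS:  # script file shipped inside the archive
                reasons.append(f"script file inside archive: {info.filename}")
            if max_depth > 0:  # ZIP inside ZIP, or Office file inside ZIP
                payload = zf.read(info)
                if zipfile.is_zipfile(io.BytesIO(payload)):
                    for r in inspect_attachment(payload, max_depth - 1):
                        reasons.append(f"{info.filename} -> {r}")
    return reasons

def build_sample_invoice_zip() -> bytes:
    """Constructed sample: an 'invoice' ZIP holding an inert .js placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice_2016_03.js", "// placeholder text, not a real script\n")
    return buf.getvalue()

def build_sample_macro_doc() -> bytes:
    """Constructed sample: a minimal OOXML-style document with a macro part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"placeholder bytes")
    return buf.getvalue()

if __name__ == "__main__":
    for label, blob in [("invoice.zip", build_sample_invoice_zip()),
                        ("report.docm", build_sample_macro_doc())]:
        print(label, inspect_attachment(blob) or ["clean"])
```

A real gateway would additionally cap the size and count of inflated members before recursing, so a crafted archive cannot exhaust the scanner.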
Despite all these technologies, we continue to look for ways to improve, and we constantly analyze our traffic to identify new threats and remedy them as quickly as possible. In any case, every measure is taken to block these polymorphic viruses.