Everything you need to know about Locky Ransomware Attack

What is Locky ransomware?

The Locky ransomware is similar in nature to “WannaCry”, which caused a massive outcry around the world earlier this year. The Indian Computer Emergency Response Team (CERT-In) issued an advisory on Locky ransomware warning users in India to stay alert. Locky ransomware has been active since last year, and it is now back with a new variant. A new ransomware campaign was launched on August 9, and it appears to have started to penetrate India as well. Cybersecurity company AppRiver said it has seen over 23 million messages sent in the attack, making it one of the largest malware campaigns seen so far.

How does it work?

The ransomware is being distributed with a new file extension, “.diablo6”, according to Malwarebytes research. A newer variant adds the extension “.Lukitus” to encrypted files. Lukitus is the French word for locking. The campaign spreads through spam e-mails carrying a malicious ZIP attachment. These ZIP attachments contain Visual Basic Scripts (VBS) embedded in a secondary ZIP file. The VBS file contains a downloader that reaches out to the domain “greatesthits [dot] mygoldmusic[dot] com”.
The e-mail messages use common subjects such as “please print”, “documents”, “photo”, “images”, “scans” and “pictures”. If you open these attachments, a variant of Locky ransomware is automatically downloaded onto the computer. You will soon find that the desktop background has been replaced with one showing an HTM file named “Lukitus[dot]htm”. Users are instructed to pay a ransom of 0.5 Bitcoin, equivalent to Rs 1.5 lakh. Victims are told to install the Onion Router (TOR) browser, which takes them to a decryption service once the ransom is paid.
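As an added illustration of the delivery chain described above (this is not code from the advisory, CERT-In or TCS), the following Python check walks a mail's ZIP attachments, descends into a secondary ZIP and quarantines the message when a .vbs file is found, while a matching campaign-style subject on its own is only flagged. The subject list comes from the text; the sample mail and the file names scan.zip and invoice.vbs are constructed.

```python
import io
import zipfile
from email.message import EmailMessage

# Generic subject lines the advisory associates with the campaign mails.
SUSPECT_SUBJECTS = {"please print", "documents", "photo", "images", "scans", "pictures"}

def nested_script_names(data: bytes, depth: int = 0) -> list:
    """Return .vbs names inside a ZIP, descending up to three levels of nested ZIPs."""
    found = []
    if depth > 3 or not zipfile.is_zipfile(io.BytesIO(data)):
        return found
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.lower().endswith(".vbs"):
                found.append(name)
            elif name.lower().endswith(".zip"):  # script hidden in a secondary zip
                found.extend(nested_script_names(zf.read(name), depth + 1))
    return found

def assess_message(msg: EmailMessage) -> dict:
    """Classify one mail: quarantine on nested script, flag on subject match alone."""
    reasons = []
    subject = (msg["Subject"] or "").strip().lower()
    if subject in SUSPECT_SUBJECTS:
        reasons.append(f"campaign-style subject {subject!r}")
    scripts = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        scripts += [f"{part.get_filename()}:{s}" for s in nested_script_names(payload)]
    if scripts:
        reasons.append("script inside ZIP attachment: " + ", ".join(scripts))
    verdict = "quarantine" if scripts else ("flag" if reasons else "pass")
    return {"verdict": verdict, "reasons": reasons}

def build_sample(subject: str = "please print") -> EmailMessage:
    """Constructed sample mail: ZIP attachment holding a second ZIP holding a .vbs."""
    inner, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("invoice.vbs", "' inert placeholder, not a real downloader\r\n")
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("scan.zip", inner.getvalue())
    msg = EmailMessage()
    msg["Subject"] = subject
    msg.set_content("Please see attached.")
    msg.add_attachment(outer.getvalue(), maintype="application",
                       subtype="zip", filename="scan.zip")
    return msg
```

Calling assess_message(build_sample()) returns a "quarantine" verdict with both the subject and the nested invoice.vbs listed as reasons; a mail gateway would act on the verdict rather than on the subject alone.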

Can we stop the ‘deadly’ Locky ransomware?

There is currently no way to decrypt the affected systems without paying the ransom; researchers have not found a tool that can unlock infected computers.

How can we protect our computer from ransomware?

Here are some ways to protect your PC from ransomware:
  • Be vigilant and run through the following checks before replying to an e-mail, clicking on a link or opening an attachment.
  • Scrutinize the sender ID by clicking ‘Show Details’ in Lotus Notes mail; even if the sender’s name is correct, verify that the e-mail address belongs to the sender.
  • Look out for obscure subject lines that do not concern you or your project, especially ones that prompt you to open an attachment, e.g. URGENT, PDF12345.
  • Take time to read the e-mail: even if the subject line conveys urgency, try to recall whether you have received any earlier e-mails on this subject.
  • Check the e-mail ‘Mail Tag’: be careful if an e-mail is marked ‘External’ but appears to come from a TCSer or senior management.
  • Check the sender ID before replying: confirm the sender’s e-mail ID and domain before replying to an e-mail.
  • External recipient identifier: when an e-mail is sent to external e-mail IDs, you will get a message that it is being sent to an external entity. You should not receive this message when replying to a TCS e-mail ID. (Currently being rolled out in phases.)
  • Note suspicious attachments or links: be wary of attachments you are not expecting and of URLs in the e-mail.
Also, please ensure that the antivirus and the Windows/application patches on your machines are updated to the latest versions.
Please refer to the attached notification by CERT for more details.
Authored By - Mansi Grover
TCS Cyber Security Practice
Source: indianexpress.com, CERT - India