Ransomware has moved to the front line of cyber security threats, and Locky was one of the first strains to set the standard for modern techniques. The variants that emerged in campaigns in August and early September 2017 have once again drawn attention to the Locky family and the risk it poses to unsuspecting victims. Let’s take a closer look at the new Locky campaigns and what businesses can do to protect themselves effectively from these variants.
IKARUS Flies Past Defenses
On August 9, a new Locky variant became part of a large-scale, email-based campaign and managed to slip past some company defenses. IKARUSdilapidated, named after a text string found in the code of the malicious downloaded file, was sent to tens of thousands of inboxes in three days, Threatpost reported. The emails themselves contained little to no content, just the attachment. Because IKARUSdilapidated is still a new strain, it is currently treated as an “unknown file” and allowed through into organizations’ otherwise secured inboxes.
If a user opens the document, they’ll see unusual text along with the instruction to “Enable macro if data encoding is incorrect”. Users who follow this instruction will actually be saving and running a binary file that downloads the encryption trojan, letting the ransomware take over. This first wave of IKARUSdilapidated has been dubbed the Diablo variant. On an infected system, files are renamed to a unique 16-character combination of letters and numbers with a “.diablo6” extension, according to BankInfoSecurity. The ransom demands for these attacks ranged from $2,150 to $4,300 in exchange for a decryption key.
Lukitus locks down with social engineering
The flight of IKARUSdilapidated doesn’t stop there. A week later the ransomware was used in a second wave of attacks, this time sent from a botnet of zombie servers, Threatpost reported. The emails and attachments used in this campaign appeared to come from the recipient’s trusted business-class multifunction printer. Users received an email that used a popular printer model as the subject line to trick them into believing it was a legitimate message. This wave started on August 18 and was delivered over the course of three days in three stages, making it a large and involved attack. According to BankInfoSecurity, other individuals may have received similarly convincing messages with subject lines about missed voicemail or outstanding invoices to lure them into opening the attachments. These files used Lukitus – meaning “locking” in Finnish – as the extension.
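The renaming behaviour described above for the Diablo (“.diablo6”) and Lukitus waves gives responders one concrete thing to look for on file shares. The following Python script is an added example, not code from this post or from the reports it cites: it triages a list of file paths (a constructed sample is embedded) against the naming pattern the post describes and raises an alert when enough matches appear. That the 16-character name consists of ASCII letters and digits, that extra “-”-joined segments may follow it, and the alert threshold are assumptions, not details from the post.

```python
import os
import re
from collections import Counter

# Extensions the post attributes to the two IKARUSdilapidated waves.
LOCKY_EXTENSIONS = ("diablo6", "lukitus")

# The post describes encrypted files as a unique 16-character combination of
# letters and numbers plus the extension. Assumption: the characters are ASCII
# alphanumerics and may be followed by further "-"-joined segments.
RENAMED_RE = re.compile(
    r"^[A-Za-z0-9]{16}(?:-[A-Za-z0-9]+)*\.(" + "|".join(LOCKY_EXTENSIONS) + r")$",
    re.IGNORECASE,
)


def classify(path):
    """Return the matching Locky extension (lower-case) for a path, else None."""
    m = RENAMED_RE.match(os.path.basename(path))
    return m.group(1).lower() if m else None


def triage(paths, threshold=5):
    """Summarise suspicious files in a list of paths, e.g. from a file-audit
    log or a directory walk. 'threshold' (a constructed default) is the number
    of matches that raises the alert flag."""
    per_ext, per_dir, hits = Counter(), Counter(), []
    for p in paths:
        ext = classify(p)
        if ext:
            hits.append(p)
            per_ext[ext] += 1
            per_dir[os.path.dirname(p)] += 1
    return {
        "hits": hits,
        "per_extension": dict(per_ext),
        "per_directory": dict(per_dir),
        "alert": len(hits) >= threshold,
    }


# Constructed sample of file names, as a file-audit log might list them.
SAMPLE_PATHS = [
    "/srv/share/finance/A1B2C3D4E5F60718.diablo6",
    "/srv/share/finance/A1B2C3D4E5F60719-ABCD-1234.diablo6",
    "/srv/share/finance/Q3-report.xlsx",
    "/srv/share/hr/9F8E7D6C5B4A3210.lukitus",
    "/srv/share/hr/notes.txt",
    "/srv/share/hr/short123.diablo6",  # name too short: not a match
]
```

Running `triage(SAMPLE_PATHS, threshold=3)` flags the three renamed files, grouped by extension and directory, and sets the alert; a legitimate share will produce no hits at all, so even a low threshold is a usable signal.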
“This is a more mature campaign, targeting office workers whose workstations are part of a corporate network linked to multifunction scanners and printers,” security expert Fatih Orhan told Threatpost. “As many employees today scan original documents at the company printer and email them to themselves and others, this malware-laden email will look very innocent.”
Further, a smaller wave of IKARUSdilapidated ransomware came from a campaign built around a message about a bill or billing inquiry. The email appeared to come from a French post office, with the word “FACTURE” (French for “invoice”) as the subject line. Social engineering is the common thread tying every part of the IKARUSdilapidated campaign together. This is proving to be a ransomware variant that is adept at learning, reaching more users and advancing to bypass security measures.
Protecting Yourself Without Paying
Within the past two years, cyber criminals have earned $25 million across 35 unique ransomware strains. Locky remains one of the most effective and profitable methods, earning $7.8 million from victims, according to Threatpost. The success of Locky and its rising variants comes from the authors’ focus on malware development and on improving the supporting botnet infrastructure. These efforts help the ransomware spread wider and faster than its competitors. Fortunately, there are a few steps that businesses can take to protect themselves from Locky and other ransomware threats:
- Do not pay: While it might pain you to do so, it’s critical not to give in. Paying the ransom doesn’t guarantee that the attackers will follow through on their promises. They might demand more money or attack you again in the future because they know there’s the potential of a quick payday.
- Train your staff: Your employees are the best first line of defense against ransomware. Train them to recognize what a malicious email looks like and when to question the files they’re about to open. This can significantly decrease the number of people who fall for these tactics.
- Establish a backup plan: If ransomware does get onto your system, restoring everything from backups is one of the easiest ways to avoid paying while minimizing data loss and damages. It might take some time, but it’s often better than the alternative.
- Implement security proactively: Attackers won’t wait, and neither should you. Implement layered security measures such as application control, threat detection and response (TDR) and reboot-to-restore solutions to fill the gaps left by an anti-virus-only approach. This will help protect PCs across the enterprise, as well as servers, from sophisticated malware attacks.