Locky Ransomware Attack Feb 2016 Spike

Locky ransomware is spreading fast globally, and ransomware variants are causing havoc across global networks. Earlier in Feb 2016, TeslaCrypt was active from 2nd Feb onwards, encrypting data files and giving them the .mp3 or .micro extension.

Locky ransomware started spreading widely from 15th Feb and renames every encrypted file with the .LOCKY extension.

Russian ransomware rampant at 90,000 infections a day from 15th Feb onwards

Hollywood Presbyterian Medical Center paid a ransom of $17,000 (approx. Rs. 11 lacs+) to unlock its files; the ransom has to be paid in Bitcoins.

Hackers are sending spam emails of the types Unpaid Invoice, Purchase Order, Payment Advice etc. with document attachments.
In this campaign, messages from random senders with the subject “ATTN: Invoice J-12345678” deliver an attachment “invoice_J-12345678.doc”. The attachments are MS Word documents containing macros which download and install the Locky ransomware on the victim's computer.


The ransomware encrypts files based on their extension and uses Notepad to display the ransom message. Additionally, it replaces the desktop background with the ransom message.
If the user visits the .onion (or tor2web) links specified in the ransom message, s/he is instructed to buy Bitcoins, send them to a certain Bitcoin address, and then refresh the page to wait for the decryptor download.

Screenshot: Attachment showing macro enabling

Encryption Format:
Locky encrypts most of the useful file formats on the user’s local disk drives; some reports are emerging that Locky also encrypts files on mapped shared drives.

Files created in the Documents folder:
_Locky_recover_instructions.txt

Files created on the Desktop:
_Locky_recover_instructions.txt

The affected file formats are listed below:
.m4u | .m3u | .mid | .wma | .flv | .3g2 | .mkv | .3gp | .mp4 | .mov | .avi | .asf | .mpeg | .vob | .mpg | .wmv | .fla | .swf | .wav | .mp3 | .qcow2 | .vdi | .vmdk | .vmx | .gpg | .aes | .ARC | .PAQ | .tar.bz2 | .tbk | .bak | .tar | .tgz | .gz | .7z | .rar | .zip | .djv | .djvu | .svg | .bmp | .png | .gif | .raw | .cgm | .jpeg | .jpg | .tif | .tiff | .NEF | .psd | .cmd | .bat | .sh | .class | .jar | .java | .rb | .asp | .cs | .brd | .sch | .dch | .dip | .pl | .vbs | .vb | .js | .asm | .pas | .cpp | .php | .ldf | .mdf | .ibd | .MYI | .MYD | .frm | .odb | .dbf | .db | .mdb | .sql | .SQLITEDB | .SQLITE3 | .asc | .lay6 | .lay | .ms11 (Security copy) | .ms11 | .sldm | .sldx | .ppsm | .ppsx | .ppam | .docb | .mml | .sxm | .otg | .odg | .uop | .potx | .potm | .pptx | .pptm | .std | .sxd | .pot | .pps | .sti | .sxi | .otp | .odp | .wb2 | .123 | .wks | .wk1 | .xltx | .xltm | .xlsx | .xlsm | .xlsb | .slk | .xlw | .xlt | .xlm | .xlc | .dif | .stc | .sxc | .ots | .ods | .hwp | .602 | .dotm | .dotx | .docm | .docx | .DOT | .3dm | .max | .3ds | .xml | .txt | .CSV | .uot | .RTF | .pdf | .XLS | .PPT | .stw | .sxw | .ott | .odt | .DOC | .pem | .p12 | .csr | .crt | .key
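As an added example (not from the original post and not Net Protector's own tooling), the Python script below checks a directory tree for the artefacts described above: files renamed with the .locky extension, the _Locky_recover_instructions.txt ransom note, and files whose extensions appear on the affected list, which are the ones worth adding to a backup. The extension subset and the sample directory layout in the script are constructed for the example; extend AFFECTED with the full list from the post when using it for real.

```python
import os
import tempfile
from collections import Counter

# Subset of the affected extensions listed in the post (constructed sample for
# the example; extend it with the full list). Matched case-insensitively.
AFFECTED = {".docx", ".xlsx", ".pdf", ".jpg", ".sql", ".vmdk", ".tar.bz2", ".txt", ".key"}
RANSOM_NOTE = "_locky_recover_instructions.txt"  # dropped in Documents and on the Desktop

def classify(name):
    """Return 'encrypted', 'note', an affected extension, or None for a file name."""
    low = name.lower()
    if low == RANSOM_NOTE:
        return "note"
    if low.endswith(".locky"):
        return "encrypted"
    # Longest extension first so .tar.bz2 wins over any shorter suffix.
    for ext in sorted(AFFECTED, key=len, reverse=True):
        if low.endswith(ext):
            return ext
    return None

def scan(root):
    """Walk root; return (encrypted paths, ransom-note paths, Counter of at-risk extensions)."""
    encrypted, notes, at_risk = [], [], Counter()
    for dirpath, _, files in os.walk(root):
        for f in files:
            kind = classify(f)
            path = os.path.join(dirpath, f)
            if kind == "encrypted":
                encrypted.append(path)
            elif kind == "note":
                notes.append(path)
            elif kind:
                at_risk[kind] += 1
    return encrypted, notes, at_risk

def demo():
    """Build a constructed user-profile layout in a temp dir and scan it."""
    root = tempfile.mkdtemp(prefix="locky_demo_")
    layout = {  # file names are constructed; the .locky name is a placeholder
        "Documents": ["A1B2C3D4E5F60718.locky", "_Locky_recover_instructions.txt", "budget.xlsx"],
        "Desktop": ["_Locky_recover_instructions.txt", "notes.txt", "vm.vmdk"],
        "Pictures": ["holiday.JPG", "readme.md"],
    }
    for sub, names in layout.items():
        os.makedirs(os.path.join(root, sub))
        for n in names:
            open(os.path.join(root, sub, n), "w").close()
    return scan(root)  # demo layout: 1 encrypted file, 2 notes, 4 at-risk files
```

Running scan() against a real profile path reports renamed files and ransom notes as infection indicators, and the at-risk counter shows which extensions still need to be covered by backups.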

Net Protector Total Security includes an Automatic NP Data Backup feature.
Customers are requested to add any extra important file types to the Data Backup settings:
Net Protector > Protection > Data Backup > Setting > .extension > ADD > Save


How to Enable Data Backup
http://blogs.npav.net/blogs/?p=2576

How to Restore Data Backup
http://blogs.npav.net/blogs/?p=2553
