Locky Ransomware Attack Feb 2016 Spike
Locky ransomware is spreading fast globally, and ransomware variants are causing havoc across networks worldwide. Earlier in Feb 2016, TeslaCrypt was active from 2nd Feb onwards, encrypting data files and renaming them with a .mp3 or .micro extension.
Locky ransomware started spreading widely from 15th Feb and renames all encrypted files with the .LOCKY extension.
This Russian ransomware has been rampant at 90,000 infections a day from 15th Feb onwards.
Hollywood Presbyterian Medical Center paid a ransom of $17,000 (approx. Rs. 11 lakh+) to unlock its files; the ransom has to be paid in Bitcoin.
Attackers are sending spam emails with subjects such as Unpaid Invoice, Purchase Order or Payment Advice, carrying malicious document attachments.
In this campaign, messages from random senders with the subject "ATTN: Invoice J-12345678" deliver an attachment named "invoice_J-12345678.doc". The attachments are MS Word documents containing macros that download and install the Locky ransomware on the victim's computer.
The ransomware encrypts files based on their extension and uses Notepad to display the ransom message. It also replaces the Desktop background with the ransom message.
If the user visits the .onion (or tor2web) links given in the ransom message, he or she is instructed to buy Bitcoins, send them to a specified Bitcoin address, and then refresh the page to wait for the decryptor download.
[Image: the malicious attachment prompting the user to enable macros]
Encryption Format:
Locky encrypts most of the useful file formats on the user's local disk drives; some reports are emerging that Locky also encrypts files on mapped shared drives.
Files created in the Documents folder: _Locky_recover_instructions.txt
Files created on the Desktop: _Locky_recover_instructions.txt
The affected file formats are listed below:
.m4u | .m3u | .mid | .wma | .flv | .3g2 | .mkv | .3gp | .mp4 | .mov | .avi | .asf | .mpeg | .vob | .mpg | .wmv | .fla | .swf | .wav | .mp3 | .qcow2 | .vdi | .vmdk | .vmx | .gpg | .aes | .ARC | .PAQ | .tar.bz2 | .tbk | .bak | .tar | .tgz | .gz | .7z | .rar | .zip | .djv | .djvu | .svg | .bmp | .png | .gif | .raw | .cgm | .jpeg | .jpg | .tif | .tiff | .NEF | .psd | .cmd | .bat | .sh | .class | .jar | .java | .rb | .asp | .cs | .brd | .sch | .dch | .dip | .pl | .vbs | .vb | .js | .asm | .pas | .cpp | .php | .ldf | .mdf | .ibd | .MYI | .MYD | .frm | .odb | .dbf | .db | .mdb | .sql | .SQLITEDB | .SQLITE3 | .asc | .lay6 | .lay | .ms11 (Security copy) | .ms11 | .sldm | .sldx | .ppsm | .ppsx | .ppam | .docb | .mml | .sxm | .otg | .odg | .uop | .potx | .potm | .pptx | .pptm | .std | .sxd | .pot | .pps | .sti | .sxi | .otp | .odp | .wb2 | .123 | .wks | .wk1 | .xltx | .xltm | .xlsx | .xlsm | .xlsb | .slk | .xlw | .xlt | .xlm | .xlc | .dif | .stc | .sxc | .ots | .ods | .hwp | .602 | .dotm | .dotx | .docm | .docx | .DOT | .3dm | .max | .3ds | .xml | .txt | .CSV | .uot | .RTF | .pdf | .XLS | .PPT | .stw | .sxw | .ott | .odt | .DOC | .pem | .p12 | .csr | .crt | .key
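As an added example (not code from NPAV or this post), the following Python script triages a machine against the indicators named above: the ransom note _Locky_recover_instructions.txt dropped in Documents and on the Desktop, files already renamed to .locky, and files of the targeted types that are still intact and should be backed up. The at-risk extension set is a constructed subset of the list above.

```python
"""Triage helper for the Locky indicators described in this post.

Added example, not NPAV code. It relies only on the indicators the post names:
the ransom note _Locky_recover_instructions.txt and the .locky extension.
"""
import os
from collections import Counter

RANSOM_NOTE = "_locky_recover_instructions.txt"   # compared case-insensitively
ENCRYPTED_EXT = ".locky"
# Constructed subset of the extensions listed in the post (lower-cased).
AT_RISK_EXT = (".tar.bz2", ".docx", ".xlsx", ".pptx", ".pdf", ".jpg", ".txt",
               ".vmdk", ".sql", ".mdb", ".pem", ".key", ".zip")
# Longest suffix first so a double extension such as ".tar.bz2" is matched whole.
AT_RISK_EXT = tuple(sorted(AT_RISK_EXT, key=len, reverse=True))


def at_risk_extension(name):
    """Return the matching at-risk extension for a file name, or None."""
    lowered = name.lower()
    for ext in AT_RISK_EXT:
        if lowered.endswith(ext):
            return ext
    return None


def triage(paths):
    """Classify file paths into ransom notes, encrypted files and still-at-risk files."""
    result = {"notes": [], "encrypted": 0, "at_risk": Counter()}
    for path in paths:
        name = os.path.basename(path).lower()
        if name == RANSOM_NOTE:
            result["notes"].append(path)        # ransom note dropped by Locky
        elif name.endswith(ENCRYPTED_EXT):
            result["encrypted"] += 1            # already encrypted and renamed
        else:
            ext = at_risk_extension(name)
            if ext:
                result["at_risk"][ext] += 1     # untouched so far, but targeted
    return result


def triage_tree(root):
    """Walk a directory (e.g. a user profile) and triage every file in it."""
    paths = [os.path.join(d, f) for d, _, files in os.walk(root) for f in files]
    return triage(paths)


def verdict(result):
    """Notes or .locky files mean the host should be isolated and restored from backup."""
    if result["notes"] or result["encrypted"]:
        return "LOCKY ACTIVITY: isolate host, restore from backup"
    exposed = sum(result["at_risk"].values())
    return f"no Locky indicators; {exposed} file(s) of targeted types to back up"
```

Run `triage_tree` against a user profile directory; the ransom note and .locky checks are case-insensitive because the post shows the extension as .LOCKY.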
Net Protector Total Security includes an Automatic NP DataBackup feature.
Customers are requested to add any extra important file types to the DataBackup settings:
Net Protector > Protection > Data Backup > Setting > .extension > ADD > Save
How to Enable Data Backup
http://blogs.npav.net/blogs/?p=2576
How to Restore Data Backup
http://blogs.npav.net/blogs/?p=2553
Thank you very much "npav" team.
-- sharad j.