Lead Image © sandra zuerlein, fotolia.com

Halting the ransomware blackmail wave

Ransomware Storm

Article from ADMIN 36/2016
In the tsunami of ransomware infections this year, the Locky encryption trojan is a high-water mark. With a constant stream of novel attack patterns, this continually evolving pest makes life difficult for IT managers, users, and security vendors. Here's how to protect yourself.

Since February, there have been continuous waves of Locky infection. Windows users are attacked by drive-by downloads or email attachments. After infection, the malicious program encrypts individual files or even the entire hard disk, and demands an anonymous Bitcoin ransom payment from its victims. Locky, an encryption trojan, has found many victims, including well-known corporations and institutions. The trojan changes almost weekly and is known under the following names:

  • Ransom:Win32/Locky.A
  • TrojanDownloader:O97M/Bartallex
  • TrojanDownloader:BAT/Locky.A
  • TrojanDownloader:JS/Locky.A

Encrypt and Blackmail

The name "Locky" already suggests its function. The ransomware encrypts files on the affected computer, on network drives, and even in the cloud, thanks to synchronization. These data can only be restored if you have the decryption key or have made copies of the files on an external, non-affected storage medium. Locky searches specifically for audio files, documents, movies, images, databases, and archive files. Once the trojan has found these files, it encrypts them using the Advanced Encryption Standard (AES). In addition, the malware deletes volume shadow copies, which could be used to recover the encrypted files.

Once the encryption process is complete, Locky drops a ransom note and also replaces the desktop background with a ransom demand. It requires the victim to pay a ransom of 0.5 to 1 bitcoin (about EUR200-400/$217-434) to the cybercriminals. In return, the victim receives the private key for decrypting the files.

This blackmail trojan is currently spreading rapidly throughout Germany, according to some security researchers, with up to 5,000 new infections per hour. The Netherlands and the United States follow in the ranking at some distance. Locky is mainly spread by email. A fictitious invoice serves as the infection channel. Apparently, the malware developers have succeeded in making users believe that the email contains a genuine bill. Parallel to this, harmless-looking but infected websites serve as the distribution channel via "Drive-by Download." Exploit kits, such as Neutrino, are used for this purpose. They use a wide range of security vulnerabilities in the browser and plugins to inject malware into the computer. To fend off such attacks, users are forced to maintain their systems at the latest patch level.

Symptoms of Infection

A message (Figure 1) is the most noticeable symptom of infection with Locky (and with other ransomware). Additionally, files and data on network drives and in cloud storage are encrypted and therefore unreadable. Locky also attacks disconnected network drives if they are still accessible – a novelty. In the case of an infection, the following files (or similar files) appear on the system:

 %temp%\svchost.exe (Locky ransomware)
 [ID][identifier].locky (encrypted files)
Figure 1: If this message appears, it is too late, and the files are already encrypted. Only backups will help.

The malware also attempts to contact the following internet addresses:


Finally, several changes in the registry are identifiable under the HKEY_CURRENT_USER\Software\Locky key.
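The indicators above can be checked on a suspect host with a short triage script. The following PowerShell is an added example, not code from the article or from any vendor; it looks only for the three indicators the text names (the dropped %temp%\svchost.exe, the HKEY_CURRENT_USER\Software\Locky key, and *.locky files) and assumes the user profile as the default scan root.

```powershell
# Locky host triage (added example). Checks the indicators listed in the article:
# %temp%\svchost.exe, HKCU\Software\Locky, and encrypted *.locky files.
param(
    # Assumption: scan the user profile by default; add mapped network drives
    # and cloud-sync folders here, since the article notes those get encrypted too.
    [string[]]$ScanRoots = @($env:USERPROFILE),
    [int]$MaxHits = 20
)

$findings = @()

# 1. Dropped binary in the user's temp directory
$dropper = Join-Path $env:TEMP 'svchost.exe'
if (Test-Path -LiteralPath $dropper) {
    $findings += "Suspicious binary present: $dropper"
}

# 2. Registry key created by the trojan
$regKey = 'HKCU:\Software\Locky'
if (Test-Path -LiteralPath $regKey) {
    $findings += "Registry key present: $regKey"
}

# 3. Encrypted files (article: [ID][identifier].locky); only the extension is matched
$lockyFiles = foreach ($root in $ScanRoots) {
    if (Test-Path -LiteralPath $root) {
        Get-ChildItem -LiteralPath $root -Recurse -File -Filter '*.locky' -ErrorAction SilentlyContinue
    }
}
if ($lockyFiles) {
    $findings += "Found $(@($lockyFiles).Count) *.locky file(s); first hits:"
    $findings += @($lockyFiles) | Select-Object -First $MaxHits | ForEach-Object { "  $($_.FullName)" }
}

# Non-zero exit code lets the script be used from a scheduled task or RMM check
if ($findings.Count -eq 0) {
    Write-Output 'No Locky indicators found on this host.'
    exit 0
}
Write-Output 'Locky indicators detected:'
$findings | ForEach-Object { Write-Output $_ }
exit 1
```

A hit on any of the three checks means the host should be isolated from the network before the backups are touched, because the trojan also reaches reachable shares.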

Camouflage: Batch Files and Fax Messages

Hardly a week passes without new Locky variants making an appearance. The motivation for this is clear: Constant change and development significantly complicates detection by antivirus programs. Typically, antivirus vendors need about 12 hours after a new sample becomes known to adjust their signatures – in this period, very few protection programs detect the new ransomware.

To avoid detection, the cybercriminals recently used batch files and the Windows Script Host cscript.exe to download and execute the crypto trojan. Apparently, this variant was very successful. Spam fax messages are another creative form of attack. At first glance, the matching and deceptively realistic fax by VoIP provider sipgate attempts to deceive the user and motivate them to open the document (sipgate has already warned users about this variant on its own site). The subject of the email ("New fax from 034205-99 …"), and the realistic details in the email text entice the user to open a ZIP file attachment.
