Locky: new ransomware initiated from infected Word file

Ransomware is a term for software that is deceptively installed on a user's computer and begins to encrypt files. The user is then instructed to pay a ransom to regain access to their files. In some cases the criminals do in fact provide the decryption key to unlock the files. In other cases the user loses both their files and their money.

Locky is new ransomware that is the first known of its type to be embedded in a Microsoft Word file. This malware arrives as a Microsoft Word attachment with malicious macros, which makes it harder to filter out of email systems. Palo Alto Networks reported that 400,000 workstations were infected in a few hours. Antivirus vendors are working to update their engines to catch this new malware.

How it works

The bad guys use social engineering twice: first to trick the user into opening the attachment, and then into enabling the macros in the Word file. Once the user enables the macros, they download an executable from a remote server, store it in the %Temp% folder and run it. This executable is the Locky ransomware, which when started begins to encrypt the files on the workstation, then on both mapped and unmapped network drives.
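As an added illustration, not part of this page or code from any vendor named here, the following Python script shows the defender-side check an email filter can make: whether a Word attachment's OOXML package contains a VBA project at all, judged by content rather than by file extension. The sample message and documents are constructed inside the script.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# OOXML part that holds VBA macro code; its presence means the document
# carries macros no matter what extension the attachment was given.
VBA_PART = "word/vbaProject.bin"
WORD_TYPES = {
    "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
    "application/vnd.ms-word.document.macroenabled.12",
    "application/octet-stream",  # mailers often fall back to this for Office files
}

def carries_vba(blob: bytes) -> bool:
    """True if the bytes are an OOXML zip that contains a VBA project."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as z:
            return VBA_PART in z.namelist()
    except zipfile.BadZipFile:
        return False  # legacy OLE .doc or not a Word file; outside this check

def macro_attachments(raw_eml: bytes) -> list:
    """Filenames of Word attachments in the message whose package holds vbaProject.bin."""
    msg = email.message_from_bytes(raw_eml, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        if part.get_content_type() in WORD_TYPES and carries_vba(part.get_payload(decode=True)):
            hits.append(part.get_filename() or "<unnamed>")
    return hits

def _fake_docx(with_macros: bool) -> bytes:
    """Constructed minimal OOXML package for the demo (placeholder bytes, not real VBA)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            z.writestr(VBA_PART, b"\x01\x02 constructed placeholder")
    return buf.getvalue()

def _sample_email() -> bytes:
    """Constructed message with one clean and one macro-bearing Word attachment."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "sender@example.com", "user@example.com", "Invoice"
    msg.set_content("Please see the attached invoice.")
    word = "vnd.openxmlformats-officedocument.wordprocessingml.document"
    msg.add_attachment(_fake_docx(False), maintype="application", subtype=word, filename="clean.docx")
    msg.add_attachment(_fake_docx(True), maintype="application", subtype=word, filename="invoice.docx")
    return msg.as_bytes()

if __name__ == "__main__":
    print(macro_attachments(_sample_email()))  # ['invoice.docx']
```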

How to avoid it

  1. Make sure you're backing up your data often so you can just start over if you're infected.
  2. If your job doesn't require it, never enable macros within Microsoft Office products. If you must use macros, consider setting a policy rule to disable all except digitally signed macros (see the link below).
  3. Always be cautious with email attachments.
  4. Make sure your anti-virus program is up-to-date.

More information about this malware is available on the KnowBe4 website.

Last Updated: August 23, 2016