February 22, 2016 @ 09:57 am
Ransomware is a term for software that is deceptively installed on a user's computer and begins encrypting files. The user is then instructed to pay a ransom to regain access to their files. In some cases the criminals do in fact provide the decryption key to unlock the files; in other cases the user loses both their files and their money.
Locky is a new ransomware family and the first known of its type to be embedded in a Microsoft Word file. The malware starts out as a Microsoft Word attachment containing malicious macros, which makes it harder to filter out of email systems. Palo Alto Networks showed that 400,000 workstations were infected in a few hours. Antivirus vendors are working to update their engines to catch this new malware.
How it works
The bad guys use social engineering twice: first to trick the user into opening the attachment, and then to get them to enable the macros in the Word file. Once the macros are enabled, they download an executable from a remote server, store it in the %Temp% folder and run it. This executable is the Locky ransomware; when started it begins encrypting the files on the workstation, and then both mapped and unmapped network drives.
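As an added illustration of the execution chain just described (example code, not from the original post or from any vendor it cites): a small Python detector that reads Sysmon-style process-creation events (ParentImage, Image, ProcessId) and flags an Office application launching an executable from a temp directory. The log lines are constructed and the file names are placeholders.

```python
import json
import ntpath

# Office applications whose macros can spawn child processes.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Substrings of the locations a macro-dropped payload lands in; the user's
# %Temp% expands to ...\AppData\Local\Temp on Windows.
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")

def parent_is_office(event):
    """True when the parent process is one of the Office applications."""
    return ntpath.basename(event.get("ParentImage", "")).lower() in OFFICE_APPS

def image_in_temp(event):
    """True when the launched executable lives in a temp directory."""
    path = event.get("Image", "").lower()
    return any(marker in path for marker in TEMP_MARKERS)

def classify(event):
    """Return a short finding for a suspicious event, or None if it looks benign."""
    if parent_is_office(event) and image_in_temp(event):
        return "office application launched an executable from a temp directory"
    return None

def scan(lines):
    """Parse JSON event lines and return (ProcessId, finding) for each hit."""
    findings = []
    for line in lines:
        try:
            event = json.loads(line.strip())
        except json.JSONDecodeError:
            continue  # blank or malformed line: skip it rather than abort the scan
        finding = classify(event)
        if finding:
            findings.append((event.get("ProcessId"), finding))
    return findings

# Constructed sample events (not real telemetry); file names are placeholders.
SAMPLE_LOG = r"""
{"ProcessId": 4120, "ParentImage": "C:\\Program Files\\Microsoft Office\\Office15\\WINWORD.EXE", "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\payload.exe"}
{"ProcessId": 4125, "ParentImage": "C:\\Program Files\\Microsoft Office\\Office15\\WINWORD.EXE", "Image": "C:\\Windows\\splwow64.exe"}
{"ProcessId": 4130, "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe"}
not valid json
{"ProcessId": 4133, "ParentImage": "C:\\Program Files\\Microsoft Office\\Office15\\EXCEL.EXE", "Image": "C:\\Windows\\Temp\\dropper.exe"}
"""

if __name__ == "__main__":
    for pid, finding in scan(SAMPLE_LOG.splitlines()):
        print(pid, finding)
```

Only the Word and Excel events that launch from a temp path are reported; Word spawning the print helper and Explorer launching an installer are left alone.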
How to avoid it
More information about this malware is available at the KnowBe4 website.