Locky: Extension Pioneer
- Tags: Locky
Although newer strains of ransomware also change file extension names, Locky was the first to start the trend. It is not particularly old, but it has become infamous in the short span of 5 months. Locky's notoriety is probably due to its widespread distribution: one study found that 7 out of 10 spam emails in the first quarter of 2016 carried Locky executables.
How does it infect?
Like many other ransomware variants, Locky finds its way in via spam emails. More often than not, these emails carry a .doc attachment that becomes operative once the user enables macros. If the system settings don't let the macros run, the document asks the user to enable them. As soon as that step is taken, the wily Trojan is written to disk and runs itself. The downloader (typically detected as Troj/Ransom-CGX) then fetches the malware itself (Locky, or Troj/Ransom-CGW) from the crook's server, and that scrambles the files on the system.
Locky encrypts approximately 160 distinct file types, including videos, audio, databases, source code, office files and others. The files are first encrypted with RSA-2048 and AES-128 ciphers, and their extension is then changed to .locky, together with 16 unique characters that signify the victim's ID.
Locky also makes sure that all shadow copies are removed, so that recovery becomes practically impossible. Shadow copies are live backup snapshots made by Windows, also known as the Volume Snapshot Service (VSS). Once Locky has encrypted all files, it sets a wallpaper on the computer screen notifying the user of the attack. This wallpaper gives details of the encryption along with the user ID and the procedure for decrypting the files.
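The renaming scheme described above (a 16-character victim ID plus the .locky extension) is itself a detection signal: a sudden crop of such names in a share or removable drive means encryption is under way or has finished. The following is an added example, not code from the article, that classifies file names by that scheme and summarizes a directory listing. Two details are assumptions beyond the text: the ID is treated as 16 hexadecimal digits, and the pattern tolerates extra per-file characters between the ID and the extension. The sample listing is constructed for the example.

```python
import os
import re
from collections import Counter

# Locky renames every encrypted file to a 16-character victim ID plus the
# .locky extension. Assumed here: the ID is hexadecimal, and any per-file
# characters between the ID and ".locky" (not described in the text) are
# tolerated so that a single victim ID can appear on many files.
LOCKY_NAME = re.compile(r"^(?P<vid>[0-9a-f]{16})[^.]*\.locky$", re.IGNORECASE)


def parse_locky_name(filename):
    """Return the victim ID (upper-cased) if `filename` follows the Locky
    naming scheme, otherwise None."""
    m = LOCKY_NAME.match(filename)
    return m.group("vid").upper() if m else None


def summarize(paths, threshold=3):
    """Summarize a list of file paths as a directory walk would yield them.

    Returns a dict with:
      total      - number of Locky-renamed files
      by_dir     - {directory: count} for directories holding renamed files
      victim_ids - distinct victim IDs seen (normally one per infected host)
      alerts     - directories whose count reaches `threshold`
    """
    by_dir = Counter()
    victim_ids = set()
    for p in paths:
        # Normalize separators so Windows and UNC paths split the same way.
        directory, _, name = p.replace("\\", "/").rpartition("/")
        vid = parse_locky_name(name)
        if vid is None:
            continue
        by_dir[directory] += 1
        victim_ids.add(vid)
    alerts = sorted(d for d, n in by_dir.items() if n >= threshold)
    return {
        "total": sum(by_dir.values()),
        "by_dir": dict(by_dir),
        "victim_ids": victim_ids,
        "alerts": alerts,
    }


def scan_tree(root, threshold=3):
    """Walk a real directory tree (for example a mounted share) and summarize it."""
    paths = [os.path.join(dirpath, f)
             for dirpath, _, files in os.walk(root) for f in files]
    return summarize(paths, threshold)


# Constructed sample listing: one infected local folder, one hit on a network
# share, plus files that must not match. Not data from the article.
SAMPLE_LISTING = [
    r"E:\finance\0123456789ABCDEF-1A2B-3C4D-5E6F-0A1B2C3D4E5F.locky",
    r"E:\finance\0123456789ABCDEF-AAAA-BBBB-CCCC-DDDDEEEEFFFF.locky",
    r"E:\finance\0123456789ABCDEF-1111-2222-3333-444455556666.locky",
    r"E:\finance\budget_2016.xlsx",            # untouched file
    r"\\fileserver\share\0123456789ABCDEF-9999-8888-7777-666655554444.locky",
    r"C:\Users\alice\notes.locky",             # wrong scheme: no 16-hex ID
]

if __name__ == "__main__":
    report = summarize(SAMPLE_LISTING)
    print(f"{report['total']} renamed files, victim IDs: {report['victim_ids']}")
    for d in report["alerts"]:
        print(f"ALERT: {report['by_dir'][d]} Locky-renamed files in {d}")
```

`scan_tree` runs the same logic over a live path; pointing it at a file server share is a cheap way to confirm, after an alert, which network locations the infected host reached (the list above notes that Locky encrypts any mounted drive, not just local ones).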
What is so different about Locky?
Apart from the fact that Locky changes file extensions, the following attributes set it apart from other ransomware:
- Locky doesn't scramble the C: drive; rather, it infects files on any mounted drive, including removable drives and other computers connected to the network at the time of the attack. The only requisite for Locky to do its damage is access to the files.
- After being deployed it disappears and runs its dropped copy (renamed to svchost.exe) from the %TEMP% folder.
- It does away with the shadow copies of files.
- Locky demands ransom in Bitcoin, payable via TOR. Its usual demand varies from 0.5 to 1.00 Bitcoin.
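Two items in this list, the dropped copy running as svchost.exe from %TEMP% and the removal of shadow copies, are host behaviours that endpoint telemetry can catch before the wallpaper appears. The following is an added example, not code from the article, that applies both checks to process-creation records. The record shape, the list of legitimate svchost.exe directories, and the sample events are all constructed for the example. The article says Locky removes shadow copies but not how; the rule watches the built-in vssadmin deletion command, which is a generic ransomware detection and not something the article attributes to Locky specifically.

```python
import re

# Constructed process-creation records in the shape a Windows endpoint sensor
# might log (image path plus command line). Made up for this example.
SAMPLE_EVENTS = [
    {"pid": 412, "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    {"pid": 2280, "image": r"C:\Users\alice\AppData\Local\Temp\svchost.exe",
     "cmdline": "svchost.exe"},
    {"pid": 2301, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"pid": 2310, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows"},
    {"pid": 2400, "image": r"C:\Program Files\Backup\agent.exe",
     "cmdline": "agent.exe --snapshot"},
]

# Where the genuine svchost.exe lives on the monitored hosts (assumption).
LEGIT_SVCHOST_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Path fragments that mark a temporary folder, where Locky's copy runs.
TEMP_MARKERS = ("\\temp\\", "\\tmp\\")

# Shadow-copy deletion through the built-in vssadmin tool (generic rule).
VSS_DELETE = re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b",
                        re.IGNORECASE)


def check_event(ev):
    """Return a list of finding strings for one process-creation record."""
    findings = []
    image = ev["image"].lower()
    name = image.rsplit("\\", 1)[-1]

    # A svchost.exe that is not in a Windows system directory is an impostor;
    # say explicitly when it runs from a temp folder, as the article describes.
    if name == "svchost.exe" and not image.startswith(LEGIT_SVCHOST_DIRS):
        where = ("a temp folder" if any(m in image for m in TEMP_MARKERS)
                 else "a non-system path")
        findings.append(f"svchost.exe launched from {where}: {ev['image']}")

    # Listing shadow copies is routine; deleting them is the signal.
    if VSS_DELETE.search(ev["cmdline"]):
        findings.append(f"shadow copy deletion: {ev['cmdline']}")
    return findings


def triage(events):
    """Run check_event over all records; return {pid: findings} for the hits."""
    hits = {}
    for ev in events:
        findings = check_event(ev)
        if findings:
            hits[ev["pid"]] = findings
    return hits


if __name__ == "__main__":
    for pid, findings in triage(SAMPLE_EVENTS).items():
        for f in findings:
            print(f"pid {pid}: {f}")
```

Running it over the constructed events flags only the svchost.exe copy in the user's Temp folder and the shadow-copy deletion; the real svchost.exe, the read-only `vssadmin list shadows`, and the backup agent pass. Either finding on its own is worth an immediate look at what that host has mounted, because by the time both appear the encryption of network shares is usually already running.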
How can you avoid its attack?
Locky has stood as one of the most ravenous ransomware families in the malware community. Unfortunately, there are not many ways for users to recover their data once Locky has infected it. There are, however, precautions a user can take to avoid an attack or becoming a victim. Simply keep the default Windows settings, under which macros are not allowed to run. Secondly, enable the display of file extensions, which are hidden by default. Last but not least, always keep a secure backup plan with user-friendly software such as Ransomware Protector; this will let you recover files even if the Trojan has infected your system.