Be Afraid, Be Very Afraid: Locky Is Coming To Steal Your Files

Locky is the latest security nightmare

Are you scared yet? You should be quaking every time you sit down at your computer. It gets worse every day.

Locky is the latest piece of malware sweeping the globe. It arrives as a Word or Excel attachment to an email that appears to be an invoice. When you open the document, the contents look like scrambled text, and a friendly message suggests that you click the button at the top of the window (the one that enables macros) if the “data encoding is incorrect.” You click. Poof! Your files are encrypted! Poof! The files on the company server are encrypted! Poof! The shared folders on the computer across the room are encrypted! What’s left is a ransom note demanding anywhere from a few hundred to a few thousand dollars to decrypt your files. If you pay the money (detailed instructions are provided for payment in bitcoin, which is hard to trace), then there’s a chance you’ll get your files back. Of course you’re paying criminals in foreign countries and they’re not great at keeping their promises, what with being criminals in foreign countries and all, so it’s more likely that you’ve lost a few hundred dollars in addition to potentially destroying your business.

The first wave of Locky messages looks like this. Remember, though, the messages can change quickly and it will be no surprise to see many variations on this, including some that look more professional. Images are from this detailed discussion of Locky at Bleeping Computer.

Locky malware - email message

If you open the document attached to the message, it looks like this.

Locky malware - document with macro virus

Locky is the latest example of crypto-ransomware, which first gained wide attention in the fall of 2013 as CryptoLocker and more recently in a variation named CryptoWall. Locky is the worst one yet. The document itself is not the virus; when you click the button, you are enabling a Word or Excel macro, and the macro quietly downloads the real malware in the background. That program then encrypts the files on your computer and starts looking around the network for more files to encrypt. It is one of the first ransomware families that seeks out unmapped network shares. Previous versions would encrypt files in the company folder mapped to a drive letter (the “M:” drive or “P:” drive or whatever) but would ignore shared folders reached by name, like \\servername\programdata, which is commonly how line-of-business programs connect to their data. Locky seeks those out as well and encrypts them, then presents the ransom notice.

Now that Locky is raging in the wild, security researchers report seeing 100,000 new Locky infections per day. The highest-profile victim so far is Hollywood Presbyterian Hospital, which reportedly paid about $17,000 to decrypt its files after a Locky attack.

The good news is that the Locky virus file is now recognized by Microsoft Security Essentials (Windows 7) and Windows Defender (Windows 8/10), as well as the other antivirus programs. The bad news is that antivirus only recognizes a file once someone has seen it, and the criminals repackage the download constantly, so there is always a window when a new variant walks right past the security software. I’ve personally worked on systems where ransomware got at least part way through its job of encrypting files and scrambling file names before the security software kicked in to stop it. Your best protection is paranoia, plus a backup that the infected computer cannot reach, because once the files are encrypted, restoring from backup is the only sure alternative to paying.

There are two things you can do to keep from being attacked by Locky.

The one suggested by Microsoft is to check a setting in Microsoft Word and Excel. Click on File / Options / Trust Center / Trust Center Settings / Macro Settings. Make sure the bullet is on Disable all macros with notification (the default) or Disable all macros except digitally signed macros. If you never use macros at all, Disable all macros without notification is stricter still: the document opens and the button that Locky wants you to click never appears. What you must not have selected is Enable all macros.

wordsecurity_disablemacros

The effect is that macros will not run automatically. When you open a document or spreadsheet with a macro, you’ll see the yellow bar across the top with a button that says “Enable Content.” That button is exactly the one the Locky document is trying to talk you into clicking. Do not click it unless you know exactly where the document came from and you are 100% certain that the macro is harmless.

Word macro warning
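Clicking through the Trust Center dialog works for one computer. The same setting lives in the registry, so on a small office network you can audit every machine instead. The following PowerShell script is an added example, not from the original post or from Microsoft; it reads the value the Trust Center dialog writes for Word and Excel under Office 2010, 2013 and 2016, reports anything set to "Enable all macros", and can put the default back. It assumes the setting is per user (it is stored under HKCU, so run it as the user whose Office you are checking) and that a Group Policy value, when present, overrides the user's own choice.

```powershell
# Added example (not part of the original post): audit the Office macro setting
# described above by reading the registry value the Trust Center dialog writes.
#
# VBAWarnings:  1 = Enable all macros (dangerous)
#               2 = Disable all macros with notification (the default)
#               3 = Disable all macros except digitally signed macros
#               4 = Disable all macros without notification
# If the value is absent, Office behaves as if it were 2.
# Registry version keys: 14.0 = Office 2010, 15.0 = Office 2013, 16.0 = Office 2016/365.
# Assumption: a key under Software\Policies (pushed by Group Policy) wins over the
# user's own key, so it is checked first.

$versions = '14.0', '15.0', '16.0'
$apps     = 'Word', 'Excel'
$labels   = @{
    1 = 'Enable all macros'
    2 = 'Disable all macros with notification'
    3 = 'Disable all macros except digitally signed macros'
    4 = 'Disable all macros without notification'
}

function Get-MacroSetting {
    param([string]$Version, [string]$App)
    $candidates = @(
        @{ Source = 'policy'; Path = "HKCU:\Software\Policies\Microsoft\Office\$Version\$App\Security" },
        @{ Source = 'user';   Path = "HKCU:\Software\Microsoft\Office\$Version\$App\Security" }
    )
    foreach ($c in $candidates) {
        if (-not (Test-Path -Path $c.Path)) { continue }
        $item = Get-ItemProperty -Path $c.Path -Name VBAWarnings -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            $value = [int]$item.VBAWarnings
            return [pscustomobject]@{
                Version = $Version; App = $App; Source = $c.Source
                Value   = $value;   Setting = $labels[$value]
            }
        }
    }
    # Key or value missing: Office uses its default. (Office generations that are
    # not installed, or that this user has never started, also land here.)
    return [pscustomobject]@{ Version = $Version; App = $App; Source = 'default'; Value = 2; Setting = $labels[2] }
}

# Report every combination; optionally repair a user-level "Enable all macros".
$fix = $false   # set to $true to write the default back
foreach ($v in $versions) {
    foreach ($a in $apps) {
        $s    = Get-MacroSetting -Version $v -App $a
        $flag = if ($s.Value -eq 1) { '  <-- UNSAFE' } else { '' }
        "{0,-5} {1,-6} {2,-8} {3}{4}" -f $s.Version, $s.App, $s.Source, $s.Setting, $flag
        if ($fix -and $s.Value -eq 1 -and $s.Source -eq 'user') {
            Set-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$v\$a\Security" `
                             -Name VBAWarnings -Value 2 -Type DWord
        }
    }
}
```

Run it in a PowerShell window as the user in question; a line ending in UNSAFE is a machine where the yellow bar never appears and the macro simply runs. The script only rewrites the user's own key, because a value under Software\Policies is owned by Group Policy and would be restored on the next policy refresh anyway; that is the place to set it for the whole domain.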

The more important thing you can do ought to be second nature by now.

Never, never, never open email attachments unless you know with 100% certainty that the attachment is something you expected and want to receive.
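The rule above depends on people, and the mechanism described earlier (a macro inside an innocent-looking Office document) is something a script can spot before anyone is asked to decide. The following PowerShell function is an added example, not from the original post or from any vendor; it looks inside a folder of saved attachments and flags Office files that carry a VBA macro project. It assumes the attachments have already been saved to a folder (the folder name in the script is a placeholder), and it does not parse the old binary .doc/.xls format, so it simply flags those as suspect rather than claiming they are clean.

```powershell
# Added example (not part of the original post): flag e-mail attachments that
# carry a VBA macro project, the delivery mechanism the article describes.
# A file is reported as
#   macro      - an Office OOXML package (really a zip) containing vbaProject.bin,
#                whatever the extension says (a .docm renamed .docx still has it)
#   suspect    - a legacy binary Office file (OLE2 header D0 CF 11 E0), which can
#                embed macros; this script has no OLE2 parser, so it does not clear it
#   clean      - an OOXML package with no VBA project
#   not-office - anything else
# Assumption: attachments were already saved to a folder (placeholder path below).

Add-Type -AssemblyName System.IO.Compression.FileSystem

function Test-OfficeMacro {
    param([Parameter(Mandatory)][string]$Path)

    $result = [ordered]@{ Path = $Path; Verdict = 'not-office'; Reason = 'unrecognised header' }
    $bytes  = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -lt 4) {
        $result.Reason = 'too short'
        return [pscustomobject]$result
    }

    # Legacy .doc/.xls: OLE2 compound file, magic D0 CF 11 E0 A1 B1 1A E1
    if ($bytes[0] -eq 0xD0 -and $bytes[1] -eq 0xCF -and $bytes[2] -eq 0x11 -and $bytes[3] -eq 0xE0) {
        $result.Verdict = 'suspect'
        $result.Reason  = 'legacy binary Office file; may contain macros'
        return [pscustomobject]$result
    }

    # OOXML (.docx/.docm/.xlsx/.xlsm ...) is a zip archive, magic "PK"
    if ($bytes[0] -eq 0x50 -and $bytes[1] -eq 0x4B) {
        try {
            $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
            try {
                $names = $zip.Entries | Select-Object -ExpandProperty FullName
                $vba   = @($names | Where-Object { $_ -match '(?i)vbaProject\.bin$' })
                if ($vba.Count -gt 0) {
                    $result.Verdict = 'macro'
                    $result.Reason  = 'VBA project present: ' + ($vba -join ', ')
                } elseif ($names -contains '[Content_Types].xml') {
                    $result.Verdict = 'clean'
                    $result.Reason  = 'OOXML package without a VBA project'
                } else {
                    $result.Reason  = 'zip archive, not an Office package'
                }
            } finally { $zip.Dispose() }
        } catch {
            # A damaged or deliberately malformed archive is not something to open by hand.
            $result.Verdict = 'suspect'
            $result.Reason  = 'unreadable zip: ' + $_.Exception.Message
        }
    }
    return [pscustomobject]$result
}

# Usage: scan everything that was saved out of the mailbox.
$attachmentDir = 'C:\Quarantine\Attachments'   # placeholder; point at your own folder
Get-ChildItem -Path $attachmentDir -File -Recurse |
    ForEach-Object { Test-OfficeMacro -Path $_.FullName } |
    Sort-Object Verdict |
    Format-Table -AutoSize
```

The check deliberately ignores the file extension and looks at what is inside, because the extension is the one thing the sender controls. A "macro" verdict on an invoice nobody was expecting is the Locky pattern exactly; a "clean" verdict only means no VBA project, not that the attachment is safe, so the rule above still applies.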

If you haven’t read the Rules For Computer Safety for a while, like the last 72 hours, go refresh your recollection. And hey, hey, hey – let’s be careful out there!

Hill Street Blues - Be careful out there