When Locky strikes

A friend’s company is hit with aggressive ransomware and calls our manager for advice

A friend of mine called me for advice yesterday. He had just gotten hit hard by ransomware.

If you’ve been keeping up with the news lately, you’ve probably heard about the explosion of the ransomware strain known as Locky. Locky is a very aggressive type of malware that encrypts files on a victim’s computer and then crawls through every network share the victim can reach. It is typically delivered by macros inside Microsoft Word documents sent through email. When recipients open the Word document, they are prompted to enable macros, and when they do, the ransomware embedded in the macro executes and infects the victim’s computer.

This is what happened to my colleague, who works for another company. So far, we’ve escaped Locky at my company, but I’ve had my own experiences with ransomware, and I’d rather be the one giving advice on how to deal with it than the one who has to clean up the mess. And because of my own experience, I was able to give some helpful advice to my friend.

My first question to him was, “What is the current situation?” About 75% of the documents and important files on his company’s computers and file shares had been replaced by ones with “.locky” extensions. (His team had turned off the majority of end-user PCs to stop the spread of the infection). There was a text file in the affected folders with instructions to pay a ransom of half a bitcoin to purchase the decryption key, along with instructions about where to go to do so.

My second question was, “Can you restore the files from backup?” This is what I did in my own ransomware situation last year, and it was effective. I just deleted all the encrypted files and restored them from backup, making sure the source of the infection was neutralized, and never looked back. My friend was not so lucky. Files stored on the network storage system were backed up every week, so there wouldn’t be too much data lost, but restoring them would take about 36 hours. And most employees of his company had been saving important files locally to their My Documents and Desktop folders, where they were not backed up, and they insisted that getting those files back was essential to business.

At this point, you probably have the same thought that I and my friend had: Just pay the ransom. Half a bitcoin, at today’s exchange rate, is just under $210. Assuming that the criminals are honest and provide the decryption key as promised, his company should get its files back. I don’t yet know how this will work out — he purchased the bitcoin and sent the payment but hasn’t yet heard back from the Locky operators. I hope he doesn’t have to call their help desk — I can’t imagine what that conversation would be like.

I asked about the source of the infection. After all, there’s little point in decrypting the files if the malware is still active. It may end up re-encrypting the files, putting him back to square one. But in their haste to stop the infection, they turned off most of the computers and hadn’t yet determined which one was doing the encrypting. I advised him to bring in a professional forensics malware specialist at this point, which he agreed to. In this situation, you want to be 100% sure you contain the situation.

I figure that, given the amount of time required to encrypt so many files, the malware must have been active for over a day. It probably started doing its nasty work in the late afternoon the day before, and everyone went home without noticing that files were being gobbled up. Hopefully, the decryption process will take less than a day. In the meantime, the forensics team can eliminate the infection. If it were me, I would probably throw away all the end-user computers and buy new ones!

I also advised my colleague to block macro-enabled Word (and Excel and PowerPoint) documents from being delivered in email, and I would advise you to do this as well. I have never seen anybody send a legitimate Office document containing a macro from outside a company. Sure, they might be used internally occasionally, but I think the odds of such documents that originate from outside being work-related are nil. And trust me, you don’t want to get Locky.
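One way to implement the mail-gateway rule recommended above, as an added example that is not from the column or from any product: a Python filter that blocks attachments both by macro-enabled Office extension and by looking inside OOXML zip containers for a vbaProject.bin part, so a .docm renamed to .docx does not slip past an extension-only rule. The extension list is the standard set Office uses for macro-enabled files; the sample message and the docx-shaped zips are constructed here for the demonstration.

```python
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage
# Extensions Office reserves for macro-enabled documents, templates and add-ins.
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".potm", ".ppsm", ".ppam"}

def contains_vba(data: bytes) -> bool:
    """True if data is an OOXML zip that carries a VBA project part (vbaProject.bin)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:  # not a zip at all (plain text, PDF, legacy OLE, garbage)
        return False

def classify_attachment(filename: str, data: bytes) -> str:
    """Return the reason an attachment should be blocked, or 'clean'."""
    name = (filename or "").lower()
    ext = name[name.rfind("."):] if "." in name else ""
    if ext in MACRO_EXTENSIONS:
        return "macro-extension"
    if contains_vba(data):  # catches a .docm renamed to .docx to dodge an extension rule
        return "vba-in-ooxml"
    return "clean"

def blocked_attachments(raw_message: bytes) -> list:
    """Walk a raw RFC 822 message and return (filename, reason) for each attachment to block."""
    hits = []
    for part in message_from_bytes(raw_message).walk():
        if part.get_content_disposition() != "attachment":
            continue
        reason = classify_attachment(part.get_filename(), part.get_payload(decode=True) or b"")
        if reason != "clean":
            hits.append((part.get_filename(), reason))
    return hits

def make_ooxml(with_macro: bool) -> bytes:
    """Constructed test data: a minimal docx-shaped zip, not a real Word file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()

def sample_message() -> bytes:
    """Constructed message: a clean report.docx, an 'invoice.docx' hiding macros, and a .xlsm."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "sender@example.com", "ap@example.com", "Invoice"
    msg.set_content("Please see attached.")
    for name, macro in (("report.docx", False), ("invoice.docx", True), ("budget.xlsm", False)):
        msg.add_attachment(make_ooxml(macro), maintype="application", subtype="octet-stream", filename=name)
    return msg.as_bytes()
```

Legacy binary .doc/.xls/.ppt files are OLE2 containers rather than zips, so this filter cannot see their macros; inspecting those needs an OLE parser such as oletools' olevba.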

This week's journal is written by a real security manager, "J.F. Rice," whose name and employer have been disguised for obvious reasons. Contact him at jf.rice@engineer.com.
