
    ON SECURITY


    Ransomware alert: Don’t be unlucky with Locky

    By Susan Bradley

    Ransomware is a rapidly growing plague on computer users, and the latest variant of Locky adds malicious Word macros to its weaponry. If you must open Word documents created by others, here are some ways to ensure you don’t become a ransomware victim.


    The full text of this column is posted at windowssecrets.com/on-security/ransomware-alert-dont-be-unlucky-with-locky/.

    Columnists typically cannot reply to comments here, but do incorporate the best tips into future columns.

    • #1556287

      Could you please advise on the merits of switching on the ransomware protection offered by anti-virus software? I use Bitdefender but am reluctant to switch it on, as I am not clear how much hassle it will involve subsequently.

    • #1556296

      Good article. Anyone using computers should read and understand this.

      A couple of places it could be slightly improved:

      1) You do mention macros in both Word and Excel, but then you only mention disabling it in Word. You should explicitly state to disable them in Excel too. I have received emails with Locky in both types of files.

      2) It would be useful to explicitly advise to disconnect your external back-up device from the PC between backups. If mounted, the backup drive(s) could be encrypted too!

      3) I have seen reports of Locky being distributed in JavaScript (.js) files too. We need to be vigilant about many file types.

      Keep up the good work of spreading the knowledge of these new plagues.

      Thanks!
      -brino

    • #1556298

      OK Susan, you’ve explained what to do for Word.

      But although you included Excel in your item, you did not explain what to do about macros in Excel.

      I am still using Office 2007.

      Please advise,

      Ron

      • #1556324


        Hi ronbar,

        On my system (with Win7 and Excel 2007), first open the Excel application, then
        1) hit the “Office Button” then “Excel Options”,
        2) within the “Excel Options” pop-up, hit “Trust Center” then “Trust Center Settings”,
        3) finally within the “Trust Center” pop-up, hit “Macro Settings” then make your choice, I use “Disable all macros with notification”

        See below for screen-shots.
        A little hidden, but not difficult.

        -brino

        [three screenshots attached, one for each step above]

    • #1556299

      Susan,
      First off, let me say that I read and follow your Patch Watch religiously. So thanks for the great info you share.

      Also thanks for this article. However I have several questions.
      1. I use Macrium and make one backup image a day and keep a week's worth on a rotating basis, on both an internal hard drive and an external hard drive. Are you saying that if I get infected, this malware would lock ALL the saved backup images, or just the one that was created on the day of the attack? If it only affects the latest backup image, then I can simply go back to a day before the attack, restore that image, and be back up and running again.
      2. I also save specific files to the cloud. But in order to gain access to them, I must know my password. How can this malware lock my cloud files if the files have password protection?
      3. Lastly, I have Erunt make a backup of my registry each morning when I boot up. Couldn’t I just restore the last registry backup to foil Locky and this type of ransomware?
      Thanks,
      SG

    • #1556303

      Thanks Susan, informative as always.
      One thing that you don’t mention is whether being logged in as a Standard User rather than with an admin account would offer any protection. I have a sneaky feeling that it wouldn’t, as (presumably) the encrypting macros can run as a normal user too, but I’d be interested to hear your take on this. Would AppLocker also be ineffective?
      Andy

    • #1556405

      Hello Ms. Bradley,

      First of all allow me to say how much I enjoy your columns, especially your “Patch Watch.” I always check your patch watch before installing any Microsoft updates.

      I have a couple of comments regarding your excellent ransomware article. First, before I start my laptop I make sure any external drive or USB drive I use for backup is disconnected from the laptop. If I am going to update my backup, I disconnect from the Internet and then run a malware scan. Only after I am satisfied that all is as it should be do I connect my external backup drive. Secondly, say my system and data do get infected by ransomware: would it be possible to boot from a USB or DVD drive and copy over the encrypted files from a backup, thus replacing encrypted files with unencrypted files, or would that result in spreading ransomware to my backup? Thirdly, I dual-boot Linux on my laptop. If my Windows OS is infected, would it also infect Linux? If not, would I be able to boot into Linux, mount the Windows volumes and copy over the encrypted files with fresh files from my backup? Do such strategies have any potential?

      I would be happy to have your views on these copy strategies.

      Best Regards,

      Perri 7

      p.s. As an alternative to copying, would it be possible to clean the Windows OS volumes by running anti-ransomware software from the Linux partition? Moreover, if you don’t have a dual boot option (i.e. Linux is not installed on your hard drive), would it be possible to clean the Windows OS by launching Linux from a DVD (or USB) and then using the anti-ransomware software to remove the ransomware? (Note: Malwarebytes is Beta testing Anti-Ransomware Software – current version is Beta 5.) Thank you.

    • #1556412

      For a quick summary of the details of Locky see this Bleeping Computer page:
      http://www.bleepingcomputer.com/news/security/the-locky-ransomware-encrypts-local-files-and-unmapped-network-shares/

      That page does list the affected file types. That is, Locky will (currently!) only encrypt those specific files.

      So if you have a USB drive where you back up your files (Microsoft Word, Excel, PowerPoint files, or even your home videos, .avi, etc.) with a simple file copy (either manually or automatically), and if this backup drive is connected when the ransomware strikes, then you risk your backup copies being encrypted too!

      If you use an image-based backup you _MAY_ be okay if the ransomware does not target your particular image file type; however, it is easy to see that for the biggest ransom income the next version or generation of ransomware could easily add all common image file types to their targeted file list.

      The same applies for “cloud-based” connections. If you leave it constantly connected for easy back-up and retrieval of your files, then the ransomware may also have easy access.

      Play Safe!
      -brino

      • #1556924

        If you use an image-based backup you _MAY_ be okay if the ransomware does not target your particular image file type; however, it is easy to see that for the biggest ransom income the next version or generation of ransomware could easily add all common image file types to their targeted file list.

        But backup images are large, so encrypting one would

        a) take a long time and
        b) require a lot of free space to encrypt

        It also seems likely to me that the number of people who DO have a backup and DO NOT have an off-line copy is likely to be small. If I were creating ransomware I think I would be unlikely to go after image files until income from encrypting easier targets started to diminish. And then I’d try to encrypt them as they were created for about a month before I demanded the ransom.
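      The backup practice recommended in the posts above (Perri's "disconnect the drive, scan, connect, back up", brino's "disconnect your external back-up device between backups") can be scripted so the disk is never left attached by mistake. The following is an added example written for this page; it is not code from the column or from any poster. It assumes the backup disk is disk number 2 in Get-Disk with a volume F:, that the script runs as Administrator on Windows 8 / Server 2012 or later (Set-Disk comes from the Storage module), and it uses two indicators reported in the Bleeping Computer write-up linked above: encrypted files are renamed to *.locky and a ransom note named _Locky_recover_instructions.txt is dropped in affected folders.

```powershell
# Added example, not code from the column or the thread.
# Check the source for Locky's traces, bring the backup disk online only for
# the copy, never delete on the backup side, and take the disk offline again
# whatever happens.
# Assumptions: backup disk = disk 2 (Get-Disk), volume F:, Windows 8+ with the
# Storage module, run as Administrator. Indicators per the Bleeping Computer
# write-up: files renamed to *.locky, ransom note _Locky_recover_instructions.txt.

function Test-LockyIndicators {
    param([Parameter(Mandatory)][string]$Path)
    # Returns up to five matching paths so the caller can show what it found.
    Get-ChildItem -Path $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -eq '.locky' -or $_.Name -eq '_Locky_recover_instructions.txt' } |
        Select-Object -First 5 -ExpandProperty FullName
}

function Invoke-OfflineBackup {
    param(
        [Parameter(Mandatory)][string]$Source,
        [Parameter(Mandatory)][string]$Destination,
        [Parameter(Mandatory)][int]$BackupDiskNumber
    )
    # 1. A source that already carries *.locky files or ransom notes is an
    #    infected machine: back up nothing and say so.
    $hits = @(Test-LockyIndicators -Path $Source)
    if ($hits.Count -gt 0) {
        Write-Warning "Locky indicators in $Source, not backing up:"
        $hits | ForEach-Object { Write-Warning "  $_" }
        return $false
    }
    # 2. Connect the backup disk only now.
    Set-Disk -Number $BackupDiskNumber -IsOffline $false
    try {
        # The volume can take a moment to mount after the disk comes online.
        $root = [System.IO.Path]::GetPathRoot($Destination)
        $deadline = (Get-Date).AddSeconds(30)
        while (-not (Test-Path -Path $root) -and (Get-Date) -lt $deadline) { Start-Sleep -Seconds 1 }
        if (-not (Test-Path -Path $root)) { throw "Backup volume $root did not come online" }

        # 3. Copy new and changed files. /E without /MIR or /PURGE means a file
        #    renamed to *.locky on the source would show up as an extra file in
        #    the backup while the earlier clean copy stays; /XF *.locky keeps
        #    even that extra file out.
        $robocopyArgs = @($Source, $Destination, '/E', '/R:1', '/W:1', '/XF', '*.locky', '/NP', '/NDL')
        & robocopy.exe @robocopyArgs | Out-Null
        # robocopy exit codes 0-7 are success variants (bits 1, 2, 4 are
        # informational); 8 and above mean at least one file failed to copy.
        return ($LASTEXITCODE -lt 8)
    }
    finally {
        # 4. Disconnect again, even if the copy threw, so a later infection
        #    cannot reach the backup (Locky also walks unmapped network shares).
        Set-Disk -Number $BackupDiskNumber -IsOffline $true
    }
}

# Usage (paths are assumptions for this example):
$ok = Invoke-OfflineBackup -Source "$env:USERPROFILE\Documents" -Destination 'F:\Backup\Documents' -BackupDiskNumber 2
if (-not $ok) { Write-Warning 'Backup did not complete cleanly; see the warnings above.' }
```

      Two caveats. On Windows 7, which several posters are running, the Storage cmdlets are not available; `mountvol F: /P` dismounts the volume and removes its letter and can stand in for the offline step. And the no-delete copy only protects you against malware that renames what it encrypts, as this Locky variant does; a variant that encrypts in place under the original name would be copied over your single clean copy, which is why a rotated set of images, as SG describes above, is still worth keeping.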

    • #1556444

      Hi All,

      After thinking about this for a while I started to wonder if Microsoft PowerPoint also supported macros.

      Well guess what: Yes, it does!

      Turning off macros in PowerPoint 2007 is identical to doing it in Excel as I showed in post #7 above.

      -brino
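      The Trust Center steps brino gives above for Excel 2007, and repeats for PowerPoint, write a single per-user registry value, so the same choice can be applied to Word, Excel and PowerPoint at once and read back to confirm it took. The following is an added example for this page, not code from the column or from any poster. The value name and path (HKCU\Software\Microsoft\Office\<version>\<App>\Security\VBAWarnings) and its meanings are Office's documented ones; the version list (12.0 = Office 2007, 14.0 = 2010, 15.0 = 2013, 16.0 = 2016) and the app list are the example's own assumptions about what is installed.

```powershell
# Added example, not code from the column or the thread.
# Sets the Office "Macro Settings" choice for Word, Excel and PowerPoint by
# writing the same per-user value the Trust Center dialog writes:
#   HKCU\Software\Microsoft\Office\<version>\<App>\Security\VBAWarnings (DWORD)
#   1 = Enable all macros            2 = Disable all macros with notification
#   3 = Disable all except signed    4 = Disable all macros without notification
# A Group Policy setting, if one is applied, lives under
# HKCU\Software\Policies\Microsoft\Office\<version>\<App>\Security with the
# same value name and overrides the per-user value; Get-OfficeMacroSetting
# reports both so you can see which one is in effect.

$MacroLevels = [ordered]@{
    EnableAll               = 1
    DisableWithNotification = 2
    DisableExceptSigned     = 3
    DisableAll              = 4
}

function Set-OfficeMacroSetting {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('EnableAll', 'DisableWithNotification', 'DisableExceptSigned', 'DisableAll')]
        [string]$Level,
        [string[]]$Apps     = @('Word', 'Excel', 'PowerPoint'),
        [string[]]$Versions = @('12.0', '14.0', '15.0', '16.0')   # assumption: versions to cover
    )
    $value = $MacroLevels[$Level]
    foreach ($ver in $Versions) {
        foreach ($app in $Apps) {
            # The per-app key exists only for versions this user has run at
            # least once; skip the others rather than create phantom keys.
            $appKey = "HKCU:\Software\Microsoft\Office\$ver\$app"
            if (-not (Test-Path -Path $appKey)) { continue }
            $secKey = Join-Path -Path $appKey -ChildPath 'Security'
            if (-not (Test-Path -Path $secKey)) { New-Item -Path $secKey -Force | Out-Null }
            Set-ItemProperty -Path $secKey -Name VBAWarnings -Value $value -Type DWord
            [pscustomobject]@{ Version = $ver; App = $app; Level = $Level; VBAWarnings = $value }
        }
    }
}

function Get-OfficeMacroSetting {
    param(
        [string[]]$Apps     = @('Word', 'Excel', 'PowerPoint'),
        [string[]]$Versions = @('12.0', '14.0', '15.0', '16.0')
    )
    $names = @{}
    foreach ($k in $MacroLevels.Keys) { $names[[int]$MacroLevels[$k]] = $k }
    foreach ($ver in $Versions) {
        foreach ($app in $Apps) {
            if (-not (Test-Path -Path "HKCU:\Software\Microsoft\Office\$ver\$app")) { continue }
            $userKey   = "HKCU:\Software\Microsoft\Office\$ver\$app\Security"
            $policyKey = "HKCU:\Software\Policies\Microsoft\Office\$ver\$app\Security"
            $user   = (Get-ItemProperty -Path $userKey   -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
            $policy = (Get-ItemProperty -Path $policyKey -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
            # No value at all means Office's default, "Disable all macros with notification" (2).
            $effective = if ($null -ne $policy) { $policy } elseif ($null -ne $user) { $user } else { 2 }
            [pscustomobject]@{
                Version   = $ver
                App       = $app
                UserValue = $user
                Policy    = $policy
                Effective = $names[[int]$effective]
            }
        }
    }
}

# Usage: apply the choice brino made in the Trust Center, then read it back.
Set-OfficeMacroSetting -Level DisableWithNotification | Out-Null
Get-OfficeMacroSetting | Format-Table -AutoSize
```

      Office reads the value when an application starts, so close and reopen Word, Excel and PowerPoint after running it. If the Policy column is populated, the setting is coming from Group Policy and changing the user value will not alter what the Effective column shows.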

    • #1557030

      From this: http://www.bleepingcomputer.com/news/security/the-locky-ransomware-encrypts-local-files-and-unmapped-network-shares/

      Could some protection be as simple as adding the bold line to the registry up front?

      Last, but not least, Locky will store various information in the registry under the following keys:

      HKCU\Software\Locky\id – The unique ID assigned to the victim.
      HKCU\Software\Locky\pubkey – The RSA public key.
      HKCU\Software\Locky\paytext – The text that is stored in the ransom notes.
      HKCU\Software\Locky\completed – Whether the ransomware finished encrypting the computer
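      The four values listed above are a usable indicator of compromise whatever the answer to the question. The following is an added example for this page, not code from the thread or from the Bleeping Computer write-up: it reads the Locky key from the hive of every user loaded on the machine (Locky runs as the user who opened the document and writes to that user's HKCU) and reports what it finds. It only reads; it deliberately does not pre-create any value, because nothing in the thread establishes that Locky checks "completed" before it starts encrypting. The HKU drive name and the SID pattern used to pick out user hives are the example's own choices.

```powershell
# Added example, not code from the thread.
# Reports the HKCU\Software\Locky artifacts described above for every user
# hive currently loaded under HKEY_USERS. Read-only; run as Administrator to
# see other users' hives as well as your own.

function Get-LockyRegistryArtifacts {
    $valueNames = @('id', 'pubkey', 'paytext', 'completed')
    # PowerShell maps HKCU: and HKLM: by default but not HKEY_USERS; add it
    # for this function's scope so other loaded hives can be inspected.
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    # Domain and local user SIDs look like S-1-5-21-...; this skips the
    # *_Classes hives and the built-in service accounts.
    $sids = Get-ChildItem -Path HKU:\ |
            Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
            Select-Object -ExpandProperty PSChildName
    foreach ($sid in $sids) {
        $key     = "HKU:\$sid\Software\Locky"
        $present = Test-Path -Path $key
        $values  = @{}
        if ($present) {
            $item = Get-Item -Path $key
            foreach ($name in $valueNames) {
                $raw = $item.GetValue($name)
                # Summarize any REG_BINARY value rather than dumping its bytes.
                $values[$name] = if ($raw -is [byte[]]) { "<$($raw.Length) bytes>" } else { $raw }
            }
        }
        [pscustomobject]@{
            UserSid   = $sid
            Key       = $key
            Present   = $present
            Id        = $values['id']
            PubKey    = $values['pubkey']
            PayText   = $values['paytext']
            Completed = $values['completed']
        }
    }
}

# Usage: any row with Present = True is an account that has run Locky;
# per the write-up, "completed" says whether the encryption run finished.
Get-LockyRegistryArtifacts | Format-Table -AutoSize
```

      A machine that returns a Present row should be disconnected from the network before anything else, since the same write-up reports that Locky encrypts unmapped network shares as well as local files.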

    • #1557353

      …and every preventive step taken by any piece of software will only work until the ‘next’ release of malware by-passes the preventive steps.
      It has always been a race, and likely will remain there until a ‘fool-proof’ AI method is developed. But even that will eventually be overcome. 🙁
