After the return of Locky to India via spam emails, the ransomware is now being pushed at Chrome, Firefox and IE users. Eight organisations in the capital are already said to be infected.
"Locky" is a ransomware family that encrypts the files on an infected system and renames them with a .locky extension. The key needed to decrypt them is held only by the malware's operators.
When a system is infected with Locky, the victim's files are encrypted and a message appears on screen demanding a ransom in exchange for the files, threatening that they will otherwise be deleted.
Locky was first seen in 2016, delivered by email. Victims received a message posing as a company invoice with a Microsoft Word file attached. Opening the file showed scrambled text and the message "Enable macro if data encoding is incorrect", a social engineering trick to get the user to switch macros on.
If the user did enable macros, the macro downloaded the encryption payload, which locked the system's files and demanded a ransom for the decryption key.
Locky has previously infected systems in 114 countries, targeting all versions of Windows, with the heaviest concentration of attacks registered in Germany and France according to Kaspersky Lab.
In August, security researchers discovered a new spam campaign distributing a Locky variant known as Diablo6. Diablo6 targets computers around the world, with the United States affected most, followed by Austria.
How is "Locky" spreading?
"Locky" usually spreads via phishing emails with catchy subject lines such as "Please print the document" and "Download the photos"; some even pose as email verification messages from Dropbox.
The email carries a zip attachment hiding the dropper in the form of a Visual Basic Script (VBS). When the victim opens the attachment and runs the script, it downloads the Locky ransomware, which then encrypts the files on the system.
"Locky" uses 128-bit AES to encrypt the files, with each file key in turn protected by an RSA key held by the attackers, so the key cannot be recovered from the infected machine. It encrypts every file whose extension matches a long list, including videos, images, source code and Office files. It even scrambles wallet.dat, the Bitcoin wallet file.
Traditionally, Locky abused Microsoft Office macros to get itself installed, but the attackers have since moved to JavaScript files which, when executed, install Locky on the system.
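The delivery chain above (a zip wrapping a .vbs or .js dropper, or an Office file carrying a macro) is exactly what a mail gateway should be catching. The following is an added example written for this article, not code from the article or from any vendor: it parses a message, unpacks zip attachments, flags script extensions and double extensions, and detects macros in both legacy Office formats and OOXML files by looking for the embedded VBA project. The message and attachments are constructed inline so the script runs offline; the dropper text and VBA blob are stand-ins, not real malware.

```python
"""Mail-gateway triage for the delivery chain described above: a ZIP attachment
wrapping a script, or an Office document carrying macros. Added example for this
article (not the article's or any vendor's code); the message and attachments
are constructed inline so it runs offline."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# On a default Windows install, double-clicking these hands the file to the
# script host, the shell or an interpreter, which is what the Locky droppers relied on.
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta",
               ".ps1", ".cmd", ".bat", ".exe", ".scr", ".pif"}
# Legacy binary Office formats can carry VBA without any telltale extension.
LEGACY_OFFICE_EXTS = {".doc", ".dot", ".xls", ".xlt", ".ppt", ".pot"}
MAX_MEMBER_BYTES = 5 * 1024 * 1024  # refuse to unpack oversized members (zip bombs)
MAX_DEPTH = 3                       # stop recursing into archives nested deeper than this


def ext_of(name):
    name = name.lower()
    return name[name.rfind("."):] if "." in name else ""


def inspect(name, data, path="", depth=0):
    """Return [(path, reason)] for one attachment or archive member, recursing into ZIPs."""
    here = f"{path}/{name}" if path else name
    findings = []
    ext = ext_of(name)
    if ext in SCRIPT_EXTS:
        # "scan.pdf.vbs" displays as "scan.pdf" when Windows hides known extensions.
        reason = "double extension hiding a script" if name.count(".") > 1 else "executable script"
        findings.append((here, reason))
    if ext in LEGACY_OFFICE_EXTS:
        findings.append((here, "legacy Office format that may carry macros"))
    if depth < MAX_DEPTH and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            members = z.infolist()
            names = [m.filename.lower() for m in members]
            if any(n.endswith("vbaproject.bin") for n in names):
                # OOXML (.docx/.docm/.xlsm ...) is itself a ZIP; a VBA project inside means macros.
                findings.append((here, "embedded VBA project (macros)"))
            elif "[content_types].xml" not in names:
                # A plain archive (whatever its extension): look at every member.
                for m in members:
                    if m.is_dir():
                        continue
                    if m.file_size > MAX_MEMBER_BYTES:
                        findings.append((f"{here}/{m.filename}", "oversized member, not unpacked"))
                        continue
                    findings.extend(inspect(m.filename, z.read(m), here, depth + 1))
    return findings


def triage_message(raw):
    """Parse an RFC 5322 message and collect findings across all of its attachments."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        data = part.get_payload(decode=True) or b""
        findings.extend(inspect(name, data))
    return findings


def verdict(findings):
    return "quarantine" if findings else "deliver"


def build_sample_message():
    """Constructed lure in the style of the campaign's 'Please print the document' mails."""
    zip_buf = io.BytesIO()
    with zipfile.ZipFile(zip_buf, "w") as z:
        # Stand-in for the VBS dropper; the real one downloads and runs the payload.
        z.writestr("scan_0001.pdf.vbs", 'Set o = CreateObject("MSXML2.XMLHTTP")\n')
    docm_buf = io.BytesIO()
    with zipfile.ZipFile(docm_buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/vbaProject.bin", b"\x00" * 32)  # stand-in for a compiled VBA project
    msg = EmailMessage()
    msg["From"] = "printer@example.com"
    msg["To"] = "victim@example.net"
    msg["Subject"] = "Please print the document"
    msg.set_content("Please find the scanned document attached.")
    msg.add_attachment(zip_buf.getvalue(), maintype="application", subtype="zip",
                       filename="scan_0001.zip")
    msg.add_attachment(docm_buf.getvalue(), maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12", filename="invoice.docm")
    msg.add_attachment("Nothing to see here.", filename="notes.txt")  # benign control
    return msg.as_bytes()


if __name__ == "__main__":
    found = triage_message(build_sample_message())
    for path, reason in found:
        print(f"{path}: {reason}")
    print("verdict:", verdict(found))
```

Two design points matter in practice: archives are recognised by content rather than by extension, so a renamed zip is still unpacked, and OOXML documents are told apart from plain archives by their `[Content_Types].xml` entry, so a .docx is checked for a VBA project instead of being treated as a container of loose files.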
Government's take
"Locky" made its comeback a few weeks ago and has struck India en masse.
The alert issued on the government's Cyber Swachhta Kendra warned Indians about a new wave of spam emails with common subject lines spreading Locky variants; the delivery mechanism now seems to have changed, so users must be alerted again.
Around eight mid-size companies in Delhi have fallen victim to Locky, as reported by Mail Today.
Organisations are advised to deploy anti-spam solutions and keep their spam block lists updated. The government also recommends the basic practice of installing certified anti-virus software and updating it regularly.
How are popular web browsers getting targeted by hackers?
After the recent warnings issued by governments worldwide about Locky, the attackers behind it have pulled an old trick out of their sleeves.
The attacks target Google Chrome and Firefox users with a sneaky pop-up claiming that a font is missing and asking the user to click a download button to install it. What the button delivers is a malicious JavaScript file; when the user runs it, it downloads either the NetSupport Manager remote administration tool (RAT) or the Locky ransomware.
The pop-up reads "The Hoefler Text font wasn't found" and is styled to look like a dialog from Chrome or Firefox itself rather than part of the web page. A victim who falls for it clicks download, and the booby-trapped JavaScript file fetches the malware.
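The chain just described leaves a distinctive trace at the web gateway: the browser saves a .js file, and a minute or two later something that is not the browser pulls down an executable. The following correlation rule is an added example written for this article, not a vendor's detection; the log format and log lines are constructed, and the two heuristics it relies on (a .js served as a forced file download rather than as text/javascript, and a non-browser user agent on the binary fetch, such as the Windows script host's default HTTP clients produce) are assumptions a SOC would tune to its own gateway.

```python
"""Correlation rule for the browser lure described above: the victim's browser
saves the offered .js file, and when that script runs under the Windows script
host it fetches the real payload with a non-browser HTTP client. Added example
for this article, not a vendor's rule. The log format and lines are constructed,
and the two heuristics (a .js served as a file download; a non-browser user agent
on the binary fetch) are assumptions to be tuned per environment."""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

WINDOW = timedelta(minutes=15)             # how long after the lure a payload fetch still counts
BROWSER_MARKERS = ("Chrome/", "Firefox/")  # user agents of the browsers the lure targets
# Content types gateways commonly record for Windows executables.
BINARY_TYPES = {"application/x-msdownload", "application/x-dosexec", "application/octet-stream"}
# A script loaded by a page is text/javascript; these mean it was pushed as a download.
DOWNLOAD_TYPES = {"application/octet-stream", "application/force-download"}

# Constructed gateway log: timestamp client method url status content_type "user_agent".
SAMPLE_LOG = [
    '2017-09-05T10:02:11 10.0.0.23 GET http://news.example/article.html 200 text/html "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 Chrome/60.0 Safari/537.36"',
    '2017-09-05T10:02:12 10.0.0.23 GET http://news.example/static/app.js 200 text/javascript "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 Chrome/60.0 Safari/537.36"',
    '2017-09-05T10:02:40 10.0.0.23 GET http://cdn-fonts.example/Font_Update.js 200 application/octet-stream "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 Chrome/60.0 Safari/537.36"',
    '2017-09-05T10:03:55 10.0.0.23 GET http://drop.example/p.exe 200 application/x-msdownload "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64)"',
    '2017-09-05T10:05:00 10.0.0.40 GET http://updates.example/setup.exe 200 application/x-msdownload "Mozilla/5.0 (Windows NT 10.0; rv:55.0) Gecko/20100101 Firefox/55.0"',
    '2017-09-05T10:30:00 10.0.0.23 GET http://other.example/tool.exe 200 application/octet-stream "WinHttp.WinHttpRequest.5"',
]


def parse_line(line):
    """Split one constructed log line into a record; the user agent keeps its spaces."""
    ts, client, method, url, status, ctype, ua = line.split(" ", 6)
    return {"ts": datetime.fromisoformat(ts), "client": client, "method": method,
            "url": url, "status": int(status), "ctype": ctype, "ua": ua.strip().strip('"')}


def is_browser(ua):
    return any(marker in ua for marker in BROWSER_MARKERS)


def is_js_download(r):
    """Browser fetched a .js that the server forced to disk: the 'missing font' file."""
    path = urlsplit(r["url"]).path.lower()
    return (r["method"] == "GET" and r["status"] == 200 and is_browser(r["ua"])
            and path.endswith(".js") and r["ctype"] in DOWNLOAD_TYPES)


def is_scripted_binary_fetch(r):
    """An executable pulled by something other than the user's browser (e.g. wscript.exe)."""
    return (r["method"] == "GET" and r["status"] == 200
            and not is_browser(r["ua"]) and r["ctype"] in BINARY_TYPES)


def detect(lines):
    """Return one alert per client whose .js download is followed, within WINDOW,
    by a binary fetch from a non-browser agent."""
    by_client = defaultdict(list)
    for rec in map(parse_line, lines):
        by_client[rec["client"]].append(rec)
    alerts = []
    for client, recs in by_client.items():
        recs.sort(key=lambda r: r["ts"])
        for i, lure in enumerate(recs):
            if not is_js_download(lure):
                continue
            for later in recs[i + 1:]:
                gap = later["ts"] - lure["ts"]
                if gap > WINDOW:
                    break  # records are sorted, so nothing further qualifies
                if is_scripted_binary_fetch(later):
                    alerts.append({"client": client, "lure": lure["url"],
                                   "payload": later["url"], "agent": later["ua"],
                                   "delay_s": int(gap.total_seconds())})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a['client']}: {a['lure']} -> {a['payload']} after {a['delay_s']}s ({a['agent']})")
```

On the sample, the ordinary page script (app.js, text/javascript) and the user's own Firefox download of setup.exe produce nothing; only the forced-download .js followed 75 seconds later by an executable fetched under a non-browser agent is reported. A non-browser executable fetch on its own is too noisy to alert on (software updaters do it constantly), which is why the rule insists on the preceding .js download from the same client.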
How to protect yourself from "Locky" ransomware?
Ankush Johar, director, HumanFirewall.io, says: "Social engineering attacks are the go-to strategy for spreading malware. Humans remain the weakest link in the cybersecurity chain, which is the reason why ransomware like “WannaCry” and “Locky” are capable of creating such havoc, since both of them are spread via emails containing malicious links or attachments.
"Over 23 million messages have been sent to spread the variants of Locky ransomware and India is a massive portion of the target audience. With this new delivery mechanism targeting the two most used browsers in India, less aware users are at a massive risk."
A few steps worth taking:
* Always keep a backup of your important files, kept offline or otherwise out of reach of the infected machine, since ransomware encrypts anything it can write to. That way, even if you get hit by "Locky", your files are still accessible.
* Beware of pop-ups that look like your browser's own dialogs but are actually part of the web page. Use a pop-up blocker to cut down on unwanted pop-ups.
* You don't need to install any additional fonts. A browser never asks you to download a font to display a page; if a font is missing, it silently substitutes another.
* Never click on unknown links or open attachments from untrusted sources.
* Stay away from pirated software and cracks. Many of them contain some form of malware.
* Be alert to other social engineering tactics that hackers use to trick you into downloading malware.
* Keep a genuine copy of a reputed antivirus solution installed and updated.
* Keep your OS updated to the latest version and install security updates as they are released.