“Locky” crypto-ransomware rides in on malicious Word document macro

[soxhop411]

Several security researchers have discovered a new type of malware that jumps onto the ransomware bandwagon, encrypting victims' files and then demanding a payment of half a bitcoin for the key. Named "Locky," the malware depends on a rather low-tech installation method to take root in a user's system: it arrives courtesy of a malicious macro in a Word document.

Security researchers Kevin Beaumont and Lawrence Abrams each wrote an analysis of Locky on Tuesday, detailing how it installs itself and its components. The carrier document arrives in an e-mail that claims to be delivering an invoice (with a subject line that includes an apparently random invoice number starting with the letter J). When the document is opened, if Office macros are turned on in Word, then the malware installation begins. If not, the victim sees blocks of garbled text in the Word document below the text, "Enable macro if the data encoding is incorrect"—and then infects the system if the user follows that instruction.

Somehow, this malware has already infected hundreds of computers in Europe, Russia, the US, Pakistan, and Mali. The malicious script downloads Locky's malware executable file from a Web server and stores it in the "Temp" folder associated with the active user account. Once installed, it starts scanning for attached drives (including networked drives) and encrypts document, music, video, image, archive, database, and Web application-related files. Networked drives don't need to be actively mapped to be found, however.
"When Locky encrypts a file it will rename the file to the format [unique_id][identifier].locky," wrote Abrams. "So when test.jpg is encrypted it would be renamed to something like F67091F1D24A922B1A7FC27E19A9D9BC.locky. The unique ID and other information will also be embedded into the end of the encrypted file."

Locky's mechanics are pretty much like every other ransomware package currently floating around in malware marketplaces. It leaves a ransom note text file called "_Locky_recover_instructions.txt" in each directory that's been encrypted, pointing to servers on the Tor anonymizing network (both via Tor directly and through Internet relays) where the victim can make payment, and changes the Windows background image to a graphic version of the same message. It also stores some of the data in the Windows Registry file under HKCUSoftwareLocky.

Since yesterday, Locky has been picked up by most of the major malware scanners. But given that the malware depends on would-be victims using older versions of Microsoft Office or falling for some of the most preposterous social engineering ever, the most likely targets of Locky are probably not updating their anti-virus software—if they have any.

Stu Sjouwerman, the CEO of security awareness training company KnowBe4, pointed out that those targets may be legion. “The old Office macros from the nineties have not gone away and the bad guys are combining this old technology with clever social engineering," he said. "If you trust antivirus software and your users not clicking ‘Enable macros’ you are going to have a problem. You can’t just disable all macros across the whole company because a lot of legacy code relies on macros. Telling all users to sign their macros will also take months.”

Never open a word document from someone you do not know

http://arstechnica.com/security/2016/02/locky-crypto-ransomware-rides-in-on-malicious-word-document-macro/

 

[Monbo Jumbo]

related

Los Angeles hospital paid hackers $17,000 ransom in bitcoins

The president of Hollywood Presbyterian Medical Center said on Wednesday that his hospital paid hackers a ransom of $17,000 in bitcoins to regain control of their computer systems after a cyber attack.

Allen Stefanek said in a statement that paying the ransom was the "quickest and most efficient way" of regaining access to the affected systems, which were crippled on Feb. 5 and interfered with hospital staff's ability to communicate electronically.

Stefanek said there was no evidence that any patient or employee information was accessed in the so-called malware attack, and that the hospital fully restored access to its electronic medical record system this Monday....

Maybe that's why bitcoin is going up. There's demand from people needing to pay hacker ransom.

 

[djbayko]

There was a really good RadioLab or This American Life about this that I listened to a while back. I'll see if I can find it later.

 

[Time to Mo Vaughn]

So ransomware that exploits Word macros. How is this news?

 

[AlNipper49]

no kidding, I think that I got my first one of these in like 1997

 

[Van Everyman]

We sure it wasn't coded by Bill Gates personally?

 

[PayrodsFirstClutchHit]

On a con call with our security vendor today and they report getting swamped by customers infected with this new variant of cryptolocker that impacts more than just Microsoft Office files. The new variant even encrypts SQL databases and many other file types and is not detected by AV tools.

 

[SoxFanInCali]

Had a client open one of those a couple weeks back. Thank goodness for SAN snapshots.

 

[Couperin47]

The obvious best protection is a backup on an external drive, but one tip to try and preserve backups on the attacked computer: The one thing none of the cryptolock malware can afford to do is damage the OS. If you can't boot and run the computer, you can't be blackmailed to pay for unlocking. As a result, while such malware will generally encrypt any filetype it thinks may be of value or which you want to recover (any business documents, databases, all forms of graphics, etc.) Generally it will be careful not to damage the OS...so naming backup files to match fundamental .dll and other major component files of Windows gives you a decent shot that they will remain untouched if infected. A file named shell32wordfiles.dll has a good chance at escaping encryption.

 

[HriniakPosterChild]

Never open a word document from someone you do not know

How does this help?

"Someone you know" could have an infected machine blasting out viruses, or the From: header in any email could be spoofed to appear to be from someone you know.

 

[mt8thsw9th]

There was a really good RadioLab or This American Life about this that I listened to a while back. I'll see if I can find it later.

http://www.radiolab.org/story/darkode/

 

[NortheasternPJ]

On a con call with our security vendor today and they report getting swamped by customers infected with this new variant of cryptolocker that impacts more than just Microsoft Office files. The new variant even encrypts SQL databases and many other file types and is not detected by AV tools.

If the SQl Database is on a server that gets encyoted it's hosed just as it would have been with Cryptowall etc.

I haven't heard a thing from any of my customers about it. I'm guessing the reason is a lot of them have been through Cryptowall before or have a real backup strategy. I don't know of many non-small businesses that would bother calling for help at this
Point.

None of this stuff is detected by signature based AV anymore in a reasonable time frame, which is why there's a large market for the next level, even if they're still pretty raw.