Top Menu

Locky Ransomware Is Spreading

Victims are usually sent via email a Microsoft Word document purporting to be an invoice that requires a macro, or a small application that does some function.

Macros are disabled by default by Microsoft due to the security dangers. Users who encounter a macro see a warning if a document contains one.

If macros are enabled, the document will run the macro and download Locky to a computer, wrote Palo Alto Networks in a blog post on Tuesday. – Templar Shield

From nakedsecurity.sophos.com :

The most common way that Locky arrives is as follows:

  • You receive an email containing an attached document (Troj/DocDl-BCF).
  • The document looks like gobbledegook.
  • The document advises you to enable macros “if the data encoding is incorrect.”

  • If you enable macros, you don’t actually correct the text encoding (that’s a subterfuge); instead, you run code inside the document that saves a file to disk and runs it.
  • The saved file (Troj/Ransom-CGX) serves as a downloader, which fetches the final malware payload from the crooks.
  • The final payload could be anything, but in this case is usually the Locky Ransomware (Troj/Ransom-CGW).

 

Bottom line is do not open attachments that look suspicious especially from unknown users. Stay safe!

 

Full report from PaloAlto Networks – http://researchcenter.paloaltonetworks.com/2016/02/locky-new-ransomware-mimics-dridex-style-distribution/

, , , , ,