After taking a brief hiatus, cybercriminals launched four new Locky ransomware attacks in August 2017. The biggest one occurred on August 28. In a span of just 24 hours, hackers sent out more than 23 million malicious emails, making it one of the largest malware campaigns in the latter half of 2017, according to AppRiver security researchers.

The Phishing Emails and Their Payloads

In all four attacks, cybercriminals used phishing emails to deliver two new Locky variants dubbed Diablo and Lukitus to unsuspecting recipients. The phishing emails’ messages varied, according to researchers at PhishLabs. For example, some emails spun a yarn about unpaid invoices, while other emails did not include any message. All the emails, though, included attachments that were hiding scripts. The types of attachments and their scripts included:

  • An attached Microsoft Word document containing a malicious macro. Macros are small scripts that Word users can create to perform repetitive tasks, such as entering a return address in correspondence. As such, they are useful tools. However, cybercriminals often use macros to initiate cyberattacks.
  • A compressed archive file (e.g., a ZIP, RAR, or 7ZIP file) containing a malicious VBScript (VBS) file.
  • A compressed archive file containing a malicious JavaScript (JS) file. Cybercriminals also like to use JS files for nefarious purposes.

The scripts initiated a process that loaded the Locky ransomware onto the victims’ computers. A message was then displayed stating that their files were encrypted and referring them to a site where they could get further instructions on how to get the key needed to decrypt their files.

How to Protect Your Business from Locky Ransomware

The cybercriminals behind the August Locky attacks relied on email attachments to deliver the ransomware. Therein lies an important way you can help prevent a Locky ransomware attack. You should let employees know how dangerous it is to open an attachment, even if an email appears to be from someone they know or an organization with which they do business. The email might have been sent by a hacker masquerading as a colleague or business representative. Warn employees about the dangers of opening a password-protected file (especially if it is a compressed archive file) sent via email. When this occurs, there is a good chance that the file contains malicious code. It is also helpful to train employees on how to spot phishing emails by looking for elements such as grammatical errors and suspicious email addresses.
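An added example (not from the original article or the researchers it cites): a minimal mail-gateway-style check, in Python, for the attachment types listed above and for password-protected archives. It handles ZIP and Office files only, not RAR or 7ZIP; the extension list, function names and sample files are assumptions constructed for illustration.

```python
import io
import zipfile

SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf")  # assumed block list
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")          # legacy .doc/.xls container

def triage_attachment(data):
    """Return reasons to quarantine an attachment; an empty list means none found."""
    if data.startswith(OLE_MAGIC):
        return ["legacy Office file: may carry macros"]
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return []
    reasons = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename.lower()
            if info.flag_bits & 0x1:  # bit 0 of the general-purpose flags: encrypted
                reasons.append(f"password-protected entry: {info.filename}")
            if name.endswith(SCRIPT_EXTS):
                reasons.append(f"script in archive: {info.filename}")
            if name.endswith("vbaproject.bin"):  # macro storage part in OOXML files
                reasons.append("Office document contains a VBA macro project")
    return reasons

def make_sample(entries, encrypted=False):
    """Build a harmless in-memory ZIP (constructed test input, not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in entries:
            zf.writestr(name, "placeholder")
    raw = bytearray(buf.getvalue())
    if encrypted:  # set the encrypted flag in the first central-directory record
        raw[raw.find(b"PK\x01\x02") + 8] |= 0x1
    return bytes(raw)

if __name__ == "__main__":
    samples = {  # constructed file names and contents
        "invoice.zip": make_sample(["invoice.vbs"]),
        "scan.docm": make_sample(["word/document.xml", "word/vbaProject.bin"]),
        "locked.zip": make_sample(["doc.js"], encrypted=True),
        "report.docx": make_sample(["word/document.xml"]),
    }
    for fname, blob in samples.items():
        print(fname, "->", triage_attachment(blob) or "no findings")
```

The check reads only the archive's directory listing, so it can flag an encrypted entry without knowing the password. A legacy Office file is flagged on its container type alone and still needs a real macro scan.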

Other Measures

You also need to take other measures to protect your business from Locky. Since macros were used in some of the attacks, it is a good idea to lock them down. Under the default setting, if a macro is present in a file, employees will get a prompt asking them if they want to enable it. You can remove this prompt by changing the macro setting from “Disable all macros with notification” (the default) to “Disable all macros without notification”. That way, you eliminate the possibility of employees inadvertently enabling macros. Cybercriminals have also used macros in Microsoft Excel files to deliver ransomware, so you might want to change the macro setting in both Word and Excel.

Locky might get installed on one of your computers and hold its files for ransom. Thus, you need to regularly back up your business’s files and make sure they can be successfully restored. If you have good backup and restore processes, you won’t have to pay the ransom to get your files back.

A Dangerous Threat

We can help you develop and implement a comprehensive security strategy that will help protect your business against Locky and other types of ransomware attacks.