Locky Malware: the Next IT Security Nightmare?

Not to be repetitive, but in several of our past articles we’ve discussed the importance of backing up your data and safeguarding it from potential disasters, including a ransomware attack. It’s not a matter of “if” but of “when” ransomware will take an organization's data hostage, leaving no remedy other than restoring from backup or paying the ransom.

Ransomware variants are causing havoc across networks, but recently we saw the emergence of Locky, a not particularly sophisticated piece of malware that is nonetheless spreading fast. It demands between 0.5 and 1 Bitcoin (one Bitcoin being worth roughly $420 at the time of writing) for users to unlock their files.

Taking advantage of the fact that most end users are still fairly naïve when it comes to IT security, the attackers behind “Locky” deliver it inside a Word document. A macro in the document fetches and runs the malware, which then encrypts the files it can reach, on the local machine and on any network shares the user can write to. The attacker then demands money, usually in Bitcoin, a digital currency that is difficult to trace, in exchange for the key needed to decrypt that data.

The best known case of Locky being used as ransomware involves the Hollywood Presbyterian Medical Center, which was recently forced to pay roughly $17,000 to regain access to its data. Attackers tricked a hospital employee into opening an infected Word document, which prompted the user to click a portion of the document; doing so ran the embedded Microsoft Office VBA macro that launched the malware.

There is no single product that stops Locky, but there are several measures organizations can take to head off an attack. The first is to restrict macros in Word documents: configure Office (in the Trust Center macro settings, or centrally through Group Policy) to disable all macros that are not digitally signed. That doesn’t get rid of the malware itself, but it substantially limits the chances that an end user will accidentally activate it.
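The document-level control above stops the macro from running once the file is on the desktop. The same property that makes a Locky dropper dangerous, a VBA project embedded in an Office file, can also be checked for before the message reaches a user. The following Python is an added example, not code from this article or from any named product: it classifies an attachment by its container format and flags anything that can carry VBA. The sample documents it builds are constructed, minimal OOXML packages (a `[Content_Types].xml` part plus a stub `vbaProject.bin`), not real Locky droppers; legacy binary `.doc` files are treated as suspect rather than parsed, since inspecting OLE2 streams would need an OLE parser.

```python
import io
import zipfile

# Magic bytes of an OLE2 compound file (legacy .doc/.xls) and of a ZIP local
# file header (OOXML .docx/.docm/.xlsx are ZIP containers).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"

# Markers in [Content_Types].xml that indicate a VBA project is declared.
MACRO_CONTENT_TYPES = (
    "application/vnd.ms-office.vbaProject",  # the vbaProject.bin part itself
    "macroEnabled",                          # .docm/.xlsm/.pptm main parts
)


def classify_office_attachment(data: bytes) -> str:
    """Return one of:
    'macro'          OOXML package that carries a VBA project
    'clean'          OOXML package with no VBA project
    'legacy-binary'  OLE2 file (.doc/.xls); macros may be inside, but this
                     helper does not parse OLE streams, so treat as suspect
    'not-office'     anything else
    """
    if data.startswith(OLE_MAGIC):
        return "legacy-binary"
    if not data.startswith(ZIP_MAGIC):
        return "not-office"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if "[Content_Types].xml" not in names:
                return "not-office"  # a ZIP, but not an OOXML package
            content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
    except zipfile.BadZipFile:
        return "not-office"
    # Check both the part list and the declared content types: a file renamed
    # from .docm to .docx still carries its vbaProject.bin part inside.
    has_vba_part = any(name.lower().endswith("vbaproject.bin") for name in names)
    declares_macro = any(marker in content_types for marker in MACRO_CONTENT_TYPES)
    return "macro" if (has_vba_part or declares_macro) else "clean"


def should_quarantine(filename: str, data: bytes) -> tuple:
    """Gateway decision: hold any Office attachment that can carry VBA."""
    kind = classify_office_attachment(data)
    if kind == "macro":
        return True, f"{filename}: OOXML document contains a VBA project"
    if kind == "legacy-binary":
        return True, f"{filename}: legacy OLE2 document, macros cannot be ruled out"
    return False, f"{filename}: {kind}"


def build_sample_docx(with_macro: bool) -> bytes:
    """Build a constructed, minimal OOXML package so the checker runs offline."""
    main_type = ("application/vnd.openxmlformats-officedocument.wordprocessingml."
                 "document" + (".macroEnabled" if with_macro else "") + ".main+xml")
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="xml" ContentType="application/xml"/>'
        f'<Override PartName="/word/document.xml" ContentType="{main_type}"/>'
    )
    if with_macro:
        content_types += ('<Override PartName="/word/vbaProject.bin" '
                          'ContentType="application/vnd.ms-office.vbaProject"/>')
    content_types += "</Types>"

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Real VBA projects are OLE2 streams; a stub is enough for the check.
            zf.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples: the names are illustrative, not real campaign files.
    samples = {
        "invoice.docm": build_sample_docx(with_macro=True),
        "invoice_renamed.docx": build_sample_docx(with_macro=True),
        "report.docx": build_sample_docx(with_macro=False),
        "old_invoice.doc": OLE_MAGIC + b"\x00" * 504,
        "notes.txt": b"plain text, nothing to see",
    }
    for name, blob in samples.items():
        hold, reason = should_quarantine(name, blob)
        print(("QUARANTINE " if hold else "deliver    ") + reason)
```

The decision is made on the bytes, not the extension, because the extension is what the sender controls. Holding every legacy `.doc` is deliberately blunt; a production gateway would hand those to an OLE-aware scanner before deciding.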

If the infected document is discovered before anyone opens it, security software can remove it before the macro ever runs. Once files have been encrypted, the only way back without paying is to restore the affected volumes from a backup taken before the infection. Keep in mind that Locky encrypts any network share the infected user can write to, so a backup that sits on such a share can be encrypted along with everything else; backups need to be offline or otherwise out of the user's reach. Even a good restore loses whatever changed since the last backup, so the best advice is to prevent the infection in the first place.

Locky and other forms of ransomware are huge concerns for any organization, in part because Locky counts on end users being fooled into opening a download. Locky has reportedly reached hundreds of thousands of machines already, and its operators keep sending new waves of email in search of the next unlucky victim.

That's why it’s important to stress security education for end users. Technical controls are of limited value against malware that an end user unknowingly downloads and activates on their own machine. Unfortunately, attackers have become very sophisticated in using social engineering techniques to fool end users into thinking that the attachment is part of a legitimate business process. In a matter of a few clicks an entire organization can be infected before anyone realizes it.

Most organizations think ransomware is something that happens to everyone but them. However, if an organization with a significant IT staff like the Hollywood Presbyterian Medical Center can be victimized, then smaller, less protected firms are certainly vulnerable to an attack.

If proper backups had been in place and good IT procedures adhered to, Hollywood Presbyterian Medical Center would have had an alternative to paying the ransom. It is reasonable to infer that the decision to pay means the hospital did not have backups it could recover from, and that the data would have been lost otherwise.

Are these attacks likely to continue? The answer, according to the experts, is a resounding yes. Paying the cybercriminals only encourages them to increase their efforts. Ransomware is a very lucrative business for malware developers, and it keeps growing because it keeps working.