Locky ransomware 'on the rampage' globally

First spotted in the wild just a month ago, the Locky ransomware has exploded onto the world's computers and skewered some significant victims.

Ransomware: difficult to crack without the key
Ransomware: difficult to crack without the key

Locky ransomware is rising rapidly and “on the rampage” according to McAfee and Fortinet – confirming last week's warning of a huge spike in Locky-inspired global spam traffic by Surrey University Professor Alan Woodward.

Locky – blamed for the recent £2.4 million ransom attack on a Hollywood hospital – only sprang to life in mid-February. But Fortinet has already tracked over three million ‘hits' from Locky command and control server communications in the two weeks to 2 March, with just under 50,000 of those hits coming in the UK.

“Locky already covers a big chunk of ransomware infections in the two weeks of its existence,” Fortinet said.

Locky also twists the knife in its Western targets by refusing to attack computers that run a Russian operating system.

And McAfee warns that the malware has already switched from landing in classic Microsoft Word macros to hiding in small, benign-looking JavaScript file attachments, designed to evade AV detection.

McAfee describes Locky as “on the rampage” and warned “it propagates onto victims' systems through a widespread spam campaign”.

But it adds: “Locky checks whether the operating system is Russian. If the system operating system is Russian, the malware deletes itself.”

According to Fortinet, the malware's top three country targets are the US, France and Japan, with the UK eighth on the list.

“Locky is now confirmed to have a significant presence in the ransomware landscape,” Fortinet said.

Among the three main ransomware families, it has already overtaken TeslaCrypt but lags behind CryptoWall, which was responsible for 85 per cent of hits in the two weeks to 2 March.

Fortinet found the total number of hits from the three malware families was 18.6 million, though actual infections are less as each malware may communicate with its servers several times.

Fortinet has analysed Locky's domain generation algorithm, command and control and file encryption techniques and concluded: “We believe that the actors behind Locky are experienced cyber-criminals.”

Raj Samani, EMEA chief technology officer at ‎Intel Security/McAfee, told SCMagazineUK.com via email: “Locky is infecting computers at an enormous rate after launching a huge and effective spam campaign. The ransomware has also shown a smart ability to adapt to avoid detection.”

He added: “Ransomware and crypto malware are rising at an alarming rate and show no signs of stopping. Intel Security's last Threats Report revealed that ransomware shot up by 127 percent in the past year alone.

“These services are often easy to find online at very low cost, enabling the most amateur of criminals to attack businesses and access vast amounts of information. Criminals are well aware of the huge potential for financial gain when launching ransomware attacks against organisations: one group we tracked made over £49,000 in just 10 weeks.”

Locky shares its pro-East European bias with another new ransomware, Cerber, analysed last week by Bleeping Computer malware expert Lawrence Abrams. He said Cerber will terminate if its intended victim comes from any of 12 East European countries, including Russia, Ukraine, Belarus and Georgia.

Cerber also gets the infected computer to read its extortion demand out loud in one of 12 supported languages.

Locky and Cerber join the first known example of Apple OS X ransomware as the surge in such malware shows no sign of slowing.

In an email to SC, ransomware expert Travis Smith, senior security research engineer at Tripwire, advised: “Cyber-criminals are running a for-profit business like any other legitimate organisation. The power in Locky is that it can reach out and encrypt files available over the network. It's advised that users should keep recent backups of all critical files, as well as limit user access to only that necessary to complete their job function. This will reduce the attack surface for a ransomware attack and make the cost of restoration cheaper than the cost of the ransom.”

Last week, Surrey University cyber-expert Professor Alan Woodward warned of a massive spike in the number of .Onion addresses, probably caused by a global Locky spam campaign with the ransomware creating a unique .Onion and bitcoin address for each victim, to avoid being traced. Fortinet's statistics seem to support his analysis.