If You Thought Cryptolocker was Bad, Meet Jigsaw and Locky Ransomware

Updated June 22, 2016

Back in December 2015, we shared with you a few Cryptolocker stories about a number of clients and friends who had all of their vital business data kidnapped. We want you, our clients, and any business owner who is worried about their valuable business data to learn about ransomware prevention and protection.

The FBI has reported that ransomware more than doubled between April and May of this year. It’s one of the fastest-growing threats to your business … and not enough business owners know about it. Kaspersky is reporting, as of June 22, 2016, that crypto-ransomware attacks increased 550% in the last year.

Cryptolocker, Locky, Jigsaw, and all the newest related ransomware viruses are designed to enter a system and then encrypt whatever files they can find. Then the computer network owner is instructed to pay up in an anonymous currency, usually Bitcoin, after which the extortionists will give the business owner the code to decrypt the files. Maybe.

How much does it cost? It sometimes depends on how much the ransomers think they can get. In early February, hackers locked doctors and administrators of the Hollywood Presbyterian Medical Center out of their own files for over a week. They were asking for $3.6 million. Eventually it was negotiated down to $17,000, reports Tech Times.

Could your small business afford to pay $17k, or even $1700, to get your own files back? Should you pay? We say NO, which is why we want to share with you strategies for protecting your business network from ransomware. Start with this:


Download our free Asset Protection Checklist to find the gaps in your external and internal data security.

 

Now, They’ve Upped the Ante

Now there’s the Locky ransomware that is spreading at an alarming pace. It was first seen by Symantec on February 16, 2016 and was part of an aggressive spam email campaign with over 5 million messages sent in just two days.

“Most of the spam emails seen had a subject line that read ‘ATTN: Invoice J-[RANDOM NUMBERS]’. Another campaign used ‘tracking documents’ as a subject line,” said the Symantec blog post.

Since then, there have been at least two more major “campaigns” which spread the infection across the world.

We’ve had a great deal of experience (unfortunately) with the older types of ransomware such as CryptoWall and CryptoLocker, which irreversibly encrypt files and documents when they infect a system. Fortunately, our clients haven’t seen Locky yet.

It, too, is designed to encrypt important files for the purpose of holding them hostage, but with one distressing new feature:

It has the ability to encrypt network shares and drives that your workstation may not normally have access to. In other words, the original CryptoLocker couldn’t get to files that were on a network drive, only the files that were on the originally infected PC. While that’s a real problem for a home user who probably has just one or two computers, it helped contain this form of malware for businesses.

But Locky and newer variants will travel through network drives to encrypt any files they can get to using the permissions from the original user account where the infection started.

In addition, in March of 2016 the blog of anti-virus provider Avast described the authors of Locky as “… skilled and are developing Locky further. They reacted to the AV industry blocking their C&C server infrastructure by changing the DGA algorithm and also patched some minor bugs in the newer version.”

The “authors” of these programs are constantly creating their own versions, testing them, and re-releasing them. IT World reported on May 24th that the original version of DMA Locker was so flawed that it was solved by researchers in just two weeks. Then the ransomers went back to the drawing board and fixed their issues. The security industry is seeing indications that there will be a massive wave of attacks from this variant coming soon.

There’s always something new coming.

Why This is Incredibly Alarming

Variants are always looking to take advantage of what other malware authors learned or discovered in their campaigns. They are always looking to overcome obstacles to their goals (i.e. sometimes disruption, but more likely money) and, like a legitimate business owner, they’ll keep trying to improve. Locky is so much worse because CryptoWall only infected drives that the infected PC was connected to. You might be in marketing, so there’s no reason you need access to the accounting drive. If you got CryptoWall, it could only reach the drives you had mapped on your computer. Mapping only the drives a user needs is a best practice, in part for exactly that reason: to prevent the spread of viruses.

But because the Locky ransomware can encrypt any network shared drive, whether or not your workstation has access to it, the virus can spread to an entire business network. DMA Locker is distributed via web-based drive-by downloads, meaning a user can get it by clicking on a link on a website or just by clicking what they thought was the exit button in a deceptive pop-up. Even experienced and suspicious users can be susceptible to these types of attacks.
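The best practice described above, mapping only the drives a user actually needs, can be checked on each workstation. The PowerShell below is an added example and not code from the original post: it lists the current user’s mapped network drives and tests whether that account can write to each one, which is the access a share-crawling infection running under the same account would inherit. The function name Get-WritableNetworkDrives and the probe file name are this example’s own choices, and it assumes Windows PowerShell 3.0 or later (for the DisplayRoot property of mapped drives).

```powershell
# Added example (not from the original post): audit which mapped network drives the
# current user can write to. Every writable share listed here is one that ransomware
# running as this user could encrypt; unmap or make read-only anything not needed.
function Get-WritableNetworkDrives {
    # Only drives whose DisplayRoot is a UNC path (\\server\share) are network drives
    $drives = Get-PSDrive -PSProvider FileSystem | Where-Object { $_.DisplayRoot -like '\\*' }

    foreach ($d in $drives) {
        # Uniquely named probe file so we never touch a real document on the share
        $probe = Join-Path $d.Root ("share-audit-" + [guid]::NewGuid().ToString() + ".tmp")
        $writable = $false
        try {
            # Create and immediately delete the probe; any failure means no write access
            [IO.File]::WriteAllText($probe, "audit")
            Remove-Item -LiteralPath $probe -Force -ErrorAction Stop
            $writable = $true
        } catch {
            $writable = $false
        }
        [pscustomobject]@{
            Drive    = $d.Name + ":"
            Share    = $d.DisplayRoot
            Writable = $writable
        }
    }
}

# Usage: print the audit table for the logged-on user
Get-WritableNetworkDrives | Format-Table -AutoSize
```

Run it as the ordinary user (not as an administrator) so the result reflects that user’s effective permissions; a marketing workstation that shows the accounting share as Writable is exactly the exposure the paragraph above warns about.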

 


Wondering How to Remove Locky Ransomware?

There are a variety of methods for the individual home computer, focusing on removing the virus, but there are no known methods of getting your files back … except paying the ransomers. The best protection is prevention. And the best solution in case of an attack is to have a robust backup so you can tell the ransomware creators to get lost.

Attacks on businesses are much, much worse than for consumers due to the nature of the Locky ransomware travelling through the network to find as many connected files and servers as possible. Prevention is incredibly crucial because even if you have a backup, you’re going to experience downtime. You might also lose files because employees have been using the shadow cloud, or because your backups aren’t running often enough.

If you get it, reach out to your I.T. as soon as absolutely possible so that they can 1) stop the rate of infection and 2) implement your Backup and Disaster Recovery plan right away. Having a robust backup solution and not getting infected in the first place are your best options. Yes, you can pay the ransom, but there’s no guarantee you’ll get the decrypt code. And, once they realize you’re vulnerable, the ransomers will attack again and again. Don’t shut the barn door after the horses get out. Plan ahead now to prevent attacks.

Here’s what to do to help prevent attacks. The most common means of attack is through a link on a website or an email attachment. Most users know never to download .exe or .zip files that they weren’t clearly expecting, but even plain Microsoft Word documents or PDFs can contain malicious content.

Here is an example of what an infected file containing Locky can look like:

[Image: a Word document containing a macro infected with the Locky ransomware]


Under no circumstances should you run a macro from an unknown source. This is one of the easiest ways these criminals get you to initiate the download of this software. You should disable your Microsoft Office macros by default.
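One way to make “disabled by default” stick, as an added example that is not from the original post: the PowerShell below writes the Office policy registry values that disable all VBA macros without notification for Word, Excel and PowerPoint, additionally blocks macros in documents downloaded from the Internet, and then reports the resulting state. It assumes Office 2016 (registry version “16.0”) and applies to the current user only; the function names are this example’s own. In a domain these same values are normally pushed by Group Policy rather than by a script on each PC.

```powershell
# Added example (not from the original post): lock down Office macros for the
# current user and verify the result. Assumes Office 2016 ("16.0"); use "15.0"
# for Office 2013. VBAWarnings values: 1 = enable all, 2 = disable with
# notification, 3 = disable except digitally signed, 4 = disable all silently.
$OfficeVersion = "16.0"
$Apps = @("Word", "Excel", "PowerPoint")

function Get-OfficeSecurityKey([string]$App) {
    "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$App\Security"
}

function Set-OfficeMacroLockdown {
    foreach ($app in $Apps) {
        $key = Get-OfficeSecurityKey $app
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Disable all macros without notification (no "Enable Content" button for users)
        Set-ItemProperty -Path $key -Name "VBAWarnings" -Value 4 -Type DWord
        # Block macros in files carrying the Internet mark-of-the-web (Office 2016 and later)
        Set-ItemProperty -Path $key -Name "blockcontentexecutionfrominternet" -Value 1 -Type DWord
    }
}

function Test-OfficeMacroLockdown {
    foreach ($app in $Apps) {
        $key  = Get-OfficeSecurityKey $app
        $vba  = (Get-ItemProperty -Path $key -Name "VBAWarnings" -ErrorAction SilentlyContinue).VBAWarnings
        $motw = (Get-ItemProperty -Path $key -Name "blockcontentexecutionfrominternet" -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet
        [pscustomobject]@{
            Application           = $app
            MacrosDisabled        = ($vba -eq 4)
            InternetMacrosBlocked = ($motw -eq 1)
        }
    }
}

# Usage: apply the policy, then show one row per application
Set-OfficeMacroLockdown
Test-OfficeMacroLockdown | Format-Table -AutoSize
```

The verification function is the part worth keeping: run it on its own before and after a policy change to confirm every application reports MacrosDisabled and InternetMacrosBlocked as True, since a single application left at the default setting is enough for a document like the one pictured above to run its macro.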

Again, do not open other attachments such as .exe files from unknown sources. Don’t open attachments unless you know exactly what is in them and who they’re from. Make sure all your anti-malware and anti-virus software is always up to date.


What Your I.T. Consulting or I.T. Support Firm Should be Doing

First, you should be educated and notified by your I.T. service about viruses and malware in general and the Locky ransomware problem in particular, right now. They need to be on top of new variants but also should know about new opportunities and methods to combat these attacks. In mid-May, security researcher Weston Hecker presented new strategies for detecting ransomware at the Security BSides Boston conference. Researchers at Kaspersky Labs have cracked the newest version of the CryptXXX ransomware.

But you can’t rely on decoding once the virus is in. Your focus, and the focus of your I.T. support company, must be on prevention. They should encourage you to contact them any time you get a suspicious email or attachment. They should be providing you with multiple opportunities to reevaluate and upgrade your defenses. They should be constantly sharing information with you on this and other forms of phishing, malware, and cyber-attacks.

We have put into place multiple layers of ransomware prevention and protection for our clients including web filtering, email filtering, and content filtering. We also highly recommend that you and your employees do NOT access personal email on work computers.

Ask if your I.T. department or consulting firm is taking the maximum precautions to protect you from these terrible malicious viruses. Use our free asset protection checklist to check what you’re doing and what they are doing. If you’re not certain that you and your data are completely protected, reach out to us at 559-485-4335. We can help you evaluate your risk and make sure your business data is as secure as possible.

Download our free Asset Protection Checklist to find the gaps in your external and internal data security.