Locky Ransomware Returns Lurking In A Word Document Hidden Behind PDF Attachments

This latest Locky variant appears to have traits similar to a Russian doll

Locky ransomware  appears to be back again, this time hiding behind Word documents in turn lurks behind a PDF email attachment to avoid detection. 

According to the Sophos Naked Security blog, researchers for the cyber security firm compared the ransomware variant to that of a Russian matryoshka doll in that it hides an attachment within an attachment. 

The ransomware comes to life when the PDF is downloaded and tries to open the embedded Word document using Acrobat Reader. If the Word document is opened, it uses social engineering to prompt the viewer to enable editing on the document.

Once this is done the a Visual Basic for Applications (VBA) macro is launched which downloads and runs ransomware, leaving the victim to be open to exploitation by cyber criminals. 

To fight this Locky variant, Sophos advised being vigilant on what documents you choose to download and ensure you update the various software suits running on you machine or system regularly., and back up sensitive or valuable data that ransomware is likely to go after. 

This latest iteration of Locky is an example of the advanced and evolving tactics cyber criminal are using to sneak malware and ransomware attacks past anti-virus software and vigilant email users. 

23/03/2016: Security researchers Zscaler have warned that a nasty piece of ransomware known as Locky is gaining momentum.

Last month the Locky hit the Hollywood Hospital, which unfortunately paid bitcoins worth $17,000 (£12,010) in order to get the attackers to unlock their systems, and now a Kentucky hospital has declared a ‘Internal State of Emergency’ after an infection.

Zscaler warned that the Locky ransomware family is still going strong and that it has blocked 75 unique and new payloads that was targeting its customers. They warned that the ransomware authors have migrated from infecting Microsoft Word documents to now delivering the malicious content through zip attachment files in spam emails.

Read More: How to avoid ransomware and stay safe

Hospital Emergency

Methodist Hospital in Kentucky has declared an “internal state of emergency” after a ransomware attack. A streaming red banner on its website warns that a computer virus infection has limited the hospital’s use of electronic web-based services, revealed security expert Brian Krebs.

“Methodist Hospital is currently working in an Internal State of Emergency due to a Computer Virus that has limited our use of electronic web based services,” says the banner. “We are currently working to resolve this issue, until then we will have limited access to web based services and electronic communications.”

The attackers are reportedly demanding Bitcoins worth $1,600 in order to unlock the encrypted files, and the hospital has not ruled out paying the ransom.

“We have a pretty robust emergency response system that we developed quite a few years ago, and it struck us that as everyone’s talking about the computer problem at the hospital maybe we ought to just treat this like a tornado hit, because we essentially shut our system down and reopened on a computer-by-computer basis,” said David Park, an attorney for the Kentucky healthcare centre.

“We haven’t yet made decision on that, we’re working through the process. I think it’s our position that we’re not going to pay it unless we absolutely have to.”

Locky Attachments

ransomwareThe ransomware attack comes after Trend Micro said earlier this month that had been more ransomware-related infections in February this year, compared to the first six months of last year in total. It predicted that 2016 could see the largest number of ransomware attacks on record.

Zscaler said that it has seen a large uptick in Locky payloads getting delivered during the month of March. Once it has successfully infected a machine, Locky will encrypt a number of file types on the victim machine including pictures, videos and program files.

A ransom note then demands payment in return for a private RSA key that is needed to decrypt the user files.

“Locky is the latest addition to one of the most active & lucrative malware strain in past 3 years called Ransomware,” said Zscaler. “This new ransomware family follows the same model of using asymmetric (public key) encryption to lock user documents and demand ransom for the decryption key.

“The delivery vector has been primarily spammed email attachments that are responsible for downloading the Locky payload,” it said. “We also noticed an interesting overlap in the recent campaigns where same URLs were being used to deliver both Dridex & Locky payloads.”

Growing Menace

Ransomware is a growing menace. Last week Dell SecureWorks warned that hackers who previously carried out attacks on behalf of the Chinese Government may now be behind a number of recent incidents involving ransomware.

Even Apple, which has until recently enjoyed a relatively good security reputation, has been targetted by ransomware. Palo Alto Networks found a ransomware campaign, dubbed “KeRanger” hidden in a BitTorrent installer for software called Transmission, which allows Mac users to download videos, music and software via a peer-to-peer network.

Unfotunately it seems that many businesses pay the ransom. Bitdefender found that that 44 percent of ransomware victims in the UK have paid to regain access to their data. The company believes this figure will rise in the coming years, with 39 percent of victims saying it is probable or very probable that they will be attacked again in the future.

It found that victims are willing to pay up to £400 to recover their encrypted data.

Are you a security pro? Try our quiz!