Locky Ransomware infects computers through emails
A new Locky ransomware virus appeared on the internet and encrypts a lot of important files.
During the last few days, we were getting reports about Locky Ransomware virus. This malicious program encrypts your files using AES-128 and RSA-2048 ciphers and then demands a ransom fee from 0.5 to 1 bitcoin. Even though this is not the first ransomware that was developed, Locky is unique because of how it spreads among users. Also, its difference from other representatives like CryptoWall and DMA Locker is that Locky Ransomware targets a lot of file extensions. Basically, it turns your Windows Operating system into 0. At this moment, there is no way to decrypt your files without paying the demanded money.
How Locky Ransomware infects your computer
As we have told before, Locky ransomware is unique because of its installation way. Despite that email spam messaging was discovered a long time ago, this was the first cryptovirus, that used this method of spreading. It’s very clever how hackers were able to hide this virus in an attachment to a message.
Once victim receives the message, it will contain an attachment with name “Invoice.doc”. Cyber criminals are trying to fool victims to download this document by masking this email as a bank notification or a confirmation from money transfer. If a user gets interested in this, he will download the attached document and open it. Here is the example of the letter:
The downloaded document usually comes in .doc, .docx formats and it can be opened with almost all versions of Microsoft Office Word. When a user tries to open it, he will see the unreadable message with a simple suggestion “Enable macro if data encoding is incorrect”:
Microsoft Word will display a message that this document is opened in protected view and if you need to see all content of the document you need to enable macro. In that same moment, when victim turns on macro, the Locky Ransomware will start to work. Macros will download an executable file from a remote server. After that, this file will be executed in silent mode, you won’t even notice anything and Locky Ransomware will be encrypting your information. This executable file will be located in %temp% folder and work from there.
The second thing that makes Locky ransomware so dangerous is a wide-spread amount of file extension that it encrypts. Here is a full list of file extensions that will be encrypted:
.mid, .wma, .flv, .mkv, .mov, .avi, .asf, .mpeg, .vob, .mpg, .wmv, .fla, .swf, .wav, .qcow2, .vdi, .vmdk, .vmx, .gpg, .aes, .ARC, .PAQ, .tar.bz2, .tbk, .bak, .tar, .tgz, .rar, .zip, .djv, .djvu, .svg, .bmp, .png, .gif, .raw, .cgm, .jpeg, .jpg, .tif, .tiff, .NEF, .psd, .cmd, .bat, .class, .jar, .java, .asp, .brd, .sch, .dch, .dip, .vbs, .asm, .pas, .cpp, .php, .ldf, .mdf, .ibd, .MYI, .MYD, .frm, .odb, .dbf, .mdb, .sql, .SQLITEDB, .SQLITE3, .asc, .lay6, .lay, .ms11 (Security copy), .sldm, .sldx, .ppsm, .ppsx, .ppam, .docb, .mml, .sxm, .otg, .odg, .uop, .potx, .potm, .pptx, .pptm, .std, .sxd, .pot, .pps, .sti, .sxi, .otp, .odp, .wks, .xltx, .xltm, .xlsx, .xlsm, .xlsb, .slk, .xlw, .xlt, .xlm, .xlc, .dif, .stc, .sxc, .ots, .ods, .hwp, .dotm, .dotx, .docm, .docx, .DOT, .max, .xml, .txt, .CSV, .uot, .RTF, .pdf, .XLS, .PPT, .stw, .sxw, .ott, .odt, .DOC, .pem, .csr, .crt, .key, wallet.dat
Terrefying how one program can do so much damage. But the is also one interesting thing. Locky Ransomware won’t encrypt files that are located in specific folders or files, that are “whitelisted” in the same list:
tmp winnt Application Data AppData Program Files (x86) Program Files temp thumbs.db $Recycle.Bin System Volume Information Boot Windows
These actions will allow Locky to leave vital Widowns files alone and maintane a workable state of the operating system. After the encrypting process is over, the virus will show you next message:
At this point, the work of the Locky Ransomware is finished. Your files are encrypted, and you are not able to return them, unless you pay the ransom fee, specified in the message.
Locky Ransomware Protection
It doesn’t matter were you able to return your files or not, you need to protect your computer from possible future infection like that. Because the era of ransomware is coming. We are glad to annonce that our anti-ransomware product is now ready for a beta release! GridinSoft Anti-Ransomware was developed to protect your computer from cyptoviruses. Try this program, it may save your computer from possible future infication. Help us make GridinSoft Anti-Ransomware better by leaving your feedback! To install this program follow next steps:
- Download GridinSoft Anti-Ransomware.
- Follow the installation instruction.
- Open the program and enable the protection.