Proofpoint, a next-generation security company, found the malware on 16 February. Its researchers identified a new ransomware family named 'Locky' being distributed via MS Word documents containing malicious macros.
It stands out because it is being delivered by the same actor behind many of the Dridex campaigns (iTWire report here) tracked over the last year.
In this campaign, messages from random senders with the subject "ATTN: Invoice J-12345678" deliver an attachment "invoice_J-12345678.doc". The attachments are MS Word documents containing macros which download and install the Locky ransomware. The botnet (a group of infected machines running a spam bot) delivering the spam is the same botnet that distributes the vast majority of messages bearing the Dridex banking Trojan.
The ransomware encrypts files selected by their extension and uses Notepad to display the ransom message. It also replaces the Desktop background with the ransom message. If the user visits the onion (or tor2web) links specified in the ransom message, they are instructed to buy Bitcoins, send them to a certain Bitcoin address, and then refresh the page to wait for the decryptor download. There is no guarantee that the decryption key will be provided if you pay.
At this stage antivirus coverage is limited, and once files are encrypted they are lost unless you have a recent backup, one that the infected machine could not write to, since the ransomware also encrypts files on network shares it can reach.
It is mainly aimed at corporate targets. Sysadmins should check whether there are files with the .locky extension on network shares. If so, look at the NTFS owner of the _Locky_recover_instructions.txt ransom note that the malware drops in each folder: the note is written by the infected workstation's session, so its owner is the compromised user account. Then lock that owner's Active Directory user account and computer account immediately and take the machine off the network. Disabling the accounts only stops further access to shares; it does not stop the running process. The only cure is to rebuild the PC from scratch.
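The sweep-and-contain procedure above, as an added PowerShell example; this is not code from the iTWire article or from Proofpoint. It assumes a hypothetical share path, that it runs on the file server itself (so the SmbShare module can map a user back to the workstation still holding an SMB session), that the ActiveDirectory module is installed, and that the ransom note is named _Locky_recover_instructions.txt. `-WhatIf` is left on the disable calls so the first run is a dry run.

```powershell
# Added example (not the article's or Proofpoint's code): sweep a share for
# Locky artefacts, identify the infected account, and contain it.
# Assumptions: hypothetical share path; run on the file server with the
# ActiveDirectory (RSAT) and SmbShare (Server 2012+) modules available.
Import-Module ActiveDirectory
Import-Module SmbShare

$SharePath = '\\fileserver\shared'             # hypothetical share to sweep
$NoteName  = '_Locky_recover_instructions.txt' # ransom note dropped per folder

function Find-LockyArtefacts {
    param([string]$Path)
    # Locky renames victims to <hex id>.locky and drops one note per folder it
    # touched; both are cheap to enumerate with a recursive filtered listing.
    $encrypted = Get-ChildItem -Path $Path -Recurse -File -Filter '*.locky' -ErrorAction SilentlyContinue
    $notes     = Get-ChildItem -Path $Path -Recurse -File -Filter $NoteName -ErrorAction SilentlyContinue
    [pscustomobject]@{
        EncryptedCount = @($encrypted).Count
        Notes          = $notes
    }
}

function Get-LockyOwners {
    param($Notes)
    # The note is created by the infected workstation's session, so its NTFS
    # owner (DOMAIN\user) is the compromised account, not the share owner.
    $Notes | ForEach-Object { (Get-Acl -LiteralPath $_.FullName).Owner } | Sort-Object -Unique
}

function Get-ClientComputers {
    param([string[]]$Owners)
    # Map each owner to the client still holding an SMB session on this server.
    # ClientComputerName is usually an IP address; resolve it to a host name
    # so it can be matched to an AD computer object.
    Get-SmbSession | Where-Object { $Owners -contains $_.ClientUserName } | ForEach-Object {
        try   { ([System.Net.Dns]::GetHostEntry($_.ClientComputerName)).HostName.Split('.')[0] }
        catch { $_.ClientComputerName }
    } | Sort-Object -Unique
}

$found = Find-LockyArtefacts -Path $SharePath
if ($found.EncryptedCount -eq 0) { Write-Host "No .locky files under $SharePath"; return }
Write-Host "$($found.EncryptedCount) encrypted files; $(@($found.Notes).Count) ransom notes"

$owners = Get-LockyOwners -Notes $found.Notes
$hosts  = Get-ClientComputers -Owners $owners

# Contain. -WhatIf prints what would happen; drop it to actually disable.
foreach ($owner in $owners) {
    $sam = $owner.Split('\')[-1]               # strip the DOMAIN\ prefix
    Write-Host "Disabling user account $owner"
    Disable-ADAccount -Identity $sam -WhatIf
}
foreach ($h in $hosts) {
    Write-Host "Disabling computer account $h"
    Get-ADComputer -Identity $h | Disable-ADAccount -WhatIf
}
# Disabling the accounts stops further share access but not the running
# process: pull the workstation's cable or shut its switch port, then rebuild.
```

If the session has already closed, `Get-SmbSession` returns nothing for that user; fall back to the domain controller's logon events or the workstation name recorded by your endpoint tooling to find the computer account. If the note's owner shows as the file server's own Administrators group rather than a user, the folder's owner inheritance was overridden and the owner of the `.locky` files themselves should be checked instead.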
Sysadmins should configure Microsoft Office to disable macros by default, enforced through Group Policy so that users cannot simply click "Enable Content" on an attachment. This will also protect against Dridex.
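Enforcing that setting, as an added example that is not part of the article: the policy hive key `HKCU\Software\Policies\Microsoft\Office\<version>\<app>\Security` with `VBAWarnings` set to 4 ("disable all macros without notification") greys the option out in the Trust Center so users cannot override it. The script assumes Office 2013 (15.0) and Office 2016 (16.0) and the three main applications, and is written to run per user (or be pushed by a GPO logon script); the equivalent Administrative Template setting is what you would normally deploy.

```powershell
# Added example (not from the article): enforce "disable all macros without
# notification" via the Office policy hive and verify it took effect.
# Assumptions: Office 2013/2016 version keys; run in the user's context.
$Versions = '15.0', '16.0'
$Apps     = 'Word', 'Excel', 'PowerPoint'

function Set-OfficeMacroPolicy {
    # VBAWarnings: 1 = enable all, 2 = disable with notification (default),
    # 3 = disable except digitally signed, 4 = disable all without notification.
    # 1 is excluded deliberately; 3 is the usual compromise where signed
    # internal macros are still required.
    param([ValidateSet(2, 3, 4)][int]$VbaWarnings = 4)
    foreach ($v in $Versions) {
        foreach ($app in $Apps) {
            $key = "HKCU:\Software\Policies\Microsoft\Office\$v\$app\Security"
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            New-ItemProperty -Path $key -Name 'VBAWarnings' -PropertyType DWord -Value $VbaWarnings -Force | Out-Null
        }
    }
}

function Test-OfficeMacroPolicy {
    # Returns a line for each app whose policy is still permissive
    # (missing, 1 or 2); an empty result means the policy is enforced.
    foreach ($v in $Versions) {
        foreach ($app in $Apps) {
            $key = "HKCU:\Software\Policies\Microsoft\Office\$v\$app\Security"
            $val = (Get-ItemProperty -Path $key -Name 'VBAWarnings' -ErrorAction SilentlyContinue).VBAWarnings
            if ($null -eq $val -or $val -lt 3) { "$app $v : VBAWarnings=$val" }
        }
    }
}

Set-OfficeMacroPolicy -VbaWarnings 4
$weak = Test-OfficeMacroPolicy
if ($weak) { $weak | ForEach-Object { Write-Warning $_ } }
else       { Write-Host 'Macro policy enforced for all listed Office apps' }
```

One caveat: documents opened from a Trusted Location still run macros regardless of `VBAWarnings`, so audit the Trusted Locations list (or disable it with `AllLocationsDisabled`) at the same time, and remember that this policy does nothing for Office versions whose key is not in `$Versions`.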