Tips on how to Combat the Locky Virus

Monday, 06/20/2016

A really nasty piece of ransomware hit the internet around mid-February of this year (2016) and is creating utter havoc. It is commonly known as the "Locky" virus, and it has since been modified into variants under other names that produce the same result. Locky encrypts the victim's files with AES, and the per-file keys are in turn protected with an RSA key held by the attackers, so the files cannot be unlocked without the key they are selling. It is spread mainly through spam e-mail carrying a Word document, an Excel spreadsheet, a .js script or a .zip file. Check out the Avast blog link; it goes into very specific detail on the infection vector and what to look for. The most common presentation so far has been an e-mail with a Word document "invoice" attached. The document asks the recipient to enable macros in order to read the invoice; clicking Enable Content runs the macro, which downloads and launches the ransomware. Nobody sends a genuine invoice that needs macros to display, so treat any attachment that asks for them as hostile.
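The delivery vectors just listed (a Word or Excel file with a macro, a .js file, or a .zip wrapping either) can be checked at the mail gateway or on a quarantined attachment without ever opening the file in Office. The following is an added example, not code from the original post, the Avast blog or MalwareTips. It relies on the fact that Office Open XML documents are zip archives and that a VBA macro project is stored inside them as a part named vbaProject.bin; the verdict labels, the extension lists and the sample attachments at the bottom are my own constructions.

```python
"""Triage an e-mail attachment for the Locky delivery vectors (added example).

Checks, offline and without opening the file in Office:
  * Office Open XML files (.docx/.docm/.xlsx/.xlsm ...) for an embedded VBA
    project, the part named vbaProject.bin, i.e. the "enable macros" lure;
  * .js and similar script attachments, which Windows Script Host runs on
    double-click;
  * .zip archives containing a script, an executable or a macro document.
"""
import io
import zipfile

MACRO_PART_SUFFIX = "vbaProject.bin"
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".wsf"}          # assumption: extend as needed
EXEC_EXTS = {".exe", ".scr", ".com", ".pif"}
OFFICE_EXTS = {".docx", ".docm", ".dotm", ".xlsx", ".xlsm", ".xltm"}


def _ext(name: str) -> str:
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""


def _zip_names(data: bytes):
    """Return the member names if data is a zip archive, else None."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return None


def office_has_macros(data: bytes) -> bool:
    """True if an OOXML document carries a VBA project part (e.g. word/vbaProject.bin)."""
    names = _zip_names(data)
    return names is not None and any(n.endswith(MACRO_PART_SUFFIX) for n in names)


def triage_attachment(filename: str, data: bytes) -> str:
    """Return 'block', 'review' or 'allow' for one attachment (labels are my own)."""
    ext = _ext(filename)
    if ext in SCRIPT_EXTS or ext in EXEC_EXTS:
        return "block"                      # never a legitimate invoice
    if ext in OFFICE_EXTS:
        return "block" if office_has_macros(data) else "allow"
    if ext == ".zip":
        names = _zip_names(data)
        if names is None:
            return "review"                 # claims to be a zip but is not
        for member in names:
            mext = _ext(member)
            if mext in SCRIPT_EXTS or mext in EXEC_EXTS:
                return "block"
            if mext in OFFICE_EXTS:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    if office_has_macros(zf.read(member)):
                        return "block"
        return "review"                     # archive with nothing obviously bad
    return "review"                         # unknown type: a human looks at it


def _build_ooxml(with_macros: bool, prefix: str = "word") -> bytes:
    """Constructed sample: a minimal OOXML-shaped zip, enough for the check above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr(f"{prefix}/document.xml", "<document/>")
        if with_macros:
            zf.writestr(f"{prefix}/vbaProject.bin", b"\xd0\xcf\x11\xe0 fake OLE stream")
    return buf.getvalue()


def _build_zip(members: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples mimicking the lures described in the post (file names invented).
SAMPLES = {
    "invoice.docm": _build_ooxml(True),
    "invoice_clean.docx": _build_ooxml(False),
    "statement.xlsm": _build_ooxml(True, prefix="xl"),
    "invoice_copy.js": b"var s = new ActiveXObject('WScript.Shell');",
    "scan_0012.zip": _build_zip({"scan_0012.js": b"// dropper"}),
    "photos.zip": _build_zip({"readme.txt": b"hello"}),
}


def triage_all(samples=SAMPLES) -> dict:
    return {name: triage_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage_all().items():
        print(f"{verdict:6s} {name}")
```

The check is deliberately by content rather than by extension for Office files: renaming a .docm to .docx does not remove the vbaProject.bin part, so the document is still flagged.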

When a user's system is infected, it may present with a red _Locky_recover-Instructions.png wallpaper that covers the entire desktop, or similar pop-up dialogue boxes. Locky runs on every version of Microsoft Windows. When it first infects the computer, it creates a randomly named executable in the %AppData% or %LocalAppData% folder. That executable is launched and scans every drive letter on the computer and on the network, including network shares that are not even mapped to a drive letter, so a single infected workstation can take out a file server. It encrypts the user's data files, renaming them as it goes, so they become completely inaccessible, and it also attempts to delete the Windows Volume Shadow Copies so that the built-in "Previous Versions" feature cannot roll the files back. A message then appears stating that to retrieve the data you need to pay in bitcoins within a specific time frame. Unfortunately, even if the bitcoins are paid to the attacker, there is no guarantee that a working key is returned.
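If you are asked to confirm whether a machine or a share was hit, the on-disk signs described above can be collected with a simple scan. The following is an added example and not code from the original post or from MalwareTips. It assumes the facts about the original February 2016 Locky that the page does not spell out: encrypted files were renamed to a 32-hex-digit name with a .locky extension (later variants changed the extension, so it is a parameter), and the ransom note name begins with "_Locky_recover" (the post's _Locky_recover-Instructions.png; the .txt form shares the prefix). The entropy test is a generic ransomware indicator added on top of that, and the sample tree it scans is constructed in a temporary directory.

```python
"""Scan a directory tree for the on-disk signs of a Locky infection (added example).

Reports:
  * ransom notes: file names starting with "_Locky_recover";
  * renamed files: 32 hex digits plus a known Locky extension;
  * text-type files whose content looks encrypted (Shannon entropy near
    8 bits/byte), which catches a variant that keeps the original names;
  * executables sitting in the given %AppData%/%LocalAppData% folders, where
    the post says the dropper is placed.
"""
import math
import os
import random
import re
import tempfile
from collections import Counter

RANSOM_NOTE_PREFIX = "_locky_recover"
RENAMED_EXTS = {".locky"}                     # assumption: add later variants' extensions
RENAMED_STEM = re.compile(r"^[0-9a-f]{32}$", re.I)
ENTROPY_THRESHOLD = 7.5                        # bits/byte; plain text is roughly 4 to 5
# Only formats that are normally NOT compressed: jpg, zip, docx etc. are near 8 bits
# by nature and would be false positives.
TEXT_EXTS = {".txt", ".csv", ".log", ".xml", ".html", ".ini"}


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_tree(root: str, appdata_dirs=(), sample_bytes: int = 4096) -> dict:
    """Walk root and return lists of paths per indicator."""
    droppers_in = {os.path.normcase(os.path.abspath(d)) for d in appdata_dirs}
    found = {"ransom_notes": [], "renamed_files": [],
             "high_entropy_text": [], "dropper_candidates": []}
    for dirpath, _dirs, files in os.walk(root):
        here = os.path.normcase(os.path.abspath(dirpath))
        for name in files:
            path = os.path.join(dirpath, name)
            stem, ext = os.path.splitext(name)
            ext = ext.lower()
            if name.lower().startswith(RANSOM_NOTE_PREFIX):
                found["ransom_notes"].append(path)
            elif ext in RENAMED_EXTS and RENAMED_STEM.match(stem):
                found["renamed_files"].append(path)
            elif ext in TEXT_EXTS:
                try:
                    with open(path, "rb") as fh:
                        head = fh.read(sample_bytes)
                except OSError:
                    continue
                if len(head) >= 256 and shannon_entropy(head) > ENTROPY_THRESHOLD:
                    found["high_entropy_text"].append(path)
            if ext in (".exe", ".scr") and here in droppers_in:
                found["dropper_candidates"].append(path)
    return found


def _noise(rng: random.Random, n: int) -> bytes:
    """Deterministic pseudo-random bytes standing in for ciphertext."""
    return bytes(rng.getrandbits(8) for _ in range(n))


def build_sample_tree():
    """Constructed sample: a profile after a partial run, plus a fake %AppData%. Names invented."""
    root = tempfile.mkdtemp(prefix="locky_demo_")
    docs = os.path.join(root, "Documents")
    appdata = os.path.join(root, "AppData", "Roaming")
    os.makedirs(docs)
    os.makedirs(appdata)
    rng = random.Random(2016)
    files = {
        os.path.join(docs, "_Locky_recover-Instructions.png"): b"\x89PNG fake note image",
        os.path.join(docs, "_Locky_recover_instructions.txt"): b"!!! your files are encrypted !!!",
        os.path.join(docs, "F67091F1D24A922B1A7FC27E19A9D9BC.locky"): _noise(rng, 4096),
        os.path.join(docs, "budget.txt"): _noise(rng, 4096),      # encrypted in place, name kept
        os.path.join(docs, "notes.txt"): b"Meeting notes: " * 300,  # untouched plain text
        os.path.join(docs, "photo.jpg"): _noise(rng, 4096),       # high entropy but not flagged
        os.path.join(appdata, "xk3t9q.exe"): b"MZ" + bytes(64),   # random-named dropper
    }
    for path, data in files.items():
        with open(path, "wb") as fh:
            fh.write(data)
    return root, [appdata]


if __name__ == "__main__":
    root, appdata = build_sample_tree()
    for kind, paths in scan_tree(root, appdata_dirs=appdata).items():
        print(f"{kind}: {len(paths)}")
        for p in paths:
            print("   ", os.path.relpath(p, root))
```

Run it against a mapped share as well as the local profile: because Locky also reaches unmapped shares, a clean workstation does not prove the server is clean.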

What to do when infected?  The first thing to do, immediately, is to unplug the network cable from the PC; if it is connected wirelessly, disconnect from the wireless network by disabling the adapter or shutting the system down.  This stops the encryption of network shares and keeps the infection from spreading further.  Next, go to Stelian Pilici's MalwareTips website; he provides an excellent overview of the virus, how it works, and what tools to use to remove it.  Keep in mind that removing the malware does not decrypt the files, and, as Stelian advises, recovery is not always successful.  However, if the encryption was interrupted before it finished (for example because the machine was disconnected or powered off early), there is a chance of recovering some or most of the user data from files it had not yet reached.  ShadowExplorer restores files from Volume Shadow Copies and therefore only helps if Locky's attempt to delete them (it runs vssadmin to do so) failed.  The tools Stelian recommends, in a nutshell, are as follows:

  • Malwarebytes
  • HitmanPro
  • ShadowExplorer
  • Note: CryptoWall is not a tool; it is the name of a separate ransomware family.  At the time of writing there is no free decryptor for Locky, so recovery means restoring files from shadow copies or backups rather than decrypting them.

One other word of advice:  It is always good practice to back up your data onto an external device such as an external hard drive, then disconnect it from the system and the network and store it in a safe or off-site.  A backup that stays plugged in, or mapped as a drive letter, is just another volume for Locky to encrypt.  Perform periodic backups going forward to keep the backup current, and restore a few files from it now and then to confirm that it actually works.  Good luck and keep your data safe!

–written by Miylani
