Locky Ransomware Returns, Nested in a PDF

Locky ransomware set records and frightened computer users throughout the world as its developers targeted millions of email addresses in early 2016. The malware was so prolific that almost 7 out of 10 malicious email attachments in the spring of 2016 contained Locky according to Proofpoint. The ransomware disappeared for a while, but now it’s popped back up with a new delivery method.

Locky Spreads Through an Infected PDF Attachment

A phishing email that attempts to spread Locky ransomware.

Locky now arrives as a PDF attachment with a macro-enabled Word document embedded inside it. Nesting the document inside a PDF lets it slip past many antivirus products that inspect the outer PDF but do not unpack and examine the file it carries. Attackers use various social engineering techniques to make the attached document look legitimate.

The email message sometimes claims that the attached file is a receipt or other important document. The attachment’s file name may use part of the target’s email address to look more realistic.

When the recipient opens the attached PDF, the reader prompts for permission to open a second, embedded file, warning that it could “contain programs, macros, or viruses that could potentially harm” the computer. That second file is the macro-laden Word document. If the user disregards the warning and chooses “Open this file,” the document’s macro downloads Locky. Word’s default macro setting still blocks the macro until the user clicks “Enable Content,” so this is a second warning the victim has to click through.
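The delivery chain above (PDF, embedded Office document, VBA macro) is exactly what a mail gateway or triage script should look for before a user ever sees the prompt. The following is an added example, not code from the article or from any particular product: it walks a PDF’s /Filespec and /EmbeddedFile objects, pulls each embedded payload, and flags any OOXML document that carries a VBA project (`word/vbaProject.bin`). Everything in it is constructed: `build_docm()` and `build_pdf()` fabricate a minimal .docm and a minimal PDF wrapper so the scan runs offline, and all function names are illustrative assumptions. The parser reads only uncompressed embedded-file streams; real samples usually wrap them in /FlateDecode, so decompress the stream with `zlib` before applying the same checks.

```python
"""Triage a PDF attachment for an embedded Office document carrying a VBA macro.

Constructed example: build_docm() and build_pdf() fabricate the inputs, and the
helper names are illustrative, not from any real tool. Only uncompressed
embedded-file streams are parsed; for /FlateDecode streams, zlib.decompress()
the data first and then run the same checks.
"""
import io
import re
import zipfile

FILESPEC_RE = re.compile(rb"/Type\s*/Filespec.*?/F\s*\((.*?)\)", re.DOTALL)
EMBEDDED_RE = re.compile(rb"/Type\s*/EmbeddedFile")
LENGTH_RE = re.compile(rb"/Length\s+(\d+)")
ZIP_MAGIC = b"PK\x03\x04"  # local file header that starts every OOXML document


def find_embedded_files(pdf: bytes):
    """Return [(filename_or_None, payload_bytes)] for each /EmbeddedFile stream."""
    names = [m.group(1) for m in FILESPEC_RE.finditer(pdf)]
    found = []
    for i, m in enumerate(EMBEDDED_RE.finditer(pdf)):
        dict_start = pdf.rfind(b"<<", 0, m.start())  # this object's dictionary
        kw = pdf.index(b"stream", m.end())            # the 'stream' keyword
        length = int(LENGTH_RE.search(pdf[dict_start:kw]).group(1))
        data = kw + len(b"stream")
        if pdf[data:data + 2] == b"\r\n":             # EOL after 'stream'
            data += 2
        elif pdf[data:data + 1] == b"\n":
            data += 1
        found.append((names[i] if i < len(names) else None, pdf[data:data + length]))
    return found


def embedded_file_has_macro(payload: bytes) -> bool:
    """True if payload is an OOXML zip with a VBA project (word/vbaProject.bin).
    Legacy OLE2 .doc files keep macros in an OLE storage and are not covered here."""
    if not payload.startswith(ZIP_MAGIC):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def scan_pdf(pdf: bytes):
    """One finding per embedded file: name, size, whether it is OOXML, and macro flag."""
    return [
        {
            "name": name.decode("latin-1") if name else None,
            "size": len(payload),
            "is_ooxml": payload.startswith(ZIP_MAGIC),
            "has_macro": embedded_file_has_macro(payload),
        }
        for name, payload in find_embedded_files(pdf)
    ]


# --- constructed sample inputs (not real malware) ---------------------------

def build_docm(with_macro: bool) -> bytes:
    """Fabricate a minimal OOXML document; with_macro adds word/vbaProject.bin."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 12)  # OLE2 magic
    return buf.getvalue()


def build_pdf(attachments) -> bytes:
    """Fabricate a PDF with a Filespec -> EmbeddedFile pair per (name, payload).
    No xref table is written; strict readers reject that, the scanner does not care."""
    out, obj = [b"%PDF-1.7\n"], 1
    for name, payload in attachments:
        out.append(b"%d 0 obj\n<< /Type /Filespec /F (%s) /EF << /F %d 0 R >> >>\nendobj\n"
                   % (obj, name.encode(), obj + 1))
        out.append(b"%d 0 obj\n<< /Type /EmbeddedFile /Length %d >>\nstream\n"
                   % (obj + 1, len(payload)) + payload + b"\nendstream\nendobj\n")
        obj += 2
    out.append(b"%%EOF\n")
    return b"".join(out)


if __name__ == "__main__":
    lure = build_pdf([("receipt.docm", build_docm(True))])
    for finding in scan_pdf(lure):
        print(finding)
```

A gateway rule built on this would quarantine any PDF whose embedded file is OOXML with a macro project, regardless of the outer file type the filter saw. Two caveats a practitioner should keep in mind: binary `.doc` attachments store macros in OLE2 storages rather than a zip member, so they need a separate check, and a malicious document can also be reached through a PDF’s `/Launch` or JavaScript actions rather than a plain embedded file.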

How Does Locky Cause Data Loss?

Once downloaded, Locky runs and begins encrypting the victim’s files. Encrypted files are unusable to anyone who does not hold the decryption key, so photos, videos, mp3s, spreadsheets, and almost every other document on the computer become inaccessible.

Once the malware has encrypted everything it can reach, a message appears demanding one bitcoin (currently equal to $1,258). There is no known decryptor for Locky, so victims are left to restore from backup, pay the ransom, or lose their data.

Prevention is the Only Cure for Most Ransomware

There are freely available decryptors for less-sophisticated ransomware, but Locky has not yet been cracked. However, using common sense and good internet hygiene can protect you from Locky and other malware.

Perhaps the most important thing you can do is regularly back up essential files. If you have a current backup, you can simply perform a clean install of your operating system to get rid of the ransomware and then restore your files. Keep that backup offline or otherwise disconnected from the infected machine: ransomware encrypts whatever drives and shares it can reach, and a backup it can reach is not a backup.

Avoiding malware in the first place is largely a matter of good practices. Never download attachments or follow links from emails that look suspicious. Remember that attackers are actively trying to trick you into downloading malware, so don’t be surprised when an infected attachment looks legitimate.

Updating your software as soon as new versions are available also protects you from malware. Attackers use exploit kits to find weaknesses in outdated software, and installing patches as they become available closes the holes those kits rely on. Note, though, that this Locky campaign needs no exploit at all: it runs only because the user clicks through the warnings, so patching alone does not stop it.

An attack from Locky could devastate a small business or cause serious headaches for a larger one, but it relies on an error in human judgement. Backing up your data, updating your software, and never opening suspicious links or attachments can keep this troublesome malware from making you a victim.
