IT Risk – Locky Ransomware Virus Goes Pandemic – Thousands Of Users Have Files Encrypted Every Hour

IT Risk – Locky Ransomware Virus Goes Pandemic – Thousands Of Users Have Files Encrypted Every Hour: Horror scenario – You have just tried to open an invoice that was sent by e-mail and your computer wallpaper (example below) now presents you with a ransom demand. Your files have all been encrypted and you are told to pay-up to unlock them. Thank goodness you keep a regular backup on the plug-in drive you keep attached to your computer – but wait a minute – the virus has also encrypted your back-up files!

While you read the following article why not listen to my e-baroque compositions – just click on the box below:

or if techno music is more your cup of tea here are my techno/ambient compositions:

I hope you find the article below interesting…please visit again.

Lucky Virus Wallpaper (courtesy Kevin Beaumont)

Lucky Virus Wallpaper (courtesy Kevin Beaumont)

Having spent most of my career working in one of the World’s largest global corporations I have personally seen the kind of havoc unleashed when an employee inadvertently clicks on an email attachment without thinking. The situation I described above relates to the Locky computer virus which has recently gone pandemic (My definition of a pandemic computer virus is one that has spread internationally and infects at least 1000 machines per hour in major countries).

Not only does Locky encrypt the files on your computer but it will also do the same for any other file storage devices it can access through your file management system. Do you keep your back-up drive plugged into your PC/laptop? Have you got any other portable memory devices plugged in – like USB flash drives?  It can also use your computer to access the networks you are working on and encrypt the files on these networks causing mayhem throughout your organisation’s IT infrastructure.

Definition of a Pandemic Computer Virus

Definition of a Pandemic Computer Virus

This level of destruction is not a rare occurrence – In my view the latest alarming infection statistics for this trojan virus justify my ‘pandemic computer virus‘ classification. This morning I discovered that the virus is currently infecting 5,300 computers per hour in Germany, 2,900 per hour in Holland and 2,700 per hour in the USA. Even some of the most secure high tech organisations like the Fraunhofer-Institute in Germany have been infected. In the last week the virus annihilated several dozen of their PC workstations by infecting and encrypting files on a central server for the institute. Unlike many poorly written ‘virus carrying’ mails the ones involved in this incident were composed in perfect German and the Trojan virus managed to slip through the institute’s antivirus software and the Microsoft Outlook safety settings.

In the past I have tended to keep my back-up drive attached to my lap-top to give me easy access to archive files (and to remove ‘inconvenience’ as a reason for not regularly backing up my working files). Therefore if I had been hit by Locky it would probably have encrypted everything on my back-up drive – including my multi-year archives. For those of us depending on IT for our livelihood this creates the equivalent of an IT black hole – without the encryption key nothing can escape (Good bye to that almost finished book: Good bye to all your pics, music, videos, word docs etc., etc., Goodbye to your bitcoin wallet!).

Clearly faced with this horror scenario the criminals behind this ransomware virus are hoping you will willingly cough up the one bitcoin or so ($400 or £280) demanded to get your files unencrypted. But let’s not forget that we are dealing with unscrupulous criminals here – how often are blackmailers satisfied with just one payment once they know they have you by the short and curlies (a medical expression implying you are in a very delicate position)? Most IT experts and authorities recommend you do not pay.

Hopefully this article will have reached you before you have been infected by Locky (or one of the many lookalike ransomware viruses in circulation). If it hasn’t you will hopefully have a recent back-up that was not on-line at the time of the infection. Likewise if you are attached to a network (or even worse have admin rights) and the firewalls are breached hopefully the recent system backups were suitably quarantined. IT experts recommend back-ups should not simply be stored on separate computer systems but that they should also be in separate locations to minimise the risk from fire, flooding, theft etc.

Let me summarise what happens with Locky:

  1. You receive an e-mail usually referring to an invoice in a document attachment
  2. The text in the document is gobbledegook and the e-mail explains that if you can not read the text (“if the data encoding is incorrect“) you should “enable macros“.
  3. The Microsoft default is to turn off auto-execution of macros to improve e-mail security. Your  email reader will usually have the message “Security Warning Macros have been disabled” with an ‘options‘ button.
  4. The sender of the ransomware want’s you to click on the options button and enable macros so that you can read the gobbledegook.
  5. By enabling the macros the text in the word document will not change (it was a ‘fib’) but a hidden program in the document will be run and a file will be saved to your disk.
  6. The software runs the file which downloads some malware from the criminals that are responsible for sending you the e-mail
  7. In the case of the Locky virus this malware (ransomware) encrypts all files which have common name extensions (this will include videos, images, Office files, Bitcoin wallets and source code files).
  8. The ransomware program then changes your desktop wallpaper to look like the example shown at the top of this article.
  9. The links on the wallpaper are to sites on the ‘Dark Web‘ (popular among criminal organisations) and by visiting these sites you will receive ransom payment instructions
  10. As mentioned above it is not just your c-drive that is encrypted – any plugged-in (removable) storage devices, connected networks (including servers and linked computers) will be encryption targets. The ransomware will attack Windows, OS X and Linux operating systems. It will also hijack the access rights of any users logged in with domain administrator status.

Looking at this from a risk management perspective what kind of things can you do to minimise the risk of infection from Locky or any other similar ransomware?

  1. BACK-UPS: Perform back-ups regularly keeping back-ups on quarantined systems in separate locations. The objective is to minimise data loss in worst case scenarios and protect back-ups from the cause of the main data loss (malware, fire, electrical failure, flood, theft, sabotage, terrorism).
  2. EDUCATE: Users need to know how to identify when electronic communications are coming from dubious sources. They must understand why they should not click on links or enable macros in e-mails from such sources. If unsure – DON’T CLICK
  3. CONTROL ACCESS: All systems access should be managed and access rights (e.g. Administrators) should be applied (logged in) only when needed. Do not leave yourself logged in as an administrator. Segregate normal activities (opening e-mails and documents, browsing) from system administrator activities.
  4. VIEWERS: When e-mail viewers are available (e.g. MS Office viewers) use them.
  5. UPDATES: Ensure antivirus updates and all relevant software updates are installed quickly. Many software updates address security gaps or issues which will provide access points for criminal activity (hackers or malware) if they are not closed quickly.
  6. TEST: Ensure IT systems security is covered in your organisational risk assessments and regularly carry out security audits of both systems and people. In our organisation we sent employees e-mails which were designed to look very similar to current malware e-mails asking them to click on links. This helped us to identify training gaps, find security shortfalls and raise the awareness among staff of this serious problem.

Chris Duggleby

Computer Virus Preventative Health Check (Photo BP p.l.c.)

Computer Virus Preventative Health Check (Photo BP p.l.c.)

If you would like more information the Locky Ransomware try the links here (Kevin Beaumont) and here (Sophos)

Chris Duggleby started his scientific career studying Virology at Manchester University. From there he went on to spend over 35 in the chemicals and oil industries. Following an MBA from Warwick University he went on to lead a number of international manufacturing and marketing operations in the Chemicals, Plastics and Oil industries. This included being the founding President of Formosa BP Chemicals Corporation (A joint venture between BP and Taiwan’s largest private group). His work involved living and working in Europe, Asia, the USA, the Middle East, and Russia. More recently he was invited to take on a senior leadership position in the Audit Department of the BP International Oil Group. Here he used his global change and risk management experience to help the group reshape its management structures and processes following a major environmental disaster in the Gulf of Mexico. He has now retired to focus on writing about risk management and producing music in his studios near London, in the Alps and Cape Town. If you are interested in risk management check out his or (management of change) sites. He has also recently launched the site.

If you found this article interesting please consider taking a look at some of his other recent reports on similar subjects.

Just click on the titles below:

3rd Feb 2016 Zika Infection Spread By Sex In Dallas – Earlier Sexual Transmission In Colorado – Detailed Symptoms 

31st Jan 2016  Bed Bugs – Insecticide Resistance – Arbovirus Transmission – Zika and Microcephy

19th Jan 2016 ZIKA Virus Epidemic  – Health Warning – Pregnant women should postpone travel to affected areas – Including Brazil 

17th Jan 2016 Bubonic Plague Special – Lice – Hosts for The Black Death Bug

13th Jan 2016 Kill Head Lice In A Day With The Newly Developed Plasma Nitcomb From The German Fraunhofer Institute

8th Jan 2016 Cancer from Handbags, Shoes and Gloves – Allergic Reactions to Jewellery – German Institute Identifies Excessive Chromium 6 and Nickel Levels

26th July 2015 Poison in your Washing Machine: Allergic Contact Dermatitis from Laundry Detergents, Softeners, Conditioners and Whiteners

17th October 2015: Health Risk: Vitamin and antioxidant supplements help cancer cells become malignant – latest research from Texas

31st May 2015: German Concern about Potentially Carcinogenic Aromatic Hydrocarbons in Cosmetics  

29th December 2012: Spreading diarrhea and vomit through the washing machine– The Norovirus propagator in our kitchen