22 Jul 2016
You may have heard of the Locky strain of ransomware, one of the most pervasive malware families in circulation. Its success is due in no small part to constant updates, and it recently gained a new capability: it can encrypt files while the infected computer is offline.
Previously, Locky had to fetch its instructions from a command-and-control (C&C) server run by the Russian criminal group that also operates the Dridex banking trojan. In practice that meant that when a machine was offline, or a firewall blocked its traffic, the malware could not begin encrypting the victim's files. By adding a fallback that encrypts even when the computer cannot reach the server, the operators get around that limitation.
In most cases, ransomware that relies on public-key cryptography never gets to start encrypting if it cannot reach its C&C server. The scheme works like this: the malware generates a symmetric encryption key locally, then asks the C&C server to create an RSA key pair for that infected computer. The server keeps the private key and returns only the public key, which the malware uses to encrypt the symmetric key it generated, so the victim's files can only be unlocked by whoever holds the private key. Without internet access this exchange cannot take place and the malware is ineffective. The offline variant avoids the round trip by shipping a public key inside the malware itself.
The bad news is that even if you pull a whole network offline to gauge how far an infection has spread, the machines will still be encrypted, and with the whole process taking under two minutes there is little hope of stopping it in time. The good news is that because the offline mode uses the same embedded public key on every machine, the key you receive after paying for one of them will work on all of them, which makes a public decryptor likely to appear soon.
Not surprisingly, this new strain of Locky was spread through a massive phishing campaign that was getting 1,200 hits per hour. The best preparation for a ransomware attack is to make sure all users can recognise social engineering and phishing emails. Develop robust backup and data recovery policies, with the backups stored offline so the ransomware cannot reach them. Keep every operating system and anti-malware product up to date. Permanently disable Flash on all computers and install ad blockers. Don't open attachments from email addresses you don't recognise, and be wary of unexpected emails from well-known brands that carry attachments.