During your busy work day you receive an email with a Word document attached. You open it to view the contents and accept the prompt to run macros. The contents of the file will be unexciting, maybe even blank, but the damage has been done: allowing the file to open and run its macros has already opened the door for Locky and the quite devastating results of its work.
You won't know anything about it until either you notice the names of your files changing and find you are no longer able to access them, or until it has finished encrypting every file it can get its grubby little hands on and proudly displays a ransom demand something similar to this:
A brief overview:
Locky is a type of “ransomware” and it targets any office document it can access, be it on your local computer or on your network. This means that it also has the capability to encrypt your network-based backup files. If you can see it, then Locky can encrypt it.
When started, Locky silently gets to work encrypting your files, all of them, saving each under a new file name with a “.locky” extension and removing the original. This encryption makes them (at present, and for the foreseeable future) impossible to open, which, of course, can be devastating to an organisation of any size. Once the files are encrypted by Locky there are only 2 solutions: either restore from an unaffected backup, or pay the ransom and hope that the file encryption key will be released to you.
Minimising your risk:
As always, protection starts with user understanding and education. Locky repeatedly evades AV interception, so the more mindful the end user is of the potential risk, the better.
Always think before opening an attachment, even if you recognise the source.
If it subsequently requests access to run macros, then definitely think again before allowing them to run. (Remember our post about spoofed spam emails? Spammers can make their emails look like they are coming from a person or source you know and trust.)
If you start losing access to files, or if you see files named xxxxxxxx.locky, then alert your administrator straight away. Rapid reaction to the signs of an infection can seriously limit the damage done by Locky (and other viruses/ransomware).
If your backup strategy is simply to make a copy of your files in a different area of your network that you can browse to, it's time to keep your sensitive and important files in third-party storage or on removable media held offsite as a backup plan, so that you can recover from a ransomware infection.
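The “xxxxxxxx.locky” sign above is something an administrator can check for automatically rather than waiting for a user to notice. The script below is an added example, not code from the original post: it walks a share for files ending in .locky, counts how many were modified in the last few minutes (a burst means encryption is still running), and groups hits by directory so you can see which area is affected. It assumes it runs as a scheduled task on the file server with read access to the shares users can write to.

```python
# Added example (not the original post's code): scan a share for the
# ".locky" rename pattern and flag a burst that suggests encryption in progress.
import os
import sys
import time
from collections import Counter

LOCKY_SUFFIX = ".locky"

def is_locky_name(name):
    """Locky saves each encrypted file under a new name ending in .locky."""
    return name.lower().endswith(LOCKY_SUFFIX)

def scan_tree(root):
    """Walk root and return (path, mtime) for every .locky file found."""
    hits = []
    for dirpath, _subdirs, files in os.walk(root):
        for name in files:
            if is_locky_name(name):
                full = os.path.join(dirpath, name)
                try:
                    hits.append((full, os.path.getmtime(full)))
                except OSError:
                    continue  # file vanished mid-scan; keep going
    return hits

def assess(hits, now, window=300, burst=10):
    """Summarise hits for an administrator.

    total:  every .locky file seen (old leftovers included)
    recent: those modified within the last `window` seconds
    active: recent >= burst, i.e. encryption is probably still running
    by_dir: hits per directory, pointing at the affected share or user area
    """
    recent = [p for p, mtime in hits if now - mtime <= window]
    by_dir = Counter(os.path.dirname(p) for p, _ in hits)
    return {"total": len(hits), "recent": len(recent),
            "active": len(recent) >= burst, "by_dir": by_dir}

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    report = assess(scan_tree(root), time.time())
    print(f"{report['total']} .locky files, {report['recent']} in the last 5 min")
    for directory, count in report["by_dir"].most_common(5):
        print(f"  {count:5d}  {directory}")
    if report["active"]:
        print("ACTIVE ENCRYPTION SUSPECTED: isolate the machine writing these files")
```

Run it as `python locky_scan.py /path/to/share`; a non-zero “recent” count is the cue to disconnect the machine that is writing those files, as the recovery steps below describe.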
Recovering from a ransomware infection:
Switch off and disconnect any infected computer and do not turn it back on. Ensure all staff know that the machine must not be turned back on under any circumstances; put a big sign on it if required.
Ensure the source machine is cleaned or reinstalled, and scan the rest of your network to ensure no other machines are infected.
As mentioned above, once a file is encrypted and the original deleted, there are only 2 ways of getting that information back: either from your latest unaffected backup, or by paying the ransom and hoping you receive the decryption key. By far the better of these 2 alternatives is to recover from backup, but for this to be a viable option you need to have an effective backup solution in place BEFORE you are infected. Now is the time to re-assess your backup solution, rather than after an infection.
If you would like to talk to us further about this form of ransomware, backup solutions, or any other technical queries then please get in touch.