The new "Locky" ransomware virus began distributing itself worldwide last week. It executes code in a malicious Word attachment, which downloads a trojan that encrypts local and networked hard drives. It then demands a ransom payment to unlock your data. Traditional antivirus is nearly useless against these rapidly changing campaigns, with some lasting only a few hours. To help protect yourself, take security precautions, refresh staff training, and consider using a premium hosted anti-spam service like SpamStopsHere to help provide zero-hour protection. We blocked more than 99.9% of the messages for our global customers!
Thanks to Greg C. for his data analysis and other help on this article!
What is Locky Ransomware?
In some ways, this is nothing new. Over the past year or so, we've blocked millions of messages for our global customers that use a similar "VBA macro" attack vector. Locky is just the latest in this payload delivery scheme, which in the past has included the Dridex banking trojan and other types of ransomware (such as Cryptowall).
If not blocked, the victim receives an email that requests payment on an attached "invoice", usually a Word file. The attachment contains some sort of executable code, like a VBA macro, that downloads the actual malware from a web site and runs it, encrypting the data on the victim's local and networked hard drives. It then displays a screen that demands a ransom to decrypt the data.
Malicious Email Attachment Downloads and Executes Locky Ransomware
What Do Locky Emails Look Like?
The emails are designed not to set off any red flags, either with users or antispam systems. Unlike phishing scams, they don't sound urgent and don't contain malicious links in the message body. Here's an example:
Please see the attached invoice and remit payment according to the terms listed at the bottom of the invoice.
If you have any questions please let us know.
Quickly Changing Patterns
The macros in the attached files and the email templates change too quickly for traditional antivirus and most on-premises antispam systems to keep up. During the first few days alone, we detected four campaigns with unique pattern signatures that only lasted a few hours each, and that was just the messages sent to one customer.
Here are some stats and patterns that may help you update your spam filtering. Note that three of the campaigns began to hit our servers before 8:00 AM (one as early as 1:43 AM). Our 24/7 live threat analysts are able to block even brand new campaigns like this within minutes, no matter when they hit, providing zero-hour malware protection. Anti-spam systems that require customers to update their filters may have left many businesses unprotected for hours.
Traditional Antivirus Won't Block
Premium Hosted Antispam with Antivirus is the Best Protection
We've talked about this issue here on our other blog. Hosted antispam services are now your best first-line of defense against rapidly-changing email threats. We can detect them sooner because we do much more than just scan the attachment. We can see spammy global traffic patterns and analyze the entire delivery mechanism (email headers, message body, etc.). With our global database updated every two minutes, we can provide zero-hour protection.
SpamStopsHere Blocked > 99.9% with Zero-Hour Protection
We blocked more than 99.9% of this threat, which is typical for us. Over the four days of campaigns mentioned above, we received millions of messages and less than 0.1% got through. Most of those that did were at the very beginning of the campaign. We quickly created new filters to block them.
Speaking of response time,
We block macro-based threats by scanning all attachments for a large variety of malicious coding techniques, tricks and algorithms.
That lets us block even the very first of new campaigns without needing signatures. Our knowledge base already covers virtually all of the tricks spammers use and is constantly updated by our analysts with information about new threats.
The Locker campaigns here employed a brand new technique that no one had been seen before, so it took our team a few minutes to block them, first using signatures and later by the new coding technique. In contrast, signature-based antivirus systems take hours to update and by then the campaign is already done.
How to Protect Against Locky
No antispam system can block 100% of email-based threats. Investing in the best spam filter your budget allows is generally a good idea (and can save money) but you should always back it up with other security precautions, staff training and custom filtering if you need it.
System and Network Security
Here are some tips for configuring your systems and network to protect against the spread of infections:
- Disable Macros via Group Policy
- Preventing VBA macros from running, and preventing users from enabling macros (except for perhaps on a case-by-base/need-to-have basis) can be a great second layer of protection to premium hosted spam filtering.
- Implement and/or Review Backup Procedures
- The best way to avoid paying a ransom to restore your data is to have a backup that you can recover from. Be sure that the backup solution does not use a drive mounted in Windows anywhere on your network, as most ransomware will encrypt data on all mounted drives (including network drives).
- Use a Firewall/Proxy to Block Malware Downloads via HTTP(S) and FTP(S)
- Reduce the number of computers that can access common file servers
- This will reduce the chance that any virus can access all files on the file server. In Windows, the "net" command can be used to connect and disconnect from shared file servers. With batch files and schedules processes, this can be automated.
Your spam filter might have options you can enable to help block these types of threats.
- Avoid Whitelisting
- We strongly caution against using whitelisting as a strategy to reduce false positives, and our customers can generally heed that advice because our false positive rate is so low (< 0.001%). If you must, do NOT whitelist your entire domain or other common ones. Spammers know people do so and try to exploit it (e.g., by forging typical whitelisted addresses and domains).
- Enable VBA Macro Filters
- SpamStopsHere has an optional "VBA Macro Filter", which blocks all messages with an attachment containing VBA macros (whether or not they are malicious). Organizations that do no rely on emailing Word, Excel or other Office files with macros might want to enable it. For those that do email files with VBA macros, they can enable it for their domain and set up specific whitelist entries and/or custom content filters could be used for specific users to let such messages through.
Maintain Staff Training
As we have said, no spam filter or system configuration can always block 100% of these threats. Because a few will probably get through, your last line of defense is your coworkers. Make sure everyone at your company (including all management) knows how to recognize all types of spam. Training should include:.
- Don't Click. Browse.
- If you receive an email from a vendor (like eFax, Office Max, etc.) with an attached file or urgent message about your account, do not open the file or click on the link. If you need to check your account, open a new browser tab and manually go to the company's web site and login it your account. Generally, such companies will not send you an attachment or ask you to confirm your account credentials, so always be suspicious of an attached file or urgent-sounding message about your account status. Try to confirm the vendor sent you a file or, better yet, download or view the file from within your account there. The extra minute or so can save you or your company from a lot of damage.
- Confirm Before Clicking
- If you receive a Word, Excel or other document attached to an email, before you click on it, confirm with the sender that they intended to send it to you. Even that is not foolproof, as their system could be infected. If you absolutely must open the file, DOWNLOAD it (do not run it from within your email client) and then scan it for viruses first.
Try SpamStopsHere Free for 30 Days
Check back for updates on this and other email-based threats. In the meantime, if you're having trouble blocking them yourself, you can try any edition of SpamStopsHere free for 30 days. You'll see how virtually worry-free spam and malware filtering can transform your working day!FREE Trial