Blocking the Locky Ransomware Virus - Update and Tips

The new "Locky" ransomware virus began distributing itself worldwide last week. It arrives as a malicious Word attachment whose embedded code, once the user lets it run, downloads a trojan that encrypts local and networked hard drives and then demands a ransom payment to unlock your data. Traditional antivirus is nearly useless against these rapidly changing campaigns, some of which last only a few hours. To help protect yourself, take security precautions, refresh staff training, and consider using a premium hosted anti-spam service like SpamStopsHere to help provide zero-hour protection. We blocked more than 99.9% of the messages for our global customers!

Thanks to Greg C. for his data analysis and other help on this article!


What is Locky Ransomware?

In some ways, this is nothing new. Over the past year or so, we've blocked millions of messages for our global customers that use a similar "VBA macro" attack vector. Locky is just the latest in this payload delivery scheme, which in the past has included the Dridex banking trojan and other types of ransomware (such as Cryptowall).

If not blocked, the victim receives an email that requests payment on an attached "invoice", usually a Word file. The attachment contains some sort of executable code, like a VBA macro, that downloads the actual malware from a web site and runs it, encrypting the data on the victim's local and networked hard drives. It then displays a screen that demands a ransom to decrypt the data.

[Figure: malicious email attachment downloads and executes Locky ransomware]

What Do Locky Emails Look Like?

The emails are designed not to set off any red flags, either with users or antispam systems. Unlike phishing scams, they don't sound urgent and don't contain malicious links in the message body. Here's an example:

Good morning,

Please see the attached invoice and remit payment according to the terms listed at the bottom of the invoice.
If you have any questions please let us know.

Thank you!
[redacted name]
Accounting Specialist

Quickly Changing Patterns

The macros in the attached files and the email templates change too quickly for traditional antivirus and most on-premises antispam systems to keep up. During the first few days alone, we detected four campaigns with unique pattern signatures that only lasted a few hours each, and that was just the messages sent to one customer.

Here are some stats and patterns that may help you update your spam filtering. Note that three of the campaigns began to hit our servers before 8:00 AM (one as early as 1:43 AM). Our 24/7 live threat analysts are able to block even brand new campaigns like this within minutes, no matter when they hit, providing zero-hour malware protection. Anti-spam systems that require customers to update their filters may have left many businesses unprotected for hours.

All four campaigns below were observed in the mail sent to a single customer (times are EST).

                          Campaign 1                 Campaign 2                       Campaign 3               Campaign 4
Subject (example)         ATTN: Invoice J-02651810   Invoice 2016-44805738            Payment                  Invoice FEB-75781627
Attachment (example)      invoice_J-23002013.doc     SCAN_INVOICE_2016_34966281.doc   unnamed document.docm    invoice_feb-92928452.doc
Start (EST)               2016-02-16 5:17 AM         2016-02-17 1:43 AM               2016-02-18 7:08 AM       2016-02-19 7:51 AM
Duration                  6h 18m                     8h 06m                           1h 51m                   3h 55m
Messages blocked          55,590                     66,645                           6,607                    33,202
Unique sender addresses   55,570                     66,631                           3,267                    33,194
Unique sender IPs         28,335                     26,242                           6,509                    18,495

What changed from message to message: in campaigns 1 and 4, the digits in the subject's invoice number and in the attachment filename; in campaign 2, only the second group of digits in each; in campaign 3, the subject and filename were fixed and instead the sender addresses were identical except for a string of digits that changed with each message.

Traditional Antivirus Won't Block

These campaigns each lasted only about 2, 4, 6 and 8 hours. Installed antivirus software and on-premises systems tend to be updated too slowly to detect malware like this. In one instance, only a few antivirus vendors were detecting the payload 24 hours later, by which time the campaign had already moved on to a new variant that was once again undetected.

Premium Hosted Antispam with Antivirus is the Best Protection

We've talked about this issue here on our other blog. Hosted antispam services are now your best first-line of defense against rapidly-changing email threats. We can detect them sooner because we do much more than just scan the attachment. We can see spammy global traffic patterns and analyze the entire delivery mechanism (email headers, message body, etc.). With our global database updated every two minutes, we can provide zero-hour protection.

SpamStopsHere Blocked > 99.9% with Zero-Hour Protection

We blocked more than 99.9% of this threat, which is typical for us. Over the four days of campaigns mentioned above, we received millions of messages and less than 0.1% got through. Most of those that did were at the very beginning of the campaign. We quickly created new filters to block them.

Speaking of response time, we had new filters in place blocking two of the four campaigns globally in under 5 minutes. We had the other two campaigns blocked in only about 14 and 33 minutes. Many of our customers likely never even knew about the threat. That's zero-hour threat protection.

We block macro-based threats by scanning all attachments for a large variety of malicious coding techniques, tricks and algorithms.

That lets us block even the very first messages of a new campaign without needing signatures. Our knowledge base already covers virtually all of the tricks spammers use and is constantly updated by our analysts with information about new threats.

The Locky campaigns here employed a brand new technique that had not been seen before, so it took our team a few minutes to block them, first with signatures and later with a filter for the new coding technique itself. In contrast, signature-based antivirus systems take hours to update, and by then the campaign is already over.

How to Protect Against Locky

No antispam system can block 100% of email-based threats. Investing in the best spam filter your budget allows is generally a good idea (and can save money) but you should always back it up with other security precautions, staff training and custom filtering if you need it.

System and Network Security

Here are some tips for configuring your systems and network to protect against the spread of infections:

Disable Macros via Group Policy
Preventing VBA macros from running, and preventing users from enabling macros (except perhaps on a case-by-case, need-to-have basis), is a strong second layer of protection behind premium hosted spam filtering. In the Office administrative templates this is the "VBA Macro Notification Settings" policy under each application's Trust Center settings; "Disable all without notification" removes the "Enable Content" button that these lures depend on.
Implement and/or Review Backup Procedures
The best way to avoid paying a ransom to restore your data is to have a backup that you can recover from. Be sure that the backup solution does not use a drive mounted in Windows anywhere on your network, as most ransomware will encrypt data on all mounted drives (including network drives). Better still, keep at least one backup copy offline or on storage that ordinary user accounts cannot write to, and test that you can actually restore from it.
Use a Firewall/Proxy to Block Malware Downloads via HTTP(S) and FTP(S)
VBA and JavaScript downloaders typically connect to a compromised website to retrieve the primary malware they are intended to install (the actual ransomware executable). Although antivirus products typically will not identify the downloaders, they are often better at detecting the main payload (Cryptowall, Locky, Dridex, etc.), so a proxy that scans downloads, or blocks uncategorized sites, can stop the second stage even when the email itself got through.
Reduce the number of computers that can access common file servers
This reduces the chance that any infection can reach all files on the file server. In Windows, the "net" command can be used to connect to and disconnect from shared file servers, and with batch files and scheduled processes this can be automated. Note that removing a drive letter does not by itself deny access: malware running as the user can still reach a share by its UNC path, so the restriction should be enforced with share and NTFS permissions limited to the accounts that actually need them.

Custom Filtering

Your spam filter might have options you can enable to help block these types of threats.

Avoid Whitelisting
We strongly caution against using whitelisting as a strategy to reduce false positives, and our customers can generally heed that advice because our false positive rate is so low (< 0.001%). If you must, do NOT whitelist your entire domain or other common ones. Spammers know people do so and try to exploit it (e.g., by forging typical whitelisted addresses and domains).
Enable VBA Macro Filters
SpamStopsHere has an optional "VBA Macro Filter", which blocks all messages with an attachment containing VBA macros (whether or not they are malicious). Organizations that do not rely on emailing Word, Excel or other Office files with macros should consider enabling it. Organizations that do exchange macro-enabled files can still enable it for the domain and then use narrow whitelist entries and/or custom content filters for the specific users who need such messages to get through.
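As an added example (not SpamStopsHere code; the vendor's filter internals are not described on this page), the following Python script sketches both pieces of custom filtering discussed above: the per-campaign subject/attachment-name patterns from the table in "Quickly Changing Patterns", and a structural check for VBA macros of the kind the "VBA Macro Filter" performs, combined with a narrow per-recipient allowlist instead of a domain-wide whitelist. Everything not on the page is an assumption: the message dictionary layout, the allowlist format, the `\d{8}` generalisation of the example serial numbers, the byte-scan heuristic for VBA inside legacy OLE files (a production filter would parse the OLE directory, e.g. with oletools), and the constructed sample attachments, which are stand-ins rather than real documents.

```python
"""Attachment-side filter for macro-bearing "invoice" lures (added example)."""
from __future__ import annotations

import io
import re
import zipfile

# File-format markers.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls container
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML (.docx/.docm/.xlsm) is a zip
# In an OLE file the VBA project stream is named "_VBA_PROJECT" and the name is
# stored UTF-16LE in the OLE directory. Scanning the raw bytes for it is a
# heuristic (assumption); a production filter should parse the directory.
OLE_VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")

# Subject / attachment-name rules derived from the four campaigns in the table
# above. Only the digits changed per message; "\d{8}" generalises the examples
# (assumption about the serial length).
CAMPAIGN_RULES = [
    ("campaign-1", r"^ATTN: Invoice J-\d{8}$", r"^invoice_J-\d{8}\.doc$"),
    ("campaign-2", r"^Invoice 2016-\d{8}$", r"^SCAN_INVOICE_2016_\d{8}\.doc$"),
    ("campaign-3", r"^Payment$", r"^unnamed document\.docm$"),
    ("campaign-4", r"^Invoice FEB-\d{8}$", r"^invoice_feb-\d{8}\.doc$"),
]
CAMPAIGN_RULES = [(n, re.compile(s), re.compile(f, re.IGNORECASE)) for n, s, f in CAMPAIGN_RULES]

# Narrow allowlist: recipient -> senders allowed to mail them macro files.
# Per-user entries only, never a whole domain (see "Avoid Whitelisting").
MACRO_ALLOWLIST = {"finance@corp.example": {"controller@partner.example"}}


def attachment_has_vba(data: bytes) -> bool:
    """True if the bytes look like an Office file that carries a VBA project."""
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                # Macros in OOXML live in word/, xl/ or ppt/ vbaProject.bin.
                return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
        except zipfile.BadZipFile:
            return False
    if data.startswith(OLE_MAGIC):
        return OLE_VBA_MARKER in data
    return False


def classify(msg: dict, allowlist: dict) -> tuple:
    """Return ("block" | "allow", reasons) for msg =
    {"from", "to", "subject", "attachments": [(filename, bytes), ...]}."""
    reasons, block = [], False
    for name, subj_re, file_re in CAMPAIGN_RULES:
        if subj_re.match(msg["subject"]) and any(file_re.match(fn) for fn, _ in msg["attachments"]):
            reasons.append(f"matches {name} subject/attachment pattern")
            block = True  # a forged allowlisted sender does not rescue a campaign match
    for fn, data in msg["attachments"]:
        if not attachment_has_vba(data):
            continue
        if msg["from"] in allowlist.get(msg["to"], set()):
            reasons.append(f"{fn}: VBA present, sender allowlisted for this recipient")
        else:
            reasons.append(f"{fn}: contains VBA macros")
            block = True
    return ("block" if block else "allow"), reasons


# --- constructed sample attachments (stand-ins, not real documents) ---------
def fake_ole_with_vba() -> bytes:
    return OLE_MAGIC + b"\x00" * 16 + OLE_VBA_MARKER + b"\x00" * 16


def fake_ooxml(with_macros: bool) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\x00" * 8)
    return buf.getvalue()


SAMPLE_MESSAGES = {  # constructed, modelled on the campaign table above
    "campaign-1 lure": {"from": "a9123@sender.example", "to": "ap@corp.example",
                        "subject": "ATTN: Invoice J-02651810",
                        "attachments": [("invoice_J-23002013.doc", fake_ole_with_vba())]},
    "campaign-3 lure": {"from": "x0042@sender.example", "to": "ap@corp.example",
                        "subject": "Payment",
                        "attachments": [("unnamed document.docm", fake_ooxml(True))]},
    "plain docx": {"from": "hr@corp.example", "to": "ap@corp.example",
                   "subject": "Holiday schedule",
                   "attachments": [("schedule.docx", fake_ooxml(False))]},
    "allowlisted macro file": {"from": "controller@partner.example", "to": "finance@corp.example",
                               "subject": "Budget model",
                               "attachments": [("model.docm", fake_ooxml(True))]},
    "forged macro file": {"from": "controller@partner.example", "to": "ap@corp.example",
                          "subject": "Budget model",
                          "attachments": [("model.docm", fake_ooxml(True))]},
}


def run_samples() -> dict:
    verdicts = {}
    for label, msg in SAMPLE_MESSAGES.items():
        verdict, reasons = classify(msg, MACRO_ALLOWLIST)
        verdicts[label] = verdict
        print(f"{verdict:5} {label:24} {'; '.join(reasons) or 'no findings'}")
    return verdicts


if __name__ == "__main__":
    run_samples()
```

Running it prints one verdict per sample message. The campaign rules are deliberately anchored, exact-subject matches: in these runs only the digits varied, and a looser rule ("Invoice" anywhere in the subject plus any .doc) would start blocking real invoices. The last two samples show why the allowlist is keyed by recipient: the same sender address that is trusted for finance@ is blocked when it turns up, forged or not, in someone else's inbox.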

Maintain Staff Training

As we have said, no spam filter or system configuration can block 100% of these threats. Because a few will probably get through, your last line of defense is your coworkers. Make sure everyone at your company (including all management) knows how to recognize all types of spam. Training should include:

Don't Click. Browse.
If you receive an email from a vendor (like eFax, Office Max, etc.) with an attached file or an urgent message about your account, do not open the file or click on the link. If you need to check your account, open a new browser tab, manually go to the company's web site and log in to your account. Generally, such companies will not send you an attachment or ask you to confirm your account credentials, so always be suspicious of an attached file or urgent-sounding message about your account status. Try to confirm that the vendor sent you a file or, better yet, download or view the file from within your account there. The extra minute or so can save you or your company from a lot of damage.
Confirm Before Clicking
If you receive a Word, Excel or other document attached to an email, confirm with the sender before you open it that they intended to send it to you, ideally by phone or in a new message rather than by replying, since the From address may be forged. Even that is not foolproof, as their system could be infected. If you absolutely must open the file, DOWNLOAD it (do not run it from within your email client) and then scan it for viruses first.

Try SpamStopsHere Free for 30 Days

Check back for updates on this and other email-based threats. In the meantime, if you're having trouble blocking them yourself, you can try any edition of SpamStopsHere free for 30 days. You'll see how virtually worry-free spam and malware filtering can transform your working day!
