Locky: Ransomware Distributed Using Dridex Trojan Botnet

A new ransomware campaign, named Locky because it encrypts victims’ files before demanding a ransom of half a bitcoin for the decryption key, is being distributed across the globe using the very same botnet that was used to spread the infamous Dridex banking trojan. Emails with a Word attachment dressed up as an invoice are being sent in huge numbers to recipients all over the world: thousands of computers in Europe, the US and Russia have already been infected, and infections have also been reported in Pakistan and Mali.

New Campaign, Same Old Technology

Whilst this may be a new campaign, the technology behind the ransomware is nothing new. As mentioned above, the Dridex botnet is being reused to distribute the malicious code via emails with a Word file attached to them. The code itself is in the form of a Word macro; malicious Microsoft Office macros have been an issue since the 1990s and, judging by the scale of this and other similar campaigns, do not look set to disappear anytime soon. Once the Word file is opened, the code contained in the embedded macro downloads and installs an executable file from a server on the web. This executable program then encrypts key folders on victims’ computers and leaves a text file in every directory it targets, containing instructions on how to obtain the decryption key.
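The delivery chain above starts with a Word attachment carrying a VBA macro, so a mail gateway's first useful check is whether an attachment is a container that can hold macros at all. The following triage function is an added example, not code from the original article or from any product it mentions: it recognises legacy OLE documents by their magic bytes, unpacks OOXML documents to look for an embedded VBA project, and flags macro content hiding under an extension (such as `.docx`) that should never carry one. The sample blobs it builds are constructed for offline testing and are not real lure files.

```python
"""Attachment triage for the Word-macro delivery chain described above (added example)."""
import io
import zipfile

# OLE2 compound-file magic: legacy binary .doc/.xls containers that can carry VBA macros.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# OOXML extensions that should never contain a VBA project (macro-enabled ones end in 'm').
MACRO_FREE_EXTS = {".docx", ".xlsx", ".pptx"}


def triage_attachment(filename: str, data: bytes) -> dict:
    """Classify an Office attachment by container type and presence of a VBA project.

    Returns a dict with 'kind' (ole / ooxml / unknown), 'has_macros' and a list of
    'reasons' that justify quarantining the message for deeper inspection.
    """
    name = filename.lower()
    ext = name[name.rfind("."):] if "." in name else ""
    result = {"kind": "unknown", "has_macros": False, "reasons": []}

    if data.startswith(OLE_MAGIC):
        # Legacy binary format: macros live inside an OLE storage, so a full parse is needed.
        result["kind"] = "ole"
        result["reasons"].append("legacy OLE document; requires macro inspection")
    elif data.startswith(b"PK"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            result["reasons"].append("corrupt OOXML container")
            return result
        result["kind"] = "ooxml"
        # OOXML stores VBA code in a vbaProject.bin part (normally under word/ for Word).
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            result["has_macros"] = True
            result["reasons"].append("embedded VBA project")
            if ext in MACRO_FREE_EXTS:
                result["reasons"].append(f"macro-enabled content under {ext} extension")
    else:
        result["reasons"].append("not an Office container")

    return result


def build_sample(with_macro: bool) -> bytes:
    """Constructed sample OOXML blob (not a real lure) for offline testing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()
```

An empty `reasons` list means the attachment is a plain OOXML document with no macro payload; anything else is a candidate for quarantine rather than delivery.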

Combatting Locky

Most of the big names in malware scanners are already aware of the existence of Locky and are picking it up before it can do any harm. As it only works with older, less secure versions of Microsoft Office, users of the latest software have nothing to fear, and if you are using reputable anti-spam software, malicious attachments of this nature will never make their way into your inbox. However, for those who have neither anti-spam software nor malware scanners, Locky could cause significant problems. At the time of writing, it is not known whether the decryption keys that are sent to victims who pay the ransom actually work.

What You Can Do

There are a number of very easy ways to prevent ransomware such as Locky from affecting you:

  1. Always update your Office software to the latest version.
  2. Use reputable software solutions such as the MailCleaner anti-spam gateway.
  3. Install a quality internet security suite.
  4. Never open attachments from senders whose identity is not known to you.
  5. Always keep backup copies of important files in a remote location that is not physically attached to your computer.

In the event you are unlucky enough to become a Locky victim, the best thing you can do is to consult a PC security expert. Simply paying the ransom will only encourage similar campaigns and you may well end up being asked for more money before you are given a decryption key that actually works. As always, the more vigilant we are in the first place, the less chance there is that this type of malicious code can infect our computers.