Sign up to our newsletter
Weeks after it started attacking and encrypting victims’ files, Locky is still targeting many users. In order to provide more information about this threat, we have put together some information to help protect you in a better way.
Win32/Filecoder.Locky.A is a ransomware variant that encrypts files with over 100 file types such as images, videos, databases, etc. on fixed, removable, and network drives. When executed, the ransomware copies itself into the following location: %temp%\svchost.exe and adds a registry entry in order to be executed on every system start.
After this step, the user is requested to pay a ransom and the trojan removes itself from the computer. In addition, the malware collects information about the OS and system settings, as well as the list of the encrypted files; it then attempts to send these data to a remote machine, using the HTTP protocol.
As currently seen in ransomware variants, all the payment instructions are stored in a TOR link and the payment has to be made using bitcoins.
Since the end of February we have observed several propagation campaigns of ransomware – for example Locky and TeslaCrypt – being spread using the JS/TrojanDownloader.Nemucod malware. Those campaigns have achieved very high detection rates in ESET telemetry systems, such as LiveGrid®, with countries like Japan reaching almost 80%.
Those detection rates are calculated thanks to the users who are sending data automatically using the LiveGrid® System; it shows what percentage of the total amount of detected malware in our servers belongs to one variant.
If we take a look to the last week’s information, we can observe three big propagation campaigns since the end of February, the last one still being active at the time of writing (March 17th):
Which countries were more affected by these Trojan Downloaders propagation campaigns during last month? Japan leads the list, followed by other European countries such as Italy, UK and Ireland. We have to take in consideration that these detection rates changes every day and some countries like Germany and Spain also have very high detection rates:
Other regions such as North America, Australia, New Zealand and South Africa have also been affected and, since the email used to spread the ransomware is usually written in English, it makes sense that most of the mentioned areas are the ones where we find most of the detections.
It’s also interesting that the criminals are targeting most of the wealthiest countries, maybe expecting that the infected users will be more likely to pay in those countries.
How to protect yourself?
While protection methods that have been mentioned before in other ransomware campaigns applies perfectly to Locky, it’s not bad to review them and add some new ones:
Just make sure that you only connect to this backup system when you are doing the copy of the files. If you don’t, you might find your backup files also encrypted, since most ransomware looks for external drives and even shared folders and cloud storage services mapped to your file system.