What a Locky Ransomware attack looks like

CSO Online | Jan 9, 2017

CSO Online's Steve Ragan infects a laptop with Locky Ransomware

Steve Ragan: Hi, my name's Steve Ragan with CSO Online. With me is my editor in chief, Joan Goodchild. Today, we're going to break company property. I'm going to infect this system with ransomware. Now, we cover ransomware a lot.
Joan Goodchild: We do.
Steve: It's probably the biggest malware type story we cover at CSO lately because it's everywhere. The particular sample of ransomware I'm going to play with today is Locky.
It's the number one variant of ransomware on the Internet, and it's only been around since February. I had a nifty little trivia tidbit. Do you know when the first ransomware variant was discovered?
Joan: I'm going to say last year.
Steve: No. I thought so too, until somebody did some digging for me, and turns out the first variant of ransomware happened in 1989.
Joan: How?
Steve: It was called the AIDS Virus or PC Cyborg. What had happened was it would encrypt your files and your DOS boot record. It would demand a payment of $189 to get your stuff back. That's ransomware.
Joan: What is ransomware?
Steve: Ransomware is a type of malware that will encrypt all of the important files on your computer. Not just your system files, but I'm talking like your documents. It's going to encrypt your photos. It's going to encrypt your movies. It's going to encrypt your music.
Anything that you value, it's going to take away from you. The only way you get it back is to either (a) recover your system or (b) pay the ransom.
Joan: Why is Locky so popular now? What is it about this particular variant of ransomware that makes it number one now?
Steve: Locky is easy to deploy. It's easy to manage the infrastructure itself. It's a turnkey business. Quite literally, you rent out some servers, pay somebody a cut of your take to host the stuff for you and mail out everything for you, or you actually rent the servers yourself.
For a small fee, you can get the code from another criminal, and you pay a transaction-based commission. That would be a good way to put it.
The barrier to entry to this type of crime and the ease of management makes it everybody's favorite. What we have here is Honeynet 2. You see on this email that Mark DeFlowers was kind enough to send me an urgent message.
Joan: Just like Martha.
Steve: I know. Just sending me some urgent message. If we look here, we see that the subject's "Urgent." It's very common for these types of attacks to use some basic generic subject lines in their emails.
You got "urgent," or if we come back over here, you could see, "Hello. Here's a scan for your consideration. We're up for an Oscar," apparently. That's what they're going for.
Joan: I was expecting one.
Steve: Insufficient funds, user agent. This looks like an image. I don't trust it. Overdue invoice. I've also seen things that are flight travel confirmations, shipping confirmations, things like that. The point is generic subject, "Dear contact..."
To be fair though, it is, "Dear contact," but also the name of the email account that's being spammed right now is contact@, so it would be, "Dear first name," or whatever. "Our accountant informed me that in the bill you processed..." Really?
"The invalid account number had been specified." Well, gee, that's all right. "Please be guided by instructions in the attachment to fix it up." [laughs]
Joan: I think that's what always gets me in these emails: they put all the effort in, but then the grammar and the spelling are never there [laughs].
Steve: I'm about to do something you should never do, which is open this attachment and run the file. I feel horrible now. They couldn't even put in the effort to make me want to do this. We have here, "Your unpaid contact." In fact, you know what I'm going to do, I'm going to pull this out.
Right click, cut. I want to put it in the main folder with all the other things because I want you to watch what happens now. Again, here on your right, this is our attached storage. Here on your left, this is our local document folder, so watch. I'm going to click it. I'm going to open it. I'm not going to touch the computer at all. I'm just going to watch. Bam! All gone.
Joan: Wow.
Steve: That's what it was. Normally, it's actually quicker, but still less than a minute and those things encrypted. What we have here is the image that pops up. The image is instructions warning me that my laptop's been encrypted. It gives me an address to visit, and we got to pay.
Joan: It's very helpful, these Wikipedia links that they offer you, so that you can get a little background history.
Steve: A little background on what it is and what's going on. Then of course, it automatically opened my browser for me. It shows me that. Now, there's something else that I don't want to do. I'm going to minimize some of this stuff here so you could see it. Again, this is our attached storage. Notice that all the files in it are encrypted. We're going to come back here to look at documents again.
Every file we had, the Excel document, the image, the PowerPoint, all of it, it's all gone. Also, notice the zip file we had on there. It's encrypted its own malware. It's all gone, every bit of it. What we've got, when we minimize this down, this is the backdrop or the background now on your computer.
It's also been changed to let me know that we've been infected. It tells me to download the Tor browser. I've already done that just to save us some time. We're going to start the Tor browser. Now that we've got Tor running, we're going to come here. Copy that address.
Joan: This is the address that's been set up for folks who have been infected to go and try to find out what they need to do to recover their machine.
Steve: When you load this up in this little page here, it tells you it's the Locky decrypter page. What happens is it gives you all the instructions you need to buy bitcoins, how to get bitcoins.
It gives you the wallet address you need to send payment to, which is right there. It also tells you how much you owe, three bitcoins. Bitcoin is a digital currency. It's a cryptocurrency that people use to stay anonymous when they do transactions. Obviously, we see here criminals deal with bitcoin. Bitcoin is a legit currency, so a lot of legit companies use bitcoin or accept bitcoin. You can buy it and trade in it, everything like that. Bitcoin's ticker is BTC. We're going to get a BTC to USD conversion, and it wants two or three bitcoins from us?
Joan: Three.
Steve: Three bitcoins is $2,234.94.
Joan: Wow.
Steve: To get our files back, we need to spend $2,200. Isn't that just lovely?
Joan: That's probably a lot more than what the machine is even worth.
Steve: Seriously, IT gave us this because they were going to recycle it. It's way more than what this machine is worth. At this point here, you're hoaxed. If you have backups, you can restore from those or throw them at your computer, whichever you see fit.
You would have to start the recovery process which I will explain and go through in a different video. We're not going to do that right now.
If you happen to run into this, and you get infected with Locky or some other type of ransomware, believe me, you'll know if it's ransomware because what you see on your desktop here, this is very common. It will show you stuff like this. You'll know. If it's a corporate computer, go to your IT department.
Do not be afraid to go to your IT department because nobody in IT is going to hold this against you. It's not your fault. You're a victim. Don't be panicked. You're not going to lose your job over this.
IT's going to take your machine, and 24 hours later, you're going to get it back. You won't know anything changed because they're just going to re-image it.
If you get infected with this at home, there are some things you need to do. You need to come to the realization that if you don't have current working backups, your files are gone. Do not pay the ransom. Do not. Don't negotiate. Don't try to make a deal. Don't try to contact. Don't pay the ransom. That's why it's so important to make sure you have accurate working backups. We'll cover backups here in a little bit.
Joan: We just infected a PC, but does this apply to Macs, too? Is everybody at risk for ransomware?
Steve: Ransomware as it is now, especially over the last couple of months, is strictly Windows-based. I've not seen a Mac-based ransomware, but I'm not going to say it's impossible. If there's a will, there's a way. Criminals are very devious in the fact that they will target where the money is.
There's a lot of money to be had in Macintosh. I haven't seen that yet, but that doesn't mean there haven't been malicious attacks against Mac users. Phishing is a very common threat vector for Mac users. There has been malware that's targeted OS X in the past. That's all still a very real risk that you have to face.
Joan: If you do get to this point, and you're already infected with ransomware, then what?
Steve: Again, if this is a corporate laptop, take it to IT, they're going to take care of you. If you're on your own, there are a few options you have. We're going to cover those in the next "Ransomware Nightmare" segment which you'll be able to find on CSO Online.
Joan: Great.
Transcription by CastingWords