Inside a ransomware attack: Infecting a system with Locky

CSO infected a laptop with Locky ransomware, so you can see what a ransomware attack looks like

Locky ransomware infects a Windows 10 computer
Steve Ragan

CSO (the parent and host of XSS) wanted to demonstrate the speed and devastation that come with a ransomware attack, and the only way to do that was to infect one of our own systems. So just before the Thanksgiving holiday in the U.S., that's exactly what we did.

The first thing that stands out when you infect a system with ransomware is the speed. In less than a minute, the system went from fully functional to essentially useless. Not only were the local files encrypted, but the backup files on the external hard drive attached to the computer were encrypted as well.

The ransomware family used in our experiment, which you will see in the video below, was Locky.

Locky ransomware

The Locky ransomware family emerged in February 2016 and quickly became a favorite among criminals. In fact, depending on how you measure infection rates, it is either the first or second most common type of ransomware on the Web.

Locky was seen in 18 countries on the day it first appeared, and that number jumped to 61 countries twenty-four hours later. By the end of its first week, Locky had touched 109 countries across six continents.

Arguably, Locky is one of the most widely disseminated ransomware families today; the malware has been detected in 200 countries on all seven continents.

On a single day in October, security firm AppRiver recorded 14 million emails laced with Locky moving across the Internet. Malwarebytes Labs says that between July and October of 2016, Locky accounted for more than 14 percent of its ransomware detections worldwide, and ten percent of those in the U.S.

“The main reason for Locky's success is the constant variation and expansion of its distribution mechanisms, including spam emails and malvertising. The actual ransomware is nothing exceptional, but a lot of work has been put into getting it onto as many machines as possible,” explained Omer Dembinsky, Lead Data Analyst for Check Point Software.

Locky is commonly found in email, because it's a quick and cheap delivery method for criminals, who often rent the infrastructure needed to target people. Some of the more common email subject lines focus on simple topics or terms, such as:

  • !! Urgent Payment Request
  • Receipt
  • Important Information
  • Overdue Invoice
  • It Is Important
  • Scan Paper
  • Order #(random numbers)
  • Attention Required
  • Document Scan
  • Delivery Status
  • Please Pay Attention
  • Virtual Card
  • Financial Documents
  • Health Insurance
  • Suspicious Movements
  • E-Ticket
  • Wrong Tracking Number

Stopping ransomware

The first line of defense against Locky is to avoid opening email attachments from people you don't know, especially if the message uses any of the aforementioned subject lines. Also, if you open an Office document (Word, Excel, etc.) and it asks you to enable macros, don't: in Locky's document-based campaigns, that macro is what fetches and runs the ransomware.
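The two warning signs above, a generic invoice/receipt/scan subject line and an Office attachment that carries a VBA macro project, can both be checked automatically at the mail gateway before a user ever sees the message. The following is an added example, not code from CSO or from the article: it parses a raw RFC 822 message, compares the subject against the lure list given earlier (the "Order #" lure is matched as a prefix followed by digits), and inspects each attachment for an OOXML container holding a `vbaProject.bin` part, which is where Word, Excel and PowerPoint store macros. The sample message, the sender and recipient addresses, and the placeholder macro bytes are all constructed for the demonstration.

```python
"""Triage an inbound email for the two Locky lures described in the article:
a generic 'invoice/receipt/scan' subject line and an Office attachment that
carries a VBA macro project.  Added example; not code from the article."""
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Subject lines listed in the article, normalised to lowercase.  "Order #"
# is followed by random digits, so it is matched as a regex instead.
LURE_SUBJECTS = {
    "!! urgent payment request", "receipt", "important information",
    "overdue invoice", "it is important", "scan paper", "attention required",
    "document scan", "delivery status", "please pay attention", "virtual card",
    "financial documents", "health insurance", "suspicious movements",
    "e-ticket", "wrong tracking number",
}
LURE_PATTERNS = [re.compile(r"^order #\d+$")]

# Inside an OOXML (zip) container a VBA project lives at one of these paths.
VBA_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")


def subject_is_lure(subject: str) -> bool:
    """Normalise whitespace and case, then compare against the lure list."""
    s = re.sub(r"\s+", " ", subject or "").strip().lower()
    return s in LURE_SUBJECTS or any(p.match(s) for p in LURE_PATTERNS)


def has_vba_project(data: bytes) -> bool:
    """True if the bytes are a zip-based Office document containing a VBA project.
    Legacy binary .doc/.xls files are OLE, not zip, and are not inspected here."""
    if not data.startswith(b"PK\x03\x04"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name in VBA_PARTS for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def triage(raw_message: bytes) -> dict:
    """Return the findings for one message and a quarantine decision."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = {"subject_lure": subject_is_lure(msg["Subject"]),
                "macro_attachments": []}
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        if has_vba_project(payload):
            findings["macro_attachments"].append(part.get_filename())
    findings["quarantine"] = (findings["subject_lure"]
                              or bool(findings["macro_attachments"]))
    return findings


def build_sample_message() -> bytes:
    """Constructed sample (not a real Locky email): a lure subject with a
    macro-enabled .docm attached.  The vbaProject.bin content is a
    placeholder, not an actual macro."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\x00placeholder-vba\x00")
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"      # hypothetical sender
    msg["To"] = "victim@example.invalid"         # hypothetical recipient
    msg["Subject"] = "Overdue Invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12",
                       filename="invoice_4471.docm")
    return msg.as_bytes()


if __name__ == "__main__":
    print(triage(build_sample_message()))
```

Either signal alone is enough to quarantine in this example; in practice you would route subject-only hits to a sandbox and block macro-bearing attachments from unknown senders outright, since a legitimate invoice almost never needs a macro.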

The second line of defense is antivirus software and, in some cases, Windows Defender. On Windows 10, Windows Defender does a decent job against known ransomware families and variants, but it is far from perfect and should not be your primary layer of protection.

Note: During testing, the variant of Locky CSO used to infect our laptop wouldn't run 24 hours later, because Windows Defender prevented it from being saved to the desktop.

As for vendors, some antivirus (AV) vendors are better than others at signature-based defenses, but as far as ransomware is concerned they are all roughly equal: they either stop it or they don't.

When it comes to AV, pick a vendor that doesn't drag your system down, updates its software regularly, and is affordable. Symantec and Kaspersky are both popular AV offerings, but there are also Avast!, Malwarebytes, McAfee, Bitdefender, Panda, and ESET, just to name a few.

Finally, make sure you have system restoration functionality enabled and backups that are regularly maintained and tested. Store your backups off-system, for example on an external drive that isn't permanently connected; otherwise (as shown in the video) the ransomware will encrypt those files too.

For our experiment, CSO used the System Restore settings that come with Windows 10, as well as the default backup settings. Both worked as expected and were easy to maintain. The video for recovering from ransomware can be seen here.
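"Tested" is the part of that advice most people skip. A backup that was silently encrypted on a still-connected drive looks fine in a file listing; it is only the contents that are gone. The following is an added example, not CSO's procedure and not part of the Windows backup tooling: it writes a SHA-256 manifest next to the copied files and then re-verifies the copy, and the demo function simulates what the video shows by overwriting one backed-up file on the "attached drive" with random bytes the way an encryptor would. The directory names and file contents are constructed for the demonstration.

```python
"""Take a backup with a SHA-256 manifest and verify it later, so a backup can
be tested rather than just taken.  Added example, not the article's procedure."""
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream-hash a file so large backups do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def backup(src: Path, dst: Path) -> dict:
    """Copy src into dst and write dst/manifest.json mapping relative path -> sha256.
    Keep a second copy of the manifest somewhere the backup drive cannot reach;
    an encryptor that rewrites the manifest too would defeat a single copy."""
    manifest = {}
    for p in sorted(src.rglob("*")):
        if p.is_file():
            rel = p.relative_to(src).as_posix()
            target = dst / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(p, target)
            manifest[rel] = sha256_file(target)
    (dst / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify(dst: Path) -> list:
    """Return the relative paths whose hash no longer matches the manifest,
    or that are missing entirely.  An empty list means the backup is intact."""
    manifest = json.loads((dst / "manifest.json").read_text())
    bad = []
    for rel, digest in manifest.items():
        p = dst / rel
        if not p.is_file() or sha256_file(p) != digest:
            bad.append(rel)
    return bad


def demo() -> tuple:
    """Constructed scenario: back up two files to a 'USB drive', confirm the
    copy verifies, then overwrite one backed-up file with random bytes (what
    ransomware does to a connected backup drive) and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "documents"), Path(tmp, "usb_backup")
        src.mkdir()
        (src / "report.docx").write_bytes(b"quarterly report contents")
        (src / "photos").mkdir()
        (src / "photos" / "cat.jpg").write_bytes(b"\xff\xd8\xff fake jpeg")
        backup(src, dst)
        before = verify(dst)                                  # intact: []
        (dst / "report.docx").write_bytes(os.urandom(64))     # simulated encryption
        after = verify(dst)                                   # ["report.docx"]
        return before, after


if __name__ == "__main__":
    print(demo())
```

The check catches corruption and encryption, but it does not prevent them: a drive that is plugged in while the machine is infected is reachable by the malware just like the local disk, which is why the drive should be disconnected between backups and the manifest kept somewhere else as well.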

Microsoft Support has additional details on creating a system restore point and configuring backups, should you need help.

Copyright © 2017 IDG Communications, Inc.
