1. Computing

‘Locky’ ransomware harnesses the power of Microsoft Word to trick you into paying

By

How to get Microsoft Office for free
guteksk7/Shutterstock
Ransomware is a form of malware that’s more annoying than usual both because it revokes access to your computer, and because it then has the nerve to charge you money in order to reverse the lockout. A new type of ransomware, called Locky, appears to deceive users by taking after banking software Dridex.

In a typical Locky attack, victims are emailed a Microsoft Word document disguised as an invoice that requires that a macro app be executed from within the word processor. By default, macros are disabled by Microsoft. If you happen to have enabled them yourself, though, a macro will open from within Word and download Locky to your computer, explained Palo Alto Networks in a blog post earlier this week.

Because of the similarity to a process used by Dridex, many reports are assuming that the developer behind Locky bears some affiliation with the banking software developer “due to similar styles of distribution, overlapping file names, and an absence of campaigns from this particularly aggressive affiliate coinciding with the initial emergence of Locky,” Palo Alto stated.

The way ransomware works is that files on the computer are usually encrypted at the user’s expense, literally, as the malicious software will take control of your personal data and then charge a fee for you to regain access.

It appears the coders behind Locky were planning an attack on a colossal scale. In fact, Palo Alto Networks claims to have uncovered 400,000 sessions that take advantage of the Bartallex macro application used by the ransomware in question.

Unlike other ransomware, Locky’s command-and-control infrastructure tries to employ a key exchange in memory prior to file encryption. Notably, PC World states that this could serve as a weak point for the ransomware.

“This is interesting, as most ransomware generates a random encryption key locally on the victim host and then transmits an encrypted copy to attacker infrastructure,” Palo Alto’s post explains. “This also presents an actionable strategy for mitigating this generation of Locky by disrupting associated” command-and-control networks.

Kevin Beaumont, who wrote a Medium post about the ransomware, points out that files affected by a Locky attack are, quite logically, labeled with a “.locky” extension.

Beaumont adds that for those users affected by Locky within an organization, “You will likely have to rebuild their PC from scratch.

Editors' Recommendations

The best free antivirus software for 2021

best free antivirus

The best Android games currently available (March 2021)

android games

How to secure your Wi-Fi network

man wearing wireless earbuds

The best Android apps (March 2021)

best Android apps

How much RAM do you need?

ram prices are increasing until third quarter 2017 corsair vengeance led ddr4 memory

Here are all the new Macs rumored to launch in 2021

iMac 2021 redesign with five colors

Surface Pro 7, Surface Laptop 3 prices slashed at Best Buy — up to $400 off

Microsoft Surface Pro 7 with Type Cover Keyboard

This HP Chromebook is at its lowest price ever today at Amazon

hp chromebook 14 series deal amazon march 2021 laptop

Nvidia RTX 3060 vs. 3060 Ti vs. 3070

nvidia rtx 3060 vs ti 3070 geforce product gallery full screen 3840 2 bl

The most common HTC Vive problems, and how to fix them

amazon prime day htc vive cosmos vr deal

The best laptops under $500 for 2021

lenovo chromebook flex 5

Arduino vs. Raspberry Pi

arduino vs raspberry pi history of reupload

AMD shows why a GPU with 12GB of VRAM is essential for gaming performance

amd radeon rx 6700 xt 12gb gddr6 vram