The Locky ransomware is back and it’s worse than before. After a rather quiet start of 2017, Locky is hitting victims again via a spam campaign containing malicious docs.
According to My Online Security, the new wave of spam messages comes with emails pretending to be payment receipts with various subjects, including “Receipt 435,” “Payment Receipt 2724,” “Payment-2677,” and so on, where the numbers change.
The attachments are PDF files with nondescript names like P72732.pdf, which give away nothing about what’s inside and, therefore, add to the curiosity factor. When you open the PDF, you get prompted to open an embedded Word document. Just to be clear, this is highly suspicious behavior and not something anyone does.
If you open that file, the Word document opens and the typical malicious word document prompt pops up. More specifically, it tells you that the document is protected and you have to enable a macro to see the content.
Microsoft has made macros require specific action from users because of schemes like this one, where the feature was exploited by hackers seeking to spread malware onto computers. Enabling the macro will, obviously, unleash Locky.
The Locky binary is downloaded, decrypted, and saved to %Temp%\redchip2.exe. The file is then executed and the files on your computer are rapidly encrypted.
The files encrypted by Locky ransomware have an .OSIRIS extension, so they’re easy to spot.
When the job is done, the ransom note is displayed to inform the victim they have been infected. “All of your files are encrypted with RSA-2048 and AES-128 ciphers. […] Decrypting of your files is only possible with the private key and decrypt program, which is on our secret server,” the message reads.
The victim is then instructed to download and install Tor and to go to a certain address, demanding a Bitcoin payment in exchange for the decryption key.
The bad news is that there is currently no free decryption tool for Locky ransomware, so you’ll have to either say goodbye to your files or pay up, although the latter is never advisable. Security experts advise victims to keep the files in case they come up with a decryption key that works.
Source: New Locky Ransomware Campaign Detected, Spreading via Spam Emails
Link no longer working.