How Locky Hijacks Every File On Your Network


It probably seems like we here at Empower IT are obsessed with security and in particular ransomware. We won’t deny this charge but our passion for protection is not without its merits. In many cases, security issues are avoidable and when you consider just how damaging they can be to small and mid-sized organisations, not being secure is simply reckless. Every day small businesses are exploited for tens of thousands of dollars because they aren’t aware of security threats that can infiltrate their company through the internet and email in particular.

Locky is the latest and arguably most prominent form of ransomware targeting businesses in Australia at the moment. According to statistics from software security company Fortinet, there were over 3.5 million Locky infections worldwide during the last two weeks of February. This was only the beginning and experts including McAfee believe Locky will continue to proliferate as its design coupled with a brutal effectiveness makes it the malware du jour for cyber criminals.

Once a computer or network is infected, all files on it are essentially locked, hence the name Locky. These files can only be unlocked with the encryption key, which is held by the cyber criminals who infected the system in the first place. They are happy to provide it should you meet their demands, normally a few hundred dollars payable via Bitcoin.

In order to better understand malware, you should know what it looks like, how it works and what you can do should it infect your computer systems. We’ve compiled a brief guide on Locky to help bring you up to speed on this powerful form of ransomware.

Where does Locky come from?

Email scams continue to target businesses of all sizes and more of these are featuring attachments loaded with Locky. These emails come in the form of phishing and are disguised to look as if they are being sent from government agencies or other entities you might trust. We recently wrote about a scam email that looked as if it was from Australia Post. This has been one way cyber criminals have tricked users into downloading malware-infected attachments onto their computer.

When it comes to Locky, these suspicious attachments come in two forms: either a Microsoft Word document or a JavaScript file hidden inside a zip archive. Let’s take a look at how each one of these appears and how it installs itself onto your system.

Infected Word document – When you download a Locky-infected Word document you will notice a block of gibberish text that resembles the Wingdings font, which you probably haven’t used since year six of primary school. There will also be a note at the top of the document telling you to enable macros to correct the encoding. As Sophos notes, doing this actually runs code inside the document that saves the infected file to your disk and runs it, installing Locky in the process.

Infected zip file – If you download a zip file attachment infected with Locky, it will extract like any other zip file. However, when you open the extracted folder you will see a couple of unfamiliar icons, which are .exe files. If you click on one of these, the installation process begins. There is essentially nothing you can do at this stage and, while you may not realise it at the time, Locky will soon begin encrypting your files.
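Both delivery forms described above can be caught before they reach a user’s inbox. The following is an added example, not code from Empower IT or from any vendor named in this article: a small attachment-triage check that holds an Office document if its package contains a VBA macro project (stored as vbaProject.bin inside the document’s zip structure) and holds a zip archive if it contains an executable or script file. The sample attachments are constructed in memory so the check runs offline; the list of blocked extensions is an assumption for illustration.

```python
import io
import re
import zipfile
from dataclasses import dataclass, field

# Assumed policy list: file types treated as executable content when found
# inside an archive or sent as a bare attachment (.js covers Locky's script form).
EXECUTABLE_EXTENSIONS = (".exe", ".js", ".jse", ".vbs", ".scr", ".bat", ".cmd")

# Office Open XML documents are zip packages; a VBA macro project lives at this path.
VBA_PROJECT_RE = re.compile(r"(^|/)vbaProject\.bin$", re.IGNORECASE)


@dataclass
class Verdict:
    filename: str
    block: bool = False
    reasons: list = field(default_factory=list)


def inspect_attachment(filename: str, data: bytes) -> Verdict:
    """Return a Verdict saying whether the attachment should be held for review."""
    verdict = Verdict(filename=filename)
    lower = filename.lower()

    # Not a zip package: judge bare binaries and scripts by extension alone.
    if not zipfile.is_zipfile(io.BytesIO(data)):
        if lower.endswith(EXECUTABLE_EXTENSIONS):
            verdict.block = True
            verdict.reasons.append("executable attachment")
        return verdict

    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()

    # Check 1: a macro project inside an Office package (checked regardless of the
    # outer extension, so a .docm renamed to .zip is still caught).
    if any(VBA_PROJECT_RE.search(n) for n in names):
        verdict.block = True
        verdict.reasons.append("Office document contains a VBA macro project")

    # Check 2: executable or script files inside an archive.
    bad = [n for n in names if n.lower().endswith(EXECUTABLE_EXTENSIONS)]
    if bad:
        verdict.block = True
        verdict.reasons.append("archive contains executable content: " + ", ".join(bad))
    return verdict


def _build_zip(entries: dict) -> bytes:
    """Build a zip archive in memory from {name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples (placeholders, not real malware): a macro-bearing document,
# a clean document and a zip carrying a script file.
SAMPLE_MACRO_DOC = _build_zip({
    "[Content_Types].xml": "<Types/>",
    "word/document.xml": "<w:document/>",
    "word/vbaProject.bin": b"\x00placeholder",
})
SAMPLE_CLEAN_DOC = _build_zip({
    "[Content_Types].xml": "<Types/>",
    "word/document.xml": "<w:document/>",
})
SAMPLE_SCRIPT_ZIP = _build_zip({"invoice_12345.js": "// constructed placeholder"})

if __name__ == "__main__":
    samples = [("invoice.docm", SAMPLE_MACRO_DOC),
               ("report.docx", SAMPLE_CLEAN_DOC),
               ("invoice.zip", SAMPLE_SCRIPT_ZIP)]
    for name, blob in samples:
        v = inspect_attachment(name, blob)
        print(name, "HOLD" if v.block else "allow", v.reasons)
```

The macro check is deliberately independent of the file’s outer extension, and a document with no macro project passes, so ordinary .docx reports are not held. The extension list is a starting point to tune against your own mail flow.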

Stage 1 – Encryption behind the scenes

Once it has been installed, Locky starts getting to work with some highly technical manoeuvring that only the most adroit of computer scientists would recognise or even understand. After it has done this it stealthily begins encrypting all files that hold even the tiniest bit of value. Documents, spreadsheets, photos and the like will be gone. At the moment it is believed that Locky can encrypt over 160 file types, including files from several business-centric applications such as CAD files.

Malwarebytes Labs explains that the encrypted files are completely renamed by Locky so that the name is nothing but a string of letters and numbers that gives no clue to what the file was. All the files will also end with the extension .locky and have nothing else to distinguish them.

And remember, it is not just your hard drive that will be attacked should a computer become infected. Locky is able to attack fixed and removable drives connected to a computer as well as any network shares. This has made small and medium-sized organisations with shared networks particularly vulnerable, as the threat can spread to affect every file at a business, effectively shutting it down.
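The renaming behaviour just described is also what makes an infection detectable early on a file server: a single user renaming many files to the .locky extension within a short window is not normal activity. The following is an added example, not code from Empower IT or Malwarebytes Labs: a sliding-window detector run over constructed file-server rename events (the log format itself is an assumption, with quoted paths so that file names containing spaces parse cleanly). It raises one alert per user once their rename-to-.locky count within the window reaches a threshold, which is the signal that would justify isolating that workstation and the share it writes to.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format: one rename event per line, chronological order, quoted paths.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) action=RENAME '
    r'src="(?P<src>[^"]*)" dst="(?P<dst>[^"]*)"$'
)


def parse_line(line):
    """Parse one event line into a dict, or return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def detect_rename_bursts(lines, window_seconds=60, threshold=5):
    """Return one alert per user whose renames to .locky within the window reach threshold."""
    recent = defaultdict(deque)   # user -> timestamps of .locky renames inside the window
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or not ev["dst"].lower().endswith(".locky"):
            continue   # ignore unparseable lines and ordinary renames
        q = recent[ev["user"]]
        q.append(ev["ts"])
        # Drop events that have fallen out of the sliding window.
        while q and ev["ts"] - q[0] > timedelta(seconds=window_seconds):
            q.popleft()
        if len(q) >= threshold and ev["user"] not in alerted:
            alerted.add(ev["user"])
            alerts.append({
                "user": ev["user"],
                "host": ev["host"],
                "first_seen": q[0],
                "count": len(q),
                "sample_path": ev["dst"],
            })
    return alerts


# Constructed sample log: one benign rename, a burst of six .locky renames by one
# user, and a single .locky rename by another user that stays below threshold.
SAMPLE_LOG = r"""
2016-02-18T09:14:00 host=FS01 user=akhan action=RENAME src="\\FS01\shared\report.docx" dst="\\FS01\shared\report_v2.docx"
2016-02-18T09:14:03 host=FS01 user=jsmith action=RENAME src="\\FS01\shared\Q1 budget.xlsx" dst="\\FS01\shared\A1B2C3D4E5F6A7B8C9D0E1F2A3B4C5D6.locky"
2016-02-18T09:14:05 host=FS01 user=jsmith action=RENAME src="\\FS01\shared\contract.docx" dst="\\FS01\shared\0F1E2D3C4B5A69788796A5B4C3D2E1F0.locky"
2016-02-18T09:14:07 host=FS01 user=jsmith action=RENAME src="\\FS01\shared\site plan.dwg" dst="\\FS01\shared\1234567890ABCDEF1234567890ABCDEF.locky"
2016-02-18T09:14:09 host=FS01 user=jsmith action=RENAME src="\\FS01\shared\photo1.jpg" dst="\\FS01\shared\FEDCBA0987654321FEDCBA0987654321.locky"
2016-02-18T09:14:11 host=FS01 user=jsmith action=RENAME src="\\FS01\shared\payroll.xlsx" dst="\\FS01\shared\00112233445566778899AABBCCDDEEFF.locky"
2016-02-18T09:14:13 host=FS01 user=jsmith action=RENAME src="\\FS01\shared\minutes.docx" dst="\\FS01\shared\FFEEDDCCBBAA99887766554433221100.locky"
2016-02-18T09:15:00 host=FS01 user=akhan action=RENAME src="\\FS01\shared\old.txt" dst="\\FS01\shared\ABCDEF0123456789ABCDEF0123456789.locky"
""".strip().splitlines()

if __name__ == "__main__":
    for alert in detect_rename_bursts(SAMPLE_LOG):
        print(f"ALERT user={alert['user']} host={alert['host']} "
              f"first_seen={alert['first_seen']} count={alert['count']}")
```

The threshold and window are tuning knobs: five renames in sixty seconds is low enough to fire within the first seconds of an outbreak on a share, yet an ordinary user never produces that many .locky names. Because Locky reaches network shares through the infected workstation’s own credentials, the alert’s user field is exactly what you need to disable the account and pull the machine off the network.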

Stage 2 – Revealing itself

It isn’t until after the encryption has taken place that most people realise Locky has infiltrated their systems. In most cases, Locky announces itself via your computer’s desktop background, informing you it has been installed and giving you directions on how to pay the ransom. In addition to this, there is likely to be an unencrypted text file on your computer containing these instructions as well.

Stage 3 – Making a decision

The first thought most people have is to use the shadow volume copies saved on their computer to restore their system. Unfortunately, Locky deletes these during the encryption process, leaving you with two options to regain access to your files: use an off-site backup to restore everything or pay the ransom.

If your company uses off-site backups, or has an on-site backup that is not connected to a network share, you can restore your system from that and avoid paying the ransom. However, if you do not have any backups in place, the situation leaves you with your back against the wall. In many cases, small businesses must have access to their files and end up paying the ransom, which normally costs somewhere between $200 and $700. In nearly every case, the encryption key is provided and you do get access to your files back, but it isn’t just about the ransom. Every minute your company is without access to critical files and applications is downtime, and it is costing you in countless other ways.

The Director of Empower IT, Salim Sukari says, “Locky caught many businesses by surprise at the start of the year thanks to its advanced phishing techniques and comprehensive encryption process that renders files inoperable. However, now that more is known about it, you can take steps to safeguard your business. For starters, make sure you and your staff are aware of what to look for and avoid the downloading of any suspicious email attachments. It’s also important to have backups in place to prevent you from being at the mercy of cyber criminals in times like this.”

Locky is simply the latest in a long line of threats to your company’s technology. Cyber crime is a big business and one that continues to grow in Australia. Not putting the proper protections in place at your company nowadays is an unnecessary risk that could haunt you in the future. Get in touch with Empower IT today for information on how you can improve your security.