Businesses warned about massive surge in Locky ransomware emails

Security researchers are warning of a sudden spike in the number of malicious emails carrying attachments that download and install ransomware onto the recipient's device. Once run, it encrypts the victim's files on their PC and demands a ransom for decryption.

Security expert Rodel Mendrez from Trustwave wrote in a blog post that around 4 million malware spam instances have been recorded in the last seven days, with 200,000 emails hitting their servers in a single hour.

Behind the surge is a malware strain called Locky, produced two weeks ago and sent from the same botnet that previously used malicious macros in documents to download the Dridex trojan.


But the malware has switched to attachments written in JavaScript, allowing them to slip under the radar of antivirus software.

Mendrez writes that this type of malware has a 'very destructive payload', and his post includes a walkthrough of exactly how it takes hold of a user's data.

After encrypting an infected machine, Locky asks for a payment of 3 bitcoins (£885) in exchange for a decryption key.

So how do you prevent yourself becoming a victim?

As spotting these emails manually can be virtually impossible, Mendrez advises that a robust gateway blocker is the only real solution.

'For those wanting extra protection, also carefully consider your inbound email policy,' says Mendrez. This means blocking inbound .js attachments and inbound Office documents at the gateway.

'While these steps might seem very strict, some companies have opted for them, at the same time as considering alternative ways to pass valid .js and macro documents into the organisation.'
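As an added illustration of the gateway policy Mendrez describes (example code written here, not Trustwave's or the article's own): a Python filter that flags messages carrying .js or Office-document attachments, looking one level inside zip archives since such droppers are commonly zipped. The exact extension list and the sample message are assumptions.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions to block at the gateway: .js plus Office document types.
# The precise list is an assumption for this example, not from the article.
BLOCKED_EXT = {".js", ".jse", ".doc", ".docm", ".xls", ".xlsm", ".ppt", ".pptm"}


def _ext(name: str) -> str:
    """Lower-cased extension of a filename, '' if it has none."""
    name = name.lower()
    return name[name.rfind("."):] if "." in name else ""


def blocked_names(raw: bytes) -> list[str]:
    """Return attachment names that violate the policy, checking one level
    inside zip archives; an empty list means the message may pass."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if _ext(name) in BLOCKED_EXT:
            hits.append(name)
        elif _ext(name) == ".zip":
            try:
                with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                    hits += [f"{name}:{n}" for n in zf.namelist() if _ext(n) in BLOCKED_EXT]
            except zipfile.BadZipFile:
                hits.append(f"{name}:<unreadable archive>")  # fail closed
    return hits


def build_sample(inner_name: str = "invoice.js") -> bytes:
    """Constructed test message: a text body, a zip holding one inert file
    named inner_name, and a harmless .txt attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, "// constructed placeholder, contains no code\n")
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.com", "b@example.com", "Invoice"
    msg.set_content("Please see attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="invoice.zip")
    msg.add_attachment("plain notes", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    print(blocked_names(build_sample()))  # ['invoice.zip:invoice.js']
```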

'And of course your last line of defense against ransomware infection is always having an up to date and good backup process.'

Ransomware attacks grow more common because they’re effective – and lucrative. Last year the prevalent ransomware Cryptowall cost businesses in the US at least $325 million.


As David Gibson, VP of strategy and market development at insider threat protection specialist Varonis explains, ransomware is effective because it’s relatively easy to trick someone into downloading malware via phishing.

'Once a user launches a piece of ransomware it often won’t be detected (until it’s too late) because most aren’t watching or analysing file activity on networked file shares or in SharePoint.'

This means that it’s difficult to spot and stop an attack or infection while it’s in progress. Without a record of activity, it’s difficult to know which files were encrypted and when, so recovering from backup can be challenging.

'It’s lucrative because many people and organisations end up deciding it’s just easier to pay,' says Gibson. 'User Behaviour Analytics that incorporates file activity can help detect and stop the spread of malware, and make recovery much more straightforward.'


Ben Rossi

Ben was Vitesse Media's editorial director, leading content creation and editorial strategy across all Vitesse products, including its market-leading B2B and consumer magazines, websites, research and...