Last month, reports emerged that the Locky, an deadly ransomware, which made headlines in 2016 might strike again anytime and now it looks like, has made its way into India.
State-run Indian Computer Emergency Response Team (CERT-In) has issued an advisory that Locky ransomware is spreading fast in India and warned the citizens not to open any emails with attachments from unknown senders.
CERT-In has come to know that over 23 million messages have been sent in this campaign. The messages contain common subjects like "please print", "documents", "photo", "Images", "scans" and "pictures". However, the subject texts may change in targeted spear phishing campaigns.
"The messages contain "zip" attachements with Visual Basic Scripts (VBS) embedded in a secondary zip file. The VBS file contains a downloader which polls to domain "greatesthits[dot]mygoldmusic[dot]com" (please do not visit this malicious website) to download variants of Locky ransomware," CERT-In warned.
If the system is infected by Locky all files are encrypted and string with random numbers with extension "[.]lukitus" or "[.]diablo6" is appended to the encrypted files. It may be noted that earlier variants of Locky add extension ".locky" to the encrypted files.
"After encryption, desktop background is changed with instructions and a "htm" file with a name "Lukitus[dot]htm". The instructions contain installation of TOR browser and visiting ".onion" sites and demanding ransom of ".5 Bitcoins," CERT-In added.
It is also reported that a spam campaign showing links to fake dropbox sites is being used to spread Locky variants.
Read more: Locky ransomware: All you need to know
What makes Locky malware more deadly compared to others is that it is capable of understanding the sensitivity of the hacked files and set an individual price-tag for particular data and earn high-value ransom in quick time.
So far, Locky malware creators are said to have extorted more than $7.8 million in payments from victims.
Here's how to protect your PCs from ransomware and malwares:
- Always keep your PCs updated with latest firmware; most software companies including Microsoft and Apple usually send software updates regularly in terms of weekly or monthly, always make sure to update them immediately
- Make sure to use premium Anti-virus software, which also provides malware protection and Internet security
- Never ever open email sent from unknown senders
- Disable ActiveX content in Microsoft Office applications such as Word, Excel, etc.
- Disable remote Desktop Connections, employ least-privileged accounts. Limit users who can log in using Remote Desktop, set an account lockout policy. Ensure proper RDP logging and configurations
- Never ever install plugins (for browsers) and application softwares on the PCs from un-familiar publishers
- System administrators in corporate companies should establish a Sender Policy Framework (SPF) for theri domain, which is an email validation system designed to prevent spam by detecting email spoofing by which most of the ransomware samples successfully reaches the corporate email boxes.
Additional security measures that may be considered by system administrators:
- Use RDP Gateways for better management
- Change the listening port for Remote Desktop
- Tunnel Remote Desktop connections through IPSec or SSH
- Two-factor authentication may also be considered for highly critical systems
List of malicious domains/IPs that are hosting Locky ransomware:
- files with extension " [.]lukitus" or "[.]diablo6"
- file Win[.]JSFontlib09[.]js
- Locky ransomware post-infection URL: hxxp://184.108.40.206/imageload.cgi
Fake dropbox sites:
For more information on updated list of latest malious URLs, check HERE.
Follow us @IBTimesIN_Tech on Twitter for latest news on cyber security and more.