Locky: The New Ransomware – and the Three Principles of Fighting Ransomware

According to Security Magazine, the number of ransomware attacks is predicted to increase in 2016. For the second quarter of 2015, more than 4 million samples of ransomware infections were identified as compared to 1.5 million in the third quarter of 2013. That’s a pretty big increase.


So what is ransomware? Ransomware is a piece of malware that encrypts your data and holds it hostage until you pay a ransom. The idea is that after you pay the ransom, you receive the decryption key that lets you decrypt your data and make it accessible again. The payment is made in bitcoins, since the bad guys don’t accept VISA or MasterCard. Earlier versions of ransomware encrypt your local drive and any other storage that appears to your computer as a drive letter, such as the external USB drive that shows up as L: or the flash drive that identifies itself as E:.

One of the latest versions of ransomware is called Locky, and it has brought the infection risk to a new level. Locky is delivered as a malicious Word macro. The good news is that execution of macros is disabled by default. So the first lesson is: don’t run the macro when you see the warning box. The really scary part about Locky is that it will also encrypt network shares reached through a UNC (Universal Naming Convention) path. A UNC path has the form \\<server name>\<share name>. You can recognize a Locky infection because it changes the extension of every file it encrypts to .locky. Many system administrators had been using UNC paths instead of mapped drive letters to reach network resources precisely to limit the impact of ransomware infections. With the release of Locky, even UNC paths won’t help you. As the bad guys evolve, so must we.
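To turn the .locky indicator into something a file-server administrator can actually check, here is an added detection example (not code from the original post): it reads constructed file-server audit events in a hypothetical `time|user|action|path` format and flags any account that writes several .locky files to UNC shares within a short window. The event format, the threshold of three files and the five-minute window are assumptions, not Locky-specific facts from the post.

```python
"""Flag a burst of .locky writes on UNC shares from constructed audit events."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (hypothetical format: time|user|action|path).
# Only 'bob' shows the mass-rename pattern; 'carol' has a single stray file.
SAMPLE_EVENTS = r"""
2016-02-17T09:00:01|alice|WRITE|\\fs01\finance\Q1\budget.xlsx
2016-02-17T09:12:40|bob|WRITE|\\fs01\hr\notes.docx
2016-02-17T09:30:02|bob|WRITE|\\fs01\hr\A1B2C3D4E5F60001.locky
2016-02-17T09:30:03|bob|WRITE|\\fs01\hr\A1B2C3D4E5F60002.locky
2016-02-17T09:30:03|bob|WRITE|\\fs01\finance\Q1\A1B2C3D4E5F60003.locky
2016-02-17T09:30:04|bob|WRITE|\\fs01\finance\Q1\A1B2C3D4E5F60004.locky
2016-02-17T09:30:05|bob|WRITE|\\fs01\finance\Q1\A1B2C3D4E5F60005.locky
2016-02-17T11:00:00|carol|WRITE|\\fs02\eng\old.locky
"""

# Captures <server> and <share> from a \\server\share\... path.
UNC_SHARE = re.compile(r"^\\\\([^\\]+)\\([^\\]+)\\")


def parse_events(text):
    """Parse pipe-delimited audit lines into (timestamp, user, action, path) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, action, path = line.split("|", 3)
            events.append((datetime.fromisoformat(ts), user, action, path))
    return events


def detect_locky_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Return {user: [affected UNC shares]} for users writing >= threshold
    .locky files within `window` (sliding window over that user's hits)."""
    per_user = defaultdict(list)
    for ts, user, action, path in events:
        if action == "WRITE" and path.lower().endswith(".locky"):
            per_user[user].append((ts, path))
    alerts = {}
    for user, hits in per_user.items():
        hits.sort()
        for i in range(len(hits)):
            j = i
            while j < len(hits) and hits[j][0] - hits[i][0] <= window:
                j += 1
            if j - i >= threshold:
                shares = set()
                for _, p in hits[i:j]:
                    m = UNC_SHARE.match(p)
                    if m:
                        shares.add("\\\\%s\\%s" % m.groups())
                alerts[user] = sorted(shares)
                break  # one alert per user is enough
    return alerts


if __name__ == "__main__":
    print(detect_locky_bursts(parse_events(SAMPLE_EVENTS)))
```

A single .locky file (carol) is not enough to alert; the burst from one account across two shares is what matters, and the affected shares tell you which backups to check first.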


So what can you do to minimize the chance of a ransomware infection? Probably the most effective method is training employees to recognize the delivery mechanism for ransomware. Obviously, don’t click on suspicious links or open unexpected attachments. Essentially, getting infected with Locky is a two-step process. First, you have to launch the Word attachment, which you shouldn’t have done in the first place. Second, you have to allow the macro to execute after you get the warning message. In other words, you’re not just stupid once, but twice. Regular training should significantly reduce the stupid factor.


There is no 100% solution to prevent a ransomware infection. There are software solutions designed to stop the installation and execution of ransomware, but new variants will get past them. In a Windows domain environment you can implement Group Policies to prevent certain software installations or access to particular areas of the computer.


Since no solution is 100% guaranteed, you need to make sure that your data is protected and can be restored should you get hit with a ransomware attack. This means that if your data gets encrypted, you can simply restore a non-encrypted version and avoid paying the ransom. To achieve this, your backups need to be engineered to be safe from a ransomware infection. If you are using external USB drives to back up data, unplug them once the backup is complete. If you leave them plugged in, their contents will also get encrypted if you contract ransomware. Remember, any data that presents itself as a drive letter is a potential target for encryption. Larger organizations will want to back up their data using agent-based systems in addition to backing up data to the cloud.


  1. We hear mostly about backups being infected along the connected local network, but there are also misconceptions that cloud providers like Google Drive will somehow prevent nefariously encrypted files from coming home to roost.
    This is a false sense of security still, is it not?
    I’m aware of this account of one consultancy with international clients that got into trouble when a machine and user with a Google Drive app connected to the company’s shared Google Drive account fell prey.
    One might think the brains at Google could lock down such activity (especially since there’s some fairly suspicious volume being done by a single user account converting files into weird configurations), but have they not been of more help?