Russian hackers are suspected to be behind Locky virus

You must have heard about the latest ransomware called Locky virus. If not, then we have to warn you that this cyber threat has already infected 40,000 devices. Some say that it has already surpassed its ‘brother’ TeslaCrypt virus but still stays behind CryptoWall virus in the scale of inflicted damage. The most affected countries are Germany, US, France, Japan, Canada and Australia. Although the virus showed up a few weeks ago, some anti-virus programs are still incapable of detecting it. Fortunately, security experts keep looking for the best way to help people prevent Locky virus.

As we have mentioned, Locky virus came to light several weeks ago when it shut down the computer system of Hollywood Presbyterian Medical Centre and extorted $3.4 million. Since then, security experts have started noticing translated versions of this ransomware. The most interesting fact is that Locky ransomware stays away from Russian-speaking countries and, even if it gets onto a machine there, it terminates itself. The same can be noted about another ransomware-type virus, called Cerber virus, which clearly avoids Ukraine, Belarus, Georgia, and Russia. Because of this feature, there are lots of speculations that Locky and similar ransomware threats hail from Russian-speaking countries. Speaking of possible suspects, security experts have also started to look at the developers of Dyre virus (also known as Dridex), which is a notorious banking trojan. According to them, Locky ransomware uses similar distribution methods and has the potential to collect huge profits, which is a must for professional cyber criminals.

You might wonder how the virus managed to make such an impact. The main peculiarity of this virus is that it encrypts users’ crucially important documents, files or even entire networks. Then, if users are desperate to open their encrypted files, this threat starts showing its ransom note offering to download Locky Decrypter for a specific amount of money. It seems that the amount of money varies each time: some individual users have reported a ransom of about $400, while companies have announced losses of several million dollars. However, it is still unknown whether they managed to recover their data after paying the money. The luckiest victims are the ones who back up their files in advance. Also, while similar ransomware threats tend to generate a random decryption key automatically, Locky uses its command-and-control infrastructure to transmit a decryption key. According to IT experts, this could be one of the most important reasons why this virus is considered the most complicated ransomware these days.

This ransomware spreads via infected files attached to misleading email messages. Usually, the virus hides in a Word attachment, but several victims report infected JavaScript attachments. Users are deceived by the misleading title “Invoice” and a document which requires enabling macros. Macros are disabled by default in Microsoft Office to decrease the distribution of malware. If they are enabled, the infected document downloads Locky virus. While IT security specialists are still looking for effective ways to confront Locky ransomware, users are advised not to open any shady emails. Moreover, they should keep current backups of their most important data and limit their access to suspicious websites.
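The delivery chain described above (an "Invoice" subject, a Word attachment that asks for macros, or a JavaScript attachment) is simple enough to screen for at the mail gateway. The script below is an added example, not code from the article or from 2-Spyware: it parses raw messages with Python's standard `email` module, flags script attachments and macro-enabled Office documents, opens OOXML containers to look for an embedded `vbaProject.bin` part, and quarantines messages that combine such an attachment with the "Invoice" lure. The sample messages, the lure word list and the quarantine thresholds are constructed assumptions for the demonstration.

```python
"""Mail attachment triage for the Locky-style lure (added example, not the article's code).

Flags inbound mail whose attachment is a script file, a macro-enabled Office
document, or an OOXML container that carries a VBA project, and escalates the
verdict when the subject uses the "Invoice" lure.  All sample messages are
constructed inline; no real malware is involved.
"""
import io
import os
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

SCRIPT_EXTENSIONS = {".js", ".jse", ".wsf", ".vbs", ".hta"}
MACRO_ENABLED_EXTENSIONS = {".docm", ".xlsm", ".pptm"}
LURE_WORDS = ("invoice",)  # assumption: the only lure named in the article; extend as needed


def ooxml_has_vba_project(data: bytes) -> bool:
    """Return True if an OOXML (zip) container includes a VBA project part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            return any(name.lower().endswith("vbaproject.bin") for name in archive.namelist())
    except zipfile.BadZipFile:
        return False  # not a zip container at all (e.g. legacy .doc, PDF, plain text)


def triage_attachment(filename: str, data: bytes) -> list[str]:
    """Return human-readable reasons an attachment deserves a closer look."""
    reasons = []
    ext = os.path.splitext(filename.lower())[1]
    if ext in SCRIPT_EXTENSIONS:
        reasons.append(f"script attachment ({ext})")
    if ext in MACRO_ENABLED_EXTENSIONS:
        reasons.append(f"macro-enabled Office document ({ext})")
    if ooxml_has_vba_project(data):
        reasons.append("OOXML container embeds a VBA project")
    return reasons


def triage_message(raw: bytes) -> dict:
    """Parse a raw RFC 822 message and score it by lure subject and attachments."""
    msg = message_from_bytes(raw, policy=policy.default)
    subject = msg.get("Subject", "")
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        payload = part.get_payload(decode=True) or b""
        for reason in triage_attachment(name, payload):
            findings.append(f"{name}: {reason}")
    lure = any(word in subject.lower() for word in LURE_WORDS)
    if lure and findings:
        verdict = "quarantine"   # lure subject plus risky attachment: hold for analysis
    elif findings:
        verdict = "review"       # risky attachment without the known lure
    else:
        verdict = "allow"
    return {"subject": subject, "lure_subject": lure, "findings": findings, "verdict": verdict}


def _build_docm(with_vba: bool) -> bytes:
    """Construct a minimal OOXML zip; optionally include a dummy (non-functional) VBA part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("[Content_Types].xml", "<Types/>")
        archive.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            archive.writestr("word/vbaProject.bin", b"\x00dummy")  # constructed placeholder
    return buf.getvalue()


def _build_message(subject: str, filename: str, data: bytes, maintype: str, subtype: str) -> bytes:
    """Construct a raw message with one attachment (sample data, not a real lure)."""
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = subject
    msg.set_content("Please see the attached document.")
    msg.add_attachment(data, maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_bytes()


def sample_messages() -> dict[str, bytes]:
    """Constructed samples: two Locky-style lures and one benign message."""
    return {
        "invoice_docm": _build_message("Invoice #12345", "invoice.docm", _build_docm(True),
                                       "application", "vnd.ms-word.document.macroEnabled.12"),
        "invoice_js": _build_message("Invoice attached", "invoice.js", b"var x = 1;",
                                     "application", "javascript"),
        "benign": _build_message("Meeting notes", "notes.docx", _build_docm(False),
                                 "application", "vnd.openxmlformats-officedocument.wordprocessingml.document"),
    }


if __name__ == "__main__":
    for label, raw in sample_messages().items():
        print(label, triage_message(raw))
```

The container check matters because a macro-bearing file can be renamed to `.docx`; Word still honours the embedded VBA project, so the extension alone is not a reliable signal. A "review" verdict keeps the user's mail flowing while an analyst looks at the attachment; "quarantine" is reserved for the combination the article describes.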

About the author
Ugnius Kiguolis

Ugnius Kiguolis is a professional malware analyst who is also the founder and the owner of 2-Spyware. At the moment, he takes over as Editor-in-chief.
