“Locky” ransomware – what you need to know

“Locky” ransomware – what you need to know

“Locky” is the nickname of a new strain of ransomware, so-called because it renames all your important files so that they have the extension .locky.

Of course, it doesn’t just rename your files, it encrypts them first, and – as you probably know about ransomware – only the crooks have the decryption key.

You can buy the decryption key from the crooks via the so-called dark web.

The prices we’ve seen vary from BTC 0.5 to BTC 1.00 (BTC is short for “bitcoin,” where one bitcoin is currently worth about $400/£280).

locky-ransom

The most common way that Locky arrives is as follows:

  • You receive an email containing an attached document (Troj/DocDl-BCF).
  • The document looks like gobbledegook.
  • The document advises you to enable macros “if the data encoding is incorrect.”

locky-macros

  • If you enable macros, you don’t actually correct the text encoding (that’s a subterfuge); instead, you run code inside the document that saves a file to disk and runs it.
  • The saved file (Troj/Ransom-CGX) serves as a downloader, which fetches the final malware payload from the crooks.
  • The final payload could be anything, but in this case is usually the Locky Ransomware (Troj/Ransom-CGW).

Locky scrambles all files that match a long list of extensions, including videos, images, source code, and Office files.

Locky also removes any Volume Snapshot Service (VSS) files, also known as shadow copies, that you may have made.

Shadow copies are the Windows way of making live backup snapshots without having to stop working – you don’t need to logout or even close your applications first – so they are a quick and popular alternative to a proper backup procedure.

Once Locky is ready to hit you up for the ransom, it makes sure you see the following message by changing your desktop wallpaper:

locky-wallpaper

If you visit the dark web page given in the warning message, then you receive the instructions for payment that we showed above.

Unfortunately, so far as we can tell, there are no easy shortcuts to get your data back if you don’t have a recent backup.

Remember, also, that like most ransomware, Locky doesn’t just scramble your C: drive.

It scrambles any files in any directory on any mounted drive that it can access, including removable drives that are plugged in at the time, or network shares that are accessible, including servers and other people’s computers, whether they are running Windows, OS X or Linux.

If you are logged in as a domain administrator and you get hit by ransomware, you could do very widespread damage indeed.

Giving yourself up front all the login power you might ever need is very convenient, but please don’t do it.

Only login (or use Run As...) with admin powers when you really need them, and relinquish those powers as soon as you don’t.

WHAT TO DO?

  • Backup regularly and keep a recent backup copy off-site. There are dozens of ways other than ransomware that files can suddenly vanish, such as fire, flood, theft, a dropped laptop or even an accidental delete. ADECS can provide you with an encrypted Off-site backup service if you do not already have one in place. Contact Us for more information
  • Don’t enable macros in document attachments received via email. Microsoft deliberately turned off auto-execution of macros by default many years ago as a security measure. A lot of malware infections rely on persuading you to turn macros back on, so don’t do it!
  • Be cautious about unsolicited attachments. The crooks are relying on the dilemma that you shouldn’t open a document until you are sure it’s one you want, but you can’t tell if it’s one you want until you open it. If in doubt, leave it out.
  • Don’t give yourself more login power than you need. Most importantly, don’t stay logged in as an administrator any longer than is strictly necessary, and avoid browsing, opening documents or other “regular work” activities while you have administrator rights.
  • Consider installing the Microsoft Office viewers. These viewer applications let you see what documents look like without opening them in Word or Excel itself. In particular, the viewer software doesn’t support macros at all, so you can’t enable macros by mistake!
  • Patch early, patch often. Malware that doesn’t come in via document macros often relies on security bugs in popular applications, including Office, your browser, Flash and more. The sooner you patch, the fewer open holes remain for the crooks to exploit.
  • Mail Filter. Make sure your mail protection solution is blocking macro-enabled documents and .js scripts

Amazon stops selling Fire Smartphone

Just fifteen months after its launch, Amazon has stopped selling its Fire Smartphone.  According to the Amazon website, both the 32GB and 64GB models are ‘currently unavailable’, with no plans to replenish supplies.

Launched in June 2014, the Fire Phone was amazon’s first foray into the smartphone market.  The main selling point was its ‘dynamic perspective’ camera, which can track the user’s movements and give the impression of depth and 3D.  It also includes a 24 hour customer service tool and an in-built encyclopaedia called X-Ray.  Unfortunately, the phone did not impress consumers and it has suffered from negative reviews.

www.bbc.co.uk technology news (9th September 15)

Changes to the Stamp Duty

Changes to the Stamp Duty

Business leaders in Coventry and Warwickshire described George Osborne’s announcement to change the stamp duty system as ‘pulling a rabbit out of the hat’.  Companies came together to give their verdict on the Chancellor’s final Autumn Statement before the next General Election.  Anne Rose, from Burgis & Bullock (the event sponsors) said, ‘It will be popular with most of the population and is a subtle way of introducing a wealth tax.’

Amrik Bhabra of ADECS said, ‘ I am very much on favour of the changes around apprentices and I am also encouraged by more support for those doing Masters degrees.’

(Coventry & Warwickshire in Business, Issue 45, January/February 2015. Page 4)

How do we make sure young people are ready for work?

The Coventry and Warwickshire Chamber of Commerce is bringing together companies, councillors, schools and colleges in a bid to ensure  young people get the help needed for them to become the region’s next generation workforce. Amrik Bhabra, Chief Executive of ADECS, was one of the business leaders who attended the meeting.

Evidence has shown that where local businesses are willing to support schools and education it does indeed help get youngsters more ‘work ready’.  76% of companies blamed a lack of work experience for young people not being ready for work.  However, there are a number of companies who are now enthusiastic about offering work experience to youngsters – as a commitment to their local area, and as a bid to prepare the future workforce.

(Coventry & Warwickshire in Business, Issue 44, November/December 2014.  Page 22)

PLEASE READ: New ADECS numbers

PLEASE READ: New ADECS numbers

As a result of changes being made to consumer calls by OFCOM from 1 July this year, the ADECS telephone number (0845 310 9400) will be changing.  Our new contact numbers are as follows:-

ADECS MAIN TELEPHONE NUMBER- 024 7699 5930

ADECS SUPPORT HELPDESK TELEPHONE NUMBER – 024 7699 5931

We are sorry for any inconvenience caused, but hope the new local number will be soon memorised!

We have taken the decision to change our telephone numbers so that the cost of calling ADECS is clear to all our clients.  We did not want you, the client, paying unnecessary charges.

 

Here is an explanation of why the changes are being made:

There are some changes being made to telephone call rates by Ofcom.  It is the biggest change to affect telephone call rates in ten years.  The new system – known as UK Calling – is designed to make the cost of calling service numbers from landlines and mobiles clear to everyone.

Service numbers, usually beginning with 08, 09, or 118, are regularly used to call companies, directory enquiries, TV shows, etc.  The cost of these types of calls are usually explained as – ‘calls cost 20p per minute from a BT landline. Other landlines may vary and calls from mobiles may cost considerably more.’   It is not very easy to work out how much you are paying for the call.

From 1 July 2015, the cost of calling service numbers will be made up of two parts:

The ACCESS CHARGE
This goes to the phone company connecting you to the service you want, charged as pence per minute

The SERVICE CHARGE
The rest of the call charge. The organisation you are calling decides this and will tell you how much it is

These rules will apply to all consumer calls to 084, 087, 09 and 118 numbers across the UK, ‘delivering clearer call rates for everyone’ (according to OFCOM!).

The changes do not affect calls made to ordinary landline numbers (01, 02), 03 numbers or mobile (07) numbers.

For more information please refer to the following OFCOM website – www.ukcalling.info