Cyberthreats

by Claudius Schulze

The unique Locky pay wall makes it easy for SMEs to manage the escalating cyberthreat against their organizations. On its security blog, Locky has already achieved a high profile in the cybersecurity industry, mainly due to the growing trends of ransomware and "botnets". A new ransomware infection is the latest threat to cause serious and expensive damage to the sector; visit websites like https://www.fortinet.com/solutions/industries/healthcare to learn all about it.

Locky has also previously been tested against the Jigsaw ransomware, and is compatible with the anti-analysis, anti-forensics, and anti-phishing features built into Microsoft's Windows Defender. Locky can penetrate even the most advanced encryption by leveraging the EFS 2.0 encryption algorithm and using a hashing technique that requires less than 50% of the original file. This technique also makes it harder for the attackers to extract decryption keys, as its routines are not as efficient. If you want to protect your home and business network, check out sites like www.eatel.com/residential/internet and consult them about network security.

It exploits CVE-2017-0066, the latest version of the EFS vulnerability that has been present in Windows since December 2017. This vulnerability is the direct result of a software security flaw, which also enables the use of Linux, GNU/Linux, and macOS on many recent systems. The Linux kernel is also a common point of origin for ransomware, and Windows hosts Windows binaries that run on Linux. Any and all Windows systems with EFS patches installed are now at risk. However, the Locky ransomware is different from EFS ransomware and relies on EFS 2.0 encryption to encrypt the entire system.

Locky targets several Windows users with the EFS flaw, as most systems (mostly users with administrator privileges) will be affected by the exploit. How does Locky seek out a victim's files? A "kill switch" is included in the ransomware to kill all ransomware instances when a device connected to the network is turned off. This "kill switch" acts as an interface between the attacker and the ransomware.

Locky will not run automatically or silently in the background. Locky can send out a specific error message (unless the user runs the encryption software directly) telling the victim that their files have been encrypted and that they must pay up. The user will receive a confirmation message on the same day stating that they will need to pay the ransom if they wish to recover their files.

A time estimate is sent to the user via email.

The Locky ransomware leverages the latest AES-128 and RSA encryption. The ransomware is a self-replicating file-encryption executable that is only 40-50 kilobytes in size. The code runs as a .NET application and uses ncrypt (N-Crypt) for encryption.
