Ransomware like Cryptolocker has been the bane of my existence for a while, and a new variant called Locky is beginning to make its presence known. Like all ransomware, it encrypts the files on your computer, and once that is complete, a message pops up informing you that you need to pay a ransom in Bitcoin to retrieve your files. There isn’t a fix for any of the variants I have found so far – you have to restore from backups.
A new variant called “Locky” is starting to show up and it seems just as bad as the original. So far it appears to be spread through email attachments. Victims receive an attachment that says something like “Invoice” and appears to be a Word document, but when you open it you see what appears to be garbled text. A message on the top says you should click to “enable macro if the data coding is incorrect.”
Of course, “enabling the macros” doesn’t actually fix the document; it installs the malware on your computer. It will encrypt any files it can find, including mapped network drives, and the only solution aside from paying the ransom is to restore a previous backup. If the malware had access to a locally attached backup, that will likely be encrypted too, so you will need an offsite backup to actually restore.
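The attachment described above works because the “invoice” is really a Word document carrying a VBA macro. Before anyone opens such a file, a defender can check whether it contains a macro project at all: Office 2007+ files are zip containers, and a macro-enabled document stores its code as `word/vbaProject.bin`; the older binary `.doc` format is an OLE compound file whose directory entry names (such as `Macros` and `_VBA_PROJECT`) are stored as UTF-16LE and can be spotted in the raw bytes. The script below is an added illustration of that triage check, not code from the original post or from Sophos; the sample documents it builds are constructed in memory and the function and file names are hypothetical.

```python
import io
import zipfile

# File signatures: OOXML (docx/docm/xlsx/...) is a zip; legacy .doc/.xls is an OLE compound file.
ZIP_MAGIC = b"PK\x03\x04"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# OLE directory entry names are stored as UTF-16LE; these two storages only exist
# when the document carries a VBA project.
OLE_VBA_MARKERS = [name.encode("utf-16-le") for name in ("Macros", "_VBA_PROJECT")]

OFFICE_EXTENSIONS = ("doc", "docx", "docm", "xls", "xlsx", "xlsm", "ppt", "pptx", "pptm")


def inspect_attachment(filename, data):
    """Return a dict of findings about an Office attachment; an empty dict means no macro found."""
    findings = {}
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""

    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            findings["error"] = "zip container is corrupt"
            return findings
        # A macro project lives in word/, xl/ or ppt/ as vbaProject.bin.
        macro_parts = [n for n in names if n.lower().endswith("vbaproject.bin")]
        if macro_parts:
            findings["vba_project"] = macro_parts
            # Office refuses to run macros from a .docx, so a macro part inside one is
            # itself suspicious: the file was renamed or crafted.
            if ext in ("docx", "xlsx", "pptx"):
                findings["extension_mismatch"] = f".{ext} should not contain macros"
    elif data.startswith(OLE_MAGIC):
        # Heuristic scan of the raw bytes; a full OLE parser (e.g. the olefile package)
        # would walk the directory properly, but this catches the common case offline.
        found = [m.decode("utf-16-le") for m in OLE_VBA_MARKERS if m in data]
        if found:
            findings["vba_project"] = found
    elif ext in OFFICE_EXTENSIONS:
        findings["format_mismatch"] = "extension claims an Office document but bytes are neither zip nor OLE"
    return findings


def build_ooxml(with_macro):
    """Constructed sample: a minimal OOXML zip, optionally with a macro part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


def build_ole_with_vba():
    """Constructed sample: OLE magic followed by the UTF-16LE storage names a VBA project has."""
    return (OLE_MAGIC + b"\x00" * 64
            + "Macros".encode("utf-16-le") + b"\x00" * 16
            + "_VBA_PROJECT".encode("utf-16-le") + b"\x00" * 16)


if __name__ == "__main__":
    samples = {
        "Invoice.docx": build_ooxml(with_macro=False),
        "Invoice.docm": build_ooxml(with_macro=True),
        "Invoice_renamed.docx": build_ooxml(with_macro=True),
        "Invoice.doc": build_ole_with_vba(),
    }
    for name, blob in samples.items():
        result = inspect_attachment(name, blob)
        verdict = "QUARANTINE" if result else "no macro found"
        print(f"{name:22s} {verdict:15s} {result}")
```

The check deliberately does not try to read or run the macro; it only answers “does this attachment carry code at all?”, which is enough to decide that an unexpected invoice should be quarantined and the sender phoned rather than opened.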
I’ve had a few clients pick up this virus and it is something I dread. So far everyone that has gotten it has had an offsite backup (I think most clients do at this point) but it’s always a worry.
The bottom line is (as always!): if you aren’t expecting an attachment from someone, just don’t open it. Even a trusted contact could send this to you if they were infected and didn’t know it, or if their email address was spoofed (faked). If you aren’t completely certain it’s a legitimate attachment, give the sender a quick call and ask if they sent something. In addition, you can always forward suspicious emails and attachments to me and I will be happy to take a look or scan them for you.
If you are interested in a little more in-depth information on Locky, you can find an excellent article from Sophos here, and as always, please feel free to call me if you have questions or suspect you may have an issue.