back to article Locky ransomware is spreading like the clap

Greedy miscreants have created a new strain of ransomware, dubbed Locky. Locky typically spreads by tricking marks into opening a Microsoft Word attachment sent to them by email. Victims are encouraged to enable macros in the document which, in turn, downloads a malicious executable that encrypts files on compromised Windows …

  1. pewpie
    Paris Hilton

    I know what you're thinking..

    Did I read five billion warnings about .doc files, or six?..

    1. Anonymous Coward
      Anonymous Coward

      Re: I know what you're thinking..

      Several like that have come into my inbox this week. There was also a .RTF attachment. Others invited me to follow a link. The Demon filtering doesn't seem to be catching them.

    2. Locky
      Black Helicopters

      Re: I know what you're thinking..

      I know what I'm thinking

      This is going to get me in trouble...

  2. Paul Crawford Silver badge

    "If you are logged in as a domain administrator and you get hit by ransomware"

    You should seriously be considering a change of job?

    1. Crazy Operations Guy

      I got a promotion because the head admin was logged into a domain controller for our root domain with his 'Enterprise Admin' account and decided that it was a good time to watch some borderline-illegal porn (Seeing as how the domain controller was one of the few machines not behind the content filters yet had very-high speed connection to the itnernet). We ended up cleaning 75k+ machines because of that...

      1. Destroy All Monsters Silver badge
        Paris Hilton

        Tell the truth. You were "assisting him" in this accident?

        1. Paul Crawford Silver badge
          Trollface

          Sounds like a BOFH story :)

  3. Anonymous Coward
    Anonymous Coward

    BitCoin... seriously?

    Why is bitcoin still allowed to exist at all?

    All I've seen for the last 2 years is how this BC "bank" lost millions of dollars worth of BC on a hard drive somewhere or this cryptoware is using BC to avoid tracing the money back to them...

    Bitcoin sounds like something actually designed by criminals just for this sort of thing (and to slurp electronic money from suckers wallets).

    BC should just be declared an illegal currency and any "bank" should have to return BC money to investors and shut down or face counterfeiting laws.

    I'm pretty sharp on how this whole InterWeb thing works and I don't really understand why this is an untraceable currency. It's still IP to IP traffic and there should be logs on servers that would give away the account files being accessed at the time a transfer packet comes in, so why can't these bastards be tracked back by following the money.

    Maybe since the FBI got hit last month they will take this all the way to the bank and actually find the degenerates behind some of it.

    BAN BC now... this is out of hand.

    1. Christoph Silver badge
      Boffin

      Re: BitCoin... seriously?

      "BAN BC now"

      Excellent suggestion - could you please explain how you intend to go about it? Preventing anyone anywhere in the world from running particular software?

    2. tiesx150

      Re: BitCoin... seriously?

      Sorry but what a crazy tangent to go off on. You suggestion is the equivalent to asking for cash to be banned as criminals exchange it for drugs an you can't see a paper trail that can be retrospectively analysed by a bean counter at anlater date.

      1. Steven Raith

        Re: BitCoin... seriously?

        You may titter, but they've stopped scrappys from taking cash for scrap metal to try to halt the stolen copper market in it's tracks, as debit cards leave a paper trail.

        Seriously. See 'Cash Trading' here: http://www.recyclemetals.org/about_metal_recycling

        Steven R

        1. Da Weezil

          Re: BitCoin... seriously?

          .... and yet if you know the "right" scrappy...... Considering this affects all scrap - including cars which have Govt. issued Id documents, it seems pretty clear this is less about stolen metal and more about micro managing the money flow in and out of small businesses in a way that will never happen with the big tax avoiders.

          Its a known fact the HMRC hates - with a passion - any business that deals mainly in cash.

        2. Mystic Megabyte Silver badge

          Re: BitCoin... seriously? @Steve Raith

          Generally scrappys *give* cash for scrap metal although you will have to pay them if your junk car has tyres attached.

    3. weevil

      Re: BitCoin... seriously?

      You don't send bitcoins to an IP Address. You send it to a Wallet. That Wallet in-turn doesn't have an IP address associated with it. Unless you're running Wireshark at the perps end it's untracable. As soon as the perps receive the money its divided into subsidary coins or alternative currencies and put back into BTC.

      BTC has nothing to do with this. You need to look at the real issue which is Least Privilege.

    4. Destroy All Monsters Silver badge
      Facepalm

      Re: BitCoin... seriously?

      BAN BC now... this is out of hand.

      This was the "Omnipotent Government" message of today.

      Why are Madame May Minions posting here?

  4. a_yank_lurker Silver badge

    Enabled Macros?

    As I understand it, this ransomware requires one to run a Word macro. Macros should be disabled by default.

    1. Steven Raith

      Re: Enabled Macros?

      .....and users shouldn't be opening unsolicited attachments.

      The problem isn't the macros, it's poor user training as much as it is the greed of the malware writers. Stupid is as stupid does.

      Steven R

      Dept Of Bleeding Obvious.

      (sorry, but someone had to point that out, and I'm grumpy tonight)

    2. Halfmad

      Re: Enabled Macros?

      Our are disabled my default, we still get hit as staff enable them when prompted without thinking.

      PICNIC.

      If I'm told one more time that I don't do enough staff awareness I'll scream, there's only so much you can do for some people, after that you really need to start going down the disciplinary route.

    3. veti Silver badge

      Re: Enabled Macros?

      Macros *are* disabled by default. You have to go out of your way to enable them.

      But that's just a social engineering problem, and scammers have become pretty good at those.

      1. Michael H.F. Wilkinson Silver badge

        Re: Enabled Macros?

        I will remind the kids ONCE MORE, that if they get odd documents sent to them, they should NEVER open them unless they have consulted me, and I will add that MACROS ARE BAD, and anyone enabling them without my consent shall be ousted from all computers in the house, and will have to hand in their smart phones for at least a week (now that REALLY hurts them).

        They have been very good so far, but a reminder is in order.

  5. Anonymous Coward
    Headmaster

    > Feeling Locky, punk? Well, do ya?

    Strictly speaking, that should be "..., are ya?"

    Sorry, feeling particularly pedantic today.

    1. The bigger, blacker box.
      Headmaster

      >>Strictly speaking, that should be "..., are ya?"

      Strictly speaking, to be close to the quote, it's [You've got to ask yourself one question] "Do I feel locky?", Well do ya, punk? (the second bit was correct with the original, and the context missing for the first).

      Meh... pedantry

    2. allthecoolshortnamesweretaken Silver badge
  6. Mephistro Silver badge

    "Once seeded on a host, the ransomware can spread widely over associated local networks, according to security expert Paul Ducklin."

    That's the reason I define every network my devices connect to as "Not trusted" exept in a "need to" basis, and I heavily firewall, protect and -very occassionally- security audit every part of my home network.

    This has saved my arse in several occasions, where typically invitee's devices bring with them some hidden present from the outside world.

    On the other hand, this is a true PITA!. I'm beginnig to fear that I'm becoming a grumpy gaffer and that soon I won't be able to put up with the load. Perish the thought! :-(

    In my humble opinion, if the (quite ignorant) general public isn't gifted or educated enough to understand these issues and they can't protect themselves from electronic eavesdropping, a government duty is PROTECT these subjects and their rights. If the government is just another contestant trying to rip off their subjects, "bad things will happen!"

  7. Tezfair
    Unhappy

    docm's deleted

    Been a run on docm emails across my clients so I have currently banned them - specifically the filters are deleting them. I'm not aware of any user that would need a macro enabled document to be emailed to them and given the risks, anyone that has to send one can rename it.

    Gotta be brutal to save my clients.

    1. John Tserkezis

      Re: docm's deleted

      "I'm not aware of any user that would need a macro enabled document to be emailed to them and given the risks, anyone that has to send one can rename it."

      Never say never. I've had to do that in the past.

      Worst was trying to email an installable to a client - his end didn't like the executable. Tried renaming, then compressed and renamed, all to no avail.

      Finally settled on a burnt CD sent via old school snail mail. FFS we have email and can't use it.

      1. Oengus Silver badge

        Re: docm's deleted

        I used to have to send .mdb files via e-mail.

        Step 1 Rename file to .dbm

        Step 2 Zip file with password

        Step 3 Send zipped file as attachment

        Step 4 Send password in a separate e-mail.

        The e-mail server would look at the zip file, see the content was not a forbidden file type but couldn't extract to check because of the password and allow it through. If we forgot the password it would extract and examine the file and strip it out.

        The receiver reversed the process...

        Clunky but effective.

        The same trick worked with .exe and .vbs files.

    2. tiesx150

      Re: docm's deleted

      Agree. Infection vector for this latest malware is email + Social engineering. .docm can easily and should be banned as an attachment from external addresses at the very least.

    3. Anonymous Coward
      Anonymous Coward

      Re: docm's deleted

      "Been a run on docm emails across my clients so I have currently banned them - [...]"

      Just did an experiment. Created a Word 2010 document and saved as test.docx.

      Renamed the file in its directory as test1.rtf. Clicked on it - and Word happily sorted out that it was actually a .docx content.

      Presumably a .docm posing as .rtf would also slip through and get executed. That would explain the .rtf that was attached to a spam email this morning.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019