Locky is generally delivered via the same mechanisms as other ransomware you may have heard of, including CryptoWall. Primarily it is spread via an infected Word document containing a macro, which the user opens from an attachment in a spam e-mail. While the infected document is being opened, the macro runs a dropper that renames itself to svchost.exe in the %temp% folder. Once this is complete the ransomware is launched: it begins by deleting locally stored copies of the operating system, then moves on to encrypting the files on the PC and attaching a .locky extension to them. Once the encryption is complete the end user is presented with the ransom demand, which generally requires payment in bitcoins to obtain the decryption key. For more information on this ransomware please refer to: http://www.pcworld.com/article/3042580/security/locky-ransomware-activity-ticks-up.html
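The two observable traces described above (a svchost.exe sitting in %temp% rather than a Windows system folder, and files carrying the .locky extension) can be turned into a simple check. The script below is an added example, not part of the original article; the list of legitimate svchost.exe folders and the file listing it scans are constructed assumptions for illustration.

```python
"""Flag the Locky traces described in the text on a list of file paths."""
import ntpath
from typing import List, Optional, Tuple

# Folders where a genuine svchost.exe is expected (assumption for this example).
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def classify(path: str) -> Optional[str]:
    """Return a label for a suspicious path, or None if nothing stands out."""
    folder, name = ntpath.split(path.lower())
    # A svchost.exe outside the system folders (e.g. in %temp%) matches the dropper behaviour.
    if name == "svchost.exe" and folder not in LEGIT_SVCHOST_DIRS:
        return "svchost.exe outside system folder"
    # Files renamed with a .locky extension indicate encryption has already started.
    if name.endswith(".locky"):
        return ".locky extension"
    return None


def scan(paths: List[str]) -> List[Tuple[str, str]]:
    """Run classify() over a file listing and keep only the flagged entries."""
    hits = []
    for path in paths:
        label = classify(path)
        if label is not None:
            hits.append((path, label))
    return hits


# Constructed sample listing: one benign system binary, one dropper copy in the
# user's temp folder, one untouched document and one already-encrypted file.
SAMPLE_PATHS = [
    r"C:\Windows\System32\svchost.exe",
    r"C:\Users\alice\AppData\Local\Temp\svchost.exe",
    r"C:\Users\alice\Documents\report.docx",
    r"C:\Users\alice\Documents\sample-file.locky",
]

if __name__ == "__main__":
    for path, label in scan(SAMPLE_PATHS):
        print(f"{label}: {path}")
```

Finding a hit of the first kind is a reason to disconnect the machine and restore from backup before further files are encrypted; a hit of the second kind means encryption is already under way.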
Jigsaw uses a similar method of distribution and deployment, landing on the machines of users who unwittingly open an infected attachment. The major difference with Jigsaw is that it does not stop its destructive path while it waits for the user to meet the ransom demands. This newer form of ransomware presents the user with the ransom message and asks for payment. At this point a clock begins, and failure to pay the ransom results in files being permanently deleted from the system every hour until payment is made. In addition, if the system is rebooted or the infection process is stopped and restarted, it deletes 1000 files from the system. Processes have been developed to remove this ransomware without paying, but they shouldn't be attempted except by someone who is very familiar with the process. For more information on this ransomware and the potential removal process please refer to: http://www.bleepingcomputer.com/news/security/jigsaw-ransomware-decrypted-will-delete-your-files-until-you-pay-the-ransom/
How to prevent infection or minimize impact:
- Don't open spam e-mails or e-mails from unrecognized senders
- Don’t open attachments from suspicious e-mails (for example, if you get a suspicious FedEx e-mail, call them or go to their direct website instead)
- Ensure all operating systems and anti-virus software are up-to-date
- Regularly back up important files and data (e.g. with FileHopper Plus)
- Use anti-virus and anti-malware products such as SecureIT Live and Tech Home
How to recover files:
- If you have been backing up your system regularly using a program such as FileHopper you can restore from a backup.
- You could pay the ransom to get a decryption key, although this doesn’t guarantee you will get the decryption key.