Bitcoin ransomware "LOCKY" lands in Anhui

On the morning of March 24, the Tongling Public Security Bureau's Cyber Security Brigade received a report from an employee of a company in the city: the documents and other files on his computer had been encrypted into files with the suffix "lock", and their contents could no longer be read. A message on the screen stated that the files could only be unlocked after payment was made in the specified way.

According to Dai Hua, deputy chief of the Public Security Bureau's Cyber Security Brigade, the documents on the computer had been encrypted by a piece of malware called "Locky Ransomware". Analysis showed that it is a type of ransomware that spreads via spam, and that it is the first Bitcoin ransomware with Chinese-language prompts, indicating that the criminal group has begun to target Chinese users.

The attacker sends an email carrying a malicious Word document to the victim's mailbox. The document contains carefully constructed malicious macro code. When the victim opens the document and runs the macro, the host connects to a web server specified by the attacker, downloads the Locky malware to the local Temp directory, and executes it. Once the Locky code is loaded and running, it connects to the attacker's C&C server, uploads information about the local machine, and downloads the public key used for encryption.

The key step in the execution of the malicious code is the manual enabling of macros. Opening the doc file with Word 2003 is enough for the macro to run. Office 2007 and later, however, impose strict requirements on the file suffix before a macro may run at all, so for the malicious code to execute on those versions the user must enable macros by hand. In other words, the malicious code runs only when the user clicks "Enable Macros".
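As an added example, not from the article or the police report, here is a Python triage check of the kind a mail gateway or analyst could run on incoming attachments: it flags Office documents that carry a VBA project, and file names whose suffix does not agree with the container format. The layout details it relies on (the `word/vbaProject.bin` part in OOXML and the `_VBA_PROJECT` stream name in legacy OLE files) are standard Office internals; the sample documents are constructed inside the code and are not real malware.

```python
import io
import zipfile

# Magic bytes of a legacy OLE2 compound document (Word 97-2003 .doc).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Content type Office 2007+ writes for macro-enabled Word documents (.docm).
MACRO_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_CT = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"


def classify_office_attachment(name: str, data: bytes) -> dict:
    """Triage one mail attachment: container format, whether a VBA project is
    present, and whether the file suffix agrees with the bytes. Heuristic, not a parser."""
    fmt, has_macros = "unknown", False
    if data.startswith(OLE_MAGIC):
        fmt = "ole"
        # OLE directory entry names are UTF-16LE; a VBA project always has a _VBA_PROJECT stream.
        has_macros = "_VBA_PROJECT".encode("utf-16-le") in data
    elif data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                fmt = "ooxml"
                names = set(z.namelist())
                ct = z.read("[Content_Types].xml").decode("utf-8", "replace") if "[Content_Types].xml" in names else ""
                has_macros = "word/vbaProject.bin" in names or MACRO_CT in ct
        except zipfile.BadZipFile:
            pass
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    # Office 2007+ ties macro execution to the suffix, so a .docx that carries a
    # VBA project, or a .doc that is really a zip, deserves a closer look.
    if fmt == "ole":
        suffix_ok = ext == "doc"
    elif fmt == "ooxml":
        suffix_ok = ext == ("docm" if has_macros else "docx")
    else:
        suffix_ok = True  # not an Office container; out of scope for this check
    return {"format": fmt, "has_macros": has_macros, "suffix_ok": suffix_ok,
            "flag": has_macros or not suffix_ok}


def build_sample_ooxml(macro: bool) -> bytes:
    """Constructed minimal OOXML container for testing; not a real document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        ct = MACRO_CT if macro else PLAIN_CT
        z.writestr("[Content_Types].xml",
                   f'<Types><Override PartName="/word/document.xml" ContentType="{ct}"/></Types>')
        z.writestr("word/document.xml", "<w:document/>")
        if macro:
            z.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()
```

A hit on `flag` is a reason to quarantine or hand-inspect the attachment, not proof of infection; legitimate macro-enabled documents will also trip `has_macros`.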

The "Locky" ransomware can bring its operators huge profits. Because it is paid in Bitcoin, the transactions are hard to trace, and once infected, a user's only options are to pay for decryption or to give up the files. Even paying the ransom does not guarantee that the encrypted files will be fully restored.

According to Deputy Chief Dai Hua, this is the first time this year that this type of ransomware has been encountered, showing that such attacks have reached enterprises in Tongling City, entering victims' computers mainly through malicious documents attached to emails. The industry consensus at present is that encrypted files are very difficult to recover, so prevention remains the main way to deal with ransomware: back up important files regularly, be wary of unfamiliar emails and attachments, take special care when opening Office files that contain macros, and enable macros only after confirming that the document is trustworthy. (Dai Hua, Wu Bin, reporter Liu Haiquan)
