A new variant of ransomware has been discovered on Tuesday (February 16), known as "Locky," and has been spreading swiflty since it first appeared. The attackers behind Locky have spread the malware using massive spam campaigns and compromised websites. Locky typically spreads itself by tricking users into opening a document attachment sent to them by email. Once downloaded, the document looks like random characters and symbols, and victims are prompted to enable macros in the document, which downloads a malicious file that encrypts files on compromised Windows PCs.

Locky encrypts files on victims’ computers and adds a “.locky” file extension to them. The ransom demand varies between 0.5 to 1 bitcoin (approximately US$210 to $420).

Figure 1. Example of spam email used to distribute Locky

What is a Macro Virus?

Word documents containing a malicious macro are attached to these emails. A macro virus is defined as “a computer virus written in the same language used for software applications, such as word processors.” Microsoft Word and Excel are two examples of applications that feature powerful macro languages, which are embedded in documents so they run automatically when the documents are open. If this macro is allowed run it will install Locky on to the victim’s computer.

Figure 2. Example of Locky ransom message

Tips on protecting yourself from ransomware

• Regularly back up any files stored on your computer. If your computer does become infected with ransomware, your files can be restored once the malware is removed from the computer.
• Be sure to have Internet security software such as Norton Security. Always keep your security software up to date to protect yourself against any new variants of malware.
• Keep your operating system and other software updated. Software updates will frequently include patches for newly discovered security vulnerabilities that could be exploited by attackers.
• Delete any suspicious-looking emails you receive, especially if they contain links or attachments.
• Be extremely wary of any Microsoft Office email attachment that advises you to enable macros to view its content. Unless you are absolutely sure that this is a genuine email from a trusted source, do not enable macros and instead immediately delete the email.
• If you do not use macros, you can disable them by following these instructions.
• If you are unable to disable macros, you can also try using Word Viewer by Microsoft. Word viewer will allow you to view a Microsoft document, however, it does not support macros, therefore will not run them.

*UPDATE* 
Since its discovery, Symantec has observed the attackers behind Locky are continuing to spread the ransomware through extensive spam campaigns. One of the most recent spam campaigns occurred on Friday (March 11 2016) and the emails were disguised as coming from an address on the recipient’s network. 

Spam email can be disguised in many ways, including appearing to come from network connected devices such as scanners and printers, still, by far the most common tactic is to disguise spam emails as financial statements, especially as invoices. A wide variety of sender names and addresses were used in the campaign we observed. Most sender addresses were spoofed, which makes them appear to come from domains registered to legitimate companies. 

While ransomware infections had been detected at a rate of between 10,000 and 15,000 per week January and early February 2016, the number began to rise, coinciding with Locky’s appearance on February 16, and detections stood at more than 20,000 in the week to March 8.