Info on Ransomware Locky

Written by  on April 26, 2016 

DISCLAIMER: MrBackup is an offsite data storage provider. MrBackup does not provide anti-malware or anti-virus solutions. The comments presented here are based on our experience in disaster recovery situations. Please contact an accredited software specialist for anti-virus, anti-malware and general Windows software queries.

Please also be aware that malware such as Locky changes its behaviour over time. Even if the comments below are accurate at the time of writing, they may stop being so at any time.

Information on Locky

From dealing with client hardware in disaster recovery situations, it appears that:

  • Locky runs with the privileges of the user who launched it (typically by opening a malicious email attachment). This matters: the more restricted that account is, the less it can encrypt and the lower the risk of total data loss. Giving day-to-day users full Administrator rights invites disaster.
  • Locky ignores the Program Files folder(s). It may extend to them over time, but at least initially it appears to leave them alone.
  • Locky targets user data files. In our experience it goes after recently accessed files regardless of extension, apparently by watching Windows file activity, and it can encrypt anything the user has Full Control (Read, Write, Create) over.
  • Locky is network aware. It enumerates the network shares the infected machine can reach and rapidly encrypts files on them, whether or not they are mapped to a drive letter such as Z:\. Unmapped shares are not safe. Note that this is encryption of reachable shares under the user's own credentials, not a worm copying itself between machines.
  • Locky appears to ignore connections made only by IP address.
  • Locky works incredibly fast: it can bring a local LAN down within minutes and render an entire server unusable within about 90 minutes.

Please see this prior warning concerning Locky

The most disturbing aspect of a Locky infestation is that once the malware has been launched there is no guaranteed way to detect it accurately or to stop it before it finishes.
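Even without reliable detection of the running process, a responder can at least scope what has already been hit. The script below is an added example written for this article, not MrBackup's own tooling. It assumes the file naming seen in the Locky variants of early 2016: encrypted files renamed to 32 hexadecimal characters plus a ".locky" extension, and a ransom note named "_Locky_recover_instructions.txt" (often with a ".bmp" twin) dropped in each folder touched. Those names are an assumption that may not hold for later variants. The sample directory tree it builds is constructed test data, not a real infection.

```python
"""Added example: read-only triage scan for Locky artefacts on a file tree.

Illustrative code written for this article, not MrBackup's tooling. It assumes
the naming used by Locky variants seen in early 2016 (32 hex characters plus
".locky", and a "_Locky_recover_instructions" note per folder). Treat the
patterns as a starting point, not a definitive signature.
"""
import os
import re
import tempfile

# Assumed patterns (early-2016 variants); adjust if a newer variant differs.
ENCRYPTED_NAME = re.compile(r"^[0-9A-Fa-f]{32}\.locky$")
RANSOM_NOTES = {"_Locky_recover_instructions.txt",
                "_Locky_recover_instructions.bmp"}


def scan_tree(root):
    """Walk `root` (a local path or a UNC share path) and return
    {directory: {"encrypted": count, "notes": [names], "newest": epoch}}
    for each directory showing Locky artefacts. "newest" is the latest
    modification time among the artefacts, useful for building a timeline.
    Only listings and mtimes are read; nothing is written."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        encrypted = [f for f in files if ENCRYPTED_NAME.match(f)]
        notes = sorted(f for f in files if f in RANSOM_NOTES)
        if not encrypted and not notes:
            continue
        newest = max(os.path.getmtime(os.path.join(dirpath, f))
                     for f in encrypted + notes)
        hits[dirpath] = {"encrypted": len(encrypted), "notes": notes,
                         "newest": newest}
    return hits


def summarise(hits):
    """Collapse scan results into the two numbers a responder asks for first."""
    return {"directories": len(hits),
            "encrypted_files": sum(h["encrypted"] for h in hits.values())}


def make_sample_tree():
    """Constructed sample data (not a real infection): one untouched folder
    and two folders carrying Locky-style artefacts. Returns the temp root."""
    base = tempfile.mkdtemp(prefix="locky-demo-")
    layout = {
        os.path.join("Finance", "Archive"): ["budget-2014.xlsx"],
        os.path.join("Finance", "2016"): [
            "F67091F1D24A922B1A7FC27E19A9D9BC.locky",
            "F67091F1D24A922B2E51B4C93EF04A1D.locky",
            "_Locky_recover_instructions.txt",
        ],
        os.path.join("Shared", "Scans"): [
            "F67091F1D24A922BC1A0B3D4E5F6A7B8.locky",
            "_Locky_recover_instructions.txt",
            "_Locky_recover_instructions.bmp",
            "notes.txt",  # a plain file left beside the encrypted ones
        ],
    }
    for rel, names in layout.items():
        d = os.path.join(base, rel)
        os.makedirs(d)
        for name in names:
            with open(os.path.join(d, name), "w") as fh:
                fh.write("placeholder\n")
    return base


def demo():
    """Scan the constructed tree and return its summary
    (returns {"directories": 2, "encrypted_files": 3})."""
    hits = scan_tree(make_sample_tree())
    for d in sorted(hits):
        h = hits[d]
        print(f"{d}: {h['encrypted']} encrypted, notes={h['notes']}")
    return summarise(hits)


if __name__ == "__main__":
    print(demo())
```

Run it from a clean machine, not the infected one, and point `scan_tree` at every share the affected user could reach, including UNC paths that were never mapped to a drive letter, since those are hit just as readily as Z:\. The per-directory "newest" timestamps give a rough picture of how far and how fast the encryption ran.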

There appears to be no reliable way to prevent infection at this time. Restricting user privileges and keeping backups disconnected limit the damage; they do not prevent it.

It should be noted that permanently connected storage, such as a NAS or a RAID array, is also at risk: malware running under the user's account can encrypt whatever that account can write to, and a RAID array only protects against disk failure, not against data being overwritten. Keeping backup media permanently attached to the system exposes the backed-up data to the same risk as the live data, negating the supposed benefit of the attached device as a backup medium.

This information was collected independently by MrBackup from field notes and does not draw on secondary sources.

This article was edited on 3 May 2016.

Category: backup, Data, MrBackup, Remote, Secure, Storage, Threat
