  1. #1
    5 Star Lounger

    Ransomware alert: Don't be unlucky with Locky

    ON SECURITY

    By Susan Bradley

    Ransomware is a rapidly growing plague on computer users, and the latest variant of Locky adds malicious Word macros to its weaponry. If you must open Word documents created by others, here are some ways to ensure you don't become a ransomware victim.

    The full text of this column is posted at windowssecrets.com/on-security/ransomware-alert-dont-be-unlucky-with-locky/ (opens in a new window/tab).

    Columnists typically cannot reply to comments here, but do incorporate the best tips into future columns.

  2. #2
    New Lounger
    Could you please advise on the merits of switching on the ransomware protection offered by anti-virus software. I use Bitdefender but am reluctant to switch it on as I am not clear how much hassle it will involve subsequently.
    Last edited by satrow; 2016-03-17 at 10:07.

  3. #3
    Star Lounger
    Good article. Anyone using computers should read and understand this.

    A couple places it could be slightly improved.....

    1) You do mention macros in both Word and Excel, but then you only mention disabling it in Word. You should explicitly state to disable them in Excel too. I have received emails with Locky in both types of files.

    2) It would be useful to explicitly advise to disconnect your external back-up device from the PC between backups. If mounted, the backup drive(s) could be encrypted too!

    3) I have seen reports of Locky being distributed in JavaScript (.js) files too. We need to be vigilant of many file types.

    Keep up the good work of spreading the knowledge of these new plagues.

    Thanks!
    -brino
    Last edited by brino; 2016-03-18 at 08:28.

  4. #4
    New Lounger

    What do you suggest for Excel?

    OK Susan, you've explained what to do for Word.

    But although you included Excel in your item, you did not explain what to do about macros in Excel.

    I am still using Office 2007.

    Please advise,

    Ron
    Last edited by satrow; 2016-03-17 at 10:06.

  5. #5
    New Lounger
    Susan,
    First off, let me say that I read and follow your Patch Watch religiously. So thanks for the great info you share.

    Also thanks for this article. However I have several questions.
    1. I use Macrium and make one backup image a day and keep a weeks worth on a rotating basis, on both an internal HDrive and an external HDrive. Are you saying that if I get infected that this malware would lock "ALL" the saved backup images or just the one that was created on the day of the attack? If it only effects the latest backup image, then I can simply go back to a day before the attack and restore that image and be back up and running again.
    2. I also save specific files to the cloud. But in order to gain access to them, I must know my password. How can this malware lock my cloud files if the files have password protection?
    3. Lastly, I have Erunt make a backup of my registry each morning when I boot up. Couldn't I just restore the last registry backup to foil Locky and this type of ransomware?
    Thanks,
    SG
    Last edited by sag; 2016-03-17 at 10:20.

  6. #6
    New Lounger

    Does a non-Admin account offer any protection?

    Thanks Susan, informative as always.
    One thing that you don't mention is whether being logged in as a Standard User rather than with an admin account would offer any protection. I have a sneaky feeling that it wouldn't as (presumably) the encrypting macros can run as a normal user too, but I'd be interested to hear your take on this. Would Applocker also be ineffective?
    Andy

  7. #7
    Star Lounger

    Disable macros in Excel

    Quote Originally Posted by ronbar:
    OK Susan, you've explained what to do for Word.

    But although you included Excel in your item, you did not explain what to do about macros in Excel.

    I am still using Office 2007.

    Please advise,

    Ron

    Hi ronbar,

    On my system (with Win7 and Excel 2007), first open the Excel application, then
    1) hit the "Office Button" then "Excel Options",
    2) within the "Excel Options" pop-up, hit "Trust Center" then "Trust Center Settings",
    3) finally within the "Trust Center" pop-up, hit "Macro Settings" then make your choice, I use "Disable all macros with notification"

    See below for screen-shots.
    A little hidden, but not difficult.

    -brino

    [Screenshots of the three dialogs: clip_808.jpg, clip_809.jpg, clip_810.jpg]
    Last edited by brino; 2016-03-18 at 08:29.

  8. #8
    Lounger
    Hello Ms. Bradley,

    First of all allow me to say how much I enjoy your columns, especially your "Patch Watch." I always check your patch watch before installing any Microsoft updates.

    I have a couple of comments regarding your excellent ransomware article. First, before I start my laptop I make sure any external drive or USB drive I use for backup is disconnected from the laptop. If I am going to update my backup, I disconnect from the Internet and then run a malware scan. Only after I am satisfied that all is as it should be do I connect my external backup drive. Secondly, say my system and data do get infected by ransomware, would it be possible to boot from a USB or DVD drive and copy over the encrypted files from a backup, thus replacing encrypted files with unencrypted files, or would that result in spreading ransomware to my backup? Thirdly, I dual boot Linux on my laptop. If my windows OS is infected, would it also infect Linux? If not, would I be able to boot into Linux, mount the Windows volumes and copy over the encrypted files with fresh files from my backup? Do such strategies have any potential?

    I would be happy to have your views on these copy strategies.

    Best Regards,

    Perri 7

    p.s. As an alternative to copying, would it be possible to clean the Windows OS volumes by running anti-ransomware software from the Linux partition? Moreover, if you don't have a dual boot option (i.e. Linux is not installed on your hard drive), would it be possible to clean the Windows OS by launching Linux from a DVD (or USB) and then using the anti-ransomware software to remove the ransomware? (Note: Malwarebytes is Beta testing Anti-Ransomware Software - current version is Beta 5.) Thank you.
    Last edited by Perri 7; 2016-03-20 at 04:35. Reason: Add Run Anti-Ransomware Software from Linux Partition

  9. #9
    Star Lounger
    For a quick summary of the details of Locky see this Bleeping Computer page:
    http://www.bleepingcomputer.com/news...etwork-shares/

    That page does list the affected file types. That is, Locky will (currently!) only encrypt those specific files.

    So if you have a USB drive where you back up your files (Microsoft Word, Excel, Powerpoint file, or even your home videos .avi, etc.) with a simple file copy (either manually or automatically) and if this backup drive is connected when the ransomware strikes then you risk your backup copies being encrypted too!

    If you use an image-based backup you _MAY_ be okay if the ransomware does not target your particular image file type......however, it is easy to see that for the biggest ransom income the next version or generation of ransomware could easily add all common image file types to their targeted file list.

    The same applies for "cloud-based" connections. If you leave it constantly connected for easy back-up and retrieval of your files, then the ransomware may also have easy access.

    Play Safe!
    -brino
    Last edited by brino; 2016-03-18 at 08:54. Reason: fixed typo

  10. #10
    Star Lounger
    Hi All,

    After thinking about this for a while I started to wonder if Microsoft PowerPoint also supported macros.

    Well guess what: Yes, it does!

    Turning off macros in PowerPoint 2007 is identical to doing it in Excel as I showed in post #7 above.

    -brino
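    The Trust Center setting brino walks through in post #7, plus the PowerPoint case above, as an added PowerShell example (not code from the thread or from the column): it writes the VBAWarnings value that the "Macro Settings" dialog stores, for Word, Excel and PowerPoint, and reads the result back. It assumes Office 2007 (registry version key 12.0) installed for the current user; the version key is the only thing to change for later releases.

```powershell
# Added example, not from the original thread. Sets the Office 2007 macro security level
# for Word, Excel and PowerPoint by writing the same VBAWarnings value the Trust Center
# "Macro Settings" dialog writes, then reports the effective setting per application.
# Assumption: Office 2007 (version key 12.0). Use 14.0 for 2010, 15.0 for 2013, 16.0 for 2016+.
$officeVersion = '12.0'
$apps = 'Word', 'Excel', 'PowerPoint'

# VBAWarnings values as used by the Trust Center dialog:
#   1 = Enable all macros (macros in a Locky document run on open)
#   2 = Disable all macros with notification (the choice brino picked in post #7)
#   3 = Disable all macros except digitally signed macros
#   4 = Disable all macros without notification
$levelNames = @{ 1 = 'Enable all'; 2 = 'Disable with notification';
                 3 = 'Disable except signed'; 4 = 'Disable without notification' }
$desired = 2

foreach ($app in $apps) {
    $key = "HKCU:\Software\Microsoft\Office\$officeVersion\$app\Security"
    if (-not (Test-Path -LiteralPath $key)) {
        # The Security key is only created once the application has run; create it so the value sticks.
        New-Item -Path $key -Force | Out-Null
    }
    Set-ItemProperty -LiteralPath $key -Name 'VBAWarnings' -Value $desired -Type DWord
}

# Read back what each application will actually use. A value of 1 anywhere is the dangerous case.
foreach ($app in $apps) {
    $key = "HKCU:\Software\Microsoft\Office\$officeVersion\$app\Security"
    $current = (Get-ItemProperty -LiteralPath $key -Name 'VBAWarnings' -ErrorAction SilentlyContinue).VBAWarnings
    if ($null -eq $current) { $current = 2 }   # absent value = application default (2)
    '{0,-11} VBAWarnings={1} ({2})' -f $app, $current, $levelNames[[int]$current]
}
```

    Writing the same value under HKCU:\Software\Policies\Microsoft\Office\12.0\<app>\Security instead turns it into a policy setting that the dialog shows greyed out, so a user cannot quietly switch macros back on.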

  11. #11
    Lounger
    Quote Originally Posted by brino:
    For a quick summary of the details of Locky see this Bleeping Computer page:
    If you use an image-based backup you _MAY_ be okay if the ransomware does not target your particular image file type......however, it is easy to see that for the biggest ransom income the next version or generation of ransomware could easily add all common image file types to their targeted file list.
    But backup images are large, so encrypting one would

    a) take a long time and
    b) require a lot of free space to encrypt

    It also seems likely to me that the number of people who DO have a backup and DO NOT have an off-line copy is likely to be small. If I were creating ransomware I think I would be unlikely to go after image files until income from encrypting easier targets started to diminish. And then I'd try to encrypt them as they were created for about a month before I demanded the ransom.

  12. #12
    RussB (5 Star Lounger)
    From this: http://www.bleepingcomputer.com/news...etwork-shares/

    Could some protection be as simple as adding the bold line to the registry up front?
    Last, but not least, Locky will store various information in the registry under the following keys:

    HKCU\Software\Locky\id - The unique ID assigned to the victim.
    HKCU\Software\Locky\pubkey - The RSA public key.
    HKCU\Software\Locky\paytext - The text that is stored in the ransom notes.
    HKCU\Software\Locky\completed - Whether the ransomware finished encrypting the computer
    Last edited by RussB; 2016-03-24 at 09:11. Reason: Fix Link
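    An added triage script, not from the thread or from the Bleeping Computer write-up, that checks for the registry artefacts quoted above: it looks for Software\Locky under the current user's hive and every other loaded user hive and reports the id, pubkey, paytext and completed values. It assumes those value names are the ones the sample in question writes; it detects and reports only.

```powershell
# Added example, not from the original thread. Looks for the HKCU\Software\Locky key and the
# four values quoted from the Bleeping Computer write-up, in the current user's hive and in
# every other loaded user hive under HKEY_USERS. Run elevated to see other users' hives.
# Assumption: the value names (id, pubkey, paytext, completed) match the sample being handled.
$valueNames = 'id', 'pubkey', 'paytext', 'completed'

function Get-LockyArtifacts {
    param([string]$HiveRoot)   # e.g. 'HKCU:' or 'HKU:\S-1-5-21-...'
    $key = Join-Path $HiveRoot 'Software\Locky'
    if (-not (Test-Path -LiteralPath $key)) { return $null }
    $props = Get-ItemProperty -LiteralPath $key
    $found = [ordered]@{ Hive = $HiveRoot }
    foreach ($name in $valueNames) {
        $v = $props.$name
        if ($null -eq $v)        { $display = '<absent>' }
        elseif ($v -is [byte[]]) { $display = "<binary, $($v.Length) bytes>" }   # pubkey is a blob
        else                     { $display = $v }
        $found[$name] = $display
    }
    [pscustomobject]$found
}

# Current user first, then every loaded account hive (real accounts have SIDs starting S-1-5-21).
$roots = @('HKCU:')
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS -ErrorAction SilentlyContinue | Out-Null
}
$roots += Get-ChildItem -Path 'HKU:\' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -like 'S-1-5-21-*' -and $_.PSChildName -notlike '*_Classes' } |
    ForEach-Object { "HKU:\$($_.PSChildName)" }

$hits = foreach ($root in $roots) { Get-LockyArtifacts -HiveRoot $root }

if ($hits) {
    # 'completed' present means the encryption pass has already finished for that user.
    Write-Warning 'Locky registry artefacts present. Isolate the host and restore from an offline backup.'
    $hits | Format-Table -AutoSize
} else {
    'No Software\Locky key found in any loaded user hive.'
}
```

    A pre-created "completed" value, as asked about above, would also show up here, so a hit on that value alone is not proof of an infection.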

  13. #13
    Rick Corbett (Super Moderator)
    Quote Originally Posted by RussB
    Unfortunately the link appears truncated. I think it should be http://www.bleepingcomputer.com/news...etwork-shares/.

  14. #14
    Star Lounger
    Quote Originally Posted by RussB:
    Could some protection be as simple as adding the bold line to the registry up front?
    Hi Russ,

    I do believe that would help with this one particular threat....as you say "some protection".

    However it would require only a new version with a simple registry key name change to defeat it. A better approach would be to detect/block some of the methods many of these encrypting ransomware use.

    One tool I like is CryptoPrevent by FoolishIT:
    https://www.foolishit.com/cryptoprev...re-prevention/
    It uses Windows group policies (unavailable to most Windows "Home" users) to deny many of the tricks used by ransomware.

    and MalwareBytes is moving forward with their Anti-Ransomware Beta:
    https://blog.malwarebytes.org/news/2...nsomware-beta/
    but that product is very early in the design cycle.

    -brino

  15. #15
    RussB (5 Star Lounger)
    ...and every preventive step taken by any piece of software will only work until the 'next' release of malware by-passes the preventive steps.
    It has always been a race, and likely will remain there until a 'fool-proof' AI method is developed. But even that will eventually be overcome. :-(