The following information was obtained from the different cyber security sources and provided as a notification to all parties concerned pursuant to the mandate of the Philippine National Police Anti-Cybercrime Group (PNP ACG). The information provided is classified as Restricted pursuant to the PNP Regulation 200-012 on document security with impact rating of significant and threat rating of high, based on PNP Information and Communications Technology (ICT) Security Manual s.2010-01 p. 22 and p.129.
Locky is ransomware distributed via malicious .doc files attached to spam email messages. Each Word document contains scrambled text, which appears to be macro code. When the user enables macros in Word, an executable file (the ransomware) is downloaded. Various files are then encrypted, and Locky changes every file name to a unique 16-character combination of letters and digits with a .locky file extension, so it becomes virtually impossible to identify the original files. All files are encrypted using these algorithms and a private key that is stored on remote servers controlled by cyber criminals and is required for decryption. To decrypt the files, victims must pay a ransom.
Locky can also infect the computer when the user visits a hacked site that hosts an exploit kit. These exploit kits scan the computer for vulnerable programs and attempt to exploit them to install and start the ransomware without the victim's knowledge.[2]
When the Word file attachment is downloaded, the virus starts scanning the computer for files, including photos, videos, documents, archives and other files, and then encrypts them with the Advanced Encryption Standard (AES) algorithm. This virus does not only affect Office files but may also reach external storage drives connected to the computer or network shares and lock the files there as well. Online file storage (cloud) and network sharing sites are also at risk of being hijacked. This is an extremely dangerous virus, so do NOT open unknown emails and do not download any suspicious attached files.[3]
When a victim discovers that the computer is infected with the Locky virus, immediately shut down the computer and, if possible, create a copy or image of the hard drive. This preserves the complete state of the hard drive in the event that a free decryption method is developed in the future. If you do not plan on paying the ransom and can restore from a backup, then scan the computer with an anti-virus or anti-malware program and let it remove everything. Unfortunately, most people do not realize Locky is on their computer until it displays the ransom note and the files have already been encrypted. The scans, though, will at least detect and remove any other malware that may have been installed along with the ransomware program.[3]
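As an added example that is not part of this advisory, the following Python script shows how a responder could check a file listing (for example, one exported from the affected machine or a network share) for the renaming described above, and pick out the directories that should be preserved and imaged before any cleanup. It follows this advisory's description of the naming (a 16-character combination of letters and digits plus a .locky extension); that pattern, the function names and the file listing are assumptions constructed for the example, not data from a real incident.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Pattern following the advisory's description of a Locky rename:
# 16 letters/digits followed by a .locky extension (an assumption; real
# variants may use a different format, so tune this to what you observe).
LOCKY_NAME = re.compile(r"^[A-Za-z0-9]{16}\.locky$", re.IGNORECASE)

# Constructed sample listing of local and UNC paths (no real victim data).
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\budget.xlsx",                 # untouched
    r"C:\Users\alice\Documents\A1B2C3D4E5F60718.locky",      # renamed
    r"C:\Users\alice\Documents\Z9Y8X7W6V5U4T3S2.locky",      # renamed
    r"C:\Users\alice\Pictures\Q1W2E3R4T5Y6U7I8.locky",       # renamed
    r"C:\Users\alice\Pictures\holiday.jpg",                  # untouched
    r"\\fileserver\shared\reports\M1N2B3V4C5X6Z7L8.locky",   # network share hit
    r"\\fileserver\shared\reports\K9J8H7G6F5D4S3A2.locky",   # network share hit
    r"C:\Windows\System32\notepad.exe",                      # untouched
    r"C:\Users\alice\Downloads\notlocky.locky",              # wrong length: not a match
    r"C:\Users\alice\Downloads\ABCDEFGHIJKLMNOP.locky.bak",  # wrong extension: not a match
]


def is_locky_name(filename: str) -> bool:
    """True if the bare file name matches the rename pattern described above."""
    return LOCKY_NAME.match(filename) is not None


def find_encrypted(paths):
    """Return the paths whose file name looks like a renamed (encrypted) file.

    PureWindowsPath parses Windows and UNC paths on any platform, so this
    works on an analysis workstation that is not the infected host.
    """
    return [p for p in paths if is_locky_name(PureWindowsPath(p).name)]


def count_by_directory(paths):
    """Map each directory to the number of renamed files found in it."""
    counts = Counter(str(PureWindowsPath(p).parent) for p in find_encrypted(paths))
    return dict(counts)


def triage(paths, threshold=2):
    """Directories with at least `threshold` renamed files.

    These are the locations to preserve (image the drive, do not write to it)
    before running anti-malware cleanup, so that a future decryption method
    still has the complete encrypted state to work on.
    """
    return sorted(d for d, n in count_by_directory(paths).items() if n >= threshold)


if __name__ == "__main__":
    hits = find_encrypted(SAMPLE_LISTING)
    print(f"{len(hits)} renamed file(s) found")
    for directory, n in sorted(count_by_directory(SAMPLE_LISTING).items()):
        print(f"  {n:3d}  {directory}")
    print("Preserve before cleanup:", triage(SAMPLE_LISTING))
```

The directory counts are the useful output for an incident report: a network share showing up in the list means the infection reached beyond the first machine, which matches the advisory's warning about connected drives and shares.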
To avoid this kind of ransomware, netizens should never click on unknown links or open any software downloads without first performing a virus scan. In addition, users should deny any User Account Control (UAC) request unless they are themselves making modifications to their own system. Likewise, they should be cautious when visiting web pages, since pages carrying malicious code are a way for an attacker to compromise the system. It is best to install security software that warns of and detects malicious software.
The community is advised to follow the best practices listed for securing and protecting information whether for personal use or for work:
• Back-up regularly and keep a recent backup copy off-site;
• Do not enable macros in document attachments received via email;
• Be cautious about unsolicited attachments; and
• Consider installing the Microsoft Office viewers.
For additional information, please refer to the following security websites:
POINT OF CONTACT