
The following information was obtained from different cyber security sources and is provided as a notification to all parties concerned pursuant to the mandate of the Philippine National Police Anti-Cybercrime Group (PNP ACG). The information provided is classified as Restricted pursuant to PNP Regulation 200-012 on document security, with an impact rating of significant and a threat rating of high, based on the PNP Information and Communications Technology (ICT) Security Manual s.2010-01 p. 22 and p. 129.

SUMMARY

Locky is ransomware distributed via malicious .doc files attached to spam email messages. Each Word document contains scrambled text, which appears to be macros. When users enable macros in the Word program, an executable file (the ransomware) is downloaded. Various files are then encrypted, and Locky changes every file name to a unique 16-letter-and-digit combination with a .locky file extension, making it virtually impossible to identify the original files. The files are encrypted using the algorithms and a private key stored on remote servers controlled by cyber criminals; that key is required for decryption. To decrypt the files, victims must pay a ransom.
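The renaming behaviour described above is the indicator a responder can confirm on a suspect machine before taking the drive image recommended later in this bulletin. The following script is an added illustration, not part of the PNP ACG bulletin or any product: it walks a directory tree, flags files whose name is a run of letters and digits followed by the .locky extension, and reports which directories hold the most of them. The bulletin states a 16-character name; accepting up to 32 characters is an assumption made here so that longer identifier variants are not missed. The sample tree it builds is constructed for the dry run and contains no real victim data.

```python
"""Scan a directory tree for the file-renaming pattern attributed to Locky.

Added illustration (not from the bulletin): flags <letters/digits>.locky
files and summarises them per directory so a responder can confirm the
infection quickly and decide what to image and restore.
"""
import os
import re
import tempfile
from collections import Counter

# Bulletin: names become a 16-letter-and-digit combination plus ".locky".
# Allowing up to 32 characters is an assumption added here so that longer
# identifier variants are still caught by the same check.
LOCKY_NAME = re.compile(r"^[0-9A-Za-z]{16,32}\.locky$")


def is_locky_name(filename: str) -> bool:
    """True if the basename matches the Locky renaming pattern."""
    return LOCKY_NAME.match(os.path.basename(filename)) is not None


def scan_tree(root: str) -> dict:
    """Walk *root* and count matching files per directory.

    Returns {"total": int, "by_dir": {dir: count}, "hits": [paths]}.
    """
    hits = []
    by_dir = Counter()
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if is_locky_name(name):
                hits.append(os.path.join(dirpath, name))
                by_dir[dirpath] += 1
    return {"total": len(hits), "by_dir": dict(by_dir), "hits": sorted(hits)}


def build_sample_tree() -> str:
    """Create a constructed sample tree (not real victim data) for a dry run."""
    root = tempfile.mkdtemp(prefix="locky_demo_")
    docs = os.path.join(root, "Documents")
    pics = os.path.join(root, "Pictures")
    os.makedirs(docs)
    os.makedirs(pics)
    samples = [
        (docs, "A1B2C3D4E5F60718.locky"),                   # renamed + encrypted
        (docs, "0123456789ABCDEF.locky"),                   # renamed + encrypted
        (docs, "report.docx"),                              # untouched
        (pics, "F00DBA5EC0FFEE1234567890ABCDEF12.locky"),   # 32-character variant
        (pics, "holiday.jpg"),                              # untouched
        (pics, "notes.locky.txt"),                          # must NOT match: wrong ending
    ]
    for directory, name in samples:
        with open(os.path.join(directory, name), "wb") as fh:
            fh.write(b"constructed sample content")
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    result = scan_tree(demo_root)
    print(f"{result['total']} Locky-pattern files under {demo_root}")
    for directory, count in sorted(result["by_dir"].items(), key=lambda kv: -kv[1]):
        print(f"  {count:3d}  {directory}")
```

Run it against a mounted image or a mapped share rather than the live system where possible; the per-directory counts also show whether network shares and external drives, which the bulletin notes Locky can reach, were affected.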

Locky can also infect a computer when the user visits a hacked site hosting an exploit kit. These exploit kits scan the computer for vulnerable programs and attempt to exploit them to install and start the ransomware without the victim's knowledge. [2]

The main method used for spreading Locky ransomware relies on spam. It can affect all versions of Windows, including Windows XP, Windows Vista, Windows 7, Windows 8 and Windows 10. Some of these misleading emails have a Word file attached; others carry a JavaScript attachment. Each of these email messages tries to look very convincing in order to trick people into downloading the attachment onto their computers. [2]

When the Word file attachment is downloaded, the virus starts scanning the computer for files, including photos, videos, documents, archives and other files, and then encrypts them with the Advanced Encryption Standard (AES) algorithm. The virus does not only affect Office files; it may also reach external storage drives connected to the computer or network shares and lock the files there as well. Online file clouds and network sharing sites are also at risk of being hijacked. This is an extremely dangerous virus, so do NOT open unknown emails and do not download any suspicious attached files. [3]

When a victim discovers that the computer is infected with the Locky virus, immediately shut down the computer and, if possible, create a copy or image of the hard drive. This preserves the complete state of the hard drive in case a free decryption method is developed in the future. If you do not plan on paying the ransom and can restore from a backup, scan the computer with an anti-virus or anti-malware program and let it remove everything. Unfortunately, most people do not realise Locky is on their computer until it displays the ransom note and the files have already been encrypted. The scans will at least detect and remove any other malware that may have been installed along with the ransomware program. [3]

To avoid this kind of ransomware, netizens should never click on unknown links or open any software downloads without first performing a virus scan. In addition, users should deny any User Account Control (UAC) request unless they are themselves making modifications to their system. Likewise, they should be cautious about visiting web pages that may carry malicious code, since avoiding such pages denies the attacker a path to compromise the system. It is best to install security software that warns about and detects malicious software.

RECOMMENDATION

The community is advised to follow the best practices listed for securing and protecting information whether for personal use or for work:

• Back up regularly and keep a recent backup copy off-site;
• Do not enable macros in document attachments received via email;
• Be cautious about unsolicited attachments; and
• Consider installing the Microsoft Office viewers.
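The two delivery forms this bulletin names, a Word document carrying macros and a JavaScript attachment, can be screened before they reach a user. The following script is an added illustration, not part of the bulletin or of any mail product: it classifies an attachment from its name and its first bytes, blocking JavaScript files outright and blocking OLE2 (.doc) files that contain a VBA project storage. Identifying the VBA storage by searching the raw bytes for its UTF-16LE name is a heuristic assumed here in place of a full OLE parser, and the sample attachments are constructed in-line.

```python
"""Triage e-mail attachments for the Locky delivery forms the bulletin names:
Word documents carrying macros, and JavaScript attachments.

Added illustration, not from the bulletin. The VBA check is a byte-level
heuristic (OLE2 magic plus a UTF-16LE storage name), not a full OLE parser.
"""
import re

# OLE2 compound file signature: every legacy .doc file starts with these bytes.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Directory entry names in an OLE file are stored as UTF-16LE. "_VBA_PROJECT"
# is the stream that holds compiled VBA in Word documents; assumption made
# here: a raw substring search for it is a sufficient indicator for triage.
VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")
# Bulletin names JavaScript attachments; .js is the extension checked here.
SCRIPT_EXT = re.compile(r"\.js$", re.IGNORECASE)


def classify_attachment(filename: str, data: bytes) -> str:
    """Return one of:
    'block-script'             - JavaScript attachment
    'block-macro-document'     - OLE document with a VBA project storage
    'review-office-document'   - OLE document without a detected VBA storage
    'allow'                    - anything else
    """
    if SCRIPT_EXT.search(filename):
        return "block-script"
    if data.startswith(OLE_MAGIC):
        if VBA_MARKER in data:
            return "block-macro-document"
        # No VBA stream seen by the heuristic; still worth a sandbox look.
        return "review-office-document"
    return "allow"


# Constructed sample attachments (not real malware): minimal byte strings that
# exercise each branch of the classifier.
SAMPLES = {
    "invoice.doc": OLE_MAGIC + b"\x00" * 24 + VBA_MARKER + b"\x00" * 16,
    "minutes.doc": OLE_MAGIC + b"\x00" * 64,
    "SCAN.JS": b"var a = 1;",
    "photo.jpg": b"\xff\xd8\xff\xe0JFIF",
}


def triage_all(samples=None) -> dict:
    """Classify every (name, bytes) pair; defaults to the constructed samples."""
    samples = SAMPLES if samples is None else samples
    return {name: classify_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage_all().items():
        print(f"{verdict:24s} {name}")
```

The "review" verdict matters as much as the blocks: the heuristic can miss a macro-bearing document, so an OLE file with no detected VBA storage is routed for inspection rather than allowed through, which matches the bulletin's advice to treat unsolicited attachments with caution.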

For additional information, please refer to the following security websites:

• http://www.bleepingcomputer.com/virus-removal/locky-ransomware-information-help#locky
• https://www.bleepingcomputer.com/virus-removal/locky-ransomeware-information-help#locky-encryption

POINT OF CONTACT

Please contact CSRAD, PNP ACG for any inquiries related to this CYBER SECURITY BULLETIN at http://mail.pnp.gov.ph/ or call 7230401 local 5514.

[3] https://www.2-spyware.com/remove-locky-virus.html